Ethereum’s Security: 5 Key Signals to Watch

Key Takeaways

• Robust Network Security. The network is more secure, with a current cost to attack the network standing at ~$40 billion per day. Since The Merge, the total number of validators more than doubled from 430,000 to 1,000,000. As the number of validators has grown, the bar has also risen to execute a 34% attack.
• Profitable Validator Operations. Although consensus rewards have decreased as more validators have joined the network, an average validator can still expect around 1 ETH return per 32 ETH staked (~3.3% return). Assuming hardware costs of $1,500, the payback period for a single validator is roughly 5 months at current network statistics. Running several validators on one instance may shorten the payback period linearly.
• Minimal Slashing Events: While the term "slashing" tends to raise alarm bells, slashing events are less prevalent than anticipated, with fewer than 200 slashable offenses in the past year. This may indicate minimal widespread issues in the form of attempts to manipulate the blockchain as well as possible self-inflicted errors by validator operators.
• Fluctuating Deposit and Withdrawal Queues. In recent months, there has been a net inflow of validators joining the network. Although upcoming Ethereum Improvement Proposals (EIPs) aim to reduce network load and congestion on the consensus layer, the net increase in validators continues to raise network load.
• Growing Decentralization. Geth, the leading execution client, has seen its market share decrease to an estimated 55% in recent months, indicating progress toward greater client decentralization.¹ While client diversity is critical, other aspects of decentralization, such as builder and relay diversity, warrant closer examination.

Robust Network Security

Since The Merge, the Ethereum network has matured, and its security has grown. The current cost to attack the Ethereum network is ~$40 billion per day, which can serve as a strong deterrent to bad actors.

The cost-to-attack metric is based on the amount of staked ETH required to obtain a 34% share of total staked ETH. At a 34% threshold, the network falls into an “inactivity leak” where the network cannot finalize and the blockchain falls into a state of limbo. To perform this type of attack, an attacker would not only have to acquire the staked ETH but also run the required infrastructure. To sustain the attack, the actor must continuously commit capital to maintain a 34% share, all while dealing with a variable deposit queue that could range from days to weeks. This scenario would be economically irrational as it would result in a substantial sunk cost for the actor in terms of lost ETH.

Other considerations related to network security are:

1. The network continues to increase in resiliency as the stake rate increases
2. Validator uptime remains high

The stake rate (proportion of staked ETH to total circulating ETH) sits at 28% and has been growing over the past year.² As stake rate increases, so would the cost to attack the network. Moreover, the online rate of validators across the network averages greater than 99%, meaning most validators are online and actively monitoring the state of the network.

Profitable Validator Operations

Validators are critical network participants. In this section, we will break down their economic incentives.

While there are various types of infrastructure set-ups (e.g. bare metal vs. cloud hosted), the most simple method is to acquire a bare-metal server that costs ~$1,500 to support hardware requirements. Assuming that one hosts a single validator on the server, with annual returns for staking at ~3.3%, one could expect a 5-month payback period.

For professional validator operators, additional resiliency requirements increase operating expenses. Economies of scale favors larger operators given the infrastructure cost for running 10 validators vs 1,000 is similar. Professional operators typically host multiple back-up environments so that in the event of the primary environment failing, they may fall back on a secondary environment. Some advanced operators are even starting to utilize a Distributed Validator Technology (DVT) infrastructure where multiple environments are run in parallel, and the private keys are split among environments to perform validator duties.

In summary, both smaller retail and professional operators can be profitable given the relatively low cost of hardware. Even with growing stake rate (which in turn lowers validator returns), we are yet to see a mass number of validators exit the network due to low returns. Time will tell if validators begin chasing yield elsewhere.

Minimal Slashing Events

Slashing events occur less frequently than most people may realize. In the past year, ~200 validators were slashed (0.1% of total validators). Slashing events are important to track as they are indicative of the following scenarios:

1. A malicious attempt to harm the network
2. A validator accidently slashed themselves through a double-signing event
3. A client bug was introduced that caused a slashable event

In the past year, the majority of slashing events were caused by scenario two. Specifically, professional operators with advanced infrastructures accidentally ran their primary and secondary environments at the same time and overlooked slashing protections. The network simply detected the same keys in two places as malicious behavior and the validators were slashed.

Figure 2 illustrates slashing event spikes—one in October 2023 (20 validators impacted) and the other in November (100 validators impacted). Both events were triggered by professional operators. The postmortem from the project team for the October incident explains that the operator accidentally had two versions of the same validator keys running in a primary instance and fallback instance without the slashing protections enabled through Web3signer, a remote signing solution.³ All things considered, slashing events are certainly possible, but are empirically rare. It is important that stakers minimize slashing risks wherever possible and consider the trade-offs of liveness through various environments vs. safety.

Fluctuating Deposit and Withdrawal Queues

In recent months, the deposit queue increased again while the withdrawal queue stayed under a day-long wait. In the six months following The Merge, the deposit queue was heavily congested and even peaked at 60 days. This meant that if a validator deposited 32 ETH, that operator would have had to wait 60 days before its validator became active. At the time of writing, the queue is around a week-long, in part due to a recent EIP that activated in the Dencun hard fork in March 2024.

This EIP, called “Max Churn Limit,” was introduced to slow down the stake rate and limit the deposit queue’s max number of validators who can enter, down from 13 validators to 8 per epoch. The community agreed this EIP was necessary to buy time for a longer-term decision around reducing the overall load on the network. Every epoch (6.4 minutes), the network demands over 1 million signatures, adding significant strain to the network.⁴ Looking forward, the community has proposed various solutions that aim to reduce network load.

Maximum Effective Balance, known as MaxEB (EIP 7251), is one such proposal by the community to improve the performance of the consensus layer. MaxEB is planned to roll out in the next hard fork, Pectra, that will widen the effective balance of validators’ ETH balances to between 32 and 2,048 ETH.⁵ The change should have two major outcomes: (1) allow validators to consolidate their operations and, in turn, reduce the number of validator signatures and load on the consensus layer, and (2) allow reward compounding within the effective balance range. Note that this proposal is one of many steps to ultimately reach single-slot finality (SSF). Today, it takes ~2 epochs for the network to finalize. Proponents of SSF have proposed SSF as a future state of Ethereum where transactions may finalize at a much faster rate than they do today.

Growing Decentralization

There are several components to Ethereum’s decentralization. Across each of the categories below, it is important to ensure no single points of failure:

• With client diversity, it is critical that the network continues to move away from supermajority clients, on both the execution and consensus layers. A supermajority client is a client that holds >67% of network share. If a supermajority client experiences a consensus breaking bug, it could lead to a chain split. A consensus breaking bug is the result of clients disagreeing on the validity of a block, for a variety of reasons. For example, if the max gas fee parameter for a block was changed in a supermajority execution client (e.g. from the current 30 million max to 10 million), this could cause disagreement among execution clients on the validity of a block and split the chain. While there are many preventative measures in place to combat a bug like this, it remains a non-zero risk that would have significant ramifications to the network. For this reason, validators, especially larger professional stakers, can diversify their clients to help minimize a supermajority client risk.
• In general, validators either use a bare metal set-up or rely on a cloud provider to run infrastructure. To avoid a network-wide outage due to cloud provider overlap, validators may benefit from diversifying away from dominant cloud providers. According to Rated.Network, an estimated 15% of professional stakers use AWS.[6] This figure may be a non-issue today but remains a watch area.
• Relay & Builder Diversity is important to monitor to avoid a situation where builders and relays could potentially collude to control transactions or cause network downtime. If there is a dominant relay, the relay could control what blocks are valid. This concern is exacerbated if a bad actor also uses a dominant builder and can control order flow. This risk is naturally reduced as relays are incentivized to behave honestly—they serve validators and block builders. If relays start to behave dishonestly, validators and block builders can opt out of the relay.

   

  • Some validators pay relays for higher valued blocks. Block builders will only pay a relay if that relay has a high success rate of ensuring their blocks land on-chain. Therefore, relays are incentivized to propagate information efficiently from block builders to relays while maintaining validators’ block criteria.
  • Another consideration is the various strategies relays employ. For example, some are considered “regulated” or censoring relays that comply with sanctions laws. Relays control the 'block validation' logic and set which addresses are blacklisted. At the time of writing, 40% of blocks are produced by censoring relays.⁷ Long-term, it is essential that the network can support both censoring and non-censoring transactions.
  • Sometimes relays simply face outages and can disrupt the network—in late March 2024, a major relay experienced downtime and briefly caused ~13% of blocks to be missed.⁸
• Stake distribution is also a potentially centralizing force that is necessary to monitor. As mentioned in “Robust Network Security”, a 34% attack would lead the network to a non-finalizing state. At the time of writing, Lido’s stETH holds ~30% of staked ETH and restaking protocol Eigenlayer holds ~15% of staked ETH. Even though the underlying validator infrastructure behind stETH and Eigenlayer is distributed across multiple node operators, it is still critical that no one protocol or entity dominates staked ETH.

Conclusion

From the perspective of validators, the Ethereum network appears to be healthy. The increased number of validators, high online rate for validators, as well as the minimal number of slashing events across the network reflects strong network security. That said, there are watch areas such as supermajority client risk and stake distribution that will fall on the community to monitor and adjust for. Significant deviations from the norm will signal issues among validators and pose potential threats to the network.

Figure 1: Cost to Attack the Network. Coin Metrics Data: https://coinmetrics.io/.

Figure 2: Slashing Events. Coin Metrics Data: https://coinmetrics.io/.

Special thanks to Jason Ward, Sean Wells, Will Baxter. 1150022.1.0
Digital assets are speculative and highly volatile, can become illiquid at any time, and are only for those investors willing to risk losing some or all of their investment and who have the experience and ability to evaluate the risks and merits of an investment. Past performance is no guarantee of future results.

FCAT does not offer digital assets nor provide clearing or custody of such assets. This information is for informational purposes only and is not intended to provide investment or any other advice and should not be construed as an offer to sell, a solicitation of an offer to buy, or a recommendation for any security or other assets. Views expressed are as of the date indicated, based on the information available at that time, and may change based on market or other conditions. The opinions provided are those of the author and not necessarily those of Fidelity Investments or its affiliates. Fidelity does not assume any duty to update any of the information. Fidelity and any other third parties are independent entities and not affiliated. Mentioning them does not suggest a recommendation or endorsement by Fidelity.

¹ "Client Diversity | Ethereum." Client Diversity | Ethereum
² “Ethereum Staking.” Dune.
³ “Post Mortem: Lido on Ethereum Launchnodes Slashing Incident.” Lido Finance, 13 Oct. 2023.
⁴ Sample lighthouse code snippet that shows the attestation signature request:
“Lighthouse/Validator_client/Src/Attestation_service.rs at Stable · Sigp/Lighthouse.” GitHub. ⁵ Max Effective Balance proposal: “Increase the MAX_EFFECTIVE_BALANCE – a Modest Proposal.” Ethereum Research, 6 June 2023.
⁶ Rated | Reputation for Machines.” Explorer.rated.network.
⁷ “Post-Merge OFAC Compliant Blocks.” MEV Watch.
⁸ Bankless Podcast. “Sam Bankman-Fried Sentencing: Too Harsh?” Bankless Friday Weekly Rollup, March 29, 2024, 36:00.