Proposal to set node withdrawal address mandatory

Mig21 · 15 February 2023 09:50

since all this invis drama i made some thought about possible attacks or risks.
the protocol is having an increase of attention and obv. malicious entities could think to target even the nodes.

in this regard i think that setting the withdrawal address is a fundamental thing to do that, with my surprise, is overlooked.

as 10 february 2023 there are :

634 nodes (30%)
1541 minipools (almost 15%)

without the withdrawal address set.

that’s at least 27121.6 ETH that could be at risk !!! almost 42.000.000$ !!!

that’s an unnedeed risk those NO are taking, just to think that you are one command away from losing your funds is unsettling.

a malicious entity could hijack your node, or your colleague get access to your machine or your SSH, or malicious software target your node
and just launch

rocketpool node set-withdrawal-address --force (your cold wallet address)

and you’re done, your funds are lost.

i propose to make mandatory to set a withdrawal address on node creation that will strenghten security quite a bit and will close a possible attack vector or risk that could involve nodes.

you can check with
curl -s --compressed https://rocketscan.io/api/mainnet/nodes/all | jq -r ‘.[] | [.address, .withdrawalAddress, .minipoolCount] | @csv’

and see for yourself the numbers

i’d like to thank @peteris and @[object Object] for the help

ramana · 15 February 2023 10:13

In what sense do you propose it being mandatory? How is it enforced?

Do you mean a node is not fully registered until another withdrawal address than the node address is supplied? (Enforcement in protocol contracts)

Or do you just mean soft enforcement where the smartnode doesn’t let you do anything before setting another withdrawal address?

Mig21 · 15 February 2023 10:34

i think can be done in steps,
first iteration the smartnode doesn’t let you do anything before setting another address that’s different from the node one, and is a lot easier to do.

the second one require as you said a protocol change, but i think the first one will be enough to reduce the risk to a negligible %

knoshua · 15 February 2023 10:39

How many of these nodes and minipools are actually using the smartnode? For context, Allnodes reports 1507 minipools run through them.

this does not apply to Allnodes or other setups that don’t expose the node key on a node machine.

You have not convinced me that setting a withdrawal address is overlooked in cases where it is advisable.

Mig21 · 15 February 2023 11:44

surely the vast majority are probably using allnodes but we can’t be sure of how many have used hardware wallets, and we can’t also be sure of how many will convert to smartnode users, exposing them with an unneeded risk

yes, but also with the new influx of NO coming from withdrawals, could be advisable to force it, better safe than sorry IMO

knoshua · 15 February 2023 11:51

This isn’t a valid argument, we also can’t be sure that people use a hardware wallet for a withdrawal address.

Yes, we don’t know what will happen in the future. My point is that there is no evidence that people have overlooked setting a withdrawal address if it is relevant for them.

Valdorff · 15 February 2023 13:00

I agree with @knoshua’s main point - the vast majority of users that don’t set withdrawal address are allnodes users, where the node wallet can be just as safe as the withdrawal wallet.

That said, I think the spirit of the proposal is fair - I’d propose that withdrawal address should be mandatory in the smartnode flow.