Exiting CSM validators

Exit requests from Lido

There are 3 reasons why CSM operators can receive exit requests from the Lido Protocol:

1. The node operator's bond amounts fall below the minimum threshold for the number of validator keys deposited by the CSM

2. To cover withdrawal requests from stETH holders

3. By DAO decision in some exceptional cases. This will require an on-chain vote and public discussion on the Lido Research forum.

Exit requests can be observed in the number Unbonded keys on the operator dashboard of the CSM Web App.

When this happens, CSM operators must initiate an exit on the requested number of validator keys as soon as possible (within 96 hours) to avoid penalty measures from having Stuck Keys.

Stuck Keys

Stuck Keys accrue when CSM operators do not perform timely (within 96 hours) exits on the required number of CSM-deposited validator keys when requested by the Lido Protocol.

Penalties of having Stuck Keys include:

1. New validator keys of the CSM operator will not be deposited

2. New staking rewards stop accruing for the CSM operator

Penalties are lifted when there are no more Stuck Keys. More details here.

Manual exit

Exiting CSM-deposited validator keys works the same way as exiting solo staking validator keys.

Refer to this dedicated guide for exiting validators put together by Remy Roy.

You can also follow the steps extracted from Remy's guide below (Linux only).

Overview of the validator exit process

The whole process can feel daunting so we will break it down into 3 phases.

Phase 1: Prepare the necessary files

• Ensure that you have either your 24-word mnemonic or your validator keystores + the password to decrypt it.

• Download the latest version of ethdo

cd
wget https://github.com/wealdtech/ethdo/releases/download/v1.35.3/ethdo-1.35.3-linux-amd64.tar.gz
wget https://github.com/wealdtech/ethdo/releases/download/v1.35.3/ethdo-1.35.3-linux-amd64.tar.gz.sha256

• Print the sha256 checksum

cat ethdo-1.35.3-linux-amd64.tar.gz.sha256

• Verify the checksum of the downloaded zipped file using the output of the previous command.

echo "<sha256_checksum> ethdo-1.35.3-linux-amd64.tar.gz" | sha256sum --check

Expected output:

ethdo-1.35.3-linux-amd64.tar.gz: OK

• Generate the offline-preparation.json file using ethdo

tar xvf ethdo-1.35.3-linux-amd64.tar.gz
./ethdo validator exit --prepare-offline

Expected output:

offline-preparation.json generated

Phase 2: Transfer files into an air-gapped machine

Recall the steps in the Install and prepare the OS section, but instead of installing Ubuntu as the OS, we will install TailsOS for extra security.

• Prepare 2 brand new USB drives

• Plug the first USB drive into your validator node machine and identify the USB drive on your terminal

lsblk
# Look for your USB drive in the output list. 
# It will take a name similar to "sdx1". 

• After you find it, you can proceed to mount this first USB drive onto the /media folder

sudo mount /dev/sda1 /media 
#Replace sda1 with the actual name of your USB drive.

• Load your validator keystores, the downloaded ethdo zipped file, the sha256 checksum, and the offline-preparation.json file into the first USB drive

sudo cp <file_path_to_validator_keystores> /media
sudo cp ~/offline-preparation.json ~/ethdo-1.35.3-linux-amd64.tar.gz ~/ethdo-1.35.3-linux-amd64.tar.gz.sha256 /media

• Download the latest version of TailsOS into your laptop from the website and follow the instructions to upload the downloaded file for checksum verification

• This step creates the airgapped machine: Unplug any wired connections from your laptop. Then, follow the steps in the Install and prepare the OS section to flash the second USB drive with TailsOS and boot up TailsOS on your laptop. Stop just before "Install the SSH server"

• Plug the first USB drive into your laptop that is now running TailsOS and transfer all the files into the home folder

Phase 3: Signing the exit message

Loading the files onto TailsOS

• Open up the terminal on TailsOS

• Print the sha256 checksum

cd
cat ethdo-1.35.3-linux-amd64.tar.gz.sha256

• Verify the checksum of the downloaded zipped file using the output of the previous command.

echo "<sha256_checksum> ethdo-1.35.3-linux-amd64.tar.gz" | sha256sum --check

Expected output:

ethdo-1.35.3-linux-amd64.tar.gz: OK

• Extract the ethdo file

tar xvf ethdo-1.35.2-linux-amd64.tar.gz

Generate the exit message (Choose your method)

• Method 1: Using the validator keystores + password

./ethdo validator exit --validator="KEYSTORE_FILENAME" --passphrase='KEYSTORE_PASSWORD' --json --offline > RESULTING_FILENAME

#Example:
#./ethdo validator exit --validator="KEYSTORE_FILENAME" --passphrase='KEYSTORE_PASSWORD' --json --offline > RESULTING_FILENAME

• Method 2: Using the 24-word mnemonic

./ethdo validator exit --validator=VALIDATOR_INDEX --json --offline --mnemonic="MNEMONIC" > RESULTING_FILENAME

#Example:
#./ethdo validator exit --validator=459921 --json --offline --mnemonic="silent hill auto ability front sting tunnel empower venture once wise local suffer repeat deny deliver hawk silk wedding random coil you town narrow" > 459921-exit.json

Copy the resulting file (e.g., 459921-exit.json) into your first USB (currently plugged into your TailsOS laptop). This is the exit message.

Broadcasting the exit message

• Restart your TailsOS laptop and unplug the second USB flashed with TailsOS to revert to your normal operating system

• Browse to https://beaconcha.in/tools/broadcast, upload your exit message into the widget and broadcast it

Your validator will now enter the exit queue. You must keep your validator node running until it is fully exited, or you will suffer offline penalties.

cd
git clone https://github.com/lidofinance/validator-ejector.git
cd validator-ejector

sudo cp sample.env .env
sudo nano .env

EXECUTION_NODE=http://<Internal_IP_Address>:<RPC_Port>
CONSENSUS_NODE=http://<Internal_IP_Address>:<REST_Port>
LOCATOR_ADDRESS=0x1eDf09b5023DC86737b59dE68a8130De878984f5
STAKING_MODULE_ID=1
OPERATOR_ID=123

MESSAGES_LOCATION=messages
MESSAGES_PASSWORD=pass