In June 2019, before any institutional buyer was asking, we published our validator architecture: YubiHSM-backed keys, dual Tier III datacenters, VPN-only access. Seven years later, that posture is still the floor, not the ceiling.
The validator key is the entire security model. We put it behind a YubiHSM in 2019 and have not re-platformed the key boundary since.
Two physical Key Management System servers, one in each datacenter, both equipped with YubiHSM 2 hardware security modules. One primary, one hot backup. Validator signing keys never exist outside the HSM boundary. This architecture has been our standard since day one of operations and is documented publicly from 2019.
verifiedFounding setup, June 11, 2019→First Obol DVT cluster deployed September 3, 2023 — 1,001 validators, 3-of-4 threshold, fully up in under 48 hours. Now a signed Node Operator in five Lido Simple DVT Module clusters: four with Obol, one with SSV. Each operating-rules acceptance is on-chain verifiable.
verified5 Lido DVT cluster signatures→Validator signing keys live on a network segment that is not reachable from public-facing infrastructure. Validator nodes communicate with sentries and relayers only; there is no direct ingress to a signer.
Threshold signing via Horcrux across Cosmos-ecosystem chains we validate. Removes single-key double-sign risk: a signature requires a quorum of our signer instances, no one of them can sign alone. Works behind the YubiHSM, not instead of it.
Web3Signer sits between our Ethereum validator clients and the YubiHSM-backed signing keys. Validator client compromise cannot extract the key; at worst it can request a signature that Web3Signer will slash-protect-check before releasing.
Keys generated in-HSM, never exported. Access is dual-controlled; rotation events are logged, reviewed, and counter-signed.
We operate AS41536 with BGP routing policy under our control, not rented from a cloud provider. Three announced IPv4 prefixes — 195.14.16.0/24, 193.222.57.0/24, 91.198.59.0/24 — verifiable on RIPE NCC and bgp.tools. Direct 20 Gbps+ peering to tier-1 carriers, not shared public-cloud ingress.
verifiedAS41536 on bgp.tools→Active-passive deployment across two physically separate Tier III facilities. Manual failover with rehearsed procedures — no single point of failure shared with neighbour tenants.
Layer 3/4 volumetric attack mitigation at the facility boundary. Tier 1 transit provides scrubbing capacity before traffic enters our prefixes.
Access to any node — signer, validator, sentinel, monitoring — is only possible from a small set of known-good locations through VPN. No direct inbound SSH from the public internet has ever been permitted.
Validator nodes sit behind multiple sentries per network. Public RPC traffic never reaches a signing node directly. Published in the 2019 setup article.
Standard Prometheus scrapes at 15-second intervals are too coarse for oracle and validator workloads. We operate a bespoke eBPF probe stack that alerts on the shape of a single oracle report cycle or block-production window.
verifiedTechnical write-up→Hardware-backed FIDO2 / WebAuthn passkeys for all administrative systems. No SMS-based 2FA is permitted anywhere in the ops pipeline — it is explicitly disallowed.
Every validator has a named accountable engineer. Incident response is handled by people with context on the chain, not a ticket queue.
Every chain upgrade is applied to our internal testnet infrastructure before production. We do not upgrade on day one unless we have personally verified the binary.
Key-ownership lock files and HSM-level constraints make double-signing operationally implausible. One disclosed vendor-attributed incident on Osmosis (Horcrux v3.3.1 race condition, March 2025), patched in v3.3.2 within hours of release. All 4,650 affected delegators were fully reimbursed from our operational reserve — zero delegator loss.
verifiedFull post-mortem→Certified under ISO/IEC 27001. Annual surveillance audits and recertification maintained on schedule.
verifiedVerify on StakingRewards profile→Certified under ISO 9001, covering operational quality across validator and RPC services.
Independent third-party rating under ongoing review on the StakingRewards registry.
verifiedstakingrewards.com/01node→On the 2026-2027 compliance track. Target: engage a Tier 1 auditor for a Type I readiness assessment, followed by the Type II observation window. Our existing ISO 27001 ISMS maps most of the SOC 2 Security common criteria, reducing the gap materially.
Filing track under EU Markets in Crypto-Assets regulation, in preparation for full MiCA enforcement from July 1, 2026.
Annual external penetration test engagement with a top-tier security firm. Executive summary will be made available to counterparties under NDA.
Scoped programme via Immunefi for validator infrastructure, oracle node, and public RPC surfaces.
Operational incidents that are visible on-chain receive an explicit post-mortem here. Operators who hide incidents lose institutional trust the moment due-diligence finds the on-chain evidence; operators who disclose with context earn it.
Two near-simultaneous signing requests (1.5 ms apart) for Osmosis block 30968345 raced a split read/write lock pattern in Horcrux v3.3.1. Both requests passed the “have I already signed?” check before either had written the “yes I have” state update. Both proceeded to sign. The validator was tombstoned and slashed 5% under Osmosis protocol rules.
Strangelove’s advisory frames the bug as “affecting one validator out of hundreds” with “probability on typical hardware in the range of 1 in 1 billion per signed vote”. The race condition was reachable only at signing-loop latencies shorter than ~2 ms; our bare-metal infrastructure operates inside that window, which is why we were the operator that hit it.
Patched in Horcrux v3.3.2 (released <28 hours after our incident report). We deployed the patch across our Cosmos signing infrastructure within hours of release. All 4,650 affected delegators were reimbursed from our operational reserve before Strangelove and we settled vendor reimbursement.
We accept vulnerability reports on validator infrastructure, oracle nodes, public RPC endpoints, and the marketing site. Encrypt sensitive reports with our PGP key or use a secure channel of your choice.
Good-faith research conducted under this policy will not be pursued as unauthorised access under Romanian or EU law. In scope: our owned systems at 01.ro and validator endpoints we operate. Out of scope: third-party protocols, upstream vendors, social engineering of our team, and denial-of-service testing.
$ 01.ro --security --verify
KEY_STORE: YUBIHSM2 · DUAL_DC · SINCE 2019-06
DVT_ETHEREUM: 5 LIDO SIMPLE_DVT CLUSTERS · 4 OBOL + 1 SSV
NETWORK: AS41536 [195.14.16.0/24, 193.222.57.0/24, 91.198.59.0/24]
UPSTREAM: 20GBPS+ PEERING · 140GBPS DDOS
DATACENTERS: 2 TIER_III TIA-942 · ACTIVE-PASSIVE
ACCESS: VPN_ONLY · FIDO2_PASSKEYS · NO_SMS_2FA
CERTS: ISO_27001 · ISO_9001 · STAKINGREWARDS_AA
SLASHING_INCIDENTS_LIFETIME: 1 (HORCRUX v3.3.1, OSMOSIS, 2025-03-06)
DELEGATOR_LOSS_LIFETIME: 0 (FULL REIMBURSEMENT, 4,650 ADDRESSES)
DISCLOSURE: /.well-known/security.txtDownload the public trust pack — certifications, infrastructure architecture, Lido DVT cluster signatures, governance record, named team, and verification sources for every claim. The unredacted version (commercial detail, MSA template, DPA, references) is delivered under NDA.