What Is Double Signing?

Double signing is a type of validation misbehavior that undermines blockchain consensus and protocol integrity. It is most prominently associated with proof of stake (PoS) blockchains, but can occur in any system where the consensus process involves participants (validators, nodes, miners, etc.) signing blocks or messages. In this article, we’ll focus on PoS chains specifically.

In a PoS blockchain, like Ethereum, validators stake native tokens to participate in consensus and earn rewards. These validators are responsible for securing the network by proposing blocks and attesting to block validity. To ensure the chain’s integrity and consistency, validators must propose and vote for (attestation) only one chain of blocks at any given block height. 

Double signing occurs when a validator signs and submits two conflicting blocks or attestations at the same block height or epoch. This is a violation of protocol rules and results in steep penalties for the validator. In the case of conflicting block proposals, the validator is essentially telling the network “This is the correct next block,” but pointing to two different blocks containing different sets of transactions. With attestations, a validator signs two distinct attestations for the same target epoch, indicating support for mutually exclusive events. In both scenarios, the validator is signaling two incompatible realities. 

This behavior is dangerous for the protocol because it undermines the network’s consensus, compromises its safety guarantees, and could break the protocol’s integrity if it leads to double spending. Double signing can result in temporary forks. If two versions of the chain with  different transaction histories are created, it’s possible for double spending to occur. For this reason, double singing is severely penalized by slashing penalties.

Double signing can be a result of faulty or malicious behavior. However, faulty/unintended validator behavior is far more common, given the steep repercussions (risks usually outweigh rewards for bad actors). 

Unintended double signing typically arises from operational errors, infrastructure misconfigurations, and external disruptions. These can include:  

• Misconfigured failover setups: May cause backup and primary nodes to sign at the same time.  

• Running multiple clients with the same validator key: If both clients are active, they may sign conflicting blocks or attestations. 

• Backup and recovery errors: Outdated or incomplete backups can lead to state mismatch. 

• Network partitions and connectivity issues: After reconnecting, validators may unintentionally send conflicting messages. 

• Software bugs or crashes: Bugs in the validator client software may cause the node to re-sign or lose track of its signing history. 

Among these, misconfigured failover setups and running multiple clients with the same key are the most common causes. However, both are highly preventable with better key management, failover protocols, and logging.

Because double signing can wreak havoc on PoS blockchains, most chains have a built in penalty mechanism, called slashing, to deter it. Slashing results in a portion of the offending validator’s stake being forfeited. If slashing reduces the validator’s stake to below the protocol's minimum staking requirement (e.g., 32 ETH in Ethereum), the validator will also be ejected from the active validator set. 

How slashing losses affect stakers will depend on the chain, their chosen staking setup (i.e., self-run node, staking platform, liquid staking protocol), and validator provider policies (if applicable). In the case of staking platforms and protocols, slashing losses may be distributed across all validator participants, be absorbed by the platform, or may impact the value of liquid staking derivatives. For platform operators running third-party validators, it will depend on the custodial services’s policies, but could impact the operator’s funds and ability to payout their users. 

As the most trusted place to manage crypto, Coinbase always prioritizes the security of our customers’ and end-users’ funds. That said, we take extra precautions to prevent double signing and slashing penalties in our validators. We are proud to say Coinbase validators have a spotless track record of never double signing or being slashed on any of the networks we operate. 

We have accomplished this with a layered security approach built into our staking product: 

Coinbase Double Signing Protection: As a first line of defense, we use proprietary software to ensure validator keys are never used more than once anywhere in the Coinbase infrastructure platform. This software prevents keys from being checked out of our secrets manager service if they’re already in use, and won’t allow any action where keys would be copied or moved. This prevents operator and system error that could lead to double signing.

Client protections to prevent duplicate actions: Each validator client has a local database that checks to ensure a validator key has not already performed an attestation or proposal at the given epoch.

Distributed high watermark protections to prevent duplication actions: On Ethereum, we utilize DynamoDB to ensure keys do not propose or attest more than once. If a key has already performed a required signing duty for a given event, it will opt for skipping over risking signing a message again.

A security-first upgrade strategy: All client upgrades undergo a thorough testnet phase. Long before they’re rolled out on mainnet, we test and verify expected client participation behavior, latency, and machine utilization changes that could impact performance. We also foster direct relationships with client teams to provide feedback and iterate quickly on new releases. Clusters are upgraded on a rolling basis to prevent any potential large scale issues from unforeseen client bugs.

24/7 monitoring and alerting: All of our clusters are covered by robust monitoring and alerting designed to detect any behavior that could lead to slashing or missed rewards. And our 24/7 on-call engineering team has runbooks to address and get ahead of any network operation issues that come up. This means if a validator key somehow managed to break protocol rules (despite all of our preventive measures), we would be alerted immediately. This would allow us to shut down the cluster, preventing additional keys from performing the same error.  

Double signing is a risk all stakers should be aware of and take precautions to mitigate. Choosing trusted validators with a strong history of good performance and reliability is a key way to protect your funds from slashing risks. Coinbase’s layered mitigation approach enables us to provide secure, lower risk staking offerings for our customers and their end-users.