Security // Since 2019

Pre-committed,
not retrofitted.

In June 2019, before any institutional buyer was asking, we published our validator architecture: YubiHSM-backed keys, dual Tier III datacenters, VPN-only access. Seven years later, that posture is still the floor, not the ceiling.

Founding document · June 11, 2019 →

0 · Slashing events, lifetime
6y · YubiHSM in production
5 · Lido DVT clusters signed
2 · Tier III datacenters
// 01 — Key management

Keys never leave the HSM.

The validator key is the entire security model. We put it behind a YubiHSM in 2019 and have not re-platformed the key boundary since.

YubiHSM 2 — dual datacenter, primary + backup

ACTIVE
Since June 2019

Two physical Key Management System servers, one in each datacenter, both equipped with YubiHSM 2 hardware security modules. One primary, one hot backup. Validator signing keys never exist outside the HSM boundary. This architecture has been our standard since day one of operations and is documented publicly from 2019.

Verified · Founding setup, June 11, 2019

Distributed Validator Technology (DVT) on Ethereum

ACTIVE
Since September 2023

First Obol DVT cluster deployed September 3, 2023 — 1,001 validators, 3-of-4 threshold, fully up in under 48 hours. Now a signed Node Operator in five Lido Simple DVT Module clusters: four with Obol, one with SSV. Each operating-rules acceptance is on-chain verifiable.

Verified · 5 Lido DVT cluster signatures

Key isolation — signing segment separate from public

ACTIVE
Since June 2019

Validator signing keys live on a network segment that is not reachable from public-facing infrastructure. Validator nodes communicate with sentries and relayers only; there is no direct ingress to a signer.

Horcrux threshold signing — Cosmos ecosystem

ACTIVE

Threshold signing via Horcrux across the Cosmos-ecosystem chains we validate. This removes single-key double-sign risk: a signature requires a quorum of our signer instances, and no single instance can sign alone. It works behind the YubiHSM, not instead of it.
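The quorum property behind the 3-of-4 DVT cluster above and the Horcrux signer quorum, as an added example that is not 01.ro's code and not Obol's, SSV's or Horcrux's: plain Shamir secret sharing over a prime field. The field modulus, the share indices and the seeded test data are my choices. Production clusters hold BLS or Ed25519 key shares and combine partial signatures, so the full key never exists anywhere; the reconstruction here exists only to show that three shares recover the secret and two recover something unrelated to it.

```python
# Added illustration, not code from 01.ro, Obol, SSV or Horcrux: plain Shamir
# secret sharing over a prime field demonstrates the t-of-n property behind a
# 3-of-4 DVT cluster or a Horcrux quorum. Production clusters hold BLS/Ed25519
# key shares and combine partial *signatures*; the key is never reconstructed.
# Reconstruction below exists only to show where the threshold bites.
import itertools
import random
import secrets

P = 2**255 - 19  # field modulus; any large prime works (assumption for the demo)


def split_secret(secret, threshold, shares, rng=None):
    """Return `shares` points (x, f(x)) on a random polynomial of degree
    threshold-1 over GF(P) with f(0) = secret."""
    if not 1 <= threshold <= shares < P:
        raise ValueError("need 1 <= threshold <= shares")
    rng = rng or secrets.SystemRandom()
    # a0 is the secret; the remaining coefficients are uniform non-zero elements
    coeffs = [secret % P] + [rng.randrange(1, P) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):  # x = 0 would hand out the secret itself
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            y = (y * x + c) % P
        points.append((x, y))
    return points


def recover_secret(points):
    """Lagrange interpolation of f(0). With fewer than `threshold` points the
    result is the constant term of a lower-degree curve through the points,
    which is unrelated to the secret."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % P        # (0 - xj)
                den = (den * (xi - xj)) % P
        # yi * l_i(0), with the inverse of den via Fermat's little theorem
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def threshold_report(threshold=3, shares=4, seed=None):
    """Split a random secret, then check that every subset of size `threshold`
    recovers it and that no subset of size threshold-1 does."""
    rng = random.Random(seed) if seed is not None else None
    secret = secrets.randbelow(P) if rng is None else rng.randrange(P)
    points = split_secret(secret, threshold, shares, rng)
    quorum_ok = all(
        recover_secret(list(sub)) == secret
        for sub in itertools.combinations(points, threshold)
    )
    below_quorum_leaks = any(
        recover_secret(list(sub)) == secret
        for sub in itertools.combinations(points, threshold - 1)
    )
    return {"quorum_recovers": quorum_ok, "below_quorum_recovers": below_quorum_leaks}


if __name__ == "__main__":
    print(threshold_report(3, 4, seed=2023))
```

The check worth internalising is the second one: with a quorum of two out of a 3-of-4 split, interpolation still returns a value, it is just the wrong one (for two points it is secret minus a2·x1·x2), so "fewer than threshold" does not degrade gracefully, it yields nothing.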

Web3Signer — Ethereum remote signer

ACTIVE

Web3Signer sits between our Ethereum validator clients and the YubiHSM-backed signing keys. A compromised validator client cannot extract the key; at worst it can request a signature, and Web3Signer checks every request against its slashing-protection history before releasing one.
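What the slash-protect check in front of the key amounts to, as an added example that is not 01.ro's deployment and not Web3Signer's code: a per-validator signing history with the EIP-3076 conditions applied as I read them (a lower-bound watermark on block slot, attestation source and attestation target, plus explicit double-proposal, double-vote and surround-vote detection against every stored entry). Slots, epochs, signing roots and the replayed request list are constructed.

```python
# Added illustration, not 01.ro's code and not Web3Signer's implementation: the
# kind of slashing-protection check a remote signer runs before a signature is
# released. Rules follow EIP-3076 as I read them: lower-bound watermarks plus
# double-proposal, double-vote and surround-vote detection.
from dataclasses import dataclass, field


@dataclass
class SlashingProtectionDB:
    """Signing history for one validator key, kept by the signer, not by the
    validator client that asks for signatures."""
    blocks: dict = field(default_factory=dict)        # slot -> signing_root
    attestations: list = field(default_factory=list)  # (source, target, signing_root)

    def check_block(self, slot, signing_root):
        """Return (allowed, reason); record the block only when allowed.
        In a real signer check + record must be one atomic transaction."""
        prev = self.blocks.get(slot)
        if prev is not None:
            if prev == signing_root:
                return True, "repeat of an identical block"
            return False, f"double proposal at slot {slot}"
        if self.blocks and slot <= max(self.blocks):
            return False, f"slot {slot} not above highest signed slot {max(self.blocks)}"
        self.blocks[slot] = signing_root
        return True, "ok"

    def check_attestation(self, source, target, signing_root):
        if source > target:  # malformed request: never sign it
            return False, "source epoch after target epoch"
        for s, t, root in self.attestations:
            if t == target:
                if root == signing_root:
                    return True, "repeat of an identical attestation"
                return False, f"double vote at target epoch {target}"
            if s < source and target < t:
                return False, f"would be surrounded by ({s}, {t})"
            if source < s and t < target:
                return False, f"would surround ({s}, {t})"
        if self.attestations:
            min_source = min(s for s, _, _ in self.attestations)
            max_target = max(t for _, t, _ in self.attestations)
            if source < min_source:
                return False, f"source {source} below lowest signed source {min_source}"
            if target <= max_target:
                return False, f"target {target} not above highest signed target {max_target}"
        self.attestations.append((source, target, signing_root))
        return True, "ok"


def replay(db, requests):
    """Feed a list of ("block", slot, root) / ("att", source, target, root)
    tuples through the DB and return the (allowed, reason) decisions."""
    out = []
    for req in requests:
        if req[0] == "block":
            out.append(db.check_block(req[1], req[2]))
        else:
            out.append(db.check_attestation(req[1], req[2], req[3]))
    return out


# Constructed request stream a misbehaving validator client might send.
SAMPLE_REQUESTS = [
    ("block", 1000, "b1"),       # first proposal at slot 1000
    ("block", 1000, "b1"),       # same block again (retry): fine
    ("block", 1000, "b2"),       # different block, same slot: double proposal
    ("block", 999, "b3"),        # older slot than anything signed: refused
    ("att", 30, 31, "a1"),
    ("att", 30, 31, "a2"),       # same target, different root: double vote
    ("att", 31, 33, "a3"),
    ("att", 29, 34, "a4"),       # would surround (30,31) and (31,33)
    ("att", 32, 32, "a5"),       # would be surrounded by (31,33)
    ("att", 33, 34, "a6"),
    ("att", 32, 34, "a7"),       # target 34 already signed with another root
]

if __name__ == "__main__":
    for req, (ok, why) in zip(SAMPLE_REQUESTS, replay(SlashingProtectionDB(), SAMPLE_REQUESTS)):
        print("SIGN  " if ok else "REFUSE", req, why)
```

The point of keeping this history on the signer rather than the validator client is visible in the replay: every refused line is a request that a compromised client could emit, and none of them reach the HSM. The watermark rules are the conservative fallback that also makes an exported history safe to import elsewhere.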

Validator key ceremony protocol

ACTIVE
Since 2019

Keys generated in-HSM, never exported. Access is dual-controlled; rotation events are logged, reviewed, and counter-signed.

// 02 — Network & infrastructure

Our own ASN, our own racks, our own failover.

AS211396 — our own autonomous system

ACTIVE

We operate AS211396 with BGP routing policy under our control, not rented from a cloud provider. Direct 20 Gbps+ peering to Tier 1 carriers, not shared public-cloud ingress.

Two Tier III TIA-942 datacenters in Bucharest

ACTIVE
Since 2019

Active-passive deployment across two physically separate Tier III facilities. Manual failover with rehearsed procedures — no single point of failure shared with neighbour tenants.

140 Gbps DDoS mitigation at the edge

ACTIVE

Layer 3/4 volumetric attack mitigation at the facility boundary. Tier 1 transit provides scrubbing capacity before traffic enters our prefixes.

VPN-only infrastructure access

ACTIVE
Since June 2019

Access to any node — signer, validator, sentinel, monitoring — is only possible from a small set of known-good locations through VPN. No direct inbound SSH from the public internet has ever been permitted.

Sentinel and relayer topology (3–6 sentries per network)

ACTIVE
Since 2019

Validator nodes sit behind multiple sentries per network. Public RPC traffic never reaches a signing node directly. Published in the 2019 setup article.

Sub-second eBPF-based monitoring

ACTIVE

Standard Prometheus scrapes at 15-second intervals are too coarse for oracle and validator workloads. We operate a bespoke eBPF probe stack that alerts on the shape of a single oracle report cycle or block-production window.

Verified · Technical write-up

// 03 — Operational security

The humans are the hardest path to compromise.

Phishing-resistant MFA for ops team

ACTIVE

Hardware-backed FIDO2 / WebAuthn passkeys for all administrative systems. SMS-based 2FA is explicitly disallowed anywhere in the ops pipeline.

Named on-call engineering

ACTIVE

Every validator has a named accountable engineer. Incident response is handled by people with context on the chain, not a ticket queue.

Chain upgrade discipline — internal testnet first

ACTIVE

Every chain upgrade is applied to our internal testnet infrastructure before production. We do not upgrade on day one unless we have personally verified the binary.

Double-sign protection

ACTIVE

Key-ownership lock files and HSM-level constraints make a double-sign by our own infrastructure impossible by construction. Zero slashing events across 40+ mainnets in 6 years.
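The guard behind the lock-file claim above and the double-sign risk the Horcrux section mentions, as an added example that is not 01.ro's code and not Tendermint's or Horcrux's: the last-signed height/round/step check that a Cosmos signer persists in priv_validator_state.json (Horcrux keeps the same state shared across its cosigners), combined with an exclusive lock on the state file so that a second process cannot take ownership of the same key while the first is alive. The signature routine is a stand-in HMAC, the state-file layout and lock-file name are my choices, the vote sequence is constructed, and Tendermint's allowance for re-signing a vote that differs only in its timestamp is omitted.

```python
# Added illustration, not 01.ro's, Tendermint's or Horcrux's code: a Cosmos-style
# height/round/step (HRS) guard persisted before any signature leaves the
# process, plus an exclusive key-ownership lock so two signers cannot both own
# the same consensus key. Signature routine is a stand-in HMAC (assumption).
import fcntl
import hashlib
import hmac
import json
import os
import shutil
import tempfile

STEP_PROPOSE, STEP_PREVOTE, STEP_PRECOMMIT = 1, 2, 3


class DoubleSignRisk(Exception):
    """Raised whenever releasing a signature could produce evidence against us."""


def fake_sign(sign_bytes):
    # Stand-in for the HSM/threshold signature, keyed with a fixed demo secret.
    return hmac.new(b"demo-key-not-real", sign_bytes, hashlib.sha256).hexdigest()


class SignerState:
    """Owns one consensus key's last-signed (height, round, step) on disk."""

    def __init__(self, path):
        self.path = path
        # Exclusive, non-blocking lock: a failover node started while the
        # primary still holds the key is refused instead of double-signing.
        self.lock_fd = os.open(path + ".lock", os.O_CREAT | os.O_RDWR, 0o600)
        try:
            fcntl.flock(self.lock_fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except OSError:
            os.close(self.lock_fd)
            raise DoubleSignRisk("key state already owned by another process")
        if os.path.exists(path):
            with open(path) as f:
                self.last = json.load(f)
        else:
            self.last = {"height": 0, "round": 0, "step": 0, "sign_bytes": "", "signature": ""}

    def _persist(self):
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(self.last, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)  # atomic: a crash leaves old or new, never half

    def sign_vote(self, height, round_, step, sign_bytes):
        hrs = (height, round_, step)
        last = (self.last["height"], self.last["round"], self.last["step"])
        if hrs < last:
            raise DoubleSignRisk(f"HRS regression: {hrs} < last signed {last}")
        if hrs == last:
            if sign_bytes.hex() == self.last["sign_bytes"]:
                return self.last["signature"]  # identical re-request: idempotent
            raise DoubleSignRisk(f"conflicting vote at {hrs}")
        sig = fake_sign(sign_bytes)
        self.last = {"height": height, "round": round_, "step": step,
                     "sign_bytes": sign_bytes.hex(), "signature": sig}
        self._persist()  # durable before the signature leaves the process
        return sig

    def close(self):
        fcntl.flock(self.lock_fd, fcntl.LOCK_UN)
        os.close(self.lock_fd)


def demo_scenario():
    """Constructed vote sequence exercising the guard; returns the decision trail."""
    trail = []
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "priv_validator_state.json")

    def attempt(label, fn):
        try:
            fn()
            trail.append(f"{label}: signed")
        except DoubleSignRisk:
            trail.append(f"{label}: refused")

    s = SignerState(path)
    attempt("prevote h10 block-A", lambda: s.sign_vote(10, 0, STEP_PREVOTE, b"block-A"))
    attempt("same prevote again", lambda: s.sign_vote(10, 0, STEP_PREVOTE, b"block-A"))
    attempt("conflicting prevote h10 block-B", lambda: s.sign_vote(10, 0, STEP_PREVOTE, b"block-B"))
    attempt("precommit h10 block-A", lambda: s.sign_vote(10, 0, STEP_PRECOMMIT, b"block-A"))
    attempt("stale prevote h9", lambda: s.sign_vote(9, 0, STEP_PREVOTE, b"block-Z"))
    attempt("second owner of same key", lambda: SignerState(path))
    s.close()
    # Crash/restart: a fresh process reloads the persisted HRS and still refuses h10.
    s2 = SignerState(path)
    attempt("after restart, prevote h10 block-B", lambda: s2.sign_vote(10, 0, STEP_PREVOTE, b"block-B"))
    attempt("after restart, prevote h11 block-C", lambda: s2.sign_vote(11, 0, STEP_PREVOTE, b"block-C"))
    s2.close()
    shutil.rmtree(workdir, ignore_errors=True)
    return trail


if __name__ == "__main__":
    print("\n".join(demo_scenario()))
```

Two details carry the protection: the state is fsynced and atomically renamed before the signature is returned, so a crash between "signed" and "recorded" cannot happen, and the lock is taken on a separate open file description, so a second process (or a hot backup promoted too early) fails closed rather than racing the primary.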

// 04 — Certifications & assurance

Independent verification, in progress and planned.

ISO 9001 — Quality Management

ACTIVE

Certified under ISO 9001, covering operational quality across validator and RPC services.

SOC 2 Type II

PLANNED

On the 2026-2027 compliance track. Target: engage a Tier 1 auditor for a Type I readiness assessment, followed by the Type II observation window. Our existing ISO 27001 ISMS maps to most of the SOC 2 Security (common) criteria, which reduces the gap materially.

MiCA CASP authorisation

PLANNED

Filing track under EU Markets in Crypto-Assets regulation, in preparation for full MiCA enforcement from July 1, 2026.

Independent penetration test — Tier 1 vendor

PLANNED

Annual external penetration test engagement with a top-tier security firm. Executive summary will be made available to counterparties under NDA.

Bug bounty programme

PLANNED

Scoped programme via Immunefi for validator infrastructure, oracle node, and public RPC surfaces.

// 05 — Responsible disclosure

Report something. We will reply.


Security contact

We accept vulnerability reports on validator infrastructure, oracle nodes, public RPC endpoints, and the marketing site. Encrypt sensitive reports with our PGP key or use a secure channel of your choice.

Response SLA · < 48h acknowledgement
Report a vulnerability

Safe harbour

Good-faith research conducted under this policy will not be pursued as unauthorised access under Romanian or EU law. In scope: our owned systems at 01.ro and validator endpoints we operate. Out of scope: third-party protocols, upstream vendors, social engineering of our team, and denial-of-service testing.

  • Do not exfiltrate or retain user data
  • Do not disrupt service or break continuity
  • Give us reasonable time to remediate before disclosure
  • We credit reporters on request after a fix ships

$ 01.ro --security --verify
KEY_STORE: YUBIHSM2 · DUAL_DC · SINCE 2019-06
DVT_ETHEREUM: 5 LIDO SIMPLE_DVT CLUSTERS · 4 OBOL + 1 SSV
NETWORK: AS211396 · 20GBPS+ PEERING · 140GBPS DDOS
DATACENTERS: 2 TIER_III TIA-942 · ACTIVE-PASSIVE
ACCESS: VPN_ONLY · FIDO2_PASSKEYS · NO_SMS_2FA
CERTS: ISO_27001 · ISO_9001 · STAKINGREWARDS_AA
SLASHING_EVENTS_LIFETIME: 0
DISCLOSURE: /.well-known/security.txt

Running a vendor review on us?

Request the full trust pack: certifications, policies, DPA template, architectural diagrams, and historical incident review — delivered under NDA.