Stake Pool Security Basics
I shall preface by saying that delegating ADA to a stake pool never puts the delegated ADA itself at risk: the funds stay in the staker's own wallet, so a compromised pool cannot take them. Why, then, does stake pool security matter?
In order for a stake pool to earn rewards, its servers must be online during the slot(s) for which it has been elected slot leader. The odds of being elected depend on the pool's share of the total stake. If the pool's servers are offline during such a slot, the pool misses producing that block, and both the operator and the stakers miss out on the block reward. Hence the stake pool operator's most important job is to keep the servers online and functioning 24/7.
The IOHK documentation for setting up stake pools sets out several basic measures for securing a stake pool and keeping it continuously available [1]:
Use your firewall to restrict inbound connections to the block producing server to your relays only
Use your firewall to restrict inbound connections to your relay servers to the Cardano network and your block producing server
Restrict management of your servers with your firewall to the admin server's IP address only, use a dedicated SSH key pair, and move SSH off the standard port
Keep stake pool keys off every Internet-connected server and store them offline
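To make the four rules concrete, here is an added example (my own, not BEAVR's or IOHK's configuration) that renders an nftables ruleset for each server role plus an sshd hardening drop-in. Every address, port and path in it is an assumed placeholder: 203.0.113.x for the relays, 198.51.100.5 for the admin server, node port 3001, SSH moved to 2222, and the sshd_config.d drop-in path. Review the rendered files, then apply each with nft -f on the matching host.

```shell
#!/bin/sh
# Added example, not BEAVR's or IOHK's own configuration: render an nftables
# ruleset per server role and an sshd hardening drop-in that together implement
# the four rules above.  All addresses and ports are constructed placeholders.

RELAY_IPS="203.0.113.11 203.0.113.12"   # relay public addresses (constructed)
ADMIN_IP="198.51.100.5"                 # admin server address (constructed)
NODE_PORT=3001                          # cardano-node listen port (assumed)
SSH_PORT=2222                           # non-standard sshd port (assumed)

# accept_from PORT IP...: one nft accept rule per allowed source address
accept_from() {
  port=$1; shift
  for ip in "$@"; do
    printf '        ip saddr %s tcp dport %s accept\n' "$ip" "$port"
  done
}

# render_ruleset bp|relay: print the nftables ruleset for that role.
# Default policy is drop; SSH is only accepted from the admin server.
render_ruleset() {
  role=$1
  case $role in
    bp|relay) ;;
    *) echo "render_ruleset: unknown role '$role'" >&2; return 1 ;;
  esac
  cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # management: only the admin server, only on the non-standard port
$(accept_from "$SSH_PORT" "$ADMIN_IP")
EOF
  if [ "$role" = bp ]; then
    echo "        # block producer: only our own relays may reach the node port"
    accept_from "$NODE_PORT" $RELAY_IPS   # unquoted on purpose: split the list
  else
    echo "        # relay: the Cardano network (which includes our block producer)"
    printf '        tcp dport %s accept\n' "$NODE_PORT"
  fi
  cat <<EOF
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output  priority 0; policy accept; }
}
EOF
}

# render_sshd_config: key-only logins, no root, custom port, admin server only
render_sshd_config() {
  cat <<EOF
# /etc/ssh/sshd_config.d/hardening.conf (assumed path; needs OpenSSH >= 8.2 Include)
Port $SSH_PORT
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
AllowUsers *@$ADMIN_IP
EOF
}

# check_no_open_ssh RULESET_TEXT: succeed only if no rule accepts SSH from anywhere
check_no_open_ssh() {
  ! printf '%s\n' "$1" | grep -Eq "^[[:space:]]*tcp dport (22|$SSH_PORT) accept"
}

# usage: render_ruleset bp > bp.nft; render_ruleset relay > relay.nft
#        render_sshd_config > hardening.conf; check_no_open_ssh "$(cat bp.nft)"
```

The block producer's ruleset carries no public rule for the node port at all: only the listed relay addresses may connect, and SSH is reachable only from the admin server, so nothing on the Internet can open a connection to the block producer directly. Run check_no_open_ssh over a rendered ruleset before applying it, and keep a console or out-of-band path to the host in case a typo locks you out.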
Below is a diagram of the high-level system design of BEAVR Stake Pool that implements these concepts.
Figure 1: High-level System Design of a Stake Pool with General Security
What Kind of Attacks Can Stake Pools Expect and How Do They Affect Stakers?
Generally, there are two types of attack a stake pool can expect:
Gaining access to any of the servers (block producer, relay, admin)
Distributed Denial of Service (DDoS)
Gaining Access to Stake Pool Servers
The first type relies on sloppy server configuration to let an attacker onto the server. Once in, the attacker can:
Take the stake pool operator's pledge, if the keys that control it are stored on the server
Take the server offline
In the case of the operator of HAPPY, 1M ADA of his pledge was stolen when an attacker gained access to his server, on which he had stored his keys [2], which highlights why operators must keep their keys offline. The attacker got in by exploiting Docker, a containerization platform that lets users package services as containers and that some pool operators have been using to set up servers quickly.
This type of attack affects stakers by reducing the potential block rewards they can receive. If a server is taken offline, the pool may miss producing a block. If the pool loses its pledge, it has less stake and is therefore less likely to be elected slot leader, and if the remaining pledge falls below the amount declared in the pool's registration, the pool earns no rewards at all until the pledge is met again.
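A quick way to verify the lesson from [2] on a running node is to audit it for key files that should never be online. The following is an added example, my own script rather than anything from the HAPPY operator's post or from IOHK. It recognises keys by the type field of cardano-cli's text-envelope files (JSON with "type", "description" and "cborHex"), treating the cold signing key, its operational-certificate issue counter and the pledge wallet's payment/stake signing keys as offline-only, while the KES key, VRF key and operational certificate that a block producer legitimately needs are left alone. The sample tree it builds uses dummy payloads, not real keys, and the type names should be checked against your own key files.

```shell
#!/bin/sh
# Added example, not from the original post or from cardano-cli: audit an online
# node for key material that should only ever live offline.  It reads the "type"
# field of cardano-cli text-envelope files and flags offline-only key types.

# Envelope type names as cardano-cli writes them; verify against your own files.
OFFLINE_ONLY_TYPES='StakePoolSigningKey_ed25519
NodeOperationalCertificateIssueCounter
PaymentSigningKeyShelley_ed25519
StakeSigningKeyShelley_ed25519'

# envelope_type FILE: print the envelope "type" of FILE, or nothing if it is not one
envelope_type() {
  sed -n 's/.*"type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# scan_for_offline_keys DIR: print "TYPE<TAB>PATH" for every offline-only key under DIR
scan_for_offline_keys() {
  find "$1" -type f -size -65536c 2>/dev/null | while IFS= read -r f; do
    t=$(envelope_type "$f")
    [ -n "$t" ] || continue
    if printf '%s\n' "$OFFLINE_ONLY_TYPES" | grep -qx "$t"; then
      printf '%s\t%s\n' "$t" "$f"
    fi
  done
}

# audit_online_host DIR: return 1 (listing the hits on stderr) if DIR holds any
# offline-only key, 0 if it is clean.  Run it over the home and node directories
# of every block producer and relay.
audit_online_host() {
  hits=$(scan_for_offline_keys "$1")
  if [ -n "$hits" ]; then
    printf 'offline-only key material found on this host:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# --- constructed sample data so the audit can be exercised offline ---
# write_envelope FILE TYPE: write a text envelope with a dummy payload (NOT a real key)
write_envelope() {
  printf '{\n    "type": "%s",\n    "description": "",\n    "cborHex": "4100"\n}\n' "$2" > "$1"
}

# make_sample_tree DIR: DIR/bp mimics a correctly provisioned block producer,
# DIR/cold mimics a server on which the operator wrongly left cold and wallet keys
make_sample_tree() {
  mkdir -p "$1/bp" "$1/cold"
  write_envelope "$1/bp/kes.skey"       KesSigningKey_ed25519
  write_envelope "$1/bp/vrf.skey"       VrfSigningKey_PraosVRF
  write_envelope "$1/bp/node.cert"      NodeOperationalCertificate
  echo '{"Producers": []}' > "$1/bp/topology.json"   # non-key JSON: must be ignored
  write_envelope "$1/cold/cold.skey"    StakePoolSigningKey_ed25519
  write_envelope "$1/cold/cold.counter" NodeOperationalCertificateIssueCounter
  write_envelope "$1/cold/payment.skey" PaymentSigningKeyShelley_ed25519
}

# usage: audit_online_host /home/cardano && echo clean
```

The scan only looks at small regular files and matches on the envelope type rather than the file name, so a cold key renamed to something innocuous is still caught; a key stored outside the scanned directory, or copied somewhere world-readable, is not, so run it from / on a host you suspect. A clean result is no substitute for never copying the cold and wallet keys to an online machine in the first place.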
DDoS
The main reason for putting several relay servers in front of the block producer is redundancy against DDoS. DDoS attacks have not been prevalent on the Cardano network so far, but multiple relays make it harder to knock the pool offline when it needs to produce a block, since a coordinated DDoS against several server IPs at once is more difficult and expensive. The block producer itself, which accepts connections only from the relays, is not exposed to the flood at all.
This type of attack affects stakers by potentially reducing the block rewards they can receive: if the pool is taken offline, it might miss producing a block.
tl;dr
Stakers run no risk of losing their ADA when a stake pool is compromised. The only thing at risk is potential block rewards, since compromised servers can be taken offline. BEAVR implements these safeguards and more to make sure its servers are running 24/7, so that you, the staker, keep receiving rewards when we produce blocks.
References
[1] Cardano Documentation, IOHK, 2020, https://docs.cardano.org/projects/cardano-node/en/latest/stake-pool-operations/node_keys.html
[2] Cardano Forum, junada, 2020, https://forum.cardano.org/t/spos-do-not-repeat-my-mistakes-keep-your-core-node-safe/37766