primev/mev-commit

Lack of BLS pubkey validation

shaspitz opened this issue · 2 comments

Both validators and builders in the mev pipeline are identified by a 48-byte BLS pubkey (incompatible w/ normal EOA keypair). Currently we do not fully validate the ownership of a particular BLS pubkey that's passed to the provider registry or validator registry during opt-in. We merely check that the pubkey arg is indeed 48 bytes in length.

We need a well thought out mechanism to validate the ownership of BLS pubkeys for builders and validators. This could involve some form of off-chain validation, or requiring builders and validators to sign over a particular message with their BLS key to then submit their signature onchain.

The oracle could also periodically iterate through opted-in actors and confirm they have an active BLS pubkey with the beacon chain. Non-active keys could be blacklisted or slashed depending on the type of actor.

Note the current solution assumes builders set extradata to a "builder name" string similar to something like: beaverbuild.org (Hex: 0x6265617665726275696c642e6f7267). However, we could ask builders to change their extradata field to something like a 32-byte hash of their BLS pubkey, if it helps in robust BLS pubkey validation.

Maybe we can look into adding a precompile on the mev-commit chain for BLS-signature verification.
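
The issue notes that opt-in only checks that the pubkey is 48 bytes long. As an added example (not code from the mev-commit repository), the Go sketch below shows the structural checks a registry-side client can run on a compressed BLS12-381 G1 key with the standard library alone. The function name `CheckPubkeyHex` is hypothetical, and the checks exclude the subgroup test and prove nothing about ownership, which still needs a signature from the key as the issue proposes.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

// BLS12-381 base field modulus p.
var fieldP, _ = new(big.Int).SetString("1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab", 16)

// CheckPubkeyHex (hypothetical helper) runs structural checks on a compressed
// G1 public key. It skips the subgroup check and does not prove ownership.
func CheckPubkeyHex(s string) error {
	pk, err := hex.DecodeString(s)
	if err != nil {
		return err
	}
	if len(pk) != 48 {
		return errors.New("pubkey must be 48 bytes")
	}
	if pk[0]&0x80 == 0 { // top bit marks the compressed encoding
		return errors.New("compression flag not set")
	}
	if pk[0]&0x40 != 0 { // second bit marks the identity point
		return errors.New("point at infinity is not a valid pubkey")
	}
	// Mask the three flag bits to recover the x coordinate.
	x := new(big.Int).SetBytes(append([]byte{pk[0] & 0x1f}, pk[1:]...))
	if x.Cmp(fieldP) >= 0 {
		return errors.New("x coordinate is not a field element")
	}
	// Curve equation y^2 = x^3 + 4: the right-hand side must be a square mod p.
	rhs := new(big.Int).Exp(x, big.NewInt(3), fieldP)
	rhs.Add(rhs, big.NewInt(4)).Mod(rhs, fieldP)
	if new(big.Int).ModSqrt(rhs, fieldP) == nil {
		return errors.New("x is not on the curve")
	}
	return nil
}

func main() {
	// Constructed inputs: the G1 generator, and 48 zero bytes that pass a length-only check.
	gen := "97f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bb"
	fmt.Println("generator:", CheckPubkeyHex(gen))
	fmt.Println("zeros:", CheckPubkeyHex(hex.EncodeToString(make([]byte, 48))))
}
```
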