Operator Documentation

Technical runbook for external validator seat operators.

Everything you need to set up, secure, monitor, and maintain a Centurion validator seat — from hardware selection through BLS key generation, onboarding submission, and ongoing operations.

Apply for a Seat Lifecycle Overview

Prerequisites

Hardware and infrastructure minimums.

These are the minimums for a single seat. Operators running multiple seats should scale RAM and storage accordingly.

CPU

8+ cores

Modern x86-64 or ARM64 processor

RAM

32 GB

64 GB recommended for multi-seat setups

Storage

2 TB NVMe SSD

High IOPS required; spinning disks will fall behind chain

Network

≥ 25 Mbps

Stable connection; symmetric bandwidth preferred

Linux

Ubuntu 22.04 LTS or Debian 12 recommended

Hosting

Any

Bare metal, AWS, GCP, Hetzner, OVH, and other VPS providers work

Wallet requirement

You need a Centurion-compatible EVM wallet for vault beneficiary designation. This wallet receives operator-side reward claims during the running phase. It is separate from your validator BLS signing keys — do not mix them up.

Client Setup

Three clients. One validator.

Centurion is an EVM-compatible proof-of-stake chain that ships its own client software. Run one execution client (go-centurion or rustcen), one consensus client (rockstar or centauri), and a validator client. Prefer the minority client on each layer where possible — diversity strengthens the network.

Required open ports

Execution client

30303 TCP/UDP

Peer-to-peer discovery and block propagation

Consensus client

9000 TCP/UDP

Beacon chain peer connections and attestation gossip

Validator client

No inbound required

Connects outbound to local consensus client only

Genesis & Bootnode Artifacts

Centurion is its own network. You cannot start from Ethereum mainnet or testnet genesis files. The program team distributes network artifacts directly to approved operators after seat assignment.

Execution Layer

• Chain ID and network name
• Execution genesis.json
• Static bootnode enodes

Consensus Layer

• Genesis state SSZ file
• Beacon config.yaml
• Trusted peer ENRs

These artifacts are delivered through the onboarding handoff, not published here. If you need replacements during operation, contact validator-program@centurion.network.

Client Source & Builds

Centurion ships its own EL and CL client software.

Clone the repos below and build from source. Each repository's README documents the full toolchain requirements, supported platforms, and release notes. Use one EL and one CL; prefer the minority client on each layer.

Execution

go-centurion

github.com/centurion-protocol/go-centurion

Language

Go 1.23+

Execution

rustcen

github.com/centurion-protocol/rustcen

Language

Rust (stable)

Consensus

centauri

github.com/centurion-protocol/centauri

Language

Rust (stable)

Consensus

rockstar

github.com/centurion-protocol/rockstar

Language

Node.js + pnpm

Always build from a tagged release on a trusted host. Verify the commit hash matches the published release notes before putting a binary on an active validator host.

BLS Key Generation

Generate your validator keys offline.

External operators generate BLS keypairs in their own controlled environment. The Foundation does not generate, receive, store, or regenerate your validator private key material at any point.

centurion-deposit-cli

Clone and build the operator-side CLI that generates the validator BLS keypair, the keystore file, and the deposit data payload you submit during onboarding.

github.com/ctnstaker/centurion-deposit-cli

Work on an air-gapped machine or a machine that will never go online again after key generation. A live bootable USB (Tails OS or Ubuntu) on a clean laptop is a reliable approach.

Clone centurion-deposit-cli from the repository linked above and build it locally. Verify the commit against the latest release tag before running it.

Run: centurion-deposit-cli new-mnemonic --num_validators 1 --chain centurion

Write down your mnemonic on paper. Do not type it into any digital device, take a photo of it, or store it in a password manager. This is your only recovery path.

The CLI outputs two files: keystore-m_12381_…json (load this into your validator client) and deposit_data-*.json (submit this during onboarding). Never send the keystore file to anyone.

Move the keystore file to your validator host via an encrypted channel (scp over SSH key auth). Delete it from any intermediate storage.

Never run the same keystore on two machines at the same time. Double-signing is a slashable offense. The protocol burns balance and there is no recovery path. When in doubt, wait.

Onboarding Submission

What you submit, and what you never send.

After seat approval, you submit your validator pubkey and deposit data for the assigned seat. The Foundation validates those inputs before funding.

Wait for your seat assignment notification from the program team. It will include your assigned vault withdrawal credentials.

Submit your validator public key and the deposit_data-*.json file through the operator console or the onboarding contact channel.

Do not submit your BLS private key, keystore file, or mnemonic at any point during this process.

The Foundation validates your submission against the seat vault withdrawal credentials and the deposit allowlist policy.

You will be notified when validation is complete and the deposit is funded. No action is required on your part during this step.

What to submit

Validator public key data + deposit_data-*.json

What never to send

BLS private key · keystore JSON file · mnemonic phrase

Going Live

After the deposit, your validator enters the activation queue.

Deposit inclusion and consensus-layer activation queue processing are separate events. Activation timing is variable and depends on current network queue depth.

Activation sequence

Foundation funds 32 CTN deposit transaction

Deposit included in an execution block

Consensus client picks up deposit and queues activation

Validator waits through activation queue (hours to days)

Validator reaches active status and begins attesting

Confirming you are live

Check your validator client logs for attestation messages after activation.

Query the beacon API to confirm active status:

GET /eth/v1/beacon/states/head/validators/{pubkey}

The response status field should read active_ongoing.

Monitoring

Alert on the things that matter.

Most validator clients expose Prometheus metrics natively. Wire them to your alerting stack and page on conditions that threaten continuity.

Missed attestations > 5% in a single epoch

Page

Check validator client connectivity to consensus client

Peer count < 10 on execution or consensus client

Page

Check firewall rules for port 30303 and 9000

Disk usage > 80%

Warn

Prune chain data or add storage before hitting 90%

Any client process restart

Warn

Check logs for the restart reason; escalate if recurring

Validator not seen attesting for > 2 epochs

Page

Confirm validator client is running and key is loaded

Troubleshooting

Common issues and how to resolve them.

Start with these checks when something looks off. They cover the most frequent operator incidents during activation and steady-state running.

Validator client is not connected to the consensus client — check the beacon API endpoint in your validator client config.
Keystore is not loaded — confirm the keystore path and password are correct in your validator client.
Consensus client is still syncing — check sync status via the beacon API before expecting attestations.

Upgrade Procedure

Apply upgrades before the target epoch.

The program team targets 72-hour advance notice for non-emergency upgrades. Emergency security events may require faster turnaround. Missing an upgrade past its target epoch can cause your validator to follow a minority fork.

Watch your email and the Announcements page. The program team targets 72 hours of notice for planned upgrades; emergency security events may require faster turnaround.

Stop your validator client cleanly before upgrading any client. Do not kill -9 it unless the process is stuck.

Upgrade the execution and/or consensus client binary as directed in the upgrade notice.

Restart the clients in order: execution client first, then consensus client, then validator client.

Confirm your validator is attesting again before marking the upgrade complete. Check your monitoring dashboard or query the beacon API.

Never skip an upgrade past its target epoch. Running a client that diverges from the canonical chain after a hard fork means your validator will attest to a minority fork and face penalties.

Hardware Migration

Stop fully before starting anywhere else.

Migrating a validator to new hardware is safe when done in strict sequence. The only risk is running the same keystore in two places at once.

Provision and fully sync the new host before touching the old host. Do not rush this step.

Stop the validator client on the old host. Confirm it has stopped — check the process list and the client logs.

Copy your keystore file from the old host to the new host using scp with SSH key authentication. Do not use cloud storage or email.

Start the validator client on the new host and confirm it is attesting before decommissioning the old host.

Running the same keystore on two machines simultaneously is a slashable offense. If you are uncertain whether the old validator is truly stopped, wait before starting the new one.

Glossary

Terms, protocols, and primitives.

Program-specific terms, cryptographic primitives, protocol mechanisms, and validator operations concepts referenced throughout this site.

Seat

A funded validator position in Centurion. One seat maps to one validator and one WithdrawalVault.

Beneficiary

Wallet identity authorized to receive operator-side vault proceeds under vault policy.

Treasury

Foundation-controlled address set that funds deposits and executes treasury-side settlement actions.

WithdrawalVault

Per-seat smart contract governing beneficiary claims and exit-settlement accounting. Each vault has two economic roles: operator beneficiary and Foundation treasury.

TreasuryRouter

A forwarding proxy that decouples the treasury's on-chain identity from the operational signing key. Enables key rotation via a 7-day time-locked process without redeploying vaults.

VaultFactory

On-chain contract that deploys vault instances with enforced parameters (32 CTN principal, PrincipalFirst policy) and maintains a registry. Enforces one vault per validator public key hash.

Principal-First

Exit rule where Foundation principal (up to 32 CTN) settles before any operator excess is distributed.

Shortfall

When total recoverable inflows are below 32 CTN after penalties or slashing; operator-side rewards can be zero.

Deposit Data

Validator onboarding payload submitted by the operator, including validator pubkey data and deposit parameters. Generated using centurion-deposit-cli.

BLS12-381

The digital signature scheme used on the consensus layer. Operates on the BLS12-381 elliptic curve with 128-bit security. Validator keypairs consist of a 32-byte private key and a 48-byte public key. BLS signatures support aggregation (combining thousands of attestation signatures into one) and are deterministic (one valid signature per key-message pair).

ECDSA

Elliptic Curve Digital Signature Algorithm, used on the execution layer (CVM) for authenticating transactions. Operates on the secp256k1 curve. BLS authenticates consensus-layer operations (attestations, exits) while ECDSA authenticates execution-layer transactions (vault calls, deposit contract interactions). The two authentication domains are structurally disjoint.

BLS Keystore (EIP-2335)

Standard JSON format for storing encrypted BLS private keys. The keystore encrypts the private key using a password-derived key (scrypt or PBKDF2), producing a portable file loadable by any compliant validator client. In BYO-BLS, the operator generates their own keystore and loads it into their validator client. The Foundation never sees this file.

Shamir Secret Sharing

A cryptographic scheme that splits a secret into n shares such that any t shares can reconstruct it, but fewer than t shares reveal nothing. Used in DVT to distribute a validator's BLS private key across multiple nodes. The threshold t balances fault tolerance (lower t) against security (higher t).

SSZ

Simple Serialize — the serialization format used throughout the consensus layer. Defines deterministic encoding for data types and computes a Merkle-tree hash tree root used in signing and verification. During onboarding, the operator signs the SSZ hash tree root of a DepositMessage container.

Withdrawal Credentials

32-byte value set at deposit time that determines where validator funds are sent. Two formats: 0x00 (BLS) couples withdrawal authority to the BLS key; 0x01 (execution layer) encodes an execution-layer address. BYO-BLS uses 0x01 credentials pointing to the vault contract, which is what enables CIP-7002 force-exits.

CIP-7002 (EL Triggerable Exits)

Execution-layer mechanism (activated in the Pectra upgrade) allowing the withdrawal credentials address to request a validator exit via a system contract, without any BLS signature. Uses a dynamic fee mechanism similar to EIP-1559 — fees can spike during mass-exit events. This is what enables the Foundation to force-exit validators without holding operator signing keys.

CIP-4895 (Push Withdrawals)

Introduced in the Capella upgrade. The protocol automatically sweeps excess validator balance to the withdrawal credentials address. Partial withdrawals sweep excess above max effective balance periodically (~every 4-5 days). Full withdrawals sweep the entire remaining balance after exit. These are protocol-level operations that credit the vault without executing contract code.

CIP-7251 (Max Effective Balance)

Raises the maximum effective balance for validators beyond 32 CTN (up to 2048 CTN). Relevant for future variable-target settlement policies. The current vault design uses 0x01 execution credentials and submits full-exit requests only.

CIP-7702 (EOA Account Code)

Allows externally owned accounts (EOAs) to temporarily delegate to contract code, blurring the distinction between EOAs and contracts. Active post-Pectra. This is a known residual risk (R2): a beneficiary address that is an EOA today could execute arbitrary code later. Mitigated by the vault's reentrancy guard.

CIP-2982 (Deposit Contract)

Specifies the deposit contract that bridges execution and consensus layers. Validators register by calling deposit with a BLS public key, withdrawal credentials, a BLS proof-of-possession signature, and a deposit data root. The DepositContractCTN extends this with a pubkey allowlist gate and an owner-only depositor gate.

CVM

Centurion Virtual Machine — the deterministic execution environment for smart contracts on the Centurion execution layer. "CVM-enforced" denotes properties guaranteed by the virtual machine: access control modifiers, reentrancy guards, arithmetic operations, and state updates that cannot be bypassed by any external actor.

Slashing

Protocol punishment for provably malicious validator behavior. Two conditions trigger it: double voting (signing two different attestations for the same slot) and surround voting (signing an attestation that surrounds or is surrounded by a previous one). Slashed validators lose at least 1/32 of effective balance (more if many validators are slashed simultaneously) and are forced to exit.

Validator Lifecycle

Protocol-defined states: Deposited (deposit included in a block) → Pending (waiting in activation queue) → Active (attesting and proposing) → Exiting (in exit queue, still attesting until exit epoch) → Exited (left active set, balance locked during withdrawal period) → Withdrawable (balance swept to withdrawal credentials). The seat manager's lifecycle is a coarser abstraction over these states.

DVT (Distributed Validator Technology)

Distributes a validator's signing authority across multiple nodes using threshold cryptography. No single node holds the full private key. Provides fault tolerance (up to n-t nodes offline) and slashing resistance (requires t+ malicious nodes to collude). DVT and BYO-BLS are complementary: an operator can use DVT internally while the Foundation uses CIP-7002 for exit authority.

Reentrancy Guard

Defense against reentrancy attacks where a malicious contract re-enters the calling contract during a token transfer before state updates complete. The WithdrawalVault uses a boolean lock that reverts if a function is called while another is executing, combined with the checks-effects-interactions pattern (state updates before external calls).

Ready to Run a Seat

Questions not covered here? Contact the program team.

For onboarding questions, incident escalation, and upgrade coordination reach the program team at the address below. See the support page for response targets and incident reporting format.

Apply Now Support

Technical runbook for external validator seat operators.

Validator not attesting after activation

Execution client peer count is zero

Consensus client is stuck and not syncing

Missed attestations spiking

Disk filling up faster than expected

Questions not covered here? Contact the program team.