From dc34ac633de5641af4f5014bcc44794a30a53067 Mon Sep 17 00:00:00 2001 From: thedevbirb Date: Wed, 16 Oct 2024 10:26:23 +0200 Subject: [PATCH] docs(holesky): README launch wip update --- testnets/holesky/README.md | 812 +++++++++++++++++++++++++++++++++++-- 1 file changed, 781 insertions(+), 31 deletions(-) diff --git a/testnets/holesky/README.md b/testnets/holesky/README.md index c031285f3..511b16942 100644 --- a/testnets/holesky/README.md +++ b/testnets/holesky/README.md @@ -1,31 +1,148 @@ -# Holesky Launch Instructions +This document provides instructions for running the Bolt sidecar on the Holesky testnet. -## Components +# Table of Contents -The components that need to run to test Bolt on Holesky are: + -- A synced execution client -- A synced beacon node -- Active validators -- Commit-Boost with Bolt configuration +* [Prerequisites](#prerequisites) +* [Setup](#setup) + * [Docker Mode (recommended)](#docker-mode-(recommended)) + * [Commit-Boost Mode](#commit-boost-mode) + * [Native Mode (advanced)](#native-mode-(advanced)) + * [Building and running the MEV-Boost fork binary](#building-and-running-the-mev-boost-fork-binary) + * [Building and running the Bolt sidecar binary](#building-and-running-the-bolt-sidecar-binary) + * [Configuration file](#configuration-file) + * [Observability](#observability) +* [Register your validators on-chain on the Bolt Registry](#register-your-validators-on-chain-on-the-bolt-registry) + * [Validator Registration](#validator-registration) + * [Bolt Network Entrypoint](#bolt-network-entrypoint) + * [Symbiotic Integration guide for Staking Pools](#symbiotic-integration-guide-for-staking-pools) + * [Symbiotic Integration guide for Operators](#symbiotic-integration-guide-for-operators) + * [EigenLayer Integration Guide for Node Operators and Solo Stakers](#eigenlayer-integration-guide-for-node-operators-and-solo-stakers) +* [Reference](#reference) + * [Command-line options](#command-line-options) + * [Delegations and signing options for standalone and docker container setup](#delegations-and-signing-options-for-standalone-and-docker-container-setup) + * [`bolt-delegations-cli`](#`bolt-delegations-cli`) + * [Installation and usage](#installation-and-usage) + * [Delegations CLI Example](#delegations-cli-example) + * [Using a private key directly](#using-a-private-key-directly) + * [Using a ERC-2335 Keystore](#using-a-erc-2335-keystore) + * [Avoid restarting the beacon node](#avoid-restarting-the-beacon-node) -## Setup + -### Commit-Boost +# Prerequisites -#### Installation +In order to run Bolt you need some components already installed and running in +your system. -To install the `commit-boost` CLI with `cargo`: +**A synced Geth client:** + +Bolt is fully trustless since it is able to produce a fallback block with the +commitments issued in case builders do not return a valid bid. In order to do so +it relies on a synced execution client, configured via the `--execution-api-url` +flag. At the moment only Geth is supported; with more +clients to be supported in the future. + +Using the sidecar with a different execution client could lead to commitment +faults because fallback block building is not supported yet. You can download +Geth from [the official website](https://geth.ethereum.org/downloads). + +**A synced beacon node:** + +Bolt is compatible with every beacon client. Please refer to the various beacon +client implementations to download and run them. + +**Active validators:** + +The Bolt sidecar requires signing keys from active Ethereum validators, or +authorized delegates acting on their behalf, to issue and sign preconfirmations. + +> [!NOTE] +> To run the Bolt sidecar it might be necessary to restart your beacon client in +> order to set the sidecar as the [builder +> endpoint](https://ethereum.github.io/builder-specs/). +> +> See this [section](#avoid-restarting-the-beacon-node) for more details. + +**LST collateral:** + +For Holesky in order to provide credible proposer commitments it is necessary to +restake 1 ether worth of ETH derivatives per validator in either the Symbiotic +or the EigenLayer protocol. + +# Setup + +There are various way to run the Bolt Sidecar depending on what infrastructure +you want to use and your preferred signing methods: + +- Docker mode (recommended); +- [Commit-Boost](https://commit-boost.github.io/commit-boost-client) mode + (requires Docker). +- Native mode (advanced, requires building everything from source); + +Running the Bolt sidecar as a standalone binary requires building it from +source. Both the standalone binary and the Docker container requires reading +signing keys from [ERC-2335](https://eips.ethereum.org/EIPS/eip-2335) keystores, +while the Commit-Boost module relies on an internal signer and a custom PBS +module instead of regular [MEV-Boost](https://boost.flashbots.net/). + +In this section we're going to explore each of these options and its +requirements. + +## Docker Mode (recommended) + +First, make sure to have both [Docker](https://docs.docker.com/engine/install/), +[Docker Compose](https://docs.docker.com/compose/install/) and +[git](https://git-scm.com/downloads) installed in your machine. + +Then clone the Bolt repository by running: ```bash -# Use specific commit hash to ensure compatibility -cargo install --locked --git https://github.com/Commit-Boost/commit-boost-client --rev aed00e8 commit-boost +git clone --branch v0.3.0 htts://github.com/chainbound/bolt.git && cd bolt +``` + +The Docker Compose setup will spin up the Bolt sidecar along with the Bolt +MEV-Boost fork which includes supports the [Constraints +API](https://docs.boltprotocol.xyz/api/builder). + +Before starting the services, you'll need to provide configuration files +containing the necessary environment variables: + +1. **Bolt Sidecar Configuration:** + + Create a `bolt-sidecar.env` file in the `testnets/holesky` directory. If you + need a reference, you can use the `.env.example` file in the `bolt-sidecar` + directory as a starting point. For proper configuration of the signing + options, please refer to the [Delegations and + Signing](#delegations-and-signing-options-for-standalone-and-docker-container-setup) + section of this guide. + +2. **MEV-Boost Configuration:** + + Similarly, create a `mev-boost.env` file in the + `testnets/holesky` folder to configure the MEV-Boost service. If you need a + reference, you can use the `.env.example` file in the `mev-boost` directory as a + starting point. + +If you prefer not to restart your beacon node, follow the instructions in the +[Avoid Restarting the Beacon Node](#avoid-restarting-the-beacon-node) section. + +Once the configuration files are in place, you can start the Docker containers +by running: -# Test installation -commit-boost --version +```bash +cd testnets/holesky && docker compose up -d ``` -#### Configuration +The docker compose setup comes with various observability tools, such as +Prometheus and Grafana. It also comes with some pre-built dashboards, which can +be found in the `grafana` directory. + +## Commit-Boost Mode + +First download the `commit-boost-cli` binary from the Commit-Boost [official +releases page](https://github.com/Commit-Boost/commit-boost-client/releases) A commit-boost configuration file with Bolt support is provided at [`cb-bolt-config.toml`](./cb-bolt-config.toml). This file has support for the @@ -59,13 +176,13 @@ To initialize commit-boost, run the following command: commit-boost init --config cb-bolt-config.toml ``` -This will create 3 files: +This will create three files: - `cb.docker-compose.yml`: which contains the full setup of the Commit-Boost services - `.cb.env`: with local env variables, including JWTs for modules - `target.json`: which enables dynamic discovery of services for metrics scraping via Prometheus -#### Running +**Running** The final step is to run the Commit-Boost services. This can be done with the following command: @@ -75,32 +192,665 @@ commit-boost start --docker cb.docker-compose.yml --env .cb.env This will run all modules in Docker containers. -> [!IMPORTANT] -> bolt-boost will be exposed at `pbs.port` (18551 by default, set with `BOLT_SIDECAR_BUILDER_PROXY_PORT`), and your beacon node MUST be configured +> [!IMPORTANT] > `bolt-boost` will be exposed at `pbs.port` (18551 by default, set with `BOLT_SIDECAR_BUILDER_PROXY_PORT`), and your beacon node MUST be configured > to point the `builder-api` to this port for Bolt to work. -### Bolt Sidecar +## Native Mode (advanced) + +For running the Bolt Sidecar as a standalone binary you need to have the +following dependencies installed: + +- [git](https://git-scm.com/downloads); +- [Rust](https://www.rust-lang.org/tools/install). +- [Golang](https://golang.org/doc/install). + +Depending on your platform you may need to install additional dependencies. + +
+Linux + +Debian-based distributions: + +```bash +sudo apt update && sudo apt install -y git build-essential libssl-dev build-essential ca-certificates +``` + +Fedora/Red Hat/CentOS distributions: + +```bash +sudo dnf groupinstall "Development Tools" && sudo dnf install -y git openssl-devel ca-certificates pkgconfig +``` + +Arch/Manjaro-based distributions: + +```bash +sudo pacman -Syu --needed base-devel git openssl ca-certificates pkgconf +``` + +Alpine Linux + +```bash +sudo apk add git build-base openssl-dev ca-certificates pkgconf +``` + +
+ +
-WIP +
+ MacOS + +On MacOS after installing XCode Command Line tools (equivalent to `build-essential` on Linux) you can install the other dependencies with [Homebew](https://brew.sh/): + +```zsh +xcode-select --install +brew install pkg-config openssl +``` + +
+ +--- + +After having installed the dependencies you can clone the Bolt repository by +running: + +```bash +git clone --branch v0.3.0 https://github.com/chainbound/bolt.git && cd bolt +``` + +### Building and running the MEV-Boost fork binary + +The Bolt protocol relies on a modified version of +[MEV-Boost](https://boost.flashbots.net/) that supports the [Constraints +API](https://docs.boltprotocol.xyz/api/builder). This modified version is +available in the `mev-boost` directory of the project and can be built by +running + +```bash +make build +``` + +in the `mev-boost` directory. The output of the command is a `mev-boost` binary. +To run the `mev-boost` binary please read the official [documentation](https://boost.flashbots.net/). + +If you're already running MEV-Boost along with your beacon client it is +recommended to choose another port this service in order to [avoid restarting +your beacon client](#avoid-restarting-the-beacon-node). Check out the linked +section for more details. + +### Building and running the Bolt sidecar binary + +Then you can build the Bolt sidecar by running: + +```bash +cargo build --release && mv target/release/bolt-sidecar . +``` + +In order to run correctly the sidecar you need to provide either a list command +line options or a configuration file (recommended). All the options available +can be found by running `./bolt-sidecar --help`, or you can find them in the +[reference](#command-line-options) section of this guide. + +#### Configuration file + +A configuration file can be either a `.env` file or a `.toml` file. If you use +`.env` file you can find a `.env.example` file in the repository that you can +use as a template. + +For a `.toml` file you can use the template in the `Config.example.toml`. Lastly +you need to specify the path of the configuration file by setting the +`BOLT_SIDECAR_CONFIG_PATH` environment variable to the path of the file. + +Please read the section on [delegations and signing](#delegations-and-signing-options-for-standalone-and-docker-container-setup) +to configure such sidecar options properly. + +After you've set up the configuration file you can run the Bolt sidecar with + +```bash +./bolt-sidecar-cli +``` ### Observability -commit-boost comes with various observability tools, such as Prometheus, cadvisor, and Grafana. It also comes with some pre-built dashboards, -which can be found in the `grafana` directory. +Commit-Boost comes with various observability tools, such as Prometheus, +cadvisor, and Grafana. It also comes with some pre-built dashboards, which can +be found in the `grafana` directory. To update these dashboards, run the following command: +`bash ./update-grafana.sh ` + +In this directory, you can also find a Bolt dashboard, which will be launched +alongside the other dashboards. + +# Register your validators on-chain on the Bolt Registry + +Once you are successfully running the Bolt sidecar you need to register on-chain +on the Bolt Registry to successfully receive preconfirmation requests from users +and RPCs. This step is needed to provide economic security to your +commitments. + +In order to do that you need some collateral in the form of whitelisted Liquid +Staking Token (LST) that needs to be restaked in either the Symbiotic or +EigenLayer protocol. Bolt is compatible with ETH derivatives on Holesky. Here +are references to the supported tokens on both restaking protocols: + +- [Symbiotic Vaults](https://docs.symbiotic.fi/deployments#vaults) + - [`wstETH`](https://holesky.etherscan.io/address/0x8d09a4502Cc8Cf1547aD300E066060D043f6982D) + - [`rETH`](https://holesky.etherscan.io/address/0x7322c24752f79c05FFD1E2a6FCB97020C1C264F1) +- [EigenLayer Strategies](https://github.com/Layr-Labs/eigenlayer-contracts#current-testnet-deployment) + - [`stETH`](https://holesky.etherscan.io/address/0x3F1c547b21f65e10480dE3ad8E19fAAC46C95034) + - [`rETH`](https://holesky.etherscan.io/address/0x7322c24752f79c05FFD1E2a6FCB97020C1C264F1) + - [`wETH`](https://holesky.etherscan.io/address/0x94373a4919B3240D86eA41593D5eBa789FEF3848) + - [`lsETH`](https://holesky.etherscan.io/address/0x1d8b30cC38Dba8aBce1ac29Ea27d9cFd05379A09) + - [`sfrxETH`](https://holesky.etherscan.io/address/0xa63f56985F9C7F3bc9fFc5685535649e0C1a55f3) + - [`ETHx`](https://holesky.etherscan.io/address/0xB4F5fc289a778B80392b86fa70A7111E5bE0F859) + - [`osETH`](https://holesky.etherscan.io/address/0xF603c5A3F774F05d4D848A9bB139809790890864) + - [`cbETH`](https://holesky.etherscan.io/address/0x8720095Fa5739Ab051799211B146a2EEE4Dd8B37) + - [`mETH`](https://holesky.etherscan.io/address/0xe3C063B1BEe9de02eb28352b55D49D85514C67FF) + - [`ankrETH`](https://holesky.etherscan.io/address/0x8783C9C904e1bdC87d9168AE703c8481E8a477Fd) + +Then you need to interact with two contracts on Holesky: +`BoltValidators` and `BoltManager`. The former is used to register your +active validators into the protocol, while the latter is used to manage to +register as an operator into the system and integrate with the restaking +protocols. + +## Validator Registration + +The [`BoltValidators`](./src/contracts/BoltValidators.sol) contract is the only point of entry for +validators to signal their intent to participate in Bolt Protocol and authenticate with their BLS private key. + +The registration process includes the following steps: + +1. Validator signs a message with their BLS private key. This is required to prove that the + validator private key is under their control and that they are indeed its owner. +2. Validator calls the `registerValidator` function providing: + 1. Their BLS public key + 2. The BLS signature of the registration message + 3. The address of the authorized collateral provider + 4. The address of the authorized operator + +Until the Pectra hard-fork will be activated, the contract will also expose a `registerValidatorUnsafe` function +that will not check the BLS signature. This is gated by a feature flag that will be turned off post-Pectra and +will allow us to test the registration flow in a controlled environment. + +## Bolt Network Entrypoint + +The [`BoltManager`](./src/contracts/BoltManager.sol) contract is a crucial component of Bolt that +integrates with restaking ecosystems Symbiotic and Eigenlayer. It manages the registration and +coordination of validators, operators, and vaults within the Bolt network. + +Key features include: + +1. Retrieval of operator stake and proposer status from their pubkey +2. Integration with Symbiotic +3. Integration with Eigenlayer + +Specific functionalities about the restaking protocols are handled inside +the `IBoltMiddleware` contracts, such as `BoltSymbioticMiddleware` and `BoltEigenlayerMiddleware`. + +### Symbiotic Integration guide for Staking Pools + +As a staking pool, it is assumed that you are already in control of a Symbiotic Vault. +If not, please refer to the [Symbiotic docs](https://docs.symbiotic.fi/handbooks/Handbook%20for%20Vaults) +on how to spin up a Vault and start receiving stake from your node operators. + +Opting into Bolt works as any other Symbiotic middleware integration. Here are the steps: + +1. Make sure your vault collateral is whitelisted in `BoltSymbioticMiddleware` by calling `isCollateralWhitelisted`. +2. Register as a vault in `BoltSymbioticMiddleware` by calling `registerVault`. +3. Verify that your vault is active in `BoltSymbioticMiddleware` by calling `isVaultEnabled`. +4. Set the network limit for your vault in Symbiotic with `Vault.delegator().setNetworkLimit()`. +5. You can now start approving operators that opt in to your vault directly in Symbiotic. +6. When you assign shares to operators, they are able to provide commitments on behalf of your collateral. + +### Symbiotic Integration guide for Operators + +As an operator, you will need to opt-in to the Bolt Network and any Vault that trusts you to provide +commitments on their behalf. + +The opt-in process requires the following steps: + +1. register in Symbiotic with `OperatorRegistry.registerOperator()`. +2. opt-in to the Bolt network with `OperatorNetworkOptInService.optIn(networkAddress)`. +3. opt-in to any vault with `OperatorVaultOptInService.optIn(vaultAddress)`. +4. register in Bolt with `BoltSymbioticMiddleware.registerOperator(operatorAddress)`. +5. get approved by the vault. +6. start providing commitments with the stake provided by the vault. + +### EigenLayer Integration Guide for Node Operators and Solo Stakers + +> [!NOTE] +> Without loss of generality, we will assume the reader of this guide is a Node +> Operator (NO), since the same steps apply to solo stakers. +> As a Node Operator you will be an ["Operator"](https://docs.eigenlayer.xyz/eigenlayer/overview/key-terms) +> in the Bolt AVS built on top of EigenLayer. This requires +> running an Ethereum validator and the Bolt sidecar in order issue +> preconfirmations. + +The Operator will be represented by an Ethereum address that needs +to follow the standard procedure outlined in the +[EigenLayer documentation](https://docs.eigenlayer.xyz/) to opt into EigenLayer. Let's go through the steps: + +1. As an Operator, you register into EigenLayer using [`DelegationManager.registerAsOperator`](https://github.com/Layr-Labs/eigenlayer-contracts/blob/mainnet/src/contracts/core/DelegationManager.sol#L107-L119). + +2. As an Ethereum validator offering precofirmations a NO needs some collateral in + order to be economically credible. In order to do that, some entities known as a "stakers" + need to deposit whitelisted Liquid Staking Tokens (LSTs) + into an appropriate "Strategy" associated to the LST via the + [`StrategyManager.depositIntoStrategy`](https://github.com/Layr-Labs/eigenlayer-contracts/blob/mainnet/src/contracts/core/StrategyManager.sol#L105-L110), + so that the Operator has a `min_amount` (for Holesky 1 ether) of collateral associated to it. + Whitelisted LSTs are exposed by the `BoltEigenLayerMiddleware` contract + in the `getWhitelistedCollaterals` function. + Note that NOs and stakers can be two different entities + _but there is fully trusted relationship as stakers will be slashed if a NO misbehaves_. + +3. After the stakers have deposited their collateral into a strategy they need + to choose you as their operator. To do that, they need to call the function + [`DelegationManager.delegateTo`](https://github.com/Layr-Labs/eigenlayer-contracts/blob/mainnet/src/contracts/core/DelegationManager.sol#L154-L163). + +4. As an Operator you finally opt into the Bolt AVS by interacting with the `BoltEigenLayerMiddleware`. + This consists in calling the function `BoltEigenLayerMiddleware.registerOperatorToAVS`. + The payload is a signature whose digest consists of: + + 1. your operator address + 2. the `BoltEigenLayerMiddleware` contract address + 3. a salt + 4. an expiry 2. + + The contract will then forward the call to the [`AVSDirectory.registerOperatorToAVS`](https://github.com/Layr-Labs/eigenlayer-contracts/blob/mainnet/src/contracts/core/AVSDirectory.sol#L64-L108) + with the `msg.sender` set to the Bolt AVS contract. Upon successful verification of the signature, + the operator is considered `REGISTERED` in a mapping `avsOperatorStatus[msg.sender][operator]`. + +Lastly, a NO needs to interact with both the `BoltValidators` and `BoltEigenLayerMiddleware` +contract. This is needed for internal functioning of the AVS and to make RPCs aware that you are a +registered operator and so that they can forward you preconfirmation requests. + +The steps required are the following: + +1. Register all the validator public keys you want to use with Bolt via the `BoltValidators.registerValidator`. + If you own more than one validator public key, + you can use the more gas-efficient `BoltValidators.batchRegisterValidators` function. + The `authorizedOperator` argument must be the same Ethereum address used for + opting into EigenLayer as an Operator. + +2. Register the same Operator address in the `BoltEigenLayerMiddleware` contract by calling + the `BoltEigenLayerMiddleware.registerOperator` function. This formalizes your role within the Bolt network + and allows you to manage operations effectively, such as pausing or resuming + your service. + +3. Register the EigenLayer strategy you are using for restaking _if it has not been done by someone else already_. + This ensures that your restaked assets are correctly integrated with Bolt’s system. + +# Reference + +## Command-line options + +For completeness, here are all the command-line options available for the Bolt +sidecar. You can see them in your terminal by running the Bolt sidecar binary +with the `--help` flag: + +``` +Command-line options for the Bolt sidecar + +Usage: bolt-sidecar [OPTIONS] --engine-jwt-hex --fee-recipient --builder-private-key --commitment-private-key <--constraint-private-key |--commit-boost-signer-url |--keystore-password |--keystore-secrets-path > + +Options: + --port + Port to listen on for incoming JSON-RPC requests of the Commitments API + + [env: BOLT_SIDECAR_PORT=] + [default: 8000] + + --execution-api-url + Execution client API URL + + [env: BOLT_SIDECAR_EXECUTION_API_URL=] + [default: http://localhost:8545] + + --beacon-api-url + URL for the beacon client + + [env: BOLT_SIDECAR_BEACON_API_URL=] + [default: http://localhost:5052] + + --engine-api-url + Execution client Engine API URL. This is needed for fallback block + building and must be a synced Geth node + + [env: BOLT_SIDECAR_ENGINE_API_URL=] + [default: http://localhost:8551] + + --constraints-api-url + URL to forward the constraints produced by the Bolt sidecar to a + server supporting the Constraints API, such as an MEV-Boost fork + + [env: BOLT_SIDECAR_CONSTRAINTS_API_URL=] + [default: http://localhost:3030] + + --constraints-proxy-port + The port from which the Bolt sidecar will receive Builder-API requests from the Beacon client + + [env: BOLT_SIDECAR_CONSTRAINTS_PROXY_PORT=] + [default: 18551] + + --validator-indexes + Validator indexes of connected validators that the sidecar should + accept commitments on behalf of. Accepted values: + - a comma-separated list of indexes (e.g. "1,2,3,4") + - a contiguous range of indexes (e.g. "1..4") + - a mix of the above (e.g. "1,2..4,6..8") + + [env: BOLT_SIDECAR_VALIDATOR_INDEXES=] + [default: ] + + --engine-jwt-hex + The JWT secret token to authenticate calls to the engine API. + + It can either be a hex-encoded string or a file path to a file containing the hex-encoded secret. + + [env: BOLT_SIDECAR_ENGINE_JWT_HEX=] + + --fee-recipient + The fee recipient address for fallback blocks + + [env: BOLT_SIDECAR_FEE_RECIPIENT=] + + --builder-private-key + Secret BLS key to sign fallback payloads with + + [env: BOLT_SIDECAR_BUILDER_PRIVATE_KEY=] + + --commitment-private-key + Secret ECDSA key to sign commitment messages with + + [env: BOLT_SIDECAR_COMMITMENT_PRIVATE_KEY=] + + --max-commitments-per-slot + Max number of commitments to accept per block + + [env: BOLT_SIDECAR_MAX_COMMITMENTS=] + [default: 128] + + --max-committed-gas-per-slot + Max committed gas per slot + + [env: BOLT_SIDECAR_MAX_COMMITTED_GAS=] + [default: 10000000] + + --min-priority-fee + Min priority fee to accept for a commitment + + [env: BOLT_SIDECAR_MIN_PRIORITY_FEE=] + [default: 1000000000] + + --chain + Chain on which the sidecar is running + + [env: BOLT_SIDECAR_CHAIN=] + [default: mainnet] + [possible values: mainnet, holesky, helder, kurtosis] + + --commitment-deadline + The deadline in the slot at which the sidecar will stop accepting new commitments for the next block (parsed as milliseconds) + + [env: BOLT_SIDECAR_COMMITMENT_DEADLINE=] + [default: 8000] + + --slot-time + The slot time duration in seconds. If provided, it overrides the default for the selected [Chain] + + [env: BOLT_SIDECAR_SLOT_TIME=] + [default: 12] + + --constraint-private-key + Private key to use for signing constraint messages + + [env: BOLT_SIDECAR_CONSTRAINT_PRIVATE_KEY=] + + --commit-boost-signer-url + URL for the commit-boost sidecar + + [env: BOLT_SIDECAR_CB_SIGNER_URL=] + + --commit-boost-jwt-hex + JWT in hexadecimal format for authenticating with the commit-boost service + + [env: BOLT_SIDECAR_CB_JWT_HEX=] + + --keystore-password + The password for the ERC-2335 keystore. Reference: https://eips.ethereum.org/EIPS/eip-2335 + + [env: BOLT_SIDECAR_KEYSTORE_PASSWORD=] + + --keystore-secrets-path + The path to the ERC-2335 keystore secret passwords Reference: https://eips.ethereum.org/EIPS/eip-2335 + + [env: BOLT_SIDECAR_KEYSTORE_SECRETS_PATH=] + + --keystore-path + Path to the keystores folder. If not provided, the default path is used + + [env: BOLT_SIDECAR_KEYSTORE_PATH=] + + --delegations-path + Path to the delegations file. If not provided, the default path is used + + [env: BOLT_SIDECAR_DELEGATIONS_PATH=] + + --metrics-port + The port on which to expose Prometheus metrics + + [env: BOLT_SIDECAR_METRICS_PORT=] + [default: 3300] + + --disable-metrics + [env: BOLT_SIDECAR_DISABLE_METRICS=] + + -h, --help + Print help (see a summary with '-h') +``` + +## Delegations and signing options for standalone and docker container setup + +As mentioned in the [prerequisites](#prerequisites) section, the Bolt sidecar +can sign commitments with a delegated set of private keys on behalf of active +Ethereum validators. + +> [!IMPORTANT] +> This is the recommended way to run the Bolt sidecar as it +> doesn't expose the active validator signing keys to any additional risk. + +In order to create these delegation you can use the `bolt-delegations-cli` binary. +If you don't want to use it you can skip the following section. + +### `bolt-delegations-cli` + +`bolt-delegations-cli` is an offline command-line tool for safely generating +delegation and revocation messages signed with a BLS12-381 key for the +[Constraints API](https://docs.boltprotocol.xyz/api/builder) in +[Bolt](https://docs.boltprotocol.xyz/). + +The tool supports two key sources: + +- Local: A BLS private key provided directly from a file. +- Keystore: A keystore file that contains an encrypted BLS private key. + +and outputs a JSON file with the delegation/revocation messages to the provided +`` for the given chain + +Features: + +- Offline usage: Safely generate delegation messages in an offline environment. +- Flexible key source: Support for both direct local BLS private keys and + Ethereum keystore files (ERC-2335 format). +- BLS delegation signing: Sign delegation messages using a BLS secret key and + output the signed delegation in JSON format. + +#### Installation and usage + +Go to the root of the Bolt project you've previously cloned using Git. Enter in +the `bolt-delegations-cli` directory by running `cd bolt-delegations-cli`. + +If you're using the Docker container setup make sure you have +[Rust](https://www.rust-lang.org/tools/install) installed in your system as +well. Then you can build the `bolt-delegations-cli` binary by running: + ```bash -./update-grafana.sh +cargo build --release && mv target/release/bolt-delegations-cli . ``` -In this directory, you can also find a Bolt dashboard, which will be launched alongside the other dashboards. +Now you can run the binary by running: + +```bash +./bolt-delegations-cli +``` + +The binary exposes a single `generate` command, which accepts the following +options and subcommands (use `./bolt-delegations-cli generate --help` to see +them): + +```text +Usage: bolt-delegations-cli generate [OPTIONS] --delegatee-pubkey + +Commands: + local Use local private keys to generate the signed messages + keystore Use an EIP-2335 keystore folder to generate the signed messages + help Print this message or the help of the given subcommand(s) + +Options: + --delegatee-pubkey The BLS public key to which the delegation message should be signed [env: DELEGATEE_PUBKEY=] + --out The output file for the delegations [env: OUTPUT_FILE_PATH=] [default: delegations.json] + --chain The chain for which the delegation message is intended [env: CHAIN=] [default: mainnet] [possible values: mainnet, holesky, helder, kurtosis] + --action The action to perform. The tool can be used to generate delegation or revocation messages (default: delegate) [env: ACTION=] [default: delegate] [possible values: delegate, revoke] + -h, --help Print help (see more with '--help') +``` + +The environment variables can be also set in a `.env` file. For a reference +example you can check out the `.env.local.example` and the +`.env.keystore.example` + +In the section below you can see a usage example of the binary. + +#### Delegations CLI Example + +1. Using a local BLS private key: + + ```text + bolt-delegations-cli generate \ + --delegatee-pubkey 0x7890ab... \ + --out my_delegations.json \ + --chain holesky \ + local \ + --secret-keys 0xabc123...,0xdef456.. + ``` + +2. Using a Ethereum keystores files and raw password: + + ```text + bolt-delegations-cli generate \ + --delegatee-pubkey 0x7890ab... \ + --out my_delegations.json \ + --chain holesky \ + keystore \ + --path /keys \ + --password myS3cr3tP@ssw0rd + ``` + +3. Using an Ethereum keystores files and secrets folder + + ```text + bolt-delegations-cli generate \ + --delegatee-pubkey 0x7890ab... \ + --out my_delegations.json \ + --chain holesky \ + keystore \ + --path /keys \ + --password-path /secrets + ``` + +When using the `keystore` key source, the `--path` flag should point to the +directory containing the encrypted keypair directories. + +The keystore folder must adhere to the following structure: + +```text +${KEYSTORE_PATH} +|-- 0x81b676591b823270a3284ace7d81cbce2d6cdce55bb0e053874d7e3a08f729453009d3e662ec3130379f43c0f3210b6d +| `-- voting-keystore.json +|-- 0x81ea9f74ef7d935b807474e38954ae3934856219a23e074954b2e860c5a3c400f9aedb42cd27cb4ceb697ca36d1e58cb +| `-- voting-keystore.json +|-- ... + `-- ... +``` + +where the folder names are the public keys and inside every +folder there is a single JSON file containing the keystore file. + +In case of validator-specific passwords (e.g. Lighthouse format) the +`--password-path` flag must be used instead of `--password`, pointing to the +directory containing the password files. + +The passwords folder must adhere to a certain structure as well, as shown below. + +``` +${KEYSTORE_PATH} +|-- 0x81b676591b823270a3284ace7d81cbce2d6cdce55bb0e053874d7e3a08f729453009d3e662ec3130379f43c0f3210b6d +|-- 0x81ea9f74ef7d935b807474e38954ae3934856219a23e074954b2e860c5a3c400f9aedb42cd27cb4ceb697ca36d1e58cb +|-- ... + `-- ... +``` + +That is, the password files should be named after the public key and each file +should just contain one line with the password in plain text. The files +themselves don't need a particular file extension. + +--- + +Now that you have generated the delegation messages you can provide them to the +sidecar using the `--delegations-path` flag (see the +[options](#command-line-options) section). When doing so the sidecar will check if +they're indeed valid messages and will keep in memory the association between +the delegator and the delegatee. + +However in order to sign the commitments you still need to provide the signing +key of the delegatee. There are two ways to do so, as explored in the sections +below. + +### Using a private key directly + +As you can see in the [command line options](#command-line-options) section you +can pass directly the private key as a hex-encoded string to the Bolt sidecar +using the `--private-key` flag. This is the simplest setup and can be used in +case if all the delegations messages point to the same delegatee or if you're +running the sidecar with a single active validator. + +### Using a ERC-2335 Keystore + +The Bolt sidecar supports [ERC-2335](https://eips.ethereum.org/EIPS/eip-2335) keystores for loading signing keypairs. +In order to use them you need to provide the `--keystore-path` pointing to the +folder containing the keystore files and the `--keystore-password` or +`keystore-secrets-path` flag pointing to the folder containing the password +file. + +Both the `keys` and `passwords` folders must adhere to the structure outlined +in the [Delegations CLI example](#delegations-cli-example) section. -### Validators +## Avoid restarting the beacon node -Validators must be configured to always prefer builder proposals over their own. Refer to client documentation for the specific configuration flags. -**If this is not set, it could lead to commitment faults**. +As mentioned in the [prerequisites](#prerequisites) section, in order to run the +sidecar correctly it might be necessary to restart your beacon client. That is +because you need to configure the `--builder` flag (or equivalent) to point to +the Bolt sidecar endpoint. -#### Registration +However if you're already running a PBS sidecar like +[MEV-Boost](https://boost.flashbots.net/) on the same machine then you can avoid +the restart by following this steps when starting the Bolt sidecar: -WIP +1. Set the `--constraints-proxy-port` flag or the + `BOLT_SIDECAR_BUILDER_PROXY_PORT` environment variable to the port previously occupied by + MEV-Boost. +2. Build the Bolt MEV-Boost fork binary or pull the Docker image and start it + using another port +3. Set the `--constraints-url` flag or the `BOLT_SIDECAR_CONSTRAINTS_URL` to point to the Bolt MEV-Boost instance.