Skip to content

Validator Operations

In short

Managed validator operations at SLA: secure key management, slashing protection, and 24/7 monitoring so your staking earns reliably without staffing an in-house SRE team.

Trusted by teams building on-chain

Validator operations is the work of running a validator node in production: the staking, block production, key management, and monitoring that keep a proof-of-stake network secure and a stake earning. A validator proposes and attests to blocks, puts the network's token at stake, and is penalized (slashed) if it double-signs or drops offline.

Running one for a weekend is easy; running it reliably, signing every duty, surviving failover without equivocating, and holding uptime through upgrades and incidents is a different discipline. Protofire runs that discipline for chains, foundations, and stakers. We are one of the top DevOps teams in Web3, and our engineers have operated validators, miners, indexers, full/light/archival nodes, witnesses, relayers, fishermen, and sentinels across the ecosystem, for networks including Fuse, Meter, CrossFi, Stratos, DFK, Avalanche, Secret Network, Lava Network, and Fluence.

This is the operations layer: we run the node so block production, rewards, and slashing protection are someone's full-time job, not a side task for your protocol team.

If you need to run a validator at SLA (or hand off a fleet you can no longer babysit) without staffing a 24/7 SRE rotation, that is exactly the problem this page solves. New deployments typically go live in a few weeks.

The validator-ops stack we own end to end

Every layer from initial node setup to ongoing operations is staffed and measured.

01

Node and validator setup

Provision and harden the infrastructure: hardware or cloud, client software, and sentinel/firewall layers brought into production.
02

Key management

Isolate the signing path with remote or hardware-backed signers and custody controls that prevent key leakage or theft.
03

Monitoring and alerting

Instrument every validator for duty-success, attestation effectiveness, peer/sync health, and signing latency, with alerts routed to an on-call rotation.
04

Upgrades and hard forks

Rehearsed upgrade procedures so the validator signs through every client update and hard fork without missed duties.
05

Slashing protection

Anti-double-sign safeguards and failover architecture so a recovery event can never produce two active signers simultaneously.
01

What we run

A validator node is the unit of security on a proof-of-stake network: it stakes the chain's token, takes a turn proposing blocks, and attests to the blocks of others, earning rewards (and a yield, expressed as APR) for doing its duties on time, and losing stake to slashing when it doesn't. Validator operations is everything around that node that keeps it correct and online: provisioning the right hardware or cloud, syncing and maintaining the client, managing the signing keys, handling network upgrades and hard forks without missed duties, and responding when something breaks at 3am.

It is closer to site reliability engineering than to "deploying a server." We run validators as managed infrastructure so the people who own the protocol can stay focused on the protocol, while a dedicated team owns the boring, unforgiving operational reality of block production, duty signing, and reward continuity across the networks we support.

02

How an engagement works

1

Assessment

We map the network and client requirements, your reliability and SLA targets, key-management model, and hardware/cloud constraints. Deliverable: a validator-readiness review.
2

Deployment

We provision and harden the validator infrastructure (clients, signers, sentinel/firewall layers, anti-double-sign safeguards) and bring it into production, typically in a few weeks.
3

Monitoring Setup

We wire up duty-success, uptime, and slashing-risk monitoring with alerting and runbooks, so reliability is measurable from the first signed duty.
4

Operate and Tune

Ongoing maintenance, upgrades and hard-fork handling, incident response, and SLA-oriented operations. We flag you only when a decision genuinely needs you.
03

What teams come to us for

Managed validator-node operation at SLA
Secure signing-key management & remote signers
Slashing protection & anti-double-sign architecture
Validator monitoring, alerting & runbooks
Hard-fork / network-upgrade handling without missed duties
Multi-network validator fleet operation
Full/light/archival node operation
Indexer, relayer, witness & sentinel node roles
APR / uptime / cost-efficiency optimization
Migrating an existing validator fleet to managed ops
04

One of the top node-operations teams in Web3

Protofire is a blockchain infrastructure company and development partner that has shipped 250+ projects since 2016 (spun out of Altoros), across 60+ networks and 95+ protocols. On the operations side specifically, we are a Filecoin infrastructure partner since 2021, a top-3 indexer in The Graph ecosystem, an official Safe Guardian, and the maintainer of Solhint, the open-source Solidity linter used by 1M+ developers.

We have operated validators and other node types across networks including Avalanche, Fuse, Meter, CrossFi, Stratos, DFK, Secret Network, Lava Network, and Fluence, and we published 15 Best Practices for Validator Node Security from doing exactly this work. When we recommend a validator architecture, it is one we already run in production, measured in uptime and signed duties, not slideware.

We run the node so block production and slashing protection are someone's full-time job.

Validator Operations: Self-Managed vs. Managed at SLA

Run the validator yourselfProtofire
Signing key management & slashing protectionYou manage remote signers, anti-double-sign safeguards, failover proceduresRemote/hardware-backed signers, failover that never equivocates, formal anti-double-sign architecture
Monitoring & alertingYou build duty-success tracking, missed-block alerting, latency monitoringDuty-success tracking, peer/sync health, signing-latency monitoring, alerts to on-call rotation
Uptime & SLA targetsYou aim for uptime; no formalized SLA or incident runbooksDefined uptime SLA, documented runbooks, on-call rotation with incident response procedures
Network upgrades & hard forksYou coordinate manually; risk of missed duties during upgradesRehearsed upgrade procedures, zero-downtime hard-fork handling, test suite before production

FAQ

What does a validator do?
A validator is a node that secures a proof-of-stake blockchain. It stakes the network's token, takes turns proposing new blocks, and attests to (votes on) blocks proposed by others. For doing these duties correctly and on time it earns staking rewards, usually expressed as an APR; if it goes offline it forgoes rewards, and if it breaks consensus rules (most commonly by signing two conflicting blocks for the same slot) it is slashed and loses part of its stake. Running a validator therefore means keeping a node correct, online, and impossible to make double-sign, through network upgrades, hard forks, and failover events. That is closer to site reliability engineering than to deploying a server: provisioning the right hardware or cloud, maintaining the client, managing signing keys, and responding when something breaks at 3am. On a PoS network the economics are unforgiving: uptime earns and slashing destroys.
What's the difference between managed validator operations and running a validator myself?
You can run a validator yourself, and for one node on a stable network that can work. The gap shows up under real conditions: 24/7 monitoring, on-call incident response, safe failover that can never equivocate, signing-key custody, and handling every network upgrade and hard fork without missing duties. Managed validator operations is that whole capability as a service: we own the uptime, the slashing protection, and the runbooks, operating to defined SLA targets, so your team doesn't have to staff an SRE rotation around a node. We instrument every validator from day one with duty-success tracking, missed-block and reorg alerting, and signing-latency monitoring, route alerts to an on-call rotation with documented runbooks, and manage to three metrics: APR, uptime, and economical efficiency. The point is to keep the validator signing and run-cost predictable while your core team stays focused on the protocol.
What is slashing, and how do you protect against it?
Slashing is the protocol penalty that destroys part of a validator's stake when it misbehaves, overwhelmingly from double-signing (signing two blocks for the same slot, often caused by accidentally running two active signers) or, on some networks, prolonged downtime. We protect against it by isolating the validator's signing path, enforcing anti-double-sign safeguards so a failover can never produce two active signers, using remote or hardware-backed signers where the network supports them, and hardening node access behind sentinel and firewall layers. We also rehearse upgrade and recovery procedures before they are needed in anger. These are the practices we documented publicly in 15 Best Practices for Validator Node Security, written from running real fleets rather than theory. The goal is to make an accidental slashing event genuinely hard to trigger; making it unlikely is not enough, because on a PoS network uptime earns and a single slashing event destroys staked capital.
Which networks and node types do you run?
Proof-of-stake EVM L1/L2 chains and ecosystem foundations are our core. We have operated validators across networks including Fuse, Meter, CrossFi, Stratos, DFK, Avalanche, Secret Network, Lava Network, and Fluence, and we run other node roles too: miners, indexers, full, light, and archival nodes, witnesses, relayers, fishermen, and sentinels. For each engagement we provision and harden the infrastructure, manage the signing keys, and wire up duty-success, uptime, and slashing-risk monitoring with alerting and runbooks, so reliability is measurable from the first signed duty. If your network isn't listed, ask. The operational pattern usually transfers, because the hard parts (key management, anti-double-sign failover, upgrade handling, and 24/7 monitoring) are common across PoS networks even when the client software differs. We confirm the network and client specifics in a validator-readiness assessment before any deployment, so client maturity and quirks are handled up front.
Do you build the staking product too, or only run the validators?
This page is the operations layer: we run the validator nodes, owning block production, duty signing, slashing protection, and uptime. Building the staking software is a separate, adjacent discipline we also offer: a native staking module, a liquid staking token, an operator registry, or vote-escrow (ve8020) staking. We keep the two distinct on purpose, because running validators reliably and designing staking economics are different problems (one is site reliability engineering, the other is protocol and smart-contract design) even when a single project needs both. Slashing logic on the staking-product side (operator registries, insurance staking, reward and penalty curves) is its own discipline, separate from the operational slashing protection we apply to a running node. If you need both, we can run the validators and build the staking product, but we scope and staff them as the different engagements they are.
How long does it take to deploy a validator?
A new validator deployment typically goes live in a few weeks, depending on the network's client maturity, your key-management model, and SLA requirements. The work runs through a readiness assessment (mapping network and client requirements, reliability and SLA targets, key-management model, and hardware or cloud constraints), then deployment (provisioning and hardening the validator infrastructure, clients, signers, sentinel and firewall layers, and anti-double-sign safeguards), then monitoring configuration with alerting and runbooks, and finally ongoing operation. Migrating an existing fleet to managed operations is scoped against its current state rather than built from scratch, which changes the timeline. We confirm the exact schedule in the readiness assessment on the first call rather than quoting a generic number, because client software maturity and the key-custody model are the two factors that most affect how quickly a validator can be brought safely into production.
How is validator operations priced?
It is a recurring operations model rather than a flat fee, because cost depends on the number of validators, the networks involved, and the coverage and SLA level you need. A single validator on a mature network is a different engagement from a multi-network fleet that needs 24/7 on-call coverage, hardware-backed signers, and tight uptime targets, so we scope it on the first call and size the engagement before any work starts; no per-node figure is committed here. The metrics we manage to are APR, uptime, and economical efficiency: keep the validator signing, keep run-cost predictable, and the stake performs. Migrating an existing fleet to managed operations is scoped against its current state rather than priced as a fresh build. The readiness assessment establishes the network and client requirements, key-management model, and reliability targets that determine scope.

Reviewed by Arsenii Petrovich, Infrastructure & DevOps Lead at Protofire. Last reviewed: June 2026.

Book a call with Arsenii Petrovich

Schedule a call with our CTO to receive practical recommendations and a prompt proposal for upgrading your solution.

Protofire 2026. All rights reserved