Withdrawal credentials uncovered with Blox Staking

Withdrawal credentials are the root of lots of confusion and uncertainty. This article explains the relationship between the withdrawal keys and credentials, how Blox Staking uses them, and how you can verify yours.

Oct 11 · 5 min read
Photo by Mika Baumeister on Unsplash

The TL;DR section covers the rough process with Blox Staking from deposit to withdrawal and is based on a couple of assumptions since withdrawal isn’t implemented yet. Finally, the Withdrawal in-depth section tries to explain the relationship between keys and credentials in more detail.


  1. Blox Live generates a random seed (mnemonic/24-word passphrase)
  2. Validator and withdrawal private keys are derived from the same seed, with different derivation paths. Actually, they are childs of each other.
  3. A public withdrawal key is generated from the private withdrawal key (never shown in Blox Live)
  4. The public withdrawal key is hashed, resulting in withdrawal credentials
  5. Withdrawal credentials are sent along with the deposit transaction inside TxData

On withdrawal
(Once the merge has happened, and withdrawal is enabled. It will most likely be supported by Blox Live but is subject to change, since not yet specified)

  1. Generate the withdrawal private key from your seed (mnemonic/24-word passphrase) again.
  2. Sign a withdrawal operation with the validator and withdrawal private key and execute the withdrawal operation on the contract (This might require a voluntary validator exit beforehand).
  3. The operation contains an ETH1 address to where the funds should be moved to.
  4. The contract verifies the operation by matching the withdrawal credentials against the signed operation.
  5. If valid, funds are transferred to the given ETH1 address.

Withdrawal in-depth

How can I withdraw my staked ETH?

Withdrawal Credentials — The Blox Live process revisited

It’s best explained by watching the tutorial video again.

There are a few interesting timestamps to mention:

0:54 — Blox Live created a seed (mnemonic/24-words passphrase) for you.
1:12 — Blox Live generated your private validator key from your seed and stored it securely inside your KeyVault on AWS.
1:17 — Blox Live shows your public validator key and your public withdrawal key, purely for your information.
1:55 — The deposit transaction (32 ETH) is initiated as a normal transaction through your connected wallet.

Now that we recalled the overall process, we can look at the withdrawal credentials in more detail.

Where do withdrawal credentials come from?

The withdrawal credentials inside TxData are nothing else than a hashed version of your public withdrawal key (it’s hashed to preserve privacy and save space), which itself is derived from the withdrawal (private) key. The withdrawal private key isn’t stored with the Blox Live app, thus never shown to you. But, of course, it can always be recreated from your seed (see verify section at the end).

What’s the purpose of the withdrawal credentials?

However, it is safe to assume that once the day comes, you send a transfer request signed with your validator and withdrawal (private) key that will be verified against the withdrawal credentials (hashed version of your withdrawal public key).

There are two kinds of withdrawal credentials as of today:

  • BLS withdrawal credentials
  • ETH1 address withdrawal credentials

You can read into all the details here. It’s worth noting that until February 2021 ETH1 address withdrawal credentials weren’t available, and BLS was the only option.

Blox Live doesn’t support ETH1 addresses as withdrawal credentials, except if you created a validator outside of Blox Live and later moved it to Blox Staking.

Since major parts of the withdrawal process are not yet implemented, we can’t vote for one over another. However, for Blox Staking (non-custodial, non-pooled), the currently used BLS withdrawal credentials are good enough.

How to verify withdrawal credentials

The following step-by-step guide illustrates how you can verify if you have the right seed/keys to signal a withdrawal once the time comes.

🔴 Warning: Please only do this on your own safe, completely offline device!

The simplest way to verify this is by using the ETH2.0 deposit cli, which you can download from its GitHub release page. Once downloaded, extract it to your own safe, completely offline device.

When ready, open a command prompt in the root folder of the cli, and run the following command:

./deposit existing-mnemonic --num_validators 1 --chain mainnet

When prompted, enter your 24-words passphrase, confirm the default values, and proceed unless you see the success screen.

Note the output folder where your keys can be found, and open the deposit_data-[timestamp].json file inside that directory.

The withdrawal_credentials field contains the hashed version of your withdrawal public key (without the BLS prefix 0x00) derived from the withdrawal (private) key generated from your seed.

Now you can easily compare the withdrawal credentials of your active validator with the generated one.

Jump over to the Beacon Chain Explorer and look up your validator. Down in the Eth2 Deposits section, you can find the stored withdrawal credentials. To compare the generated ones to the stored ones, prefix them with 0x00 . Remember, the 0x00 defines the semantics of the following chunk and indicates a BLS withdrawal key (as opposed to 0x01 which indicates an ETH1 address)

If the withdrawal credentials match, you have successfully verified that you have the necessary keys to transfer your funds once the withdrawal is enabled.

Please note that if your seed is lost or stolen, all your funds are gone. There is an ongoing discussion to give stakers a second chance in case only their withdrawal keys are compromised, but not the seed.

— Ben

Blox Staking

Powering the decentralized ETH staking economy.