
Figment recorded zero double-sign slashing events across its Ethereum validators in Q1 2026, against 33 slashing events network-wide in the same period — a clean illustration of the gap between disciplined and undisciplined node operation. Kiln runs roughly 5 percent of the Ethereum network across more than 22,000 validators with zero slashing events to date. Since the Pectra upgrade, compounding validators (the 0x02 type) hold up to 2,048 ETH each and auto-compound rewards, replacing the 32-ETH cap that forced large stakers to manage hundreds of separate validators. For a technical PM weighing whether to build an in-house validator program or delegate to a provider, the decision turns on control, economics, and whether the institution can run the operation to the standard that avoids slashing.
The default path for an institution holding ETH is to delegate. Liquid staking (Lido stETH) requires no validator, no activation queue, and no exit period — the institution deposits ETH, receives a liquid token, and accepts the protocol's operator set and concentration profile. Exchange staking hands the whole operation to a venue. Pooled staking spreads stake across a shared operator set. Each path trades control and full rewards for convenience: the institution does not hold validator keys, does not choose clients, and shares rewards with the operator or pool. For a treasury that wants liquidity, this is fine. For an institution that wants full rewards, key control, and a documented audit trail it owns, delegation leaves value and control on the table.
Building in-house runs along a spectrum, and the first decision is self-hosted versus managed non-custodial. Fully self-hosted means the institution provisions its own hardware or cloud, generates and secures its own validator keys, runs its own consensus and execution clients, and operates its own monitoring. Managed non-custodial (Figment, Kiln, Blockdaemon, P2P.org) means a provider runs the validator fleet while the institution keeps its keys and receives rewards directly to its own withdrawal address, paying a commission. Fireblocks' ETH Staking Link standard now lets an institution connect custody to a provider's validators through a minimal interface, with the custody platform handling orchestration. The in-house program is defined by who holds the keys and who runs the nodes, and those can be split.
The build steps are concrete. First, capitalize validators: 32 ETH per legacy validator, or up to 2,048 ETH per compounding validator post-Pectra, which dramatically reduces validator count for a large position. Second, key management: generate validator signing keys and withdrawal credentials, secured in hardware or MPC custody, with the withdrawal address mapped to each validator public key. Third, client pairing: run a consensus client (attestation and voting duties, performed 225 times per day) and an execution client, and diversify across client pairs so a bug in one pair does not take the whole fleet offline. Fourth, monitoring and failover: track participation rate, missed attestations, and proposal duties, with safety prioritized over liveness so the fleet never double-signs in pursuit of uptime. Rewards accrue continuously — consensus-layer rewards are roughly 93 percent of the total and provide a reliable floor, while execution-layer rewards (the other 7 percent, including MEV and tips) introduce week-to-week variance.
Three failure points define the program. First, double-sign slashing. A validator that signs two conflicting messages — usually from a failover misconfiguration where a backup signs alongside the primary — is slashed and ejected. The mitigation is the "safety over liveness" discipline: never run two instances that can sign simultaneously, accept a missed attestation over a double-sign. Second, validator key compromise. A compromised signing key does not let an attacker steal the staked ETH, but it can cause slashing and adverse outcomes. The mitigation is hardware or MPC key custody, scoped key access, and separation of signing keys from withdrawal credentials. Third, client concentration. Running a single consensus-execution client pair across the whole fleet means a single bug can slash or sideline every validator at once — the mitigation is client diversity, the same lesson the network learned at the protocol level.
Self-hosting costs are infrastructure and headcount — hardware or cloud, DevOps, monitoring, and on-call — against zero provider commission and full rewards. Managed non-custodial costs a commission against near-zero operational burden and a provider SLA (Kiln advertises 99.95 percent effective uptime; Figment posted 99.9 percent participation). Spin-up is under 24 hours for a managed validator; self-hosting takes longer to build and harden. For a CPA evaluating the audit trail, the evidence is the validator deposit transactions, the validator-public-key-to-withdrawal-address mapping, the reward accrual records (consensus-layer median around 0.002 ETH per validator per day, plus execution-layer proposal rewards), the slashing-and-penalty log, and the periodic performance report. The reconciliation matches on-chain rewards to the income ledger, and rewards are generally taxed as income when received. Because the institution holds the keys and the withdrawal address, the audit trail is owned directly rather than mediated through a pool. The constructive signal is that compounding validators, custody-integrated staking standards, and providers with multi-year zero-slashing records mean an institution can now run validators at the same operational standard as the best dedicated operators — keeping full rewards and a clean, owned audit trail.
For informational purposes only. Not an offer to buy or sell any security. Available only to accredited investors who meet regulatory requirements.