
Aztec Sequencer Ops: Slashing Is a Vote, Keys Don’t Rotate, and Sync Choices Matter
Overview
Aztec’s operator docs make one thing clear: slashing is not an automatic “chain punishes you” mechanism. It’s a consensus-based voting system where sequencers detect offenses via watchers and then vote during block proposals on which validators from earlier rounds should be slashed. (docs.aztec.network) That means “being safe” is partly a social/consensus reality: your node participates in the process that decides guilt.
Execution is also deliberately buffered. After votes are tallied, slashing rounds become executable only after an execution delay (~3 days), and when a round is ready, proposers can include the execution call that triggers the L1 contract to slash validators that reached quorum. (docs.aztec.network) Aztec adds a failsafe: a Slashing Vetoer, described as an independent security group that can pause slashing during the delay to protect validators from unfair slashing due to client bugs. (docs.aztec.network) Inactivity enforcement also has a hidden dependency: some offenses require the Sentinel to be enabled (SENTINEL_ENABLED=true) to track validator activity. (docs.aztec.network)
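The vote, quorum, delay and veto sequence described above, as a simplified model an operator could adapt to track how long remains to escalate a suspected client-bug slash. This is an added example, not Aztec's code; the quorum value, the exact delay, the class and function names and the validator labels are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

QUORUM = 3                          # assumption: votes needed within one round
EXECUTION_DELAY_S = 3 * 24 * 3600   # "~3 days" from the text; exact value assumed

@dataclass
class SlashingRound:
    tallied_at: int                                  # unix time the votes were tallied
    votes: Counter = field(default_factory=Counter)  # validator -> number of votes
    paused: bool = False

    def record_proposal(self, flagged):
        """One proposer's vote: validators its watchers flagged (deduplicated)."""
        self.votes.update(set(flagged))

    def reached_quorum(self):
        return sorted(v for v, n in self.votes.items() if n >= QUORUM)

    def veto(self, now):
        """The vetoer can pause only while the execution delay is still running."""
        if now < self.tallied_at + EXECUTION_DELAY_S:
            self.paused = True
        return self.paused

    def status(self, now):
        if not self.reached_quorum():
            return "no-quorum"
        if self.paused:
            return "paused"
        if now < self.tallied_at + EXECUTION_DELAY_S:
            return "pending-delay"
        return "executable"

def hours_to_escalate(rnd, validator, now):
    """Hours left before the round can execute against this validator,
    or None when the validator is not at risk in this round."""
    if validator not in rnd.reached_quorum() or rnd.status(now) != "pending-delay":
        return None
    return (rnd.tallied_at + EXECUTION_DELAY_S - now) / 3600

def demo():
    # Constructed sample: four proposals in one round, tallied at t=0.
    rnd = SlashingRound(tallied_at=0)
    for flagged in (["val-a", "val-b"], ["val-a"], ["val-a", "val-a"], ["val-b"]):
        rnd.record_proposal(flagged)
    return rnd
```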
Context
Key management is the second non-obvious trap. Aztec distinguishes between protocol keys (e.g., nullifier and incoming viewing) and signing keys. Protocol keys cannot be rotated because they’re embedded in the address (immutable); if compromised, the remediation is deploying a new account. (docs.aztec.network) Signing keys, by contrast, can be rotated depending on the account contract design, which is why the ops posture should treat protocol keys as “one-way doors” and push all routine operational signing into hardened, replaceable signing infrastructure.
Sources
- Slashing and Offenses (Aztec docs)
- Aztec’s New Slashing Design (forum)
- Keys / Key rotation (Aztec docs)
- Keystore troubleshooting & best practices
- Syncing best practices + CLI --sync-mode

- Slashing is consensus-driven: sequencers run watchers and vote on offenses during proposals; L1 slashes only when quorum is reached. (docs.aztec.network)
- There’s a safety buffer: slashing has an ~3-day execution delay and an independent Slashing Vetoer can pause execution to mitigate client-bug risk. (docs.aztec.network)
- Protocol keys don’t rotate: nullifier/incoming viewing keys are immutable; compromise generally means new account deployment. (docs.aztec.network)
- Ops posture should assume failures: use remote signers/HSMs for production and prefer snapshot-based sync modes for faster recovery. (docs.aztec.network)
