Allnodes white label customers compromised

Hey, I wanted to formally inform the hub community that it is completely possible that there are compromised validators on the hub.

Here are some screenshots that can describe the nature of the compromise. This has been confirmed across numerous validators on Luna classic who used Allnodes as a white label provider.

I have also produced a Google document, which will later be made a PDF and hosted on the notional github.

I would like to warn the community that it seems evident that allnodes has a practice of:

  • Validating a new chain
  • Adding that chain to their orchestration system
  • Creating tendermint priv-validator-key.json and seed phrase for their customers
  • Providing neither key to their customers unless requested

I think that this underscores the importance of knowing more about validator operator infrastructure, and in particular whether or not a validator is with a primary operator or a white label provider.

If you’re a white label provider, you should not have customers seed phrases because it allows you to impersonate them

Instead, you should ensure that you never possess the client seed phrase and that they sign 100% of transactions including the create validator transaction.

If you’re an allnodes customer and validate on the cosmos hub, and any other cosmos chain, and they gave you your seed phrase, ALLNODES CAN IMPERSONATE YOU AND YOUR NODE IS A DANGER TO THE CHAIN

If you are a validator on any chain in cosmos, and you set up your validator using the white label service, and you were sent your seed phrase through a messaging app like keybase, please contact me at or The team of the chain that you are validating. Because the cosmos SDK and tenderment do not currently have key rotation features or the ability to send your delegations, the best thing that you can do is immediately remove 100% of your self-bonded stake. You are not the enemy here. Speaking as myself, but likely other members of the community as well, were you to improve your security posture by running your own node, I believe that:

  • Delegators would return
  • You’d ultimately get more delegations because you’re a primary operator, not a user of white label services

In recent conversations with white label / VaaS customers of, I found that 100% of then had compromised cryptographic secrets.

The team has been very public about who holds the keys: their CEO

I would like to urge delegators to talk with their validator to ensure that they do not use as a VaaS provider, and would like to urge both the ICF and AIB, as well as funds invested in the cosmos hub to withdraw all delegations from all white label providers and their users with extreme haste.

White label providers include

  • Allnodes
  • Coinbase Cloud
  • Figment

I don’t believe that these are the only white label providers on the cosmos hub.

White label / VaaS services provably harm both decentralization and security.


Thanks for the insight Jacob. Leaving Allnodes.

1 Like

Hi all. I’d like to know how an existing bare metal validator could hand over validator status of their node to a second party with their own setup, without compromising security of keys? Can this be achieved? TIA.

1 Like

To hand over ownership of the wallet address, you always need to pass the seed phrase.
So both parties will always be able to have a copy of the wallet address, and is hence compromised.

1 Like

Hey just so you know I’m really interested in allowing this to happen by writing the necessary SDK code.

Currently it is not possible.

So right now as @LeonoorsCryptoman mentions, we can’t do that.


This some next level reporting. Kudos to you. These types of risks go totally under radar without trusted sources like Notional.

1 Like

Im in shock that some people still redelgate to them from normal validators


Hey @serejandmyself – I think the reason that this is happening is that they continue to say that their operations are secure. Check out some of the screencaps here:

I hope to have the censure proposal on-chain today.

White label validator service providers (stand to be corrected on some):

  • Figment
  • P2P Validator
  • Chorus One
  • Allnodes
  • Swiss Staking (?)
  • Staked
  • Blockdaemon
  • Coinbase Cloud
  • Polkachu (?)

I don’t know a comprehensive list of users of this service. Whitelabel Consumers:

  • Coinbase Exchange (Coinbase Cloud)
  • Kraken (Staked)
  • Zero Knowledge (Chorus One)
  • Ledger (Figment)

There are quite likely others I am not aware of. White label service providers and consumers don’t seem to be very open about their arrangements all the time.


Hey this is massively useful information and I think you get it. The lack of transparency is precisely what makes these arrangements dangerous.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.