SKIP TO CONTENT
Yield

Withdrawal Credentials

Ethereum address designated to receive staked ETH when a validator exits.

What are Withdrawal Credentials?

Withdrawal credentials are the Ethereum address specified during validator setup that will receive a validator's staked ETH and accumulated rewards when they exit the beacon chain or when rewards are automatically skimmed. These credentials are cryptographically linked to the validator and cannot be changed after the initial deposit, making the choice of withdrawal address a critical and permanent decision.

The withdrawal credentials system ensures that only the designated address can claim a validator's assets, providing security against unauthorized withdrawals while enabling the owner to eventually recover their staked funds. This mechanism became especially important after Ethereum's Shanghai upgrade enabled staking withdrawals.

How it Works

When creating an Ethereum validator, the staker generates two types of keys: signing keys for validator duties and withdrawal credentials for asset recovery. Withdrawal credentials come in two formats, identified by their prefix byte.

Type 0x00 credentials (BLS credentials) use BLS12-381 public keys derived from the validator's mnemonic. While secure, these credentials require a separate transaction to convert to an execution layer address before withdrawals are possible. Most early validators used this format before withdrawals were enabled.

Type 0x01 credentials (execution layer credentials) directly specify an Ethereum address that will receive withdrawals. Modern validators typically use this format as it enables automatic reward skimming and straightforward full withdrawals. The address can be any valid Ethereum address, including smart contracts like EigenPods.

Validators with 0x00 credentials must perform a one-time BLS-to-execution credential change to enable withdrawals. This operation is irreversible and specifies the permanent withdrawal address. Once set, partial withdrawals (rewards above 32 ETH) are automatically swept to the execution address, and full withdrawals upon exit go to the same address.

Practical Example

Bob creates a new Ethereum validator and sets the withdrawal credentials to his hardware wallet address using the 0x01 prefix format. His validator accumulates rewards over time, and when the balance exceeds 32 ETH, the excess is automatically skimmed and sent to his hardware wallet every few days. If Bob ever decides to exit his validator, the full 32 ETH principal plus any remaining rewards will be sent to the same hardware wallet address.

Why it Matters

Withdrawal credentials are one of the most critical security decisions in Ethereum staking. Setting the wrong address or losing access to the designated wallet means permanently losing access to staked funds. For restaking users, the choice to point withdrawal credentials at an EigenPod rather than a personal wallet adds functionality but also introduces smart contract risk. Understanding withdrawal credentials is essential for anyone participating in native Ethereum staking. Fensory helps stakers understand the implications of different withdrawal credential configurations and the tradeoffs involved in various staking setups.

Examples

  • Setting withdrawal credentials to a Ledger hardware wallet address for maximum security
  • Pointing withdrawal credentials to an EigenPod contract to enable native restaking

Related Terms

See this concept in action across live DeFi protocols.

Track live yields, compare protocols, and build your DeFi portfolio with Fensory.

GET EARLY ACCESSArrow right
← BACK TO GLOSSARY