How to Choose A Staking Provider: A Complete Evaluation Checklist

Learn how to choose a staking provider for institutions. Complete evaluation checklist: track record, slashing coverage, security, fees, and compliance.

APR 16, 2026

Table of Contents

Quick Summary

Why Choosing the Right Staking Provider Matters

Types of Staking Providers

Track Record and Performance

Security and Infrastructure

Slashing Risk and Coverage

Fees and Commission Structure

Regulatory and Compliance Standards

Reporting and Transparency

Red Flags: What to Avoid When Choosing a Provider

The 30-Point Provider Evaluation Checklist

Frequently Asked Questions

Final Considerations


How do you choose a staking provider when the decision carries fiduciary weight?

Quick Summary

To choose a staking provider, evaluate the candidate across six categories:

  • validator track record (uptime above 99.9%, zero slashing events),
  • security infrastructure (MPC or HSM key management, double-sign protection, multi-region redundancy),
  • slashing coverage (provider treasury, operator commitments, insurance),
  • fees (5 to 15% commission on gross rewards; compare net rewards against the network benchmark),
  • regulatory compliance (SOC 2 Type II, ISO 27001),
  • and contractual protections (written SLA with uptime and defined incident response).

This guide gives CFOs, treasury leads, and risk officers a 30-point checklist of staking provider criteria covering track record, security architecture, slashing coverage, regulatory compliance, and reporting transparency.

Use it to run a structured staking provider comparison and evaluate any validator before delegating institutional capital.

Everstake is committed to delivering reliable, institution-grade staking infrastructure for institutional clients.

Why Choosing the Right Staking Provider Matters

The Core Risks You Are Delegating

When an institution delegates to a staking provider, it delegates exposure to:

  • slashing penalties,
  • key-management risk,
  • infrastructure downtime,
  • and (depending on the custody model) counterparty risk over the assets themselves.

The provider’s operational discipline determines whether staked capital generates staking rewards or silently leaks value through missed attestations and avoidable penalties.

An institutional assessment must distinguish between:

| Term | Meaning |
| --- | --- |
| Slashing | Penalization for consensus violations, such as double-signing |
| Operational Penalties | Missed attestations due to downtime |
| Inactivity Leaks | Prolonged offline periods during network finality failures |

Conflating these categories leads to incomplete risk models and poor provider selection.

Why Fees Are Not the Primary Criterion

Commission rates are the most visible differentiator between providers, and the least informative.

A provider charging 8% commission with 99.95% uptime, strong slashing protection, and SOC 2 Type II attestation will consistently outperform a provider charging 5% on shared cloud infrastructure with no redundancy.

Focus on net rewards after missed rewards, penalties, and operational failures rather than the headline fee.

Types of Staking Providers

Centralized Exchanges

Exchange-based staking (CEX staking) offers operational simplicity: assets remain within the exchange account, and staking is activated with minimal configuration. The trade-off is full custodial risk.

The exchange holds the private keys and withdrawal credentials. In the event of an exchange insolvency, bankruptcy stay, or regulatory enforcement, staked assets may be inaccessible or treated as part of the exchange’s estate.

Institutions subject to fiduciary obligations should assess whether this model is consistent with their custody requirements.

Non-Custodial Validators

Non-custodial staking providers like Everstake, often called Tier-1 institutional validators, operate validator infrastructure without taking custody of the assets delegated to them.

The institution retains control of its private keys and withdrawal credentials, while the provider manages:

  • node operations,
  • monitoring,
  • and protocol upgrades.

This model reduces counterparty risk and aligns with most institutional custody mandates, though it requires more active engagement with key management and provider oversight.

Liquid Staking Protocols

Liquid staking protocols issue derivative tokens (such as stETH or LsETH) that represent the underlying staked position while remaining tradeable and composable across DeFi.

This model addresses the liquidity constraint of native staking: assets remain productive during the unbonding period, which is abstracted away.

However, liquid staking introduces smart-contract risk, depeg risk on the derivative token, and additional counterparty layers.

Institutions must evaluate whether the liquidity benefit justifies the added complexity.

Track Record and Performance

Uptime History

Validator uptime history directly determines reward generation.

Every missed attestation or block proposal leads to lost rewards.

Institutional-grade providers should demonstrate uptime exceeding 99.9% across all supported networks, verified through on-chain data rather than self-reported metrics.

Ask for historical uptime by network, not a blended average, and request data covering at least 12 months.

Slashing History

Slashing events are rare but consequential. On Ethereum, for example, validators have been slashed fewer than 500 times since the Beacon Chain launched.

Most incidents stem from software bugs or configuration errors, not malicious intent.

Any provider that has experienced a slashing event should be able to explain the root cause, the remediation steps, and the systemic changes implemented.

A provider with zero slashing events on major networks across a multi-year operating history demonstrates strong operational controls.

Total Value Staked

Total value staked might be considered a proxy for institutional trust.

Providers managing large staked positions across multiple Proof-of-Stake networks have economic incentives to maintain operational excellence.

That said, total value staked alone is not a strong signal of quality. It must be evaluated alongside

Security and Infrastructure

Key Management (MPC, HSM)

How a provider manages validator signing keys is the single most critical security consideration.

Leading providers use hardware security modules (HSMs) for key storage and multi-party computation (MPC) for key operations, ensuring that no single individual or process can unilaterally sign a transaction.

Evaluate whether the provider can explain its key-management architecture, including key generation, rotation schedules, access controls, and disaster-recovery procedures.

Redundancy and Geographic Distribution

Infrastructure concentrated in a single data center or cloud region is a single point of failure.

Institutional providers should operate across multiple cloud providers or bare-metal environments, distributed across at least two geographic regions.

Ask whether the provider uses multi-cloud architecture (e.g., AWS, GCP, and bare metal), whether failover is automated, and what the expected recovery time is in the event of a regional outage.

Double-Sign Protection

Double-signing (broadcasting two conflicting messages for the same slot) is the most common trigger for slashing on Proof-of-Stake networks.

Mature providers implement remote-signer architectures with built-in safeguards that prevent a validator from signing conflicting blocks, even if failover activates a second node. This is a non-negotiable control.
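The kind of safeguard described above can be sketched as a check the signer runs before every signature. This is an added example, not Everstake's or any client's code; `SlashingGuard`, `History`, `simulate_failover` and the sample keys and roots are hypothetical names and constructed values, and the shared, durable history is an assumption.

```python
from dataclasses import dataclass, field


class SlashableError(Exception):
    """Signing this request would create slashable evidence."""


@dataclass
class History:
    blocks: dict = field(default_factory=dict)        # slot -> signing root
    attestations: dict = field(default_factory=dict)  # target -> (source, root)


class SlashingGuard:
    """Hypothetical guard a remote signer consults before every signature.

    Assumption: every node, primary or failover, shares this one history, and
    it is persisted before the signature is released.
    """

    def __init__(self):
        self._by_key = {}

    def check_block(self, pubkey, slot, root):
        hist = self._by_key.setdefault(pubkey, History())
        signed = hist.blocks.get(slot)
        if signed is not None and signed != root:
            raise SlashableError(f"double proposal at slot {slot}")
        hist.blocks[slot] = root  # same root again is a harmless re-sign

    def check_attestation(self, pubkey, source, target, root):
        if source > target:
            raise ValueError("source epoch is after target epoch")
        hist = self._by_key.setdefault(pubkey, History())
        for t, (s, r) in hist.attestations.items():
            if t == target and r != root:
                raise SlashableError(f"double vote for target epoch {target}")
            if source < s and t < target:
                raise SlashableError("vote surrounds an earlier vote")
            if s < source and target < t:
                raise SlashableError("vote is surrounded by an earlier vote")
        hist.attestations[target] = (source, root)


def simulate_failover():
    """Constructed scenario: a failover node wakes up while the primary is
    still alive, and both send signing requests for the same validator."""
    guard = SlashingGuard()
    key = "validator-a"  # constructed placeholder, not a real public key
    requests = [
        ("primary", guard.check_block, (100, "block-root-A")),
        ("failover", guard.check_block, (100, "block-root-B")),    # conflict
        ("primary", guard.check_attestation, (10, 11, "att-1")),
        ("failover", guard.check_attestation, (9, 12, "att-2")),   # surround
        ("failover", guard.check_attestation, (11, 12, "att-3")),  # safe
    ]
    outcomes = []
    for node, check, args in requests:
        try:
            check(key, *args)
            outcomes.append((node, "signed"))
        except SlashableError as exc:
            outcomes.append((node, f"refused: {exc}"))
    return outcomes


if __name__ == "__main__":
    for node, outcome in simulate_failover():
        print(f"{node:9s} {outcome}")
```

A refused request costs one missed duty, which is the trade the guard is designed to make. The protection holds only if both nodes consult the same history, so a useful due-diligence question is where that history lives during failover.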

Slashing Risk and Coverage

What Is Slashing

Slashing is a protocol-level penalty mechanism that confiscates a portion of a validator’s staked tokens for provably malicious or negligent consensus behavior, such as double-signing or surround-voting.

The penalty severity varies by network and by the number of validators slashed simultaneously (correlated slashing).

On Ethereum, a single validator slashing event incurs a minimum penalty of 1/32 of the validator’s stake, plus additional penalties proportional to the number of other validators slashed in the same period.

Slashing Coverage Programs

Several providers and protocols now offer structured slashing coverage. These programs typically combine:

  • an internal coverage treasury (funded by a percentage of staking rewards),
  • node-operator commitments (operators liable for penalties caused by their infrastructure),
  • and third-party insurance.

Insurance Partners

Dedicated staking insurance is an emerging but growing category. Nexus Mutual provides decentralized coverage that pays out on individual slashing incidents up to a predetermined amount.

Chainproof, in partnership with IMA Financial Group, offers a product that is said to provide a minimum yearly rewards rate benchmarked against the Composite Ether Staking Rate (CESR): if staking rewards fall below 95–98% of CESR due to slashing or penalties, the policy is supposed to reimburse the difference.

Institutions should ask whether a provider offers or integrates with any slashing coverage and review the specific terms, limits, and claims process.

Fees and Commission Structure

Staking providers typically charge a commission of 5% to 15% on gross staking rewards, depending on the network, service tier, and volume.

Some providers offer tiered pricing based on staked volume, or flat monthly fees for dedicated infrastructure. When evaluating fees, calculate the effective net rewards after all commissions and compare them against the network’s benchmark rate.

Beware of hidden costs:

  • onboarding fees,
  • exit fees,
  • minimum commitment periods,
  • and charges for reporting or API access.

A transparent provider does not impose penalties for unstaking within standard protocol unbonding periods.

Regulatory and Compliance Standards

SOC 2 Type II and ISO 27001

SOC 2 Type II attestation verifies that a provider’s internal controls over security, availability, processing integrity, confidentiality, and privacy have been independently audited over a sustained observation period (typically 6 to 12 months). ISO 27001 certification demonstrates a formal information-security management system.

These certifications are not guarantees of performance, but they confirm that an independent auditor has validated the provider’s operational and security controls. Request the most recent audit report.

Reporting and Transparency

Real-Time Dashboards

Institutional clients need real-time visibility into validator performance, reward accruals, and operational status, not monthly PDF reports delivered after the fact.

Evaluate whether the provider offers a real-time dashboard with per-validator metrics (uptime, rewards, penalties), API access for integration with internal systems, and configurable alerting for operational events.

Audit Trail and Tax Reporting

The receipt of staking rewards is a taxable event in most jurisdictions.

Providers should provide exportable records of all reward distributions, including timestamps, amounts, and token values at the time of receipt (if possible).

These records may be sufficient for tax-lot accounting and audit-trail purposes.

Ask whether the provider integrates with institutional accounting platforms or supports custom reporting formats.

Service-Level Agreements

A formal service-level agreement (SLA) converts a provider’s marketing claims into contractual obligations, with the uptime percentage (99.9% or higher) as the key factor.

If a provider is unwilling to commit to an SLA, treat that as a meaningful signal about the maturity of its operations.

Red Flags: What to Avoid When Choosing a Provider

Watch for these warning signs during evaluation:

  • Opaque key management. If a provider cannot explain how validator signing keys are generated, stored, and protected, the risk profile is unknown.
  • No slashing history disclosure. Refusal to share on-chain slashing data suggests either a lack of transparency or a record that the provider does not want scrutinized.
  • Single-cloud, single-region infrastructure. Geographic and provider concentration create systemic risk that other controls cannot offset.
  • Self-reported uptime without on-chain verification. Uptime claims should be verifiable against public block-explorer data, not taken on faith.
  • No SOC 2 or equivalent certification. For institutional allocations, the absence of independent security audits is a disqualifying gap.
  • Lock-in clauses beyond protocol unbonding periods. Contractual exit penalties that exceed the native unbonding period suggest misaligned incentives.
  • Reluctance to sign an SLA. A commitment to measurable service standards demonstrates operational maturity.

The 30-Point Provider Evaluation Checklist

| # | Category | Criterion | What to Verify | Red Flag |
| --- | --- | --- | --- | --- |
| 1 | Track Record | Uptime history | On-chain attestation data ≥ 12 months; per-network breakdown | Self-reported uptime only; no on-chain proof |
| 2 | Track Record | Slashing history | Zero slashing events or documented root-cause analysis | Refusal to disclose or explain past incidents |
| 3 | Track Record | Years of operation | Continuous operation through at least one bear-market cycle | Less than 12 months of operating history |
| 4 | Track Record | TVL | Total value staked across networks; number of institutional clients | Total value staked not disclosed or unverifiable |
| 5 | Track Record | Protocol breadth | Number of supported PoS networks and active validator sets | Single-network operator with no diversification |
| 6 | Security | Key management model | MPC or HSM-based signing; documented key lifecycle | Keys stored in software wallets; single-person access |
| 7 | Security | Key rotation policy | Defined rotation schedule; audit trail for key changes | No rotation policy or ad-hoc manual process |
| 8 | Security | Double-sign protection | Remote-signer architecture with anti-slashing safeguards | No dedicated slashing-prevention mechanism |
| 9 | Security | Withdrawal credential control | Client retains withdrawal keys (non-custodial models) | Provider controls both signing and withdrawal keys |
| 10 | Security | Penetration testing | Regular pen test with remediated findings | No external security testing conducted |
| 11 | Infrastructure | Cloud/bare-metal architecture | Multi-cloud or dedicated hardware; documented topology | Single cloud provider, single region |
| 12 | Infrastructure | Geographic distribution | Nodes across ≥ 2 geographic regions | All infrastructure is co-located in one data center |
| 13 | Infrastructure | Automated failover | Documented failover procedure; tested recovery time | Manual failover only; no tested DR plan |
| 14 | Infrastructure | Monitoring and alerting | 24/7 monitoring with defined escalation procedures | Business-hours-only monitoring |
| 15 | Infrastructure | Client diversity | Runs multiple consensus/execution clients (where applicable) | Single-client dependency |
| 16 | Slashing Coverage | Insurance partner | Named insurer; policy limits | Vague claims of “insurance” without documentation |
| 17 | Fees | Commission rate | Published rate per network; tiered pricing if applicable | Undisclosed or variable rates without a schedule |
| 18 | Fees | Fee transparency | Full fee schedule and ancillary costs | Hidden fees discovered during contracting |
| 19 | Fees | Net rewards benchmarking | Effective rewards compared to the network benchmark rate (e.g., CESR) | Only gross rewards quoted; no net-of-fee data |
| 20 | Fees | Minimum commitments | Clear minimum stake amounts | Lock-in periods exceeding protocol unbonding windows |
| 21 | Compliance | SOC 2 Type II | Current attestation report available for review | No independent security audit |
| 22 | Compliance | ISO 27001 | Valid certification from an accredited body | Expired or pending certification with no timeline |
| 23 | Reporting | Data dashboard | Per-validator metrics, reward tracking, and operational status | No reports |
| 24 | Reporting | API access | Documented API for portfolio-system integration | No programmatic access to performance data |
| 25 | Reporting | Tax reporting | Details provided upon request or automatically | No reward-distribution records |
| 26 | Reporting | Audit trail | Immutable log of all operational actions and configuration changes | No audit trail for key operational events |
| 27 | SLA & Legal | Service-level agreement | Custom SLA | Provider unwilling to commit to an SLA |
| 28 | SLA & Legal | Incident response | Documented incident-response plan with defined severity levels | No IR plan or post-incident reporting |
| 29 | SLA & Legal | Exit provisions | Clear unstaking and offboarding procedure | Contractual penalties for early termination |
| 30 | Custody Model | Custody classification | Clear designation as custodial, non-custodial, or hybrid | Ambiguous custody model; unclear key-control boundaries |

Frequently Asked Questions

How do I choose a reliable staking provider?

Evaluate providers across five dimensions: uptime track record, security architecture and key management, slashing protection, regulatory compliance (SOC 2, ISO 27001), and SLA commitments. Use on-chain data to verify claims.

What is slashing, and how is it covered?

Slashing is a protocol penalty that confiscates staked tokens for consensus violations, such as double-signing. Coverage options may include provider-funded treasuries, operator commitments, and third-party insurance from firms such as Nexus Mutual or Chainproof.

What certifications should a staking provider have?

At a minimum, SOC 2 Type II attestation. ISO 27001 is a strong signal. 

What fees do staking providers charge?

Most charge 5 to 15% commission on gross staking rewards. Some offer tiered or flat-fee models. Always calculate net rewards after commissions, then compare them against the network benchmark rate.

What is the difference between custodial and non-custodial staking?

In custodial staking, the provider holds your private keys and withdrawal credentials. In non-custodial staking, you retain full key control while the provider operates only the validator infrastructure.

How do I check a validator’s uptime history?

Use public block explorers (e.g., beaconcha.in for Ethereum) to verify attestation effectiveness and missed proposals. Request per-network uptime data directly from the provider and cross-reference against on-chain records.

Are staking rewards insured?

Not universally. Some providers integrate slashing insurance. Policies vary in scope: some cover individual incidents, others stipulate minimum annual rewards. Review terms carefully.

What is SOC 2 compliance in staking?

SOC 2 Type II is an independent audit confirming that a provider maintains effective controls for security, availability, and data integrity over a sustained period. It is the baseline institutional standard for third-party service providers.

Final Considerations

Institutional staking due diligence is a structured process for assessing whether a provider can sustain secure, performant operations across market cycles and network upgrades.

The staking provider checklist above gives treasury teams, risk officers, and asset managers a repeatable framework for evaluating any staking provider against the criteria that institutional allocators care about: verifiable performance, defensible security, contractual accountability, and regulatory readiness.

The best decisions result from combining technical analysis, documentation review, and direct conversation about limits, assumptions, and responsibilities. 

Disclaimer:

This guide is provided for informational purposes only and does not constitute legal, financial, tax, or investment advice. The information contained herein reflects the state of applicable regulations and market practices as of the date of publication and is subject to change without notice. Readers should not rely on this material as a substitute for independent professional advice tailored to their specific circumstances.

The regulatory analysis in this guide is provided as general background only. Compliance obligations vary by jurisdiction, entity type, and individual facts. Institutions should consult qualified legal and compliance counsel before making any decisions relating to staking arrangements, custody models, or regulatory status.

The information provided is not intended for recipients residing in the United Kingdom.


Everstake

Content Manager

Everstake is the leading non-custodial staking provider, delivering audited, globally distributed infrastructure aligned with SOC 2 Type II, ISO 27001, and NIST CSF 2.0 for institutional and retail clients.
