
How to Choose A Staking Provider: A Complete Evaluation Checklist
Learn how to choose a staking provider for institutions. Complete evaluation checklist: track record, slashing coverage, security, fees, and compliance.
APR 16, 2026
Last updated APR 29, 2026 · V1
How do you choose a staking provider when the decision carries fiduciary weight?
Quick Summary
To choose a staking provider, evaluate the candidate across six categories:
- validator track record (uptime above 99.9%, zero slashing events),
- security infrastructure (MPC or HSM key management, double-sign protection, multi-region redundancy),
- slashing coverage (provider treasury, operator commitments, insurance),
- fees (5 to 15% commission on gross rewards; compare net rewards against the network benchmark),
- regulatory compliance (SOC 2 Type II, ISO 27001),
- and contractual protections (written SLA with uptime and defined incident response).
This guide gives CFOs, treasury leads, and risk officers a 30-point checklist of staking provider criteria covering track record, security architecture, slashing coverage, regulatory compliance, and reporting transparency.
Use it to run a structured staking provider comparison and evaluate any validator before delegating institutional capital.
Everstake is committed to delivering reliable, institution-grade staking infrastructure for institutional clients.
Why Choosing the Right Staking Provider Matters
The Core Risks You Are Delegating
When an institution delegates to a staking provider, it delegates exposure to:
- slashing penalties,
- key-management risk,
- infrastructure downtime,
- and (depending on the custody model) counterparty risk over the assets themselves.
The provider’s operational discipline determines whether staked capital generates staking rewards or silently leaks value through missed attestations and avoidable penalties.
An institutional assessment must distinguish between:
| Term | Meaning |
|---|---|
| Slashing | Penalization for consensus violations, such as double-signing |
| Operational Penalties | Missed attestations due to downtime |
| Inactivity Leaks | Prolonged offline periods during network finality failures |
Conflating these categories leads to incomplete risk models and poor provider selection.
Why Fees Are Not the Primary Criterion
Commission rates are the most visible differentiator between providers, and the least informative.
A provider charging 8% commission with 99.95% uptime, strong slashing protection, and SOC 2 Type II attestation will consistently outperform a provider charging 5% on shared cloud infrastructure with no redundancy.
Focus on net rewards after missed rewards, penalties, and operational failures rather than the headline fee.
Types of Staking Providers
Centralized Exchanges
Exchange-based staking (CEX staking) offers operational simplicity: assets remain within the exchange account, and staking is activated with minimal configuration. The trade-off is full custodial risk.
The exchange holds the private keys and withdrawal credentials. In the event of an exchange insolvency, bankruptcy stay, or regulatory enforcement, staked assets may be inaccessible or treated as part of the exchange’s estate.
Institutions subject to fiduciary obligations should assess whether this model is consistent with their custody requirements.
Non-Custodial Validators
Non-custodial staking providers like Everstake, often called Tier-1 institutional validators, operate validator infrastructure without taking custody of the assets delegated to them.
The institution retains control of its private keys and withdrawal credentials, while the provider manages:
- node operations,
- monitoring,
- and protocol upgrades.
This model reduces counterparty risk and aligns with most institutional custody mandates, though it requires more active engagement with key management and provider oversight.
Liquid Staking Protocols
Liquid staking protocols issue derivative tokens (such as stETH or LsETH) that represent the underlying staked position while remaining tradeable and composable across DeFi.
This model addresses the liquidity constraint of native staking: assets remain productive during the unbonding period, which is abstracted away.
However, liquid staking introduces smart-contract risk, depeg risk on the derivative token, and additional counterparty layers.
Institutions must evaluate whether the liquidity benefit justifies the added complexity.
Track Record and Performance
Uptime History
Validator uptime history directly determines reward generation.
Every missed attestation or block proposal leads to lost rewards.
Institutional-grade providers should demonstrate uptime exceeding 99.9% across all supported networks, verified through on-chain data rather than self-reported metrics.
Ask for historical uptime by network, not a blended average, and request data covering at least 12 months.
Slashing History
Slashing events are rare but consequential. On Ethereum, for example, validators have been slashed fewer than 500 times since the Beacon Chain launched.
Most incidents stem from software bugs or configuration errors, not malicious intent.
Any provider that has experienced a slashing event should be able to explain the root cause, the remediation steps, and the systemic changes implemented.
A provider with zero slashing events on major networks across a multi-year operating history demonstrates strong operational controls.
Total Value Staked
Total value staked might be considered a proxy for institutional trust.
Providers managing large staked positions across multiple Proof-of-Stake networks have economic incentives to maintain operational excellence.
That said, total value staked alone is not a strong signal of quality. It must be evaluated alongside:
- uptime data,
- security certifications,
- and the breadth of supported protocols.
Security and Infrastructure
Key Management (MPC, HSM)
How a provider manages validator signing keys is the single most critical security consideration.
Leading providers use hardware security modules (HSMs) for key storage and multi-party computation (MPC) for key operations, ensuring that no single individual or process can unilaterally sign a transaction.
Evaluate whether the provider can explain its key-management architecture, including key generation, rotation schedules, access controls, and disaster-recovery procedures.
Redundancy and Geographic Distribution
Infrastructure concentrated in a single data center or cloud region is a single point of failure.
Institutional providers should operate across multiple cloud providers or bare-metal environments, distributed across at least two geographic regions.
Ask whether the provider uses multi-cloud architecture (e.g., AWS, GCP, and bare metal), whether failover is automated, and what the expected recovery time is in the event of a regional outage.
Double-Sign Protection
Double-signing (broadcasting two conflicting messages for the same slot) is the most common trigger for slashing on Proof-of-Stake networks.
Mature providers implement remote-signer architectures with built-in safeguards that prevent a validator from signing conflicting blocks, even if failover activates a second node. This is a non-negotiable control.
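The safeguard described above, as an added example that is not from the original article or from any provider's code: a signing-history guard that every node, primary or failover, must consult before a validator key signs. The class, table and key names are assumptions, the sample messages are constructed, and the attestation check goes beyond double-signing to cover surround votes as well.

```python
import sqlite3

class SlashingGuard:
    """Added example: signing history shared by every node that can use a key.

    Primary and failover nodes both ask this guard before a signature is made,
    so a conflicting message is refused no matter which node requests it.
    """

    def __init__(self, path=":memory:"):  # use a durable file path in practice
        self.db = sqlite3.connect(path)
        self.db.executescript("""
            CREATE TABLE IF NOT EXISTS blocks(pubkey TEXT, slot INTEGER, root TEXT,
                PRIMARY KEY(pubkey, slot));
            CREATE TABLE IF NOT EXISTS atts(pubkey TEXT, source INTEGER,
                target INTEGER, root TEXT, PRIMARY KEY(pubkey, target));
        """)

    def check_block(self, pubkey, slot, root):
        """Return 'sign' and record the proposal, or a refusal reason."""
        with self.db:  # commits the new record before the verdict is returned
            row = self.db.execute("SELECT root FROM blocks WHERE pubkey=? AND slot=?",
                                  (pubkey, slot)).fetchone()
            if row:  # slot already signed: only the identical message is safe
                return "sign" if row[0] == root else "refuse: double proposal"
            self.db.execute("INSERT INTO blocks VALUES(?,?,?)", (pubkey, slot, root))
            return "sign"

    def check_attestation(self, pubkey, source, target, root):
        """Return 'sign' and record the vote, or a refusal reason."""
        if source > target:
            return "refuse: invalid epochs"
        with self.db:
            row = self.db.execute("SELECT root FROM atts WHERE pubkey=? AND target=?",
                                  (pubkey, target)).fetchone()
            if row:  # same target epoch: a different message is a double vote
                return "sign" if row[0] == root else "refuse: double vote"
            # A stored vote that encloses the new one, or is enclosed by it.
            surround = self.db.execute(
                "SELECT 1 FROM atts WHERE pubkey=? AND ((source<? AND target>?)"
                " OR (source>? AND target<?))",
                (pubkey, source, target, source, target)).fetchone()
            if surround:
                return "refuse: surround vote"
            self.db.execute("INSERT INTO atts VALUES(?,?,?,?)",
                            (pubkey, source, target, root))
            return "sign"

def failover_scenario():
    """Constructed sample: a failover node proposes a different block for slot 100."""
    guard, key = SlashingGuard(), "0xVALIDATOR_PUBKEY_PLACEHOLDER"
    return [
        guard.check_block(key, 100, "0xaaa"),          # primary node
        guard.check_block(key, 100, "0xbbb"),          # failover node, same slot
        guard.check_attestation(key, 10, 11, "0x01"),
        guard.check_attestation(key, 10, 11, "0x02"),  # same target, new data
        guard.check_attestation(key, 9, 12, "0x03"),   # surrounds the 10->11 vote
    ]
```

When evaluating a provider, the equivalent question is whether this history lives in one durable store that both the primary and the failover path must pass through.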
Slashing Risk and Coverage
What Is Slashing
Slashing is a protocol-level penalty mechanism that confiscates a portion of a validator’s staked tokens for provably malicious or negligent consensus behavior, such as double-signing or surround-voting.
The penalty severity varies by network and by the number of validators slashed simultaneously (correlated slashing).
On Ethereum, a single validator slashing event incurs a minimum penalty of 1/4096 of the validator’s stake, plus additional penalties proportional to the number of other validators slashed in the same period.
Slashing Coverage Programs
Several providers and protocols now offer structured slashing coverage. These programs typically combine:
- an internal coverage treasury (funded by a percentage of staking rewards),
- node-operator commitments (operators liable for penalties caused by their infrastructure),
- and third-party insurance.
Insurance Partners
Dedicated staking insurance is an emerging but growing category. Nexus Mutual provides decentralized coverage that pays out on individual slashing incidents up to a predetermined amount.
Chainproof, in partnership with IMA Financial Group, offers a product that is said to provide a minimum yearly rewards rate benchmarked against the Composite Ether Staking Rate (CESR): if staking rewards fall below 95–98% of CESR due to slashing or penalties, the policy is supposed to reimburse the difference.
Institutions should ask whether a provider offers or integrates with any slashing coverage and review the specific terms, limits, and claims process.
Fees and Commission Structure
Staking providers typically charge a commission of 5% to 15% on gross staking rewards, depending on the network, service tier, and volume.
Some providers offer tiered pricing based on staked volume, or flat monthly fees for dedicated infrastructure. When evaluating fees, calculate the effective net rewards after all commissions and compare them against the network’s benchmark rate.
Beware of hidden costs:
- onboarding fees,
- exit fees,
- minimum commitment periods,
- and charges for reporting or API access.
A transparent provider does not impose penalties for unstaking within standard protocol unbonding periods.
Regulatory and Compliance Standards
SOC 2 Type II and ISO 27001
SOC 2 Type II attestation verifies that a provider’s internal controls over security, availability, processing integrity, confidentiality, and privacy have been independently audited over a sustained observation period (typically 6 to 12 months). ISO 27001 certification demonstrates a formal information-security management system.
These certifications are not guarantees of performance, but they confirm that an independent auditor has validated the provider’s operational and security controls. Request the most recent audit report.
Reporting and Transparency
Real-Time Dashboards
Institutional clients need real-time visibility into validator performance, reward accruals, and operational status, rather than monthly PDF reports delivered after the fact.
Evaluate whether the provider offers a real-time dashboard with per-validator metrics (uptime, rewards, penalties), API access for integration with internal systems, and configurable alerting for operational events.
Audit Trail and Tax Reporting
The receipt of staking rewards is a taxable event in most jurisdictions.
Providers should supply exportable records of all reward distributions, including timestamps, amounts, and token values at the time of receipt (if possible).
These records may be sufficient for tax-lot accounting and audit-trail purposes.
Ask whether the provider integrates with institutional accounting platforms or supports custom reporting formats.
Service-Level Agreements
A formal service-level agreement (SLA) converts a provider’s marketing claims into contractual obligations, with the uptime percentage (99.9% or higher) as the key factor.
If a provider is unwilling to commit to an SLA, treat that as a meaningful signal about the maturity of its operations.
Red Flags: What to Avoid When Choosing a Provider
Watch for these warning signs during evaluation:
- Opaque key management. If a provider cannot explain how validator signing keys are generated, stored, and protected, the risk profile is unknown.
- No slashing history disclosure. Refusal to share on-chain slashing data suggests either a lack of transparency or a record that the provider does not want scrutinized.
- Single-cloud, single-region infrastructure. Geographic and provider concentration create systemic risk that other controls cannot offset.
- Self-reported uptime without on-chain verification. Uptime claims should be verifiable against public block-explorer data, not taken on faith.
- No SOC 2 or equivalent certification. For institutional allocations, the absence of independent security audits is a disqualifying gap.
- Lock-in clauses beyond protocol unbonding periods. Contractual exit penalties that exceed the native unbonding period suggest misaligned incentives.
- Reluctance to sign an SLA. A commitment to measurable service standards demonstrates operational maturity.
The 30-Point Provider Evaluation Checklist
| # | Category | Criterion | What to Verify | Red Flag |
|---|---|---|---|---|
| 1 | Track Record | Uptime history | On-chain attestation data ≥ 12 months; per-network breakdown | Self-reported uptime only; no on-chain proof |
| 2 | Track Record | Slashing history | Zero slashing events or documented root-cause analysis | Refusal to disclose or explain past incidents |
| 3 | Track Record | Years of operation | Continuous operation through at least one bear-market cycle | Less than 12 months of operating history |
| 4 | Track Record | TVL | Total value staked across networks; number of institutional clients | Total value staked not disclosed or unverifiable |
| 5 | Track Record | Protocol breadth | Number of supported PoS networks and active validator sets | Single-network operator with no diversification |
| 6 | Security | Key management model | MPC or HSM-based signing; documented key lifecycle | Keys stored in software wallets; single-person access |
| 7 | Security | Key rotation policy | Defined rotation schedule; audit trail for key changes | No rotation policy or ad-hoc manual process |
| 8 | Security | Double-sign protection | Remote-signer architecture with anti-slashing safeguards | No dedicated slashing-prevention mechanism |
| 9 | Security | Withdrawal credential control | Client retains withdrawal keys (non-custodial models) | Provider controls both signing and withdrawal keys |
| 10 | Security | Penetration testing | Regular pen test with remediated findings | No external security testing conducted |
| 11 | Infrastructure | Cloud/bare-metal architecture | Multi-cloud or dedicated hardware; documented topology | Single cloud provider, single region |
| 12 | Infrastructure | Geographic distribution | Nodes across ≥ 2 geographic regions | All infrastructure is co-located in one data center |
| 13 | Infrastructure | Automated failover | Documented failover procedure; tested recovery time | Manual failover only; no tested DR plan |
| 14 | Infrastructure | Monitoring and alerting | 24/7 monitoring with defined escalation procedures | Business-hours-only monitoring |
| 15 | Infrastructure | Client diversity | Runs multiple consensus/execution clients (where applicable) | Single-client dependency |
| 16 | Slashing Coverage | Insurance partner | Named insurer; policy limits | Vague claims of “insurance” without documentation |
| 17 | Fees | Commission rate | Published rate per network; tiered pricing if applicable | Undisclosed or variable rates without a schedule |
| 18 | Fees | Fee transparency | Full fee schedule and ancillary costs | Hidden fees discovered during contracting |
| 19 | Fees | Net rewards benchmarking | Effective rewards compared to the network benchmark rate (e.g., CESR) | Only gross rewards quoted; no net-of-fee data |
| 20 | Fees | Minimum commitments | Clear minimum stake amounts | Lock-in periods exceeding protocol unbonding windows |
| 21 | Compliance | SOC 2 Type II | Current attestation report available for review | No independent security audit |
| 22 | Compliance | ISO 27001 | Valid certification from an accredited body | Expired or pending certification with no timeline |
| 23 | Reporting | Data dashboard | Per-validator metrics, reward tracking, and operational status | No reports |
| 24 | Reporting | API access | Documented API for portfolio-system integration | No programmatic access to performance data |
| 25 | Reporting | Tax reporting | Details provided upon request or automatically | No reward-distribution records |
| 26 | Reporting | Audit trail | Immutable log of all operational actions and configuration changes | No audit trail for key operational events |
| 27 | SLA & Legal | Service-level agreement | Custom SLA | Provider unwilling to commit to an SLA |
| 28 | SLA & Legal | Incident response | Documented incident-response plan with defined severity levels | No IR plan or post-incident reporting |
| 29 | SLA & Legal | Exit provisions | Clear unstaking and offboarding procedure | Contractual penalties for early termination |
| 30 | Custody Model | Custody classification | Clear designation as custodial, non-custodial, or hybrid | Ambiguous custody model; unclear key-control boundaries |
Frequently Asked Questions
How do I choose a reliable staking provider?
Evaluate providers across five dimensions: uptime track record, security architecture and key management, slashing protection, regulatory compliance (SOC 2, ISO 27001), and SLA commitments. Use on-chain data to verify claims.
What is slashing, and how is it covered?
Slashing is a protocol penalty that confiscates staked tokens for consensus violations, such as double-signing. Coverage options may include provider-funded treasuries, operator commitments, and third-party insurance from firms such as Nexus Mutual or Chainproof.
What certifications should a staking provider have?
At a minimum, SOC 2 Type II attestation. ISO 27001 is a strong signal.
What fees do staking providers charge?
Most charge 5 to 15% commission on gross staking rewards. Some offer tiered or flat-fee models. Always calculate net rewards after commissions, then compare them against the network benchmark rate.
What is the difference between custodial and non-custodial staking?
In custodial staking, the provider holds your private keys and withdrawal credentials. In non-custodial staking, you retain full key control while the provider operates only the validator infrastructure.
How do I check a validator’s uptime history?
Use public block explorers (e.g., beaconcha.in for Ethereum) to verify attestation effectiveness and missed proposals. Request per-network uptime data directly from the provider and cross-reference against on-chain records.
Are staking rewards insured?
Not universally. Some providers integrate slashing insurance. Policies vary in scope: some cover individual incidents, others stipulate minimum annual rewards. Review terms carefully.
What is SOC 2 compliance in staking?
SOC 2 Type II is an independent audit confirming that a provider maintains effective controls for security, availability, and data integrity over a sustained period. It is the baseline institutional standard for third-party service providers.
Final Considerations
Institutional staking due diligence is a structured process for assessing whether a provider can sustain secure, performant operations across market cycles and network upgrades.
The staking provider checklist above gives treasury teams, risk officers, and asset managers a repeatable framework for evaluating any staking provider against the criteria that institutional allocators care about: verifiable performance, defensible security, contractual accountability, and regulatory readiness.
The best decisions result from combining technical analysis, documentation review, and direct conversation about limits, assumptions, and responsibilities.
Disclaimer:
This guide is provided for informational purposes only and does not constitute legal, financial, tax, or investment advice. The information contained herein reflects the state of applicable regulations and market practices as of the date of publication and is subject to change without notice. Readers should not rely on this material as a substitute for independent professional advice tailored to their specific circumstances.
The regulatory analysis in this guide is provided as general background only. Compliance obligations vary by jurisdiction, entity type, and individual facts. Institutions should consult qualified legal and compliance counsel before making any decisions relating to staking arrangements, custody models, or regulatory status.
The information provided is not intended for recipients residing in the United Kingdom.