How to Secure a Sui Validator by Delegating its Capabilities
2 min readJan 23, 2024
A key handed from above (by ChatGPT)

Running a Sui validator securely is no easy task. Luckily, there are methods to increase your security posture, one of which is explained below.

A Sui validator is identified by an address. The keypair for this address is called account.key and must be kept cold as it controls all assets used for staking, including rewards.

The responsiblity of signing the validator’s consensus operations is delegated to a set of keys namedprotocol.key , network.key and worker.key.

This would allow for account.key to be kept in cold storage, most of the times. However, there are other kind of operations that a Sui validator operator might want to perform on the network: updating the Reference Gas Price, or reporting faulty validators.

In Sui, validators determine the gas price based on external factors. Updating it regularly is a validator’s duty. Operation Capabilities to the rescue!

Operation Capability

Sui uses an Object Model, which means that every on-chain action involves manipulating an object.

This is also true for the capability to delegate validator operations: whoever holds the unverifiedValidatorOperationCap object may submit such operations.

By default, the object belongs to the validator. But you can send it to any other address. This address can be kept in hot storage, so you can automatically perform Gas Price updates.

Generate a new address:

sui keytool generate ed25519
sui keytool import "<mnemonic>" ed25519
# add some gas coin to pay gas later
sui client transfer-sui --amount 1 --to 0x<new address> \
--sui-coin-object-id 0x<obj id from 'sui client objects'> \
--gas-budget 2000000

Find out the object’s address and transfer it. With the validator address active, run the following:

sui client objects | grep validator_cap
# grab the address starting with 0x then
sui client transfer --object-id 0x<validator cap object 40 byte hex> --to 0x<validator cap address> --gas-budget 1000000

At this point, the validator address can no longer update the gas price:

sui validator update-gas-price 1739
OperationCap 0x<validator cap object> is not owned by the sender address
0x<validator address> but AddressOwner(0x<validator cap address>)

However, the owner of the object is able to do it. Here, it updates the gas price to 1739:

sui client switch --address 0x<the address owning the object>
sui client call --package 0x3 --module sui_system \
--function request_set_gas_price --args 0x5 \
0x<validator cap object id> 1739 --gas-budget 10000000


Shall the Operation Cap object be misplaced or compromised, it is possible to rotate to new one with the validator key:

sui client call --package 0x3 --module sui_system \
--function rotate_operation_cap --args 0x5 --gas-budget 10000000

For more info about the Operation Cap, please consult the Sui Documentation.

We are We help you validate on various blockchain networks, including Sui. Contact us at