Consensus Layer Setup

The consensus layer implements the proof-of-stake protocol, managing validators, attestations, and finality. Inception uses Prysm as the consensus client.

Prerequisites

Before starting, ensure you have:

Installing Prysm

# Create directory for Prysm
mkdir -p ~/prysm
cd ~/prysm

# Download Prysm.sh
curl https://raw.githubusercontent.com/prysmaticlabs/prysm/master/prysm.sh --output prysm.sh

# Make executable
chmod +x prysm.sh

Build from Source (Advanced)

# Install Bazel
sudo apt install apt-transport-https curl gnupg
curl -fsSL https://bazel.build/bazel-release.pub.gpg | gpg --dearmor > bazel.gpg
sudo mv bazel.gpg /etc/apt/trusted.gpg.d/
echo "deb [arch=amd64] https://storage.googleapis.com/bazel-apt stable jdk1.8" | sudo tee /etc/apt/sources.list.d/bazel.list
sudo apt update && sudo apt install bazel

# Clone Prysm
git clone https://github.com/prysmaticlabs/prysm
cd prysm

# Build beacon chain
bazel build //cmd/beacon-chain:beacon-chain

# Build validator
bazel build //cmd/validator:validator

Running the Beacon Node

The beacon node is the consensus layer client that connects to other beacon nodes and manages the consensus protocol.

Command Line

./prysm.sh beacon-chain \
--datadir ~/prysm-data/beacon \
--execution-endpoint http://127.0.0.1:8551 \
--jwt-secret ~/inception-data/jwt.hex \
--genesis-state ~/inception-data/genesis.ssz \
--chain-config-file ~/inception-data/config.yaml \
--accept-terms-of-use \
--checkpoint-sync-url https://checkpoint.inceptionera.com \
--genesis-beacon-api-url https://checkpoint.inceptionera.com

Flag explanations:

  • --datadir: Directory for beacon chain data
  • --execution-endpoint: Geth's Engine API endpoint (must match Geth's authrpc port)
  • --jwt-secret: Path to JWT secret (same file as Geth)
  • --genesis-state: Initial beacon chain state file
  • --chain-config-file: Inception network configuration
  • --checkpoint-sync-url: Checkpoint sync endpoint for faster sync
  • --genesis-beacon-api-url: Genesis state provider

Checkpoint Sync

Using checkpoint sync allows you to sync from a recent finalized checkpoint instead of from genesis, significantly reducing sync time. This is safe and recommended.

Required Configuration Files

You'll need these files from the Inception network:

  1. genesis.ssz: Initial beacon chain state
  2. config.yaml: Network configuration parameters

Download these from the Transparency & Addresses page:

# Download genesis state
wget -O ~/inception-data/genesis.ssz https://inceptionera.com/genesis.ssz

# Download config
wget -O ~/inception-data/config.yaml https://inceptionera.com/config.yaml

Checkpoint Sync Recommended

Using checkpoint sync (via --checkpoint-sync-url) allows you to sync from a recent finalized checkpoint instead of from genesis, significantly reducing sync time. See the Transparency & Addresses page for checkpoint URLs.

Systemd Service (Beacon Node)

Create a systemd service for the beacon node:

sudo nano /etc/systemd/system/prysm-beacon.service

Add this content:

[Unit]
Description=Inception Prysm Beacon Node
After=network.target geth-inception.service
Wants=network.target

[Service]
Type=simple
User=inception
Group=inception
Restart=always
RestartSec=5
ExecStart=/home/inception/prysm/prysm.sh beacon-chain \
--datadir /home/inception/prysm-data/beacon \
--execution-endpoint http://127.0.0.1:8551 \
--jwt-secret /home/inception/inception-data/jwt.hex \
--genesis-state /home/inception/inception-data/genesis.ssz \
--chain-config-file /home/inception/inception-data/config.yaml \
--accept-terms-of-use \
--checkpoint-sync-url https://checkpoint.inceptionera.com \
--genesis-beacon-api-url https://checkpoint.inceptionera.com

[Install]
WantedBy=multi-user.target

Enable and start:

sudo systemctl daemon-reload
sudo systemctl enable prysm-beacon
sudo systemctl start prysm-beacon
sudo systemctl status prysm-beacon

Running the Validator Client

The validator client runs separately from the beacon node and handles your validator duties.

Don't Run Yet

Don't start your validator client until you've generated validator keys and made your deposit! See Keys and Deposit first.

Command Line

./prysm.sh validator \
--datadir ~/prysm-data/validator \
--wallet-dir ~/prysm-data/wallet \
--wallet-password-file ~/prysm-data/wallet-password.txt \
--beacon-rpc-provider 127.0.0.1:4000 \
--accept-terms-of-use \
--suggested-fee-recipient YOUR_INCEPTION_ADDRESS

Flag explanations:

  • --datadir: Validator data directory
  • --wallet-dir: Directory containing validator keys
  • --wallet-password-file: File containing wallet password
  • --beacon-rpc-provider: Beacon node RPC endpoint
  • --suggested-fee-recipient: Your address to receive transaction fees and MEV

Fee Recipient

Set this to an Inception address you control. This is where you'll receive transaction fees from blocks you propose.

Systemd Service (Validator)

Create a systemd service for the validator:

sudo nano /etc/systemd/system/prysm-validator.service

Add this content:

[Unit]
Description=Inception Prysm Validator Client
After=network.target prysm-beacon.service
Wants=network.target

[Service]
Type=simple
User=inception
Group=inception
Restart=always
RestartSec=5
ExecStart=/home/inception/prysm/prysm.sh validator \
--datadir /home/inception/prysm-data/validator \
--wallet-dir /home/inception/prysm-data/wallet \
--wallet-password-file /home/inception/prysm-data/wallet-password.txt \
--beacon-rpc-provider 127.0.0.1:4000 \
--accept-terms-of-use \
--suggested-fee-recipient YOUR_INCEPTION_ADDRESS

[Install]
WantedBy=multi-user.target

Enable and start (after making deposit):

sudo systemctl daemon-reload
sudo systemctl enable prysm-validator
sudo systemctl start prysm-validator
sudo systemctl status prysm-validator

Firewall Configuration

Open required ports for the beacon node:

# Allow consensus layer P2P
sudo ufw allow 13000/tcp
sudo ufw allow 12000/udp

# Beacon API (optional, only if needed)
# sudo ufw allow 3500/tcp

# Enable firewall
sudo ufw enable

Beacon API

Only expose the Beacon API (port 3500) if you need external access. For most validators, keep it on localhost only.

Monitoring Prysm

Check Beacon Node Logs

# View beacon node logs
sudo journalctl -u prysm-beacon -f

# Check for sync status
sudo journalctl -u prysm-beacon | grep "Synced"

Check Validator Logs

# View validator logs
sudo journalctl -u prysm-validator -f

# Look for attestations and proposals
sudo journalctl -u prysm-validator | grep "Submitted"

Verify Sync Status

# Check beacon node is synced
curl -s http://localhost:3500/eth/v1/node/syncing | jq

# Should return: {"data":{"is_syncing":false,...}}

Check Validator Status

# List your validators
./prysm.sh validator accounts list --wallet-dir ~/prysm-data/wallet

# Check validator performance
curl -s http://localhost:3500/eth/v1/beacon/states/head/validators | jq

Important Concepts

Attestations

Validators attest to the state of the chain every epoch (32 slots, ~6.4 minutes). Missing attestations results in small penalties.

Block Proposals

Validators are occasionally selected to propose blocks. Successful proposals earn extra rewards.

Sync Committees

Every ~27 hours, validators may be selected for the sync committee, earning additional rewards.

Troubleshooting

Beacon Node Won't Sync

Check these issues:

  • Geth connection: Ensure Geth is running and synced
  • JWT secret: Verify both clients use the same jwt.hex file
  • Peers: Check peer count in logs
  • Genesis files: Ensure genesis.ssz and config.yaml are correct
  • Time sync: Verify system time is accurate (use NTP)

"Could not connect to execution endpoint"

  • Verify Geth is running: sudo systemctl status geth-inception
  • Check Engine API is listening: sudo netstat -tulpn | grep 8551
  • Verify JWT secret path is correct in both services
  • Check file permissions on jwt.hex
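
The jwt.hex checks above can be scripted. This is an added example, not part of the original guide or of Geth/Prysm: check_jwt_secret is a hypothetical helper that confirms the file holds the 32-byte hex secret the Engine API expects and that only its owner can read it. It assumes both clients run under the same account, so owner-only permissions are sufficient, and it uses GNU stat.

```shell
#!/usr/bin/env bash
# Added example: sanity-check the shared Engine API secret.
# check_jwt_secret is a hypothetical helper, not part of Geth or Prysm.

# Prints "ok" and returns 0 when FILE holds exactly 32 bytes of hex (optional
# 0x prefix) and no group/other permission bits are set; otherwise prints the
# reason and returns 1. Assumption: both clients run as the same user.
check_jwt_secret() {
  local file=$1 secret mode
  [ -r "$file" ] || { echo "cannot read $file"; return 1; }
  secret=$(tr -d ' \t\r\n' < "$file")   # ignore trailing newline/whitespace
  secret=${secret#0x}                   # optional 0x prefix
  case $secret in
    *[!0-9a-fA-F]*) echo "secret contains non-hex characters"; return 1 ;;
  esac
  [ "${#secret}" -eq 64 ] || { echo "expected 64 hex characters, found ${#secret}"; return 1; }
  mode=$(stat -c '%a' "$file")          # GNU stat: octal mode, e.g. 600
  case $mode in
    *00) ;;                             # owner-only access
    *) echo "mode $mode exposes the secret to group or other"; return 1 ;;
  esac
  echo ok
}

# Demo on a constructed secret in a temporary file (not a real key).
demo=$(mktemp)
printf '0x%s\n' 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef > "$demo"
chmod 600 "$demo"; check_jwt_secret "$demo"
chmod 644 "$demo"; check_jwt_secret "$demo" || true
rm -f "$demo"
```

On a node, run it against the path passed to --jwt-secret, for example check_jwt_secret /home/inception/inception-data/jwt.hex.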

Validator Not Attesting

  • Beacon node sync: Ensure beacon node is fully synced
  • Keys imported: Verify validator keys are properly imported
  • Deposit made: Confirm your 32 INCP deposit is recognized
  • Activation queue: You may be waiting in the activation queue

High Memory Usage

Prysm can use significant memory:

  • Ensure you have at least 16 GB RAM (32 GB recommended)
  • Monitor with htop or free -h
  • Consider increasing swap if needed

Security Best Practices

Critical Security

Never expose the Engine API (port 8551), HTTP RPC (8545), or WS RPC (8546) to the public internet. Bind them to 127.0.0.1 and use a shared jwt.hex file for EL↔CL authentication.
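
One way to audit the binding rule above is to scan the host's TCP listeners for these ports. This is an added example, not part of the original guide: find_exposed_listeners and the sample input are constructed, and the Beacon API port 3500 is included so that any non-local binding of it is surfaced for review.

```shell
#!/usr/bin/env bash
# Added example: flag listeners on this page's sensitive ports that are bound
# to anything other than loopback. Function name and sample are constructed.

# Engine API, HTTP RPC, WS RPC (never public) and Beacon API (localhost for
# most validators), as listed on this page.
SENSITIVE_PORTS="8551 8545 8546 3500"

# Reads `ss -H -tln` output on stdin; prints "port local-address" for every
# sensitive port whose listener is not on 127.0.0.0/8 or [::1].
find_exposed_listeners() {
  awk -v ports="$SENSITIVE_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
      addr = $4                                  # Local Address:Port column
      port = addr; sub(/.*:/, "", port)          # text after the last colon
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (!(port in want)) next
      if (host ~ /^127\./ || host == "[::1]") next
      print port, addr
    }'
}

# Constructed sample in the column layout of `ss -H -tln`.
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:8551 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8545 0.0.0.0:*
LISTEN 0 4096 [::1]:8546 [::]:*
LISTEN 0 4096 *:3500 *:*
LISTEN 0 4096 *:13000 *:*'

printf '%s\n' "$SAMPLE_SS" | find_exposed_listeners
# On a live node: ss -H -tln | find_exposed_listeners
```

Empty output means every listed port is bound to loopback only; the P2P port 13000 is deliberately not checked because it must be reachable by peers.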

Additional security requirements:

  • Never run the same validator keys on multiple machines - this will get you slashed
  • Keep your validator keys secure and backed up
  • Use strong passwords for wallet encryption
  • Restrict SSH access and use key-based authentication
  • Keep software updated
  • Monitor logs for suspicious activity

Next Steps

With both execution and consensus layers running:

  1. Generate Validator Keys: Create keys and make your 32 INCP deposit
  2. Monitor Performance: Watch logs and track your validator's performance
  3. Stay Updated: Keep Geth and Prysm updated with the latest releases

Additional Resources