Metalayer validators secure messages passed between chains within the Metalayer. A quorum of validators must verify that a message was actually sent prior to being delivered. Validating is a permissioned operation, and the Metalayer mantains a validator set to secure the entire network.

What is a Metalayer Validator?

Metalayer is a cross‑chain message‑passing protocol that wraps Hyperlane-authored but Metalayer-deployed contracts and runs its own off‑chain agent network. This means that validators may run the same executable as a Hyperlane network validator, with a different config. Validators sign the latest Mailbox dispatched messages each origin chain and publish those signatures so Metalayer relayers can aggregate and forward messages.

How Metalayer Differs from Hyperlane

TopicHyperlaneMetalayer
Contract addressesPublic hyperlane‑registry repoConfig bundle supplied by Caldera – do not copy Hyperlane values
Agents networkGlobal Hyperlane meshIsolated Metalayer mesh
CLI, flags, binaryhyperlane-agentSame binary (Abacus Works image)
Staking / PoSHyperlane POS contractsN/A – no on‑chain staking for Metalayer

Operational commands and flags are otherwise identical.

Requirements

RequirementNotes
Secure signing keyAWS KMS, Vault HSM, or raw hex. Same CLI flags as Hyperlane (--validator.*).
Available gas balanceThe signer must hold enough native token to broadcast the on‑chain announce tx. The same signer MAY be reused across multiple chains.
Public storage (checkpoint syncer)S3 bucket (prod).
Machine2 vCPU / 2 GB RAM / 4 GB disk is sufficient.
RPC endpointsProvide ≥ 2 per chain. Private RPCs ensure validator security.
Max 1 chain per validator instanceEach validator instance only supports 1 chain at most. For redundancy, operators may choose to run multiple validator instances (e.g., across different availability zones) pointing to the same S3 bucket.

Quick‑Start

# 1  Get our chain config bundle (replace link when public)
wget https://docs.metalayer.xyz/configs/<version>/ethereum.yaml -O ethereum.yaml

# 2  Pull the Abacus Works agent image
docker pull --platform linux/amd64 gcr.io/abacus-labs-dev/hyperlane-agent:agents-v1.4.0

# 3  Run the validator (example for Ethereum mainnet)
docker run -it --rm \
  -v $(pwd)/ethereum.yaml:/config/validator.yaml:ro \
  -v $(pwd)/data:/metalayer_db \
  -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
  -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
  gcr.io/abacus-labs-dev/hyperlane-agent:agents-v1.4.0 \
  validator --config /config/validator.yaml

If everything is wired correctly you’ll see signed‑root logs and JSON blobs appearing in your S3 bucket or local folder.

Step‑by‑Step Setup

Coordinate With Caldera (allow‑list)

Provide Caldera with:

  • Intended origin chain(s)
  • Signer address(es) – one per validator instance.

Create / Secure Signing Keys

Choose one of:

  • AWS KMS (recommended)

    aws kms create-key --key-usage SIGN_VERIFY --customer-master-key-spec ECC_SECG_P256K1
aws kms create-alias --alias-name alias/metalayer-validator-ethereum --target-key-id <keyId>

  • Raw hex key – fine for testnet

Prepare Checkpoint Storage

  • S3 (prod) – bucket metalayer-validator-sigs-<YOU>
  • Local (test) – any directory; flag -checkpointSyncer.type localStorage

Fetch the Binary

Use the Abacus Works image or build from source.

Docker

docker pull gcr.io/abacus-labs-dev/hyperlane-agent:agents-v1.4.0

Source

$ git clone https://github.com/hyperlane-xyz/hyperlane-monorepo.git
$ cd hyperlane-monorepo/rust
$ cargo build --release -p validator

Write Your Config

A minimal validator.json (replace placeholders; defaults noted):

{
  "db": "/metalayer_db",
  "validator": {
    "type": "aws",
    "region": "us-east-1",
    "id": "alias/metalayer-validator-ethereum"
  },
  "checkpointSyncer": {
    "type": "s3",
    "bucket": "metalayer-validator-sigs-you",
    "region": "us-east-1",
    "folder": "ethereum"
  },
  "originChainName": "ethereum",
  "chains": {
    "ethereum": {
      "domainId": 1,
      "name": "ethereum",
      "chainId": 1,
      "protocol": "ethereum",
      "rpcUrls": [
        {
          "http": "https://eth-mainnet.g.alchemy.com/v2/demo"
        },
        {
          "http": "https://rpc.ankr.com/eth"
        }
      ],
      "nativeToken": {
        "name": "Ether",
        "symbol": "ETH",
        "decimals": 18
      },
      "blocks": {
        "reorgPeriod": "0"
      },
      "index": {
        "from": 0
      },
      "mailbox": "0x0000000000000000000000000000000000000000",
      "validatorAnnounce": "0x0000000000000000000000000000000000000000",
      "merkleTreeHook": "0x0000000000000000000000000000000000000000",
      "interchainGasPaymaster": "0x0000000000000000000000000000000000000000",
      "signer": {
        "type": "aws",
        "region": "<your region>",
        "id": "<your key>"
      }
    }
  }
}

Start & Verify Announcement

Run the Docker command from Quick‑Start. The agent will automatically broadcast announce(); fund the signer with a small amount of native token first.

Deployment Recipes

docker‑compose

version: "3.9"
services:
  validator:
    image: gcr.io/abacus-labs-dev/hyperlane-agent:agents-v1.4.0
    platform: linux/amd64
    command: ./validator
    volumes:
      - /config/validator.json:/config/validator.json
      - ./data:/metalayer_db
    environment:
      CONFIG_FILES: /config/validator.json
      AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}
      AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
    restart: unless-stopped

Helm (values snippet – sample only)

validator:
  image:
    repository: gcr.io/abacus-labs-dev/hyperlane-agent
    tag: agents-v1.4.0
  args: ["./validator"]
  env:
    CONFIG_FILES: "/config/validator.json" # needs to be mounted as a volume
    AWS_ACCESS_KEY_ID: ""
    AWS_SECRET_ACCESS_KEY: ""
  persistence:
    size: 5Gi
  resources:
    requests:
      cpu: "200m"     
      memory: "256Mi"
    limits:
      cpu: "500m"
      memory: "512Mi"

Running Multiple Validators

  • Reuse the same signing key or create one per instance – both valid.
  • Each validator needs a unique checkpointSyncer.folder (S3 prefix) and -db path.
  • Expose metrics on unique ports.

Monitoring & Troubleshooting

SymptomLikely CauseFix
not enough gasSigner wallet unfundedTop‑up with native token
No signatures in S3Bad bucket policy / wrong regionCheck IAM & checkpointSyncer section
High db: prune requiredDisk too smallGive ≥ 5 GB or mount volume

Prometheus metrics exposed on :9090/metrics by default. We suggest implementing Hyperlane’s Grafana dashboard.