In-depth analysis of governance, capital, and protocol risks of LSD.
Original Title: On the Risks of LSD
Original Author: sacha
Original Source: hackdm.io
Translation: Lynn
A point-by-point response to an article written by Danny Ryan. Originally published on notes.ethereum.org on May 30, 2022, and later copied to GitHub.
Thanks to Hasu, Jon, Barnabé, Sam, Victor, Vasiliy, and Izzy for reading the draft of this article.
Introduction
The opposite of a fact is falsehood, but the opposite of a profound truth may well be another profound truth.
– Niels Bohr
Overall, I think Danny’s stance is great. But I also believe that his approach carries equally important risks that have not been adequately discussed in public forums.
I don’t think Danny is wrong per se, but I do think there is another side that hasn’t been conveyed clearly enough. That is the goal of this document.
Introduction to Dual Governance
Dual governance is an important step in reducing governance risks in the Lido protocol. It represents a transition from shareholder capitalism to stakeholder capitalism. It also provides Ethereum stakers with a practical way to have a say in the changes to the Lido protocol.
The main goal is to prevent LDO holders from changing the social contract between the protocol and stETH holders without their consent. Currently, LDO holders have significant power over the protocol, which could lead to significant changes in this social contract. These include:
- Upgrading the Ethereum liquid staking protocol code.
- Managing the list of Ethereum consensus layer oracle committee members.
- Changing the distribution of rights between node operators in potentially harmful or unexpected ways (e.g., adding or removing whitelisted Ethereum node operators).
- Changing the governance structure in unforeseen or potentially harmful ways (e.g., minting or burning LDO, changing parameters of the voting system).
- Changing the total fee percentage for the Ethereum liquid staking protocol beyond agreed-upon boundaries (and defining those boundaries).
- Deciding how to use the treasury.
Except for treasury spending, all of these powers directly impact stakeholders. Dual governance essentially allows stETH holders to veto any of the changes to the Lido protocol listed above, without introducing new attack vectors or burdening stETH holders with excessive political responsibility.
Governance of Node Operators
Danny writes:
“Deciding ‘who’ becomes an NO depends on two questions – who gets added to the set and who gets removed from it. In the long run, this can be designed in one of two ways – either through governance (coin voting or similar mechanisms) or through automated mechanisms based around reputation and profitability.”
In the former case, governance determines whether governance tokens (such as LDO) become the main risk of Ethereum. If tokens can determine who can be the node operator in this theoretical majority LSD, then token holders can enforce scrutiny, multi-block MEV, and other cartel activities, otherwise NO will be removed from the collective.
……
Governance decisions also have another obvious risk, which is regulatory scrutiny and control. If the collective ownership under an LSD protocol exceeds 50%, the collective ownership will have the ability to review blocks (worse still, due to the ability to eventually determine such blocks, it is 2/3). In regulatory scrutiny attacks, we now have a unique entity (governance token holders) to which regulatory agencies can make review requests. Depending on the distribution of tokens, this may be a much simpler regulatory target than the entire Ethereum network. In fact, the distribution of DAO tokens is usually very poor, and only a few entities determine the majority of votes.
Dual governance helps address the above issues. Specifically, if LDO holders try to unfairly remove node operators from the collective, the process works as follows:
- A small fraction of stETH holders (such as 5% of the total) can extend the governance vote for a long enough time for more stETH holders (such as 15%) to veto this bad decision.
- If the veto is passed, all subsequent Lido DAO proposals will be automatically vetoed (vetoed state) – to avoid further burdening stETH holders with voting.
- Importantly, governance can only return to normal if both LDO governance and participating stETH holders agree to resolve the conflict.
In summary, by giving stETH holders the power to veto changes in node operators in the collective, LDO holders cannot unilaterally enforce scrutiny, multi-block MEV, and other cartel activities, as LDO holders cannot remove dissenting node operators on their own.
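The escalation steps listed above can be modeled as a small state machine. This is an added example, not Lido's contract code and not part of the original article; the 5% and 15% thresholds are the article's illustrative figures, while the class name, method names and delay lengths are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    NORMAL = "normal"      # LDO-approved proposals execute after the base delay
    EXTENDED = "extended"  # objectors have prolonged the delay
    VETOED = "vetoed"      # every proposal is blocked until both sides resolve

EXTEND_BPS = 500          # "such as 5%" of stETH, in basis points
VETO_BPS = 1500           # "such as 15%" of stETH, in basis points
BASE_DELAY_DAYS = 3       # assumed value, not from the article
EXTENDED_DELAY_DAYS = 30  # assumed value, not from the article

@dataclass
class DualGovernance:
    total_steth: int
    objecting_steth: int = 0
    state: State = State.NORMAL

    def object(self, amount: int) -> State:
        """stETH holders signal opposition; crossing a threshold escalates."""
        if amount <= 0:
            raise ValueError("objection amount must be positive")
        self.objecting_steth = min(self.total_steth, self.objecting_steth + amount)
        share_bps = self.objecting_steth * 10_000 // self.total_steth
        if share_bps >= VETO_BPS:
            self.state = State.VETOED
        elif share_bps >= EXTEND_BPS and self.state is State.NORMAL:
            self.state = State.EXTENDED
        return self.state

    def can_execute(self, ldo_vote_passed: bool, days_since_vote: int) -> bool:
        """LDO approval alone is not enough: the state gates execution."""
        if not ldo_vote_passed or self.state is State.VETOED:
            return False
        required = BASE_DELAY_DAYS if self.state is State.NORMAL else EXTENDED_DELAY_DAYS
        return days_since_vote >= required

    def resolve(self, ldo_agrees: bool, objectors_agree: bool) -> State:
        """Leaving the vetoed state needs consent from BOTH sides."""
        if self.state is State.VETOED and ldo_agrees and objectors_agree:
            self.state, self.objecting_steth = State.NORMAL, 0
        return self.state
```

The property to check in any real design is the one `can_execute` and `resolve` encode: no path lets LDO holders alone move the system out of the vetoed state or shorten an extended delay.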
Regarding Danny’s second concern (regulatory scrutiny and control), the token distribution of stETH is very different from that of LDO and is more diverse. Therefore, the combination of LDO and stETH is more resistant to such scrutiny. It is still not as diverse as the distribution of ETH or Ethereum users, but this will only improve over time.
Economic choices for node operators
In alternative designs (based on economic and reputation-based NO), we actually end up in a similar, albeit automated, cartelization.
……
Excluding NOs from the set based on profitability may be the only non-governance method to ensure that NOs are beneficial to the pool.
Defining profitability is problematic… the system cannot be designed with only some absolute indicators; it must allow for significant variations in economic activity over time.
When all operators use “honest” technology, this profitability metric works well. However, if any number of NOs betray and use disruptive technology, such as multi-block MEV or adjusting block release time to capture more MEV, they will distort the profitability goal. In this way, if honest NOs do not join the disruptive technology, they will eventually be automatically expelled.
This means that no matter which method is adopted (NO governance or economic choice/expulsion), such a pool that exceeds the consensus threshold will become a cartelized class. It is either a direct cartel in governance or a disruptive and profitable cartel designed through smart contract design.
This analysis feels too binary. For Lido (or Ethereum), neither extreme (LDO governance over NOs, or purely algorithmic/economic choice/exclusion) is possible or desirable.
Dual governance is crucial to minimize the risk of cartel abuse. And, as Danny correctly pointed out, profitability is too simplistic a metric to rely on alone.
There are many important factors that are difficult to verify on-chain—think geographic distribution or jurisdictional diversity—meaning that humans may always need to be involved somewhere in the loop—although this may eventually be reduced to once a year voting to rebalance the equity between node operators (new and old).
ETH staking governance backup plan
Some people believe that LSD ETH holders can have a voice in the governance of the underlying LSD protocol, thus becoming a secure backstop for potentially poorly distributed rich token holders.
It is important to note here that, by definition, ETH holders are not Ethereum users, and in the long run, we expect Ethereum users to be far more numerous than ETH holders (those who hold more ETH than the amount required for transactions). This is a critical and important fact about Ethereum governance—on-chain governance is not granted to ETH holders or stakeholders. Ethereum is a protocol that is run by user choice.
In the long run, ETH holders are just a subset of users, and therefore, staking ETH holders are even a subset of users. In the extreme case where all ETH becomes staked ETH under LSD, governance voting weight or staking ETH suspension does not protect the Ethereum platform for users.
Therefore, even if the LSD protocol and LSD holders remain consistent in subtle attacks and capture, users will not, and they will be able to react.
Hasu’s response largely addresses these concerns.
The insidious nature of governance
Even with a time delay in LSD governance that allows pooled capital to exit the system before changes occur, the LSD protocol is still vulnerable to “boiling frog” governance attacks. Small and slow changes are unlikely to cause staked capital to exit the system, but over time, significant changes can still occur.
While this is true, it is the case with any governance mechanism, whether it is primarily informal (soft) or formal (hard).
To counter Danny’s view: small and slow protocol changes driven by the EF are unlikely to cause DAOs/users to exit Ethereum, but the Ethereum protocol (and spirit) can still undergo significant changes over time.
In particular, it can change the protocol and break the social contract perceived by early contributors/OGs.
In Erik’s words:
In Micah’s words:
While I am far from a maximalist of immutability, I do believe that governance minimalism exists as a philosophy upstream of both soft and hard governance.
While there have been many articles about the shortcomings of hard governance, soft governance also has its own – subtler and often obscured – issues involving unrecognized/unaccountable power, how to exercise power without sacrificing trust neutrality, and how to handle power vacuum (in the event of death or tragic accidents). This is certainly not a panacea for eliminating all tail risks.
In other words, there is often a significant amount of unrecognized power in soft governance.
Unrecognized power is irresponsible power. Irresponsible power inevitably leads to situations far from ideal over a long enough time period.
While Gwern’s view here is humorous :), it does reveal a deeper potential tension between the need to protect the protocol and the concentration of soft power among key participants.
In Dankrad’s slightly more serious words:
Yes, we may have objections to what you are doing at the staking layer, which may include disrupting your protocol and breaking it.
User Representatives
Furthermore, as mentioned above, LSD holders are different from Ethereum users. LSD holders may accept governance votes required for certain scrutiny, but this is still an attack on the Ethereum protocol, and users and developers will mitigate this attack through the means they have at their disposal (social intervention).
This can also be seen from the opposite perspective.
Almost anywhere we look, user-led decision-making tends to encourage market centralization across important dimensions.
99.9% of users may not care much about time-sensitive forms of scrutiny that they have no direct relationship with, while most contributors to Ethereum’s consensus-based staking protocol might.
For example, most users should not be concerned about the geographical distribution or jurisdictional diversity of Ethereum nodes, but contributors to Ethereum-consistent liquid staking protocols will certainly care and can take concrete measures to maintain Ethereum’s resilience across such dimensions.
Capital Risk and Protocol Risk
Most of the above discussion focuses on the risks that LSD pools (such as Lido) pose to the Ethereum protocol, rather than the risks posed to those holding capital in the pool system. Therefore, this seems to suffer from the tragedy of the commons – everyone makes rational decisions to stake on the LSD protocol, which is a good decision for users, but an increasingly bad decision for the protocol. However, in fact, when the consensus threshold is exceeded, the risks of the Ethereum protocol and the risks of the capital allocated to the LSD protocol are linked.
Cartelization, abuse of MEV extraction, censorship systems, etc. are all threats to the Ethereum protocol, and users and developers will respond in the same way as traditional centralized attacks – by leaking or burning through social intervention. Therefore, concentrating capital into this cartel layer not only exposes the Ethereum protocol to risks, but also exposes the aggregated capital to risks.
These may seem like tail risks that are difficult to take seriously or may never happen, but if we have learned anything in cryptocurrency, it is that if it can be exploited or there are some unlikely “critical edge cases”, it will be exploited or collapse much earlier than you think. In this open and dynamic environment, fragile systems break down time and time again, and fragile systems are exploited time and time again for fun and profit.
In the words of Nikolai Mushegian, in a system that is open and interactive with the world, incentives are not just suggestions. They are more like physical laws, such as gravity or entropy. If a part of the system is incompatible with the incentives, it is only a matter of time before it is exploited. No amount of wishful thinking can reduce this risk.
Relying on commitments to prevent bad actors opens the door to tail risks, which can be said to be as serious as the risks emphasized by Danny, if not more so.
Self-limitation
The Ethereum protocol and users can recover from LSD centralization and governance attacks, but it is not ideal. I suggest that Lido and similar LSD products engage in self-restraint for their own benefit, and I suggest that capital allocators recognize the inherent pooling risks in the design of LSD protocols. Due to the associated inherent risks and extreme risks, the funds allocated to the LSD protocol by capital allocators should not exceed 25% of the total ETH staked.
It is indeed not guaranteed that imposing artificial restrictions will yield good results.
In fact, imposing artificial restrictions on liquid staking products is likely to not produce good results.
Commitments can only last for so long.
The ultimate game here may be a victory for parties that the community cannot influence: liquid staking on exchanges, institutional (and licensed) staking products, or more immutable (and less flexible) protocols.
While these idealistic ideas may have good intentions, they are detached from pragmatic reality and feel like recurring blind spots for the EF. It was this mistake that led to exchanges dominating before Lido was launched.
Appendix: Public Goods Are Good
So, what does a world where Lido wins mean for the future of public goods on Ethereum (especially the role Lido DAO plays in contributing to the future)?
In the words of Kelvin Fichter:
Following these thoughts, I believe a good set of validators is a public good that requires funding and should not rely on the EF to provide funding (partly due to its closed governance structure and excessive soft power not being suitable for its own trusted neutrality rules), and only a winning liquid staking protocol (>50% market share) can afford the financial inefficiency required to maintain a healthy validator market: sponsoring expensive sets of validators and providing ecosystem support while still being profitable in the long term (next 100 years).