In-depth analysis of LSD's governance risk, capital risk and protocol risk

Author: sacha, hackdm.io; Compiler: Lynn

A section-by-section response to an article written by Danny Ryan. Originally posted on notes.ethereum.org on May 30, 2022 and later copied to github.

Thanks to Hasu, Jon, Barnabé, Sam, Victor, Vasiliy, and Izzy for reading drafts of this article.

Preface

The opposite of a fact is a lie, but the opposite of one profound truth may very well be another profound truth.

— Niels Bohr

Overall, I think the position Danny is taking is great. But I also think his approach has equally important risks that have not been properly discussed in public.

I don’t think Danny is wrong per se, but I do think there’s another side that hasn’t been communicated clearly enough. Doing so is the goal of this document.

Introduction to Dual Governance

Dual governance is an important step in reducing the governance risk of the Lido Protocol. It represents a shift from shareholder capitalism to stakeholder capitalism. And provide a practical way for Ethereum stakers to have a say in changes to the Lido protocol.

The main goal is to prevent LDO holders from changing the protocol and the social contract between stETH holders without consent. Today, LDO holders wield significant power over the protocol, potentially causing major changes to that social contract. These include:

• Upgrade the Ethereum Liquidity Staking Protocol code.
• Manage the list of members of the Ethereum consensus layer oracle committee.
• Changing the distribution of stake among node operators in a potentially harmful or unexpected way (e.g. adding or removing whitelisted Ethereum node operators).
• Changing the governance structure in unexpected or potentially harmful ways (e.g. minting or burning LDOs, changing the parameters of the voting system).
• Changing the total fee percentage for the Ethereum Liquidity Staking Protocol goes beyond agreed boundaries (and defines those boundaries).
• Decide how to use the treasury

All of these powers directly affect stakeholders, in addition to fiscal spending. Dual governance essentially allows stETH holders to veto any of the aforementioned changes to the Lido protocol without introducing new attack vectors or placing excessive political burden on stETH holders.

GOVERNANCE OF NODE OPERATORS

Danny wrote:

Deciding “who” becomes “no” depends on two questions - who is added to the set and who is removed from the set. In the long run, this can be designed in one of two ways - either through governance (coin voting or other similar mechanisms), or through automated mechanisms around reputation and profitability.

In the former—governance decides or not—governance tokens such as LDOs become the main risk for Ethereum. If the token can decide who can be a node operator in this theoretical majority LSD, then token holders can enforce censorship, multi-block MEV, etc. Cartel activities, otherwise NO will be removed from the set.

……

There is another obvious risk of governance decisions NO, namely regulatory scrutiny and control. If the collective stake under an LSD protocol exceeds 50%, that collective stake gains the ability to censor blocks (worse, 2/3 due to being able to finalize such blocks). In a regulatory censorship attack, we now have a unique entity — governance token holders — that regulators can make censorship requests. Depending on the distribution of tokens, this may be a much simpler regulatory goal than the entire Ethereum network. In fact, the distribution of DAO tokens is often so poor that only a few entities determine the majority of votes.

Dual governance can go a long way in addressing the above issues. Specifically, if an LDO holder tries to unfairly remove a node operator from the set, it works as follows:

• A small quorum of stETH holders (say 5% of the total) can extend the governance vote long enough for a larger quorum (say 15%) to overrule the poor decision.
• If the veto passes, all subsequent Lido DAO proposals will be vetoed by default (vetoed status) - to avoid burdening stETH holders with further voting.
• Importantly, governance will return to normal only if both LDO governance and participating stETH holders agree to resolve the conflict.

In summary, by giving stETH holders the power to veto node operator set changes, it is impossible for LDO holders to unilaterally force cartel activities such as censorship, multi-block MEV, etc., because LDO holders cannot remove dissenting node operators themselves.

Regarding Danny’s second concern (regulatory scrutiny and control), stETH’s token distribution is very different from LDO’s and more diverse. Therefore, the combination of LDO and stETH is more resistant to such censorship. It’s still not as diverse as the distribution of ETH or the distribution of Ethereum users, but this will only improve over time.

ECONOMICAL OPTION FOR NODE OPERATORS

In an alternative design - a NO based on economics and reputation - we actually end up in a similar, albeit automated, cartelization.

……

Cutting out NO from profitability setting is probably the only trustless (non-governance) way to ensure NO is good for the pool.

Defining profitability is problematic…the system cannot be designed to have only some absolute metric - must make the transaction fee X - because the economic activity of the system varies greatly over time.

This profitability comparison metric works well when all operators are using “honest” techniques, but if any number of NO betrayals use disruptive techniques such as multi-block MEV or adjusting block release times to capture more MEV , then they will distort profit targets such that if honest NOs don’t join disruptive technologies, they will eventually be automatically expelled.

This means that no matter which method is used (NO governance or economic selection/eviction), such a pool that exceeds the consensus threshold will become a class of cartelization. It is either a direct cartel in governance, or a destructive, profitable cartel designed through smart contracts.

This analysis feels too binary. Both extremes (LDO governance of NO or purely algorithmic/economic selection/culling) are neither possible nor desirable for Lido (or Ethereum).

Dual governance is essential to minimize the risk of cartel abuse. And, as Danny rightly points out, profitability is too simplistic a metric to rely on alone.

There are a number of important factors that are difficult to verify on-chain - think geographical distribution or jurisdictional diversity - which means that humans will likely always need to participate in the cycle somewhere - though this may ultimately be reduced to an annual vote re Balance stake between node operators (old and new).

Pledge ETH governance backup plan

Some argue that LSD ETH holders could have a say in the governance of its underlying LSD protocol, acting as a safety net for potentially poorly distributed rich tokens.

The caveat here is that by definition, ETH holders are not Ethereum users, and in the long run we expect to have far more Ethereum users than ETH holders (more people holding ETH than needed for a transaction) quantity). This is a key and important fact of Ethereum governance - there is no on-chain governance granted to ETH holders or stakeholders. Ethereum is the protocol that users choose to run.

In the long run, ETH holders are only a subset of users, so staked ETH holders are even a subset of users. Governance vote weight or staked ETH suspension does not protect the Ethereum platform for users in the extreme case where all ETH becomes staked ETH under one LSD.

So even if the LSD protocol and LSD holders are aligned on subtle attacks and captures, users will not and can/will react.

Hasselblad’s response largely addressed those concerns.

The Insidious Nature of Governance

Even if there is a time delay in LSD governance, allowing pooled capital to exit the system before changes can occur, the LSD protocol is subject to a “frog boil” governance attack. Small, slow changes are unlikely to take staked capital out of the system, but the system can still change dramatically over time.

While true, this is true of any governance mechanism, whether primarily informal (soft) or formal (hard).

To reverse Danny’s point, small, slow protocol changes driven by EF are unlikely to take DAOs/users out of Ethereum, but the Ethereum protocol (and ethos) can still change dramatically over time.

In particular, it can change the protocol, thereby breaking the social contract perceived by early contributors/OGs.

In Eric’s words:

In Micah’s words:

While I’m far from being an immutability maximalist, I do believe that governance minimization as a philosophy exists upstream of soft versus hard governance.

While much has been written about the downsides of hard governance, soft governance also has its own — more subtle and often glossed over — issues involving unacknowledged/irresponsible power, how to The question of exercising power and how to deal with it sucks (in the event of a death or tragic accident). This is certainly not a panacea for eliminating all tail risks.

In other words, there is usually a lot of unrecognized power under soft governance.

Unrecognized power is irresponsible power. Irresponsible power almost inevitably results in far-flung ideal situations over sufficiently long timescales.

While Gewart’s take here is humorous :), it does reveal a deeper underlying tension between the need to protect agreements and the concentration of soft power among key players.

In Dankrad’s slightly more serious words:

Yes, we may have a problem with what you are doing on the pledge layer, which may include messing with your protocol and breaking it.

User Representative

Also, as mentioned above, LSD holders are not the same as Ethereum users. LSD holders may accept governance votes required for some kind of censorship, but this is still an attack on the Ethereum protocol that users and developers will mitigate through means at their disposal (social intervention).

This can also be viewed from the opposite perspective.

Almost everywhere we look, we see that user-led decisions tend to encourage market concentration across important dimensions.

The 99.9% of users probably don’t care much about forms of time-sensitive censorship that aren’t directly relevant to them, whereas most contributors to Ethereum’s consistent liquid staking protocol probably do.

For example, most users don’t and shouldn’t care about things like the geographic distribution of Ethereum nodes or jurisdictional diversity, but contributors to an Ethereum-consistent liquid staking protocol certainly do, and can take tangible steps to maintain Ethereum’s Resilience spans such dimensions.

Capital risk and agreement risk

Much of the discussion above has focused on the risks that LSD pools (such as Lido) pose to the Ethereum protocol, not actually the risks to those holding capital in the pool system. So this seems to suffer from the tragedy of the commons - everyone makes a rational decision to stake on the LSD protocol, which is a good decision for the users but an increasingly bad decision for the protocol . But in fact, when the consensus threshold is exceeded, the risk of the Ethereum protocol and the risk of the capital allocated to the LSD protocol are linked.

Cartelization, misuse of MEV extraction, censorship, etc. are all threats to the Ethereum protocol, and users and developers will respond in the same way as traditional centralized attacks - leak or burn through social intervention. Therefore, pooling capital into this cartel layer not only puts the Ethereum protocol at risk, but also pools capital in turn.

These may seem like “tail risks” that are hard to take seriously or that may never happen, but if we’ve learned anything in cryptocurrency it’s that - if it can be exploited or has some unlikely “key” edge cases", then it will be exploited or broken much sooner than you think. In this open and dynamic environment, fragile systems break down again and again, and fragile systems are exploited again and again for fun and profit.

In the words of Nikolai Mushegian, in a system that is open to the world to interact with, an incentive is more than just a suggestion. They are more similar to the laws of physics, such as gravity or entropy. If a part of the system is incompatible with incentives, it is only a matter of time before it is exploited. No amount of wishful thinking will reduce that risk.

Relying on the promise of deterring bad actors opens the door to tail risks that are arguably as serious, if not more serious, than those highlighted by Denny.

Self-limiting

The Ethereum protocol and users can recover from LSD centralization and governance attacks, but it won’t be pretty. I recommend that Lido and similar LSD offerings self-limit for their own benefit, and I recommend that capital allocators acknowledge the pooling risks inherent in the LSD protocol design. Due to the inherent and extreme risks associated, capital allocators should allocate no more than 25% of the total amount of ETH pledged to the LSD protocol.

There is really no guarantee that imposing artificial limits will have good results.

In fact, imposing artificial restrictions on liquid collateral products is likely to lead to poor results.

Promises can only last so long.

The end game here is likely to be a victory for parties that the community cannot exert influence on: liquidity staking on exchanges, institutional (and permissioned) staking products, or more immutable (and less resilient) protocols.

These idealistic ideas, while well-meaning, are divorced from pragmatic reality and feel like a recurring EF blind spot. It was this mistake that led to the dominance of the exchange before Lido was launched.

Addendum: Public goods are good

So what does a world where Lido wins mean for the future of public goods on Ethereum (specifically the role of Lido DAO in contributing to that future)?

In the words of Kelvin Fichte:

Along these lines, I believe that a good validator set is a public good that requires funding and should not be relied upon for funding from EF (in part because its closed governance structure and excessive soft power don’t lend itself well). trusted neutrality rules at ), and only winning liquid staking protocols (>50% market share) have enough leeway in fees to absorb the financial inefficiencies required to do so: in order to maintain a healthy validator market form, sponsor expensive validator sets, and provide ecosystem support while still being profitable in the long-term (next 100 years).