Taking Lido as an example, an in-depth discussion on the potential risks of the LSD protocol

Original title: On the risks of LSD

Original Author: sacha

Compilation of the original text: Qianwen, ChainCatcher

Prologue

This article is a response to some of Danny Ryan's views (which will be presented in detail later).

The opposite of a fact is a fallacy, but the opposite of one profound truth may very well be another profound truth. — Niels Bohr

Overall, I think Danny's position is great. But I also think there are equally significant risks to his approach that have not been properly discussed in public.

I don't think Danny's point is wrong per se, but I do think there's another side to his point that isn't communicated clearly enough. That's exactly what this article is about.

Introduction to Dual Governance

Dual governance is an important step in reducing the governance risk of the Lido protocol. It represents a shift from shareholder capitalism to stakeholder capitalism. It also provides a practical way for Ethereum holders to have a say in Lido protocol changes.

Its main purpose is to prevent LDO holders from changing the social contract between the protocol and stETH holders without the consent of the protocol and stETH holders. Currently, LDO holders hold significant power over the protocol and can cause significant changes to this social contract. These powers include:

• Upgrade the Ethereum liquidity calibration protocol code
• Manage the list of members of the Ethereum consensus layer oracle committee
• Changing the way stake is distributed between node operators in potentially harmful or unexpected ways (e.g. adding or removing whitelisted Ethereum node operators)
• Changing the governance structure in unexpected or potentially harmful ways (e.g. minting or burning LDOs, changing voting system parameters)
• Changed the total fee ratio of the Ethereum Liquidity Investment Agreement outside the agreed ranges (as well as defining those ranges).
• Decide how to use the treasury

With the exception of treasury spending, all of these powers directly affect stETH holders. Dual governance fundamentally allows STETH holders to veto any of the aforementioned modifications to the Lido protocol without introducing new attack vectors or placing undue political burden on STETH holders.

Node Operator Governance

Danny believes:

"Determining who is the node operator (node operator, hereinafter referred to as NO) is behind two problems - who is added to the set and who is removed from the set. In the long run, this can be designed in one of two ways , one through governance (token voting or other similar mechanisms), and the other through automated mechanisms around reputation and profitability.

In the former model, which relies on governance to determine NO, governance tokens (such as LDO) become the main risk of Ethereum. If the token can decide who can become this theoretical majority - NO in LSD, then token holders can enforce censorship, multi-block MEV, etc. Cartel activities, otherwise NO will be removed from the set .

There is also an obvious risk in determining the governance of NO, and that is regulatory scrutiny and control. If a collective stake under the LSD protocol exceeds 50%, this collective stake gains the ability to censor blocks (worse, this number goes up to 2/3 due to being able to finalize these blocks). In a regulatory censorship attack, we now have a unique entity — the governance token holder — against whom regulators can place censorship demands. Depending on how tokens are distributed, this could be a much simpler regulatory goal than the entire Ethereum network. In fact, DAO token distribution is generally poor, with only a few entities determining the majority of votes. "

Dual governance largely solves the above problems. Specifically, if an LDO holder attempts to delist NO from the set in an unfair manner, the following will occur:

• A small quorum of stETH holders (say 5% of the total) can extend the governance vote so that a larger quorum (say 15%) can veto the wrong decision.
• If the veto passes, all subsequent LidoDAO proposals will be vetoed by default (vetoed status) - to avoid placing more voting burden on stETH holders. *Importantly, governance can only return to normal if both the LDO governance body and the participating stETH holders agree to resolve the conflict.

In summary, by giving stETH holders the power to veto changes to NO settings, it is impossible for LDO holders to unilaterally enforce cartel activities such as censorship, multi-block MEV, etc., since LDO holders themselves cannot clear dissenting NOs.

Regarding Danny's second concern (regulatory scrutiny and control), st ETH's token distribution is very different and more diverse than that of LDOs. Therefore, the combination of LDO and st ETH is more resistant to such censorship. It is true that the distribution of ETH is not as broad, nor is the distribution of users as diverse as Ethereum, but this will only improve over time.

Select NO based on economic factors

Danny believes:

“In choosing NO based on economics and reputation, we still end up with a similar cartelization, albeit an automated one.

Determining the NO list based on profitability may be the only trustless (non-governance) way to ensure NO is beneficial to the pool.

Defining profitability is problematic...Since the economic activity of the system varies greatly over time, the system cannot be designed with some absolute metric that must earn X transaction fees.

This profitability comparison metric works well when all operators are using "honest" technology, but if a certain number of bad operators switch to disruptive technologies like multi-block MEV or adjustment zones block release time to get more MEV, then they skew the profitability target so that honest NO's will eventually be automatically phased out if they don't also use disruptive technology.

This means that no matter which method is used - NO governance or economic selection/culling - such pools above the consensus threshold will become the cartel layer. Either a cartel is formed directly through governance, or a destructive profitable cartel is formed through smart contract design. "

This analysis feels too binary. Neither extreme (LDO governance NO or purely algorithmic/economic selection/culling) is possible or desirable for Lido (or Ethereum).

Dual governance is essential to minimize the risk of cartel abuse. And, as Danny rightly points out, profitability is too simplistic a metric to rely on entirely.

There are a number of important factors that are difficult to verify on-chain, such as geographic distribution or diversity of jurisdictions, which means that one may always need to function in a certain loop - though, perhaps this could eventually be reduced to annual (old and new) to vote on rebalancing stakes.

Pledge ETH Governance Scheme

Danny believes:

“Some believe that LSD ETH holders can have a say in the management of its underlying LSD protocol, making it possible to support the unfair distribution and plutocratization of tokens.

The caveat here is that ETH holders are by definition not Ethereum users, and in the long run we expect Ethereum users to far outnumber ETH holders (holding more ETH than is needed to facilitate transactions) quantity). This is a key and important fact affecting Ethereum governance - ETH holders or depositors have no on-chain governance rights. Ethereum is the protocol that users choose to run.

In the long run, ETH holders are only a subset of users, therefore, ETH holders are even a subset of them. In the extreme case where all ETH becomes staked ETH under one LSD, voting weight or suspension of staked ETH governance does not protect users of the Ethereum platform.

Therefore, even if the LSD protocol and LSD holders are aligned on micro-attacks and captures, users will not and cannot/will react. "

Hasu's response largely addresses these concerns.

The Evil Nature of Governance

Danny believes:

“Even if there is a time delay in LSD governance such that pooled capital can exit the system before the change occurs, the LSD protocol is still vulnerable to boil-and-frog governance attacks. Small, slow changes are unlikely to cause invested capital to exit the system, but the system will still change drastically over time. That said, this is true of any governance mechanism, whether predominantly informal (soft) or formal (hard).”

Looking at Danny's argument in reverse, small, slow protocol changes driven by EF are unlikely to take DAOs/users out of Ethereum, but the Ethereum protocol (and spirit) could still change dramatically over time.

In particular, it can change the way the protocol works, thereby breaking the social contract of early contributors.

While I'm far from an immutability maximalist, I do believe that governance minimization as a philosophy exists upstream of soft versus hard governance.

The downsides of hard governance have been written a lot, while soft governance has its own (more subtle and often glossed over) problems with unacknowledged/irresponsible power, how it can be exercised without sacrificing credible neutrality Power, and how to deal with a power vacuum (in the event of a death or tragic accident). This is certainly not a panacea for eliminating all tail risks.

In other words, under soft governance, there is usually a lot of power that is not known. Unrecognized power is irresponsible power. Irresponsible power almost inevitably leads to undesirable situations over a long enough time horizon.

Gwart once tweeted that “Social punishment is Justin Drake driving up to your door with a machete, cutting your computer network cable, pointing at you and saying ‘You are a badass. '"

While this is a humorous expression, it does reveal a deeper underlying tension between the need to preserve agreements and the centralization of soft power among key actors.

In Dankrad's slightly more serious words: "Yes, we may have an issue with what you're doing at the pledge layer, which may include messing with your protocol and breaking it."

User Representative

Danny believes:

“As mentioned above, LSD holders are not equivalent to Ethereum users. LSD holders may accept some kind of governance vote premised on censorship, but this is still an attack on the Ethereum protocol, users and developers will Mitigate this attack with the means at their disposal - social intervention."

We can also look at this problem from the opposite angle.

Almost everywhere, we see that user-led decisions tend to encourage market concentration in all important respects.

99.9% of users probably care less about forms of timeliness review not directly relevant to them, whereas most contributors to a liquidity protocol tied to Ethereum probably care about that.

For example, most users don't and shouldn't care about issues such as the geographic distribution of Ethereum nodes or judicial diversity, but contributors to the Ethereum-bound liquidity protocol certainly do, and can take practical steps to address these issues. Keep Ethereum resilient.

Capital risk and agreement risk

Danny believes:

“Most of the above discussion has focused on the risks that LSD pools (like Lido) pose to the Ethereum protocol, rather than the risks faced by those who hold capital in the pools. So, this may be a tragedy of the commons - everyone rational It is a good decision for users, but it is an increasingly bad decision for the protocol. But in fact, when the consensus threshold is exceeded, the risks faced by the Ethereum protocol and the allocation of The risks faced by the capital of the LSD protocol are linked.

Cartelization, abusive MEV extraction, censorship, etc. are all threats to the Ethereum protocol that users and developers will respond to in the same way as traditional centralized attacks — leaks or burns through social intervention. Therefore, funneling capital into this class to cartelize would not only jeopardize the Ethereum protocol, but would in turn jeopardize the pooled capital.

This may seem like a "tail risk" that is difficult to take seriously or may never happen, but if we have learned anything in the field of cryptocurrency, it is that if this risk will be exploited or has some unlikely " critical edge case", then it can be exploited or broken sooner than you think. In this open and dynamic environment, brittle systems break down again and again, and fragile systems are exploited again and again. "

In the words of Nikolai Mushegian, in an open system with which the whole world can interact, incentives are more than a suggestion. They are more similar to the laws of physics, such as the laws of gravity or entropy. As long as there is even one part of the system that is incompatible with incentives, it is only a matter of time before it is exploited. No amount of naive thinking can reduce this risk.

Relying on promises to deter bad actors opens the door to tail risks that are arguably as serious, if not more serious, than those highlighted by Danny.

Self Limitation

Danny believes:

“The Ethereum protocol and users can recover from LSD’s centralization and governance attacks, but it’s not rosy. I recommend that Lido and similar LSD products self-limit for their own benefit, and that allocators of capital acknowledge the inherent Due to the inherent extreme risk, capital allocators should not allocate more than 25% of the total Ether staked to the LSD protocol. Artificially imposing limits does not guarantee good outcomes.”

In fact, artificially restricting the liquidity of staking products will probably not lead to good results.

Because the commitment can be maintained for a limited period of time.

The end result is likely to be one that the community can't influence wins: liquid staking on exchanges, institutional (and permissioned) staking products, or more immutable (and less resilient) protocols.

These idealistic ideas have a good starting point, but they are divorced from the actual situation, which is like the blind spot that EF often appears. It was this type of mistake that led to the exchange's dominance long before Lido's planned launch.

Supplement: Public goods are very beneficial

So what does a world where Lido wins mean for the future of public goods on Ethereum (especially the role of the Lido DAO in facilitating that future)?

In the words of Kelvin Fichter, EF is an independent non-profit organization with a closed governance structure and cannot (and should not) be the main coordinator of public goods in the Ethereum community.

Therefore, I think good validators are a public good that needs to be funded, and EF should not rely on them to provide funding (partly because its closed governance structure and super soft power are not very good at enacting credible neutrality. rules), only a successful liquid staking protocol (>50% market share) will have enough leeway in fees to afford the financial inefficiencies required to do so: maintaining a good validation market, expensive sponsorship validators, providing ecosystem support, while still being profitable in the long run (next 100 years).