Gm, community stakers!
CSM is getting closer to the mainnet release and it is time to propose the values for the CSM Mainnet Deploy Parameters.
Your comments and feedback are welcome!
The same content is also published on IPFS - https://ipfs.io/ipfs/QmcNrpzS6oeeMK9SNABrWS4qWtEfUcSiYJqkRD43WuMo2f
https://gw3.io/ipfs/QmcNrpzS6oeeMK9SNABrWS4qWtEfUcSiYJqkRD43WuMo2f
CSM parameters
The doc aims to provide values for all configurable and constant CSM parameters and motivations for why they are proposed to be so.
Constants
DEPOSIT_SIZE
uint256 private constant DEPOSIT_SIZE = 32 ether;
Proposed value = 32 ETH
This constant represents the deposit size to activate a validator on the Beacon chain. Until EIP-7251 is implemented, 32 ETH will be the only possible value. Given that CSM would require an upgrade to smart contracts after EIP-7251 i, it is proposed to have a constant value of 32 ETH for the first version of CSM.
BEACON_ROOTS
address public constant BEACON_ROOTS = 0x000F3df6D732807Ef1319fB7B8bB8522d0Beac02;
Proposed value = 0x000F3df6D732807Ef1319fB7B8bB8522d0Beac02
This constant represents the address of the EIP-4788 contract. The address is taken from the official EIP docs.
Immutable variables
INITIAL_SLASHING_PENALTY
uint256 public immutable INITIAL_SLASHING_PENALTY;
Proposed value = 1 ETH
This immutable variable is used by CSM to penalize the Node Operator’s bond in case of validator slashing. Until EIP-7251 is implemented, 1 ETH will be the maximal possible value (given the effective balance is 32 ETH). Given that CSM would require an upgrade to smart contracts after EIP-7251, it is proposed to have an immutable value of 1 ETH for the first version of CSM.
Note: This immutable variable is set indirectly by setting minSlashingPenaltyQuotient = 32.
elRewardsStealingFine
uint256 public immutable EL_REWARDS_STEALING_FINE;
Proposed value = 0.1 ETH
This immutable variable is used by CSM to add an additional fine to the MEV stealing penalty in case the Node Operator has committed EL rewards (MEV) stealing.
It is proposed to set a 0.1 ETH value for this immutable variable since this creates a disincentivisation to commit MEV stealing and compensate it “free of charge”. Several actions are required from the DAO side in case of MEV stealing:
- Detect the fact of stealing;
- Report the fact of stealing to lock bond funds;
- Confirm the fact of stealing using Easy Track motion.
All these actions require effort and gas to perform; hence, the additional fine of0.1 ETHseems reasonable.
maxKeysPerOperatorEA
uint256 public immutable MAX_SIGNING_KEYS_PER_OPERATOR_BEFORE_PUBLIC_RELEASE;
Proposed value = 12
This immutable variable is used by CSM to determine a maximal number of the validators operated by a single Node Operator in CSM during the Early Adoption period.
It is proposed to set a value of 12 for this immutable variable due to the following reasons:
- The Early Adoption period is aimed at attracting solo-stakers who typically operate a few validators due to hardware and financial limitations;
- Running
12validators with CSM will be sufficient to cover operational costs with excess; - Limit of
12validators ensures that professional Node Operators will not be able to flood the module; - Given the fact that bond requirements for the mainnet were reduced compared to the testnet, it is proposed to have the same
~16 ETHworth of bond to correspond to keys limit; - Once the Early Adoption period ends, this limit will be removed.
maxKeyRemovalCharge
uint256 public immutable MAX_KEY_REMOVAL_CHARGE;
Proposed value = 0.1 ETH
This immutable variable is used by CSM to determine a maximal value to be set as keyRemovalCharge.
It is resonable to limit the maximal value of keyRemovalCharge with 0.1 ETH given the maximal operational costs for the protocol assosiated with key removal.
maxCurveLength
uint256 internal immutable MAX_CURVE_LENGTH;
Proposed value = 10
This immutable variable is used by the CSM Accounting contract to determine a maximal number of validators starting from the very first one to have a custom bond requirements.
Given the focus of CSM on the Community Stakers and security considerations regarding MEV stealing protection, it is assumed that having a differing value for the bond of the 10th and further validators for CSM Node Operators makes no meaningful sense. Hence, it is proposed to allow custom bond values for the first 10 validators controlled by the CSM Node Operators while keeping the bond requirement constant for the rest of the validators.
minBondLockRetentionPeriod
uint256 public immutable MIN_BOND_LOCK_RETENTION_PERIOD;
Proposed value = 4 weeks
This immutable variable is used by the CSM Accounting contract to determine a minimal value for the configurable bondLockRetentionPeriod parameter, which determines the time for which bond funds will be locked, given no further actions.
bondLockRetentionPeriod is introduced to ensure that locked bond funds will be unlocked automatically once the bondLockRetentionPeriod ends. Since MEV stealing confirmation requires some time from the Lido DAO side (verification of the MEV stealing fact + actual confirmation by EasyTrack that takes 72 hours), setting the lower boundary for the bondLockRetentionPeriod value to 4 weeks is considered safe.
maxBondLockRetentionPeriod
uint256 public immutable MAX_BOND_LOCK_RETENTION_PERIOD;
Proposed value = 365 days
This immutable variable is used by the CSM Accounting contract to determine a maximal value for the configurable bondLockRetentionPeriod parameter, which determines the time for which bond funds will be locked, given no further actions.
bondLockRetentionPeriod is introduced to ensure that locked bond funds will be unlocked automatically once the period ends. To provide a feasible unlock time without actions from the Lido DAO side, it is proposed to set the upper boundary for the period to 1 year (or 365 days).
earlyAdoptionTreeRoot
bytes32 public immutable TREE_ROOT;
Proposed value = 0x359e02c5c065c682839661c9bdfaf38db472629bf5f7a7e8f0261b31dc9332c2
This variable is used by the CSM Early Adoption contract to determine the root of the Early Adoption eligible participants.
See Community Staking Module - #62 by dgusakov for details
Storage variables
keyRemovalCharge
uint256 public keyRemovalCharge;
Proposed value = 0.05 ETH
This variable is used by CSM to determine the amount of ETH to be confiscated from the Node Operator’s bond in case deposit data is deleted. Due to CSM’s optimistic FIFO stake allocation queue, deletion of deposit data might require a call to the cleanDepositQueue method to ensure proper queue operation.
According to the approximate gas estimations, a call of the csm.cleanDepositQueue(150) (clean the next 150 queue items) with 1 invalid batch in the queue costs around 1,000,000 gas. With a gas cost of 50 gwei (extreme value), the call will cost ~ 0.05 ETH.
Note:
keyRemovalChargevalue is configurable after deployment, hence, it can be set to a different value later (can even be0)
chargePenaltyRecipient
address public chargePenaltyRecipient;
Proposed value = 0x3e40D73EB977Dc6a537aF587D48316feE66E9C8c (Lido Treasury)
This variable is used by the CSM Accounting contract to determine the recipient of the charge type penalty. A penalty that is not burned but confiscated with the following transfer.
Given that all operational costs for the Lido On Ethereum protocol are covered by the Lido DAO Treasury, it is proposed to transfer funds confiscated from the Node Operator’s bond to the Lido DAO Treasury.
bondLockRetentionPeriod
uint256 bondLockRetentionPeriod;
Proposed value = 8 weeks
This variable is used by the CSM Accounting contract to determine the time for which bond funds will be locked, given no further actions.
Given the limitations above, it is proposed to set the actual value for the bondLockRetentionPeriod to 8 weeks. This will give enough time for the Lido DAO to act in case of MEV stealing detection and ensure no excessive lock time in case no actions are taken by the Lido DAO.
setResetBondCurveAddress
Proposed value = 0xC52fC3081123073078698F1EAc2f1Dc7Bd71880f (CSM multisig)
This address will be granted with two roles: SET_BOND_CURVE_ROLE and RESET_BOND_CURVE_ROLE.
With these roles, the address will be able to set and reset the bond curve for the particular Node Operator.
bondCurve
Proposed value = [2.4 ether, 3.7 ether]
- Validator 1 -
2.4 ETH - Validator >= 2 -
1.3 ETH
This variable is used by the CSM Accounting contract to determine the default bond requirements for the CSM Node Operators.
Corresponding research with regard to the bond curves can be found here.
earlyAdoptionBondCurve
Proposed value = [1.5 ether, 2.8 ether]
- Validator 1 -
1.5 ETH - Validator >= 2 -
1.3 ETH
This variable is used by the CSM Accounting contract to determine the bond requirements for the Early Adoption participants.
Corresponding research with regard to the bond curves can be found here. Early Adoption benefits approach is described here.
elRewardsStealingReporter
Proposed value = 0xC52fC3081123073078698F1EAc2f1Dc7Bd71880f (CSM multisig)
This address will be granted with the role: REPORT_EL_REWARDS_STEALING_PENALTY_ROLE.
With this role, the address will be able to report the facts of MEV or EL rewards stealing by CSM Node Operators to lock a bond amount equal to stolen ETH. Penalty application is performed by easyTrackEVMScriptExecutor granted with the SETTLE_EL_REWARDS_STEALING_PENALTY_ROLE role.
CSM Oracle
avgPerfLeewayBP
uint256 public avgPerfLeewayBP;
Proposed value = 500 BP
This variable is used by the CSM FeeOracle contract to determine the difference between average network validator performance and CSM validator performance that is treated as “good performance”. The actual formula is performanceThreshold = avgPerformance - avgPerfLeewayBP.
It is proposed to set the avgPerfLeewayBP to 500 BP (5%) to provide meaningful leeway for the community validator’s performance while keeping the threshold high enough to maintain compatible APR for the stETH holders.
oracleReportEpochsPerFrame
Proposed value = 225 * 28
This variable indicates the length of the CSM Performance Oracle frame. It is proposed that it be set at 28 days.
Note: One day = (3600 * 24) / (32 * 12) = 225 epochs.
Motivation is presented in the CSM Architecture document.
oracleMembers
Proposed value = current Lido Oracle members
0x140bd8fbdc884f48da7cb1c09be8a2fadfea776e [Chorus One]
0x404335bce530400a5814375e7ec1fb55faff3ea2 [Staking Facilities]
0x007de4a5f7bc37e2f26c0cb2e8a95006ee9b89b5 [p2p]
0x946d3b081ed19173dc83cd974fc69e1e760b7d78 [Stakefish]
0xe57B3792aDCc5da47EF4fF588883F0ee0c9835C9 [MatrixedLink]
0x61c91ECd902EB56e314bB2D5c5C07785444Ea1c8 [bloXroute]
0x1ca0fec59b86f549e1f1184d97cb47794c8af58d [Instadapp]
0xA7410857ABbf75043d61ea54e07D57A6EB6EF186 [Kyber Network]
0xc79F702202E3A6B0B6310B537E786B9ACAA19BAf [Chainlayer]
Given that CSM Oracle has a form of the common Lido Oracle module, it is reasonable to ask existing Lido Oracle members to run CSM Oracle instances.
hashConsensusQuorum
Proposed value = 5
Given that CSM Oracle will have the same members as the common Lido Oracle, it is reasonable to use the same value for the quorum = 5.
fastLaneLengthSlots
Proposed value = 1800
The ‘fast lane’ was introduced in the Lido v2 upgrade to monitor the Oracle runners’ performance and participation. Given the data observed on the testnet, it is proposed to set the value to 6 days (1800 slots).
GateSeal
gateSealFactory
Proposed value = 0x6C82877cAC5a7A739f16Ca0A89c0A328B8764A24
The address of the deployed gateSealFactory.
sealDuration
Proposed value = 6 days
This variable indicates the length of pause activated by the corresponding GateSeal instance. It is proposed that it be set at 6 days (the same as for the WithdrawalQueue). 6 days is sufficient to prepare for an emergency upgrade and initiate on-chain votes to upgrade contracts or prologue pause.
sealExpiryTimestamp
Proposed value = deployTime + 365 days
This variable indicates the period during which the corresponding GateSeal instance can be used. It is proposed to set it at deployTime + 365 days (the same as for the WithdrawalQueue). 365 days is sufficient to ensure CSM code reliability or to deploy a new GateSeal instance.
sealingCommittee
Proposed value = 0xC52fC3081123073078698F1EAc2f1Dc7Bd71880f (CSM multisig)
It is proposed that CSM Multisig be used as the sealingCommittee address in CSM to allow for a fast reaction to unexpected situations during CSM operation.