Future of the Curated Module | CMv2 Landscape

(Proposal for Community Feedback)

This post outlines a proposal for community and DAO feedback on the high-level design of the Curated Module v2 (CMv2), the next iteration of Lido Core’s main staking module.

TL;DR

As Lido’s Curated Module (CM) continues to secure the vast majority of stETH stake, its next evolution – Curated Module v2 (CMv2) – is being proposed for feedback and DAO approval. CMv2 aims to ensure that Lido Core remains competitive, sustainable, and aligned with Ethereum’s decentralization goals.

The module’s design introduces bond-based security, flexible operator classification, improved incentive alignment, and lower governance friction. It reuses components of the Community Staking Module (CSMv2) to ensure efficiency, while introducing mechanisms that bring Lido closer to a staking marketplace model.

This proposal seeks approval for development, testing, and preparations for further implementation of CMv2.

1. Background and Context

As outlined in the broader post Contributor Thoughts on the Future of Lido Core, Ethereum staking has entered a new era. Professional Node Operators now compete globally, offering low fees, robust infrastructure, and risk coverage. At the same time, new staking designs – from restaking protocols to permissionless pools – are reshaping expectations for efficiency and accountability.

The Lido protocol has evolved in response through its modular architecture, composed of:

• the Curated Module (CM) – the core, trusted-operator layer;

• the Community Staking Module (CSM) – for smaller or permissionless operators;

• and the Simple DVT Module (SDVTM) – advancing Distributed Validator Technology adoption.

Among these, the Curated Module v1 (CMv1) remains the foundation of Lido Core, securing around 92% of the total stETH supply. However, this success also brings responsibility: the module must adapt to maintain competitiveness and continue to embody Lido’s values of decentralization, resilience, and Ethereum alignment.

In addition to the existing module architecture, Lido V3 introduces stVaults – a new, modular staking primitive that allows users and integrators to create their own validator setups while optionally accessing stETH liquidity. Importantly, stVaults do not replace Lido Core – they depend on it. CMv2 therefore remains a foundational part of the Lido protocol even in the V3 architecture: stVaults expand the ways users can stake, but the safety, performance, and decentralization guarantees come from Lido Core in general, and CM in particular.

2. Problem Statement

CMv1 has proven resilient and performant. Yet, its current structure – designed in an earlier staking environment – faces limitations:

1. Static economics. CMv1 enforces a fixed 10% protocol fee split (5% for Node Operators, 5% for the DAO). As external operator costs drop and competitors offer flexible rates or additional coverage, this fixed fee places CMv1 at the upper edge of market cost. In addition, Node Operator fees are set at the module level, a technical limitation that does not allow for different Node Operators within the module to have differing fees.

2. Rigid stake allocation. Stake distribution is not dynamic. It doesn’t account for operator performance, contribution to decentralization, or risk profile – all key differentiators in a maturing validator market.

3. Limited accountability mechanisms. Operator trust is currently mostly reputation-based (i.e. professional operators are expected to perform well, and compensate stakers and the protocol if something goes wrong, and this has worked well up until now). While the reputation-based system has worked well for over five years, it could be improved through the addition of tangible coverage from the side of Node Operators in case of potential losses or slashing events.

4. Governance and operational friction. The current module design requires on-chain votes even for simple administrative changes (e.g., address updates), increasing operational overhead and delaying responses to urgent matters.

5. 0x02 readiness and Pectra alignment. Ethereum’s Pectra upgrade introduces a new class of validators with 0x02 withdrawal credentials, tied to EIP-7251. For validators that opt into 0x02, the maximum effective balance increases from 32 ETH to 2048 ETH. For a liquid staking protocol, 0x02 support is not a cosmetic upgrade. The protocol’s routing, accounting, and risk models must understand validators whose balances can move between 32 and 2048 ETH, support top-ups to existing validators instead of only spinning up new ones, and eventually integrate partial withdrawals that can return only a portion of a validator’s balance without a full exit. CMv1 was designed around a world of 32 ETH validators and can only partially adapt to this new model.

These challenges collectively limit adaptability. CMv2 therefore proposes a modernization of incentives and risk mechanisms, building toward a flexible, data-informed, and self-regulating Curated set.

3. Objectives and Guiding Principles

The Curated Module v2 is designed around four guiding principles: sustainability, competitiveness, alignment, and autonomy.

It is proposed that CMv2 aims to:

• Introduce measurable accountability. Incorporate bonding and penalty frameworks to align operator behavior with staker interests in a more formal way.

• Differentiate operator types. Reflect the diversity of Node Operators – from public-good teams to large commercial entities – with tailored incentives and expectations.

• Streamline governance. Reduce operational overhead by allowing self-managed administrative changes, with DAO oversight preserved for critical interventions or overrides of pending actions.

• Reuse and unify infrastructure. Build CMv2 on the CSMv2 codebase, ensuring efficient maintenance and future compatibility with shared tooling and upgrades.

• Make the module adaptable to the market. Implement a flexible stake distribution mechanism that reflects performance, cost, and contribution metrics.

4. Delivery Phases

To ensure smooth adoption and avoid operational disruption, the new version of the Curated Module rollout is suggested to proceed in two major releases:

• Phase 1 | (Q1–Q2 2026): Introduction of core structural upgrades – consolidations, bonding, operator types.

• Phase 2 | (Q4 2026): Direct deposits, flexible stake distribution mechanism, custom fees, strike system.

5. Path towards streamlining governance

It is proposed that a Curated Module Committee (“CMC”) be established to streamline the governance and operational processes of the Curated Module. The committee’s primary role would be to maintain and administer the module on behalf of the DAO, handling routine operational and technical matters that do not require full on-chain votes, while leaving full control with the DAO through the use of optimistic governance.

In practice, the CMC is expected to operate primarily via Easy Track motions with built-in challenge periods, so that routine actions remain transparent to the DAO and can be vetoed if needed, while day-to-day operational changes do not require full governance votes.

Among its key responsibilities would be:

• Assessing and onboarding Node Operators during open application rounds;

• Assigning appropriate Node Operator types;

• Reporting penalties or incidents related to Node Operator performance or compliance;

• Overseeing operational integrity and coordinating with other protocol components as needed.

The detailed scope of responsibilities, as well as the committee’s composition, mandate, and accountability mechanisms, will be outlined and submitted to the DAO for approval in a separate proposal.

6. Features Overview | Phase 1

6.1 Node Operator Bond

In CMv1, reputation is the primary guarantee of alignment and reliability. It has been effective, but as the ecosystem matures, reputation alone is insufficient to provide measurable coverage for operational risks.

It is proposed that CMv2 introduce a bonding mechanism to complement, not replace, reputation.

Each Node Operator would provide a bond – denominated in ETH, stETH, or wstETH – to cover operational risks such as slashing, execution layer (EL) reward violations, or significant validators downtime. Bonds will be held as stETH to ensure capital efficiency for operators’ bonded positions.

Importantly, bonds will be associated with operators, not individual validators. This design reduces administrative overhead and mitigates cases where a single validator event could exceed per-validator bond coverage.

This approach mirrors emerging best practices in permissioned staking frameworks while maintaining a lower bond requirement than fully permissionless models, recognizing that Curated Operators have undergone rigorous DAO-vetted onboarding.

Bond sizing, risk calibration, and parameters will be explored in a dedicated follow-up analysis.

6.2 Penalty Framework

To ensure fair enforcement, CMv2 proposes a clear, transparent penalty process governed by DAO oversight mechanisms (e.g., Easy Track motions with challenge periods).

Bond deductions may occur for:

• Validator slashing: After slashing finalization, the Curated Module Committee reports the penalty amount via Easy Track. The Node Operator’s bond is burned to compensate for losses and missed rewards.

• EL rewards violations: If an investigation shows that rewards were diverted from Lido’s Execution Layer Rewards Vault, the equivalent amount plus a fixed fine for committing a violation is locked from the operator’s bond. Operators can return funds before penalties are finalized.

• Operational failures: Other penalization factors may include extended and/or serious downtime, delayed exits, and other violations of protocol rules or expectations.

The inclusion of challenge periods preserves decentralization of oversight while ensuring rapid responses to confirmed misbehavior.

6.3 Support for 0x02 Validators

CMv2 is proposed as the Curated Module’s 0x02-native evolution: it assumes high-balance validators from the start, recalibrates bond and penalty parameters for up to 2048 ETH per validator, and aligns the Curated set with the Lido’s Roadmap to Pectra.

To align with Ethereum protocol changes that aim at reducing the network congestion, CMv2 will support only 0x02 validators. It requires adjusting all penalty amounts under the assumption of a maximum 2048 ETH balance per validator, ensuring compatibility with new validator specifications.

During Phase 1, validators in CMv1 would be migrated to 2048 ETH balance validators in CMv2 via the use of consolidations.

6.4 Node Operator Types

The mechanics of Node Operator types offer a way to categorize Node Operators based on shared properties, characteristics, or unique behaviors. This approach allows for the formation of distinct types, enabling more precise management, targeted incentives, and risk-mitigation mechanisms within the Curated Module.

Node Operators may differ across several dimensions, including but not limited to:

• Reward structures

• The processes through which they are onboarded

• Their risk profiles

• The underlying technologies they utilize

• Other relevant operational or technical factors

By segmenting Node Operators in this manner, it becomes possible to optimize performance, enhance protocol security, and ensure deeper alignment with the Ethereum ecosystem.

Sub-operators

Operators may operate multiple sub-operators of different types under a single entity. This flexibility allows the system to more accurately represent the diversity of infrastructure and operational strategies within a single organization, while maintaining clear governance and risk boundaries.

For instance, an operator could hold two types simultaneously – Professional Trusted Operator and Decentralization Operator – if part of their infrastructure is located in underrepresented geographic regions, while the rest of their setup follows the default professional operator configuration. Another example would be an operator who runs a portion of their keys under a DVT setup, qualifying that part as an Intra-Operator DVT Cluster, while the remainder remains under the Professional Trusted Operator type.

Creation of new sub-operators is a permissioned function that is governed by the Curated Module Committee via Easy Track, ensuring transparent management of hybrid setups while supporting operational flexibility.

image1600×856 144 KB

Types

Based on the current participants of the Curated set and prospective ones, it is proposed to introduce the following list of Node Operator types:

• Professional Operator – an entity that joined after the CMv2 release (newcomers) and has not yet established a strong record of performance and reliability within the Lido Protocol. It is assumed that new entrants will initially fall into this category after onboarding to CMv2. This type is meant to serve as a “trial” stage in their validation journey within the Curated Module of the protocol. For this type of operator, the lack of an established trust component is balanced by higher bond requirements. A defined set of criteria will allow a Professional Operator to graduate to the Professional Trusted Operator category after the trial phase.

• Professional Trusted Operator – a for-profit entity that was onboarded to CMv1 and does not fall into any other operator type. This category represents the default type for professional operators who have consistently demonstrated strong performance and reliability, building their reputation as Lido Node Operators over time. It includes both existing CMv1 Operators migrating to CMv2, as well as new Operators who have successfully completed the Professional Operator trial stage. The parameters for this type are considered default and form the operational baseline for Curated Module participants.

• Public Good Operator – an entity developing, or substantially supporting in a financial manner, an Ethereum Execution or Consensus Layer client, or contributing to the broader public infrastructure of the ecosystem. This type is expected to have an increased reward share, reflecting Lido’s mission to support Ethereum public goods.

• Decentralization Operator – an entity maintaining its infrastructure in underrepresented geographic regions in terms of Ethereum decentralization, or running unique client and infrastructure combinations. These operators play a key role in geographical and client diversity and may be granted greater performance tolerance to accommodate such setups.

• Extra Effort Operator – an entity that demonstrates strong alignment with the Lido Protocol through additional contributions — for example, bringing stake via stETH vaults, participating in early testing of new technologies, or operating Lido Oracle infrastructure. This type may be incentivized through an increased rewards share.

• Multi-Operator DVT Cluster – a distributed validator cluster composed of multiple verified participants that are independent entities. This type may be incentivized for running distributed validator (DV) technologies through increased rewards and decreased bond requirements, given their significantly different risk profile compared to single-entity setups.

• Intra-Operator DVT Cluster – a distributed validator cluster composed of validators belonging to the same entity. This type may be incentivized for running DV technologies with slightly increased rewards, acknowledging their improved resilience but lower decentralization factor compared to multi-operator clusters.

Proposed Operator Types

Note: As values for the parameters that can be influenced by NO type will only be finalized once work on the module has been mostly finalized and implementation has begun, the below serve as suggested values in relation to the default baseline.

Operator Types1488×1111 61 KB

This taxonomy enables the DAO to reward contributions that further decentralization and ecosystem resilience, while managing risks with appropriate bond levels and performance guardrails.

Node Operator types in CMv2 are intended to replace the legacy tiers used in CMv1. These types are scoped specifically to the Curated Module: the tiers and configuration options used for stVaults remain a separate abstraction layer built on top of Lido Core and are not meant to mirror or map one-to-one to CMv2 operator types.

6.5 Rewards Splitter

Building on the proposal for Intra-Operator DVT Guidelines, CMv2 introduces the Rewards Splitter — a mechanism that allows Node Operators to distribute rewards to multiple recipients.

This feature simplifies integrations with DVT infrastructure providers (e.g., Obol, SSV) and enables optional contributions to public goods such as the Protocol Guild.

Only the operator reward portion (see “Rewards Distribution” in Section 8 below for details), not bond rebase rewards, will be subject to splitting. Operators can configure recipient addresses autonomously, reflecting their operational partnerships or contribution preferences.

6.6 Node Operator Address Management

It is proposed that CMv2 allow Node Operators to self-manage their manager and reward addresses directly, reducing governance friction and response latency.

Currently, these changes require full on-chain DAO votes. Under CMv2, such updates would be permissioned to the operator, while the DAO retains the right to override via vote or via an emergency committee in cases of serious security incidents.

This shift significantly reduces administrative overhead while maintaining security and oversight.

6.7 Additional Operator Properties

CMv2 also adds the ability for operators to set their name and description fields. Both can be edited by the operator or the Curated Module Committee, enabling more human-readable, transparent metadata in interfaces and on-chain registries.

7. Features Overview | Phase 2

While the immediate goal is to implement 0x02 support, operator bond, and operator types, it is important to view it as a stepping stone toward the envisioned end-state of the Curated set.

Phase 2 of CM v2 aims to establish a Validator Market (“ValMart”), where stake flows dynamically among operators based on transparent parameters such as fees, performance, and ecosystem contribution. To enable the ValMart functionality, it is required to implement the following features:

7.1 Custom Fee Curves

Node Operators could set nonlinear fee curves, allowing flexible pricing per tranches of ETH staked. This reflects real-world cost structures, enabling fairer competition and efficient stake distribution.

The system would then allocate stake dynamically, balancing DAO-defined decentralization parameters with operator-offered fee levels.

image1600×1040 85.7 KB

7.2 Strike System

CMv2 Phase 2 envisions a strike-based accountability system, tracking cumulative misbehavior across categories like poor performance, delayed exits, or policy violations.Strikes act as a long-term disincentive, progressively reducing an operator’s stake allocation weight rather than relying solely on immediate penalties, where a sufficient number of strikes over a certain timeframe can also result in ejection from the Curated Module set.

7.3 Additional Bond Reserve

Operators may opt to contribute additional stETH bond voluntarily, boosting their weight in stake allocation. This creates a direct incentive for operators to further secure the assets that are staked via their infrastructure, increasing alignment with stakers.

7.4 LDO Lock and Delegation

Operators could lock LDO tokens and delegate them (or vote themselves) to weigh in on DAO decisions. Active governance engagement would improve their stake allocation weight, encouraging alignment between validator operators and Lido governance.

7.5 Validator Marketetplace (ValMart) Algorithm

Stake distribution in CMv2 after Phase 2 release will be determined by a weighting model considering multiple parameters:

• Operator fee curve;

• Node Operator type;

• Strike count;

• Additional stETH bond;

• LDO locked.

Together, these parameters create a dynamic, self-regulating marketplace for validator slots, balancing decentralization, competition, and protocol risk limits.

A key design constraint will ensure maximum stake caps per operator, thereby preserving decentralization.

7.6 Direct Deposits

Certain allowlisted integrations (e.g., DeFi protocols, or institutional products) could deposit directly into a chosen Node Operator’s pool, minting stETH 1:1 without an intermediate vault. This supports B2B integrations and new staking use cases while keeping protocol control. Potential use cases are for protocols that want to specifically deposit to validators using technology like DVT, pre-confirmation sidecars, etc. This mechanism would be limited in capacity on a per Node Operator level, and complementary in nature to stVaults.

8. Operator Lifecycle in CMv2

The CMv2 operator lifecycle is designed for efficiency and clarity:

Onboarding

• The onboarding process begins with a public announcement that the Curated Module onboarding window is open. During this period, interested Node Operators can submit their applications to join the Curated set.

• Applications are assessed by the Curated Module Committee.

• The onboarding of new Node Operators is then initiated via Easy Track motion from the Curated Module Committee.

• Each approved operator is assigned a Node Operator type based on its profile and contribution characteristics.

• Once allowlisted, the Node Operator sets its manager and reward addresses, name, and description to complete initial onboarding steps, followed by coordination with Lido DAO Contributors to become active within the Curated Module.

Key Uploading

• Each uploaded key requires a corresponding bond contribution, added to the operator’s bond balance and staked as stETH.

Stake Allocation

• Phase 1: Allocation follows the MinFirstAllocation algorithm, as in CMv1, but allows custom weights per operator type. This empowers the DAO to prioritize certain operator types (e.g., decentralization operators or client teams) for larger stake allocations.

• Phase 2: Allocation follows the MinFirstAllocation algorithm, with weights for Node Operators being determined by multiple parameters:

  • Operator fee curve;

  • Node Operator type;

  • Strike count;

  • Additional stETH bond;

  • LDO locked.

Rewards Distribution

Node Operators in CMv2 receive two types of rewards:

• Node Operator rewards: a share of rewards from staker locked stake amount, calculated per active key and distributed in fixed-length frames (7-14 days, configurable), after which they can be claimed by Node Operators.

• Bond rebase: staking rewards generated from the bonded tokens ((w)stETH) – distributed daily

  

  image1312×368 47.5 KB

Rewards Claiming

• Node Operators claim rewards at their discretion, providing flexibility for accounting, taxation, or fiscal management.

• Operators can assign a separate claiming address restricted to pulling rewards, minimizing the need to access high-security manager addresses frequently; such an address can be used to create an automated bot that claims rewards whenever there is a balance to claim.

9. Migration from CMv1 to CMv2

Since CMv2 is not just an upgrade of the existing module but a new deployment of smart contracts and supporting tooling, a stake migration process will be required.

The migration will take place through consolidations, ensuring that:

• Each Node Operator who decides to migrate receives a relative amount of stake equivalent to their allocation in CMv1;

• The Lido Protocol remains ready to receive stake and deposit validator keys in either CMv1 or CMv2 throughout the migration period;

• The migration is performed in a way that makes economic sense, with efforts made to minimize costs even though they are expected to be material.

A detailed migration plan from CMv1 to CMv2 will be prepared and shared with Node Operators and the community beforehand for feedback.

10. Conclusion

The Curated Module v2 proposal represents a significant step toward a more flexible, data-driven, and accountable Lido Core.

By combining reputation-based trust with economic alignment, differentiated operator types, and parameter-based stake distribution mechanism, CMv2 strengthens the foundation of Lido’s staking ecosystem.

This proposal seeks community and DAO feedback and approval on the high-level design of CMv2.

bond would be associated with operators or sub-operators?

Hey @satBalwyn.

In the current design draft it is associated with a sub-operator.

Thanks for sharing this. From a legal and governance lens, the move from a reputation-only model to one that includes measurable commitments from operators makes a lot of sense. In most decentralized systems I have studied, reputation works well until the ecosystem grows large enough that the cost of a single mistake becomes too heavy for “trust” to carry on its own. A bond tied to operator performance introduces a clearer line of responsibility without turning the whole process into heavy bureaucracy.

I also appreciate the attempt to reduce the amount of governance friction. A lot of DAOs get stuck in cycles where every small adjustment needs a full vote, and over time it slows down the very people who are supposed to keep the system running. Using a committee with transparent challenge periods feels like a reasonable middle ground. It keeps the DAO in control but still lets the operational work flow without constant roadblocks.

The flexibility around operator types and fee structures matches what I see across other validator ecosystems as well. Not every operator brings the same strengths, and treating everyone as if they were identical rarely leads to fair or efficient outcomes. A more adaptive system that rewards performance and reliability will probably serve both stakers and the protocol better.

Finally, the alignment with the 0x02 shift stands out. Many DAOs underestimate how much work goes into preparing their systems for a major change in the underlying chain. It is good to see this being addressed ahead of time instead of waiting until it becomes a crisis.

Overall, this feels like a step toward a more resilient and accountable module. I am looking forward to seeing how the community shapes the details, especially around the bonding framework and the strike system later on.

I’m broadly supportive of CMv2. It feels like the Curated Module needs to evolve if Lido wants to stay competitive, and Ethereum’s trajectory (0x02 / EIP-7251, consolidation, balance management) makes a more dynamic setup feel inevitable.

The lens I’m using is the mindset shift that has been getting louder this year - most explicitly in GOOSE-3 and in the token holder calls. My takeaway is that we are moving toward being more cost-aware and outcome-driven, with token value much closer to the center of the conversation than it used to be. “Sustainability” is not abstract anymore - it means we should be able to defend why we spend what we spend, and what the DAO and ultimately token holders get in return.

With that lens, the timing matters: the curated module fee change snapshot passed this week, and it introduced meaningful economic differentiation between operator categories:

• Standard: 3.50%

• Extra Effort: 4.00%

• Client-Team: 4.50%

That means Client-Team is +1.00 percentage point vs Standard (about 28.6% more relative to 3.50%), and +0.50 percentage point vs Extra Effort (12.5% more relative to 4.00%). This is not a tiny symbolic premium. It is the kind of gradient that shapes incentives and expectations, and it will influence how people think about CMv2 types and future stake routing - even if CMv2 replaces legacy tiers rather than mapping them 1:1.

So the core of what I’m trying to say is simple: as we push CMv2 forward and get closer to market-like allocation, we should be extremely deliberate about what we embed into validator economics. Once something becomes “paid through fees or stake,” it tends to become sticky and hard to unwind.

Client teams are the cleanest example. I strongly support client diversity, and onboarding client teams as node operators was strategically smart for Lido and good for Ethereum. But client teams as node operators are still node operators - they provide the same core service as everyone else: running validators, meeting operational expectations, and contributing to protocol performance. If we pay them more through validator economics, the reason should sit inside that service boundary and be clearly auditable.

The current justification is a mix of things: client development work, being a resource to other Lido NOs, and strengthening client diversity. Those might be valid, but the proposal does not yet make the “what do we buy for the premium” legible enough for the magnitude of the premium. What exactly is the DAO receiving for the extra 0.5-1.0 percentage point?

• specific Lido-focused SLAs or development?

• incident response expectations?

• measurable support obligations to the wider Lido NO set?

• other deliverables that reduce Lido risk in ways we can verify?

If the premium is effectively subsidizing ecosystem client R&D that sits outside the node operator service, then validator fees and stake allocation are a strange place to do it in a cost-disciplined, token-value-first mindset. At that point it becomes a subsidy that is hard to measure, hard to challenge, and permanently bundled into ongoing validator economics.

This ties into a second concern: the “Extra Effort” criteria already references Ethereum ecosystem contributions and public goods work. That’s well intentioned, but it blurs the line between (a) paying for a service the DAO directly consumes and (b) paying for broad ecosystem value. In a more cost-aware world, that line matters. Otherwise categories become a grab bag of “good things,” and the DAO loses the ability to reason cleanly about what each additional basis point is buying.

On public goods more broadly - I support public goods. I just do not love the idea of encoding “public good-ness” directly into operator categorization and stake routing as a high-priority signal. Once public goods become a path to more stake or higher fees, incentives shift from “do the highest impact work” to “do the work that best unlocks stake.” That is exactly where politics, signaling games, and subjective judgments creep in.

If the DAO wants to fund public goods, a cleaner approach is explicit public good grants or explicit budgets with scope, milestones, evaluation, and accountability. And from the token-value-first lens: public good grants feel like something the DAO does when it can clearly afford it, not something that silently takes precedence inside validator economics before token holders see credible, sustainable value capture.

Now, on CMv2 itself - one thing I’d like clarity on is how much “type preference” is intended to matter versus market-like competition. CMv2 seems to keep operator type as a real lever for stake allocation (Phase 1 weights by type, Phase 2 combines multiple levers including fee curves and type). My concern is that if types are heavily value-laden (public goods, ecosystem contribution), the allocation mechanism risks becoming policy-driven and subjective, instead of converging toward “lowest cost while satisfying security and decentralization constraints.”

In a market-driven design, my instinct is that stake should mostly flow to the lowest-cost operators that meet strict minimum standards, with decentralization and risk managed by enforceable constraints and caps (client concentration, cloud concentration, geographic exposure). That feels more robust than relying on broad categorizations that are hard to measure and easy to game. This is especially true for decentralization signals - having been involved in onboarding node operators to Lido from the very beginning, I know how non-trivial it is to define and verify “real” geographic decentralization in practice.

One more governance angle: I’m wary of any design where LDO lock or delegation materially influences stake allocation. If governance-linked signals become an input to routing, bribery and financialization dynamics are highly likely - whether through contracts or offchain agreements. Even if this ends up being a minor lever, it deserves explicit guardrails and careful design.

Finally, bonds. I’d appreciate clarity on whether bonding is intended to economically bound liability (excluding gross negligence), or whether it is purely an onchain enforcement and alignment layer alongside broader legal obligations. This matters for operators to understand the actual risk profile of CMv2 participation.

To close: I support the CMv2 direction. I’m taking a more contrarian stance on incentive design because I think the DAO is shifting toward cost discipline and token value being closer to the core. In that world, every premium category and every stake preference should be treated like a real expense and justified as something that advances Lido-specific resilience, competitiveness, and sustainability - not as a default way to subsidize broad ecosystem goals through validator economics. This is just my personal view, and I’m very open to being proven wrong on any of the points above. Also, none of this is meant as an attack on public goods or value alignment, and definitely not as a knock on client teams - I deeply appreciate the work they do every day and the value they bring to Ethereum and to Lido.

Hey @katernoir , this is a really good post and feedback, thank you for sharing it.

I agree with a lot of your points in spirit (and have quite a few responses where even though I may agree in spirit I disagree from a practical perspective in terms of outcomes that may lead to). I’d like to note that the current proposal was largely a result of contributors trying to weigh between a more cost-optimized and leaner approach as you describe and the previous way things were done.

There’s quite a bit of time in between now and the final values of CMv2 being finalized to address your and Stefan’s viewpoints, ideas, and concerns, and personally I welcome discussions like this and am happy to see them come about.

I’ll write up a more detailed response in the coming days, but just wanted to say thanks for dropping your thoughts.

Please tell me, does active participation mean independent voting or do delegations also count as such?

This is a really important discussion to surface, especially now that Lido is actively pushing toward a more modular and pluralistic staking landscape.

To me, the core tension around CMv2 isn’t whether curated sets are “good” or “bad,” but what role they are meant to play over time. Historically, the curated module has served as a credibility anchor — a way to bootstrap trust, performance, and risk management at scale. That function has clearly been valuable.

The challenge is that as alternative modules mature, the same properties that once made the curated set a stabilizing force can start to look like structural inertia. If CMv2 remains the default simply because it is familiar and large, that could unintentionally slow experimentation elsewhere, even without any explicit exclusion.

I think it would help to more explicitly frame CMv2 not as a permanent “center of gravity,” but as one module among many whose relative weight should be justified continuously — by performance, risk characteristics, and ecosystem needs, not legacy alone.

In that sense, the future of CMv2 feels less like a binary choice and more like an ongoing calibration problem for governance.

One additional angle that might be worth exploring is the transition experience for operators themselves.

If curated status becomes less central over time, operators may need clearer signals about what excellence looks like in a more competitive, multi-module world. Otherwise, there’s a risk that incentives lag behind structure, leaving high-quality operators uncertain about where to invest effort and capital.

Explicit criteria, mobility between modules, or even time-bound expectations around curation could make the landscape feel more intentional rather than implicit.

Thank you for your feedback, @katernoir! I think it is very well thought through, and I genuinely appreciate you sharing it publicly.

I’d like to share my thoughts on the points you raised.

First, it is important to note that in Phase 2 all operators will compete on fees in the same way, with the only difference being a higher maximum allowed fee for some operator types (including client teams) as proposed in the table in the original proposal. This means that client teams are not excluded from competition. Under the current framework, while a Client Team might be able to set a higher maximum fee, if they do not compete in the marketplace they would likely run a smaller portion of stake. That said, I agree that the magnitude of this “difference” is negotiable, especially given the community feedback so far (including your comment here). The exact fee values for Phase 1, as well as the maximum allowed fees for Phase 2, are intended to be revisited in a separate discussion as we move closer to the Phase 1 and Phase 2 launches.

I agree that, as an end state, a separate and explicit channel through which the Lido DAO supports public goods (including client teams) could be a cleaner solution. However, this alone does not fully resolve the concern you raised about “what do we buy for the premium” unless such a funding mechanism itself includes a well-designed framework for defining success, measuring outcomes, and evaluating performance. Designing and operating that kind of mechanism would also require additional DAO resources and spending to define, maintain, and enforce.

I partially agree with this point. Tying client-related contributions into validator economics is not necessarily ideal in the long term. At the same time, the proposed design allows the protocol to differentiate between client teams based on their concrete contribution to Lido through multiple parameters included in ValMart. For example, if a client team operator sets the highest possible fee but does not participate in governance or underperforms operationally, the effective “premium” they receive would be lower than for teams that actively participate and perform well across these dimensions, as they would likely be running a lower amount of total stake.

Here I want to add some clarification on the current thinking. Custom fees are intended to be the primary driver of stake allocation, not operator type weights. Operator type weighting is designed as a powerful but flexible lever that the DAO can use to respond to changes in the staking landscape. For example, if the validator set trends too far toward centralization, the DAO could increase the weight of decentralization-focused operators; similarly, if the DAO decides to accelerate DVT adoption, it could adjust weights accordingly. At this stage, I personally do not see client teams receiving an increased operator type weight by default.

This is broadly aligned with what CMv2 Phase 2 aims to achieve. The current expectation is that the fee rate will be the most weighted factor under ValMart. Node operator onboarding already requires meeting standards, which are continuously monitored by the NOM team throughout the operator lifecycle. It is also expected that there will be at least a maximum amount of stake that each node operator should operate via Lido Core. However, I do not believe it is efficient to encode every desirable property as a hard minimum requirement, as that risks all operators clustering around the same baseline. Instead, ValMart is designed to allow node operators to express different forms of contribution that make sense for them: whether through lower fees, governance participation, or other measurable inputs.

That is a fair point. Going forward, this should be addressed as part of the assessment process, with an honest acknowledgment of the practical limits of verification. At this stage, I cannot say to what extent this can be fully or reliably solved, but I agree it is a real challenge.

All parameters that influence stake allocation are intended to have explicit limits on their impact. This applies even to custom fees, which are expected to be the dominant factor. The same is true for LDO lock (as a proxy for governance participation). Under the current design, this parameter is expected to have the lowest weight in the overall stake allocation, while still providing a modest incentive for operators to engage in governance.

Bonds in CMv2 aim to cover mostly the latter case. The intention is for node operators to have some “skin in the game” in addition to their future expectations of validator rewards that are at risk if their validators are slashed, experience extended downtime, or otherwise negatively impact staking rewards to the protocol. The tricky aspect here is that there are many edge cases related to Node Operator penalization that need to be considered. The penalty framework suggests that the Curated Module Committee will be responsible for investigating incidents (e.g. EL reward stealing, slashing, extended downtime) and if an incident is determined to occur, the committee would report the penalty amount via Easy Track. This system provides a mechanism for penalization of Node Operators while maintaining a check/balance from the DAO via the challenge period, while also maintaining flexibility in terms of what kind of incidents are penalized.
To this point, we expect to share more information and analysis before the introduction of the bond system around prior incidents that have affected stakers, and share a framework for how the Committee would be expected to react under different scenarios.

Thanks @Aleksandra_G for taking the time and responding! I’ll generally understand your points and positions (not agreeing to all, but most ). At this time, it’s really hard to constructively argue about the individual mechanics because there are just not enough details known to me. I hope we will soon see some more in-depth descriptions posted here. Once this happens, I’ll happily see if any of my concerns are still open or if I take issues with some.

Bond values & approach suggestion:

Hi there!
Firstly, thank you Aleksandra G for an extensive and well-structured proposal for discussion.
I would like to focus on one of the key goals outlined in the document:

Introduce measurable accountability. Incorporate bonding and penalty frameworks to align operator behavior with staker interests in a more formal way.

As a contributor within the analytics workstream, I want to share my approach and suggestion on bond values for CMv2, based on the risk mitigation framework utilized within the Risk assessment for community staking incorporating changes that come with Pectra and current network conditions.

This post is structured as follows:

1. Evaluating possible impact of risks associated with performing validation duties
2. Designing risk scenarios and possible bond structure as a mitigation
3. Checking proposed bond structure in terms of Node Operator economics

TL;DR

Suggested default bond structure for 0x02 (2048ETH) validators for Professional Trusted Operator type:

• 11 ETH for the first validator
• 0.6 ETH for each subsequent validator

Based on the current average Curated Module Node Operator size (6,909 x 32 ETH keys, or 108 x 2048 ETH keys), the required bonded capital would be 75.2 stETH per Curated Node Operator, which is ~ 34% of yearly Node Operator rewards at 3.5% fee. The suggested bond requirements are considered to be economically viable both for existing as well as new entrants, whether additional capital is sourced or not (the difference being the time to ramp up to “full capacity”)

Suggested values provide risk mitigation for:

• Slashing for up to six 0x02 validators (for each Node Operator, but not simultaneously), which is more than three times greater than largest historical slashing event (in terms of amount of ETH slashed), considering the reduction on initial penalty with Pectra and change to continuous (on total share of network slashed) nature of correlation penalty
• Offline period for all CMv2 validators for up to 60 hours (three times the most observed offline period in observed Lido incidents). For any subset of validators offline within Node Operator (which is more realistic scenario) covered downtime is even higher

Providing complementary robustness of the protocol in addition to the reputation based model utilized in CMv1, as

It is proposed that CMv2 introduce a bonding mechanism to complement, not replace, reputation.

Scale of impact

The bond is intended to provide mitigation for three primary risks:

• Validator slashings
• Validator downtime
• Rerouting EL rewards

The bond values therefore should be sufficient enough to cover impact of operational incidents, with risk transferring from the protocol to Node Operators intention stated in 6.2 Penalty Framework section.

Assumptions

• 2.84% CL APR, defined based on the total amount of ETH staked via base reward & total emission amount with a conservative assumption on -3.5% of current total staked volume (35 632 302 ETH)
• 0.33% EL APR, defined based on the total ETH staked, and a conservative assumption for a high EL reward level of 0.0432 ETH per block (+50% to current observed vale)
• 0x02 (2048 ETH) validators, as stated in the landscape

Validator slashings

Evaluating the impact of slashing by components for one 0x02 full (2048 ETH) validator:

1. Attestation penalty: ~ 3.62 ETH, based on 36 days of accumulated penalties within epochs_per_slashings_vector specification
2. Initial slashing penalty: 0.5 ETH based on MIN_SLASHING_PENALTY_QUOTIENT_ELECTRA = 4096
3. Correlation penalty: 0.368 ETH based on PROPORTIONAL_SLASHING_MULTIPLIER_BELLATRIX = 3 and continuous nature of this penalty after pectra update
4. Missed rewards (CL): ~ 5.80 ETH, based on 36 days of missed CL rewards within epochs_per_slashings_vector specification
5. Missed rewards (EL): ~ 0.67 ETH, based on 36 days of missed EL rewards within epochs_per_slashings_vector specification

This leads to an estimation of 10.96 ETH protocol impact for the slashing of one 0x02 validator (as actual value is defined by network conditions: CL & EL reward levels, and potential losses on ETH re-entering the protocol are not considered within this evaluation).

To put the consequences on scale it’s worth highlighting the range of possible impact, considering multiple validators slashings:
As the correlation penalty increases with a greater number of validator slashings, the total impact grows non-linearly:

image779×574 72.8 KB

With an extreme example of a total 5 428 ETH impact for the case all validators for the current size of CM Node operator are slashed (6909 x 32ETH validators, which is equal to 108 x 2048ETH validators).
Therefore, per-validator impact grows linearly with slashing concentration:

image764×583 62.6 KB

As seen above, per-validator impact on slashings on protocol could be quite significant, therefore mitigation should be considered on Node Operator level:

Importantly, bonds will be associated with operators, not individual validators. This design reduces administrative overhead and mitigates cases where a single validator event could exceed per-validator bond coverage.

From this perspective I suggest designing bond structure aiming to cover reasonable risk events from the bond provided on multiple validators, as the impact of 0x02 validator slashings is relatively high and it’s not feasible to expect Node Operators participating in CMv2 to provide per-validator bonds on a level to cover mass-scale slashing events (indeed, there is no available insurance product or Node Operator guarantee for such a level of slashing, either). The idea is to create a direct accountability mechanism for relatively reasonable events to further align incentives of Node Operators and stakers, while also being reasonable in capital requirements from Node Operators to participate.

Based on the impact evaluations I suggest 11 stETH as a minimum (initial) value of bonded capital for each CMv2 Node operator, such that that isolated slashing of 0x02 validators could be covered.

Validator downtime

For this particular risk, the impact on the protocol consists only of attestation penalties and missed rewards, and is linear on the number of validators being offline.

For one 0x02 (2048 ETH) validator, being offline for 1 day (225 epochs):

1. Attestation & expected value on sync comitee penalty: ~ 0.1 ETH
2. Missed rewards (CL): ~ 0.154 ETH
3. Missed rewards (EL): ~ 0.0185 ETH

This leads to a total impact of 0.272 ETH per day of downtime.

Based on this, I suggest a minimum value of 0.3 ETH as per-validator bond, ensuring coverage of at least one day of the whole infrastructure being offline.

Rerouting EL rewards

Given the minimum suggested value of 11 stETH for one operator, the share of blocks exceeding this amount in rewards is less than 0.1%, and given that Node Operator bond in aggregate can be utilized for compensation (which would increase based on number of validators operated, and with the bond combined with reputation as a risk mitigation, there is no need for additional capital provided for this separate risk.

Risk scenarios & proposed bond structure

The proposed structure aligns with the intent for bonded capital to primarily cover operational, relatively low-impact risks (in terms of scale), consistent with the proposal:

It is proposed that CMv2 introduce a bonding mechanism to complement, not replace, reputation.

It’s suggested to evaluate the following risk scenarios:

1. Slashing of one 0x02 (2048) validator ~ 11 ETH of total impact
2. Triple the most observed ETH slashing historically (108 x 32 = 3 456 ETH) ~ 63 ETH of total impact
3. Slashing of most observed number of validators in protocol history (20 validators), scaled to 0x02 (2048 ETH) validators ~ 359 ETH of total impact
4. One day of offline (slightly above 20 hours of most downtime within observed Lido incidents) ~ 0.272 ETH per validator of total impact

Not explicitly focusing on mitigating all risks, based on the assumption of a Node Operator size similar to the current observed distribution (6909 x 32ETH keys ~ 108 x 2048 keys)

Suggested bond structures are:

• Conservative: 11 ETH for the first key + 1 ETH per subsequent keys
• Default: 11 ETH for the first key + 0.6 ETH per subsequent keys
• Reduced: 11 ETH for the first key + 0.35 ETH per subsequent keys

Default option is suggested for Professional Trusted Operator type, which would likely entail sufficient coverage for incidents up to ~3x the largest historical slashing and full coverage for a 2-2.5 day offline period, with a possibility to utilize Node Operator Types approach with reduced bond requirements for Inter-Operator DVT Cluster and increased for Professional Operator (newcomers)

Capital required to rewards comparison

While greater bond values and coverage provide more robust mitigation for more severe risk events, it’s crucial to keep the Curated Module scalable and sustainable for participating Node Operators.

Assuming 3.5% Node operator fee, aligned with recent Proposal: Curated Module Fee Changes and 2.85% staking APR, the relation between capital required and level of rewards for Node operator with 108 0x02 (2048ETH) keys:

In all cases, the time to accumulate the required capital investment (which is also rewards-accruing, as bonds are provided in stETH) is less than a year. Therefore, Node Operators could consider borrowing on a secondary market or accumulating in anticipation of the CMv2 release.

For new participants with an initial capital < 20 stETH (10 keys), the time to accumulate the required capital through Node Operator rewards (for current-sized CMv1 Node Operators) is also within reach:

• 456 days (<2 years) for Conservative: [11, (1)] bond structure
• 279 days (<1 year) for Default: [11, (0.6)] bond structure
• 168 days (<0.5 year) for Reduced: [11, (0.35)] bond structure

Providing an operational plan even considering relatively low initial capital.

image771×584 60.2 KB

Summarizing the section, the suggested bonds design provides a reasonable opportunity for Node Operators to collect sufficient capital for participation, via:

• Utilizing rewards for current operations (for participants of CMv1)
• Possible borrowing on secondary market with opportunity to covered borrowed capital in less than a year
• Accumulating sufficient capital for the newcomers through participation with relatively lower initial capital provided and utilizing rewards for bonds for additional validators

As it’s an external view on Node operator economics I’m looking forward to getting community feedback and Node Operators opinions on the numbers suggested.