Future of the Curated Module | CMv2 Landscape

Bond values & approach suggestion:

Hi there!
Firstly, thank you Aleksandra G for an extensive and well-structured proposal for discussion.
I would like to focus on one of the key goals outlined in the document:

Introduce measurable accountability. Incorporate bonding and penalty frameworks to align operator behavior with staker interests in a more formal way.

As a contributor within the analytics workstream, I want to share my approach and suggestion on bond values for CMv2, based on the risk mitigation framework utilized within the Risk assessment for community staking incorporating changes that come with Pectra and current network conditions.

This post is structured as follows:

  1. Evaluating possible impact of risks associated with performing validation duties
  2. Designing risk scenarios and possible bond structure as a mitigation
  3. Checking proposed bond structure in terms of Node Operator economics

TL;DR

Suggested default bond structure for 0x02 (2048ETH) validators for Professional Trusted Operator type:

  • 11 ETH for the first validator
  • 0.6 ETH for each subsequent validator

Based on the current average Curated Module Node Operator size (6,909 x 32 ETH keys, or 108 x 2048 ETH keys), the required bonded capital would be 75.2 stETH per Curated Node Operator, which is ~ 34% of yearly Node Operator rewards at 3.5% fee. The suggested bond requirements are considered to be economically viable both for existing as well as new entrants, whether additional capital is sourced or not (the difference being the time to ramp up to “full capacity”)

Suggested values provide risk mitigation for:

  • Slashing for up to six 0x02 validators (for each Node Operator, but not simultaneously), which is more than three times greater than largest historical slashing event (in terms of amount of ETH slashed), considering the reduction on initial penalty with Pectra and change to continuous (on total share of network slashed) nature of correlation penalty
  • Offline period for all CMv2 validators for up to 60 hours (three times the most observed offline period in observed Lido incidents). For any subset of validators offline within Node Operator (which is more realistic scenario) covered downtime is even higher

Providing complementary robustness of the protocol in addition to the reputation based model utilized in CMv1, as

It is proposed that CMv2 introduce a bonding mechanism to complement, not replace, reputation.

Scale of impact

The bond is intended to provide mitigation for three primary risks:

  • Validator slashings
  • Validator downtime
  • Rerouting EL rewards

The bond values therefore should be sufficient to cover the impact of operational incidents, with the intention of transferring risk from the protocol to Node Operators stated in the 6.2 Penalty Framework section.

Assumptions

  • 2.84% CL APR, defined based on the total amount of ETH staked via base reward & total emission amount with a conservative assumption on -3.5% of current total staked volume (35 632 302 ETH)
  • 0.33% EL APR, defined based on the total ETH staked, and a conservative assumption for a high EL reward level of 0.0432 ETH per block (+50% to current observed value)
  • 0x02 (2048 ETH) validators, as stated in the landscape

Validator slashings

Evaluating the impact of slashing by components for one 0x02 full (2048 ETH) validator:

  1. Attestation penalty: ~ 3.62 ETH, based on 36 days of accumulated penalties within epochs_per_slashings_vector specification
  2. Initial slashing penalty: 0.5 ETH based on MIN_SLASHING_PENALTY_QUOTIENT_ELECTRA = 4096
  3. Correlation penalty: 0.368 ETH based on PROPORTIONAL_SLASHING_MULTIPLIER_BELLATRIX = 3 and continuous nature of this penalty after the Pectra update
  4. Missed rewards (CL): ~ 5.80 ETH, based on 36 days of missed CL rewards within epochs_per_slashings_vector specification
  5. Missed rewards (EL): ~ 0.67 ETH, based on 36 days of missed EL rewards within epochs_per_slashings_vector specification

This leads to an estimation of 10.96 ETH protocol impact for the slashing of one 0x02 validator (as actual value is defined by network conditions: CL & EL reward levels, and potential losses on ETH re-entering the protocol are not considered within this evaluation).

To put the consequences on scale it’s worth highlighting the range of possible impact, considering multiple validators slashings:
As the correlation penalty increases with a greater number of validator slashings, the total impact grows non-linearly:

With an extreme example of a total 5 428 ETH impact for the case all validators for the current size of CM Node operator are slashed (6909 x 32ETH validators, which is equal to 108 x 2048ETH validators).
Therefore, per-validator impact grows linearly with slashing concentration:

As seen above, per-validator impact on slashings on protocol could be quite significant, therefore mitigation should be considered on Node Operator level:

Importantly, bonds will be associated with operators, not individual validators. This design reduces administrative overhead and mitigates cases where a single validator event could exceed per-validator bond coverage.

From this perspective I suggest designing bond structure aiming to cover reasonable risk events from the bond provided on multiple validators, as the impact of 0x02 validator slashings is relatively high and it’s not feasible to expect Node Operators participating in CMv2 to provide per-validator bonds on a level to cover mass-scale slashing events (indeed, there is no available insurance product or Node Operator guarantee for such a level of slashing, either). The idea is to create a direct accountability mechanism for relatively reasonable events to further align incentives of Node Operators and stakers, while also being reasonable in capital requirements from Node Operators to participate.

Based on the impact evaluations I suggest 11 stETH as a minimum (initial) value of bonded capital for each CMv2 Node operator, such that isolated slashing of 0x02 validators could be covered.

Validator downtime

For this particular risk, the impact on the protocol consists only of attestation penalties and missed rewards, and is linear on the number of validators being offline.

For one 0x02 (2048 ETH) validator, being offline for 1 day (225 epochs):

  1. Attestation & expected value on sync committee penalty: ~ 0.1 ETH
  2. Missed rewards (CL): ~ 0.154 ETH
  3. Missed rewards (EL): ~ 0.0185 ETH

This leads to a total impact of 0.272 ETH per day of downtime.

Based on this, I suggest a minimum value of 0.3 ETH as per-validator bond, ensuring coverage of at least one day of the whole infrastructure being offline.

Rerouting EL rewards

Given the minimum suggested value of 11 stETH for one operator, the share of blocks exceeding this amount in rewards is less than 0.1%, and given that Node Operator bond in aggregate can be utilized for compensation (which would increase based on number of validators operated), and with the bond combined with reputation as a risk mitigation, there is no need for additional capital provided for this separate risk.

Risk scenarios & proposed bond structure

The proposed structure aligns with the intent for bonded capital to primarily cover operational, relatively low-impact risks (in terms of scale), consistent with the proposal:

It is proposed that CMv2 introduce a bonding mechanism to complement, not replace, reputation.

It’s suggested to evaluate the following risk scenarios:

  1. Slashing of one 0x02 (2048) validator ~ 11 ETH of total impact
  2. Triple the most observed ETH slashing historically (108 x 32 = 3 456 ETH) ~ 63 ETH of total impact
  3. Slashing of most observed number of validators in protocol history (20 validators), scaled to 0x02 (2048 ETH) validators ~ 359 ETH of total impact
  4. One day of offline (slightly above 20 hours of most downtime within observed Lido incidents) ~ 0.272 ETH per validator of total impact

Not explicitly focusing on mitigating all risks, based on the assumption of a Node Operator size similar to the current observed distribution (6909 x 32ETH keys ~ 108 x 2048 keys)

Suggested bond structures are:

  • Conservative: 11 ETH for the first key + 1 ETH per subsequent keys
  • Default: 11 ETH for the first key + 0.6 ETH per subsequent keys
  • Reduced: 11 ETH for the first key + 0.35 ETH per subsequent keys

| Metrics | Conservative: [11, (1)] | Default: [11, (0.6)] | Reduced: [11, (0.35)] |
|---|---|---|---|
| Capital required for current size NO (108 0x02 keys ~ 6909 x 0x1 keys) | 118 stETH | 75.2 stETH | 48.45 stETH |
| Risk scenario: Slashing of one 0x02 (2048) validator | 100% covered | 100% covered | 100% covered |
| Risk scenario: Triple of largest historical slashing event (in terms of amount of ETH slashed) - 10 368 ETH slashed | 100% covered | 100% covered | Partial coverage: 77% |
| Risk scenario: Slashing of largest historical slashing event (in terms of number of validators slashed) - 20 validators | Partial coverage: 33% | Partial coverage: 21% | Partial coverage: 13% |
| Risk scenario: One day of validator inactivity affecting all node operator validators | 100% covered | 100% covered | 100% covered |
| Maximum number of (full 0x02) validators slashings coverage | 8 | 6 | 4 |
| Maximum offline period coverage, considering 100% of validators downtime | 96 hours (~4 days) | 61 hours (~2.5 days) | 40 hours (~1.65 days) |

Default option is suggested for Professional Trusted Operator type, which would likely entail sufficient coverage for incidents up to ~3x the largest historical slashing and full coverage for a 2-2.5 day offline period, with a possibility to utilize Node Operator Types approach with reduced bond requirements for Inter-Operator DVT Cluster and increased for Professional Operator (newcomers)

Capital required to rewards comparison

While greater bond values and coverage provide more robust mitigation for more severe risk events, it’s crucial to keep the Curated Module scalable and sustainable for participating Node Operators.

Assuming 3.5% Node operator fee, aligned with recent Proposal: Curated Module Fee Changes and 2.85% staking APR, the relation between capital required and level of rewards for Node operator with 108 0x02 (2048ETH) keys:

| Metrics | Conservative: [11, (1)] | Default: [11, (0.6)] | Reduced: [11, (0.35)] |
|---|---|---|---|
| Capital required for current size of one NO (108 0x02 keys ~ 6909 x 0x1 keys) | 118 stETH | 75.2 stETH | 48.45 stETH |
| Share of yearly rewards required to provide as bond | 53% | 34% | 22% |
| Days of rewards required for accumulating bonded capital | 195 | 124 | 80 |

In all cases, the time to accumulate the required capital investment (which is also rewards-accruing, as bonds are provided in stETH) is less than a year. Therefore, Node Operators could consider borrowing on a secondary market or accumulating in anticipation of the CMv2 release.

For new participants with an initial capital < 20 stETH (10 keys), the time to accumulate the required capital through Node Operator rewards (for current-sized CMv1 Node Operators) is also within reach:

  • 456 days (<2 years) for Conservative: [11, (1)] bond structure
  • 279 days (<1 year) for Default: [11, (0.6)] bond structure
  • 168 days (<0.5 year) for Reduced: [11, (0.35)] bond structure

Providing an operational plan even considering relatively low initial capital.

Summarizing the section, the suggested bonds design provides a reasonable opportunity for Node Operators to collect sufficient capital for participation, via:

  • Utilizing rewards for current operations (for participants of CMv1)
  • Possible borrowing on secondary market with opportunity to cover borrowed capital in less than a year
  • Accumulating sufficient capital for the newcomers through participation with relatively lower initial capital provided and utilizing rewards for bonds for additional validators

As it’s an external view on Node operator economics I’m looking forward to getting community feedback and Node Operators opinions on the numbers suggested.

11 Likes
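
The bond arithmetic from the post above, as an added example that is not part of the original post or of Lido's own tooling: it recomputes the capital, scenario-coverage and offline-hours figures for a 108-key operator. The quadratic `slashing_impact` model (correlation penalty scaling with the number slashed together, all other components constant per validator) is an assumption inferred from the post's 10.96, ~63 and ~359 ETH figures, and all function names are hypothetical.

```python
# Added example: constants are the post's figures; the impact model is an assumption.
FIRST_KEY_BOND = 11.0  # stETH for the first validator (post)
PER_KEY_BOND = {"conservative": 1.0, "default": 0.6, "reduced": 0.35}
SLASH_IMPACT_ONE = 10.96   # ETH, one 0x02 validator slashed (post)
CORRELATION_ONE = 0.368    # ETH, correlation-penalty part of the above (post)
OFFLINE_PER_DAY = 0.272    # ETH per validator per day offline (post)


def bond_required(keys, structure):
    """Operator-level bond: 11 for the first key plus a flat amount per extra key."""
    if keys < 1:
        raise ValueError("an operator needs at least one key")
    return FIRST_KEY_BOND + PER_KEY_BOND[structure] * (keys - 1)


def slashing_impact(slashed):
    """Assumed model: correlation penalty per validator scales with the number
    slashed together; every other component is constant per validator."""
    fixed = SLASH_IMPACT_ONE - CORRELATION_ONE
    return slashed * (fixed + CORRELATION_ONE * slashed)


def coverage(bond, impact):
    """Share of an impact the bond absorbs, capped at 100%."""
    return min(1.0, bond / impact)


def offline_hours_covered(keys, structure):
    """Hours of full-fleet downtime the operator's bond pays for."""
    return 24 * bond_required(keys, structure) / (keys * OFFLINE_PER_DAY)


def report(keys=108):
    rows = {}
    for name in PER_KEY_BOND:
        bond = bond_required(keys, name)
        rows[name] = {
            "bond": round(bond, 2),
            "one_slashed": coverage(bond, slashing_impact(1)),
            "triple_largest_eth": coverage(bond, slashing_impact(10368 / 2048)),
            "twenty_slashed": coverage(bond, slashing_impact(20)),
            "offline_hours": round(offline_hours_covered(keys, name)),
        }
    return rows


if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

Changing `keys` shows how coverage of a full-fleet outage shrinks toward the per-key bond divided by 0.272 ETH per day as the operator grows, since the 11 stETH first-key bond is spread over more validators.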