LDO+stETH dual governance (continuation)

This is the continuation of the initial thread on dual governance. The linked thread contains important context, so please give it a read if you have time.

Since the last mechanism design version was proposed in this post, the protocol contributors working on DG have made several iterations to incorporate the received feedback and make the mechanism simpler, less fragile, and more efficient.

Before presenting the updated version, let me outline the problem we’re trying to solve and briefly trace the chain of reasoning that has led us to the solution being proposed.

The problem

Currently, the Lido protocol code and its parameters are controlled by the Lido DAO via LDO token voting. The protocol takes a 5% fee from the staking rewards and directs it to the DAO treasury (another 5% being distributed to node operators participating in the protocol).

While LDO holders should generally be motivated to maintain the protocol’s well-being since it’s reflected in the LDO token price, it doesn’t necessarily mean that LDO holders efficiently represent the protocol users. For example, imagine that LDO holders collectively decide to increase the protocol fees: while this might have a positive effect on the LDO holders’ immediate well-being, it is clearly against the interests of at least some portion of the protocol users.

This can be generalized as a principal-agent problem (PAP) between the DAO (the agent) and the protocol users (the principal). The problem exists because LDO holders don’t have the exact same incentives as users.

Moreover, as Vitalik highlights in his Moving beyond coin voting essay, the PAP is exacerbated by the fact that economic interest in the protocol’s revenue can be unbundled from the governance power: one could skew the incentives of the DAO token holders by bribing them or borrow the DAO voting token on the open market to try getting enough voting power for pushing a change that’s against the interests of both the DAO and the protocol users.

The presence of the PAP is not great but one can argue that, if users realize that the current agent doesn’t represent them well enough, they can always leave the protocol and choose another agent that’s better aligned with their interests or even decide to remove the agent completely via solo-staking.

This is a very important mechanism generally known as foot voting. In theory, it should protect users from the negative effects of any incentive misalignment between them and the DAO or any attack on the DAO. However, in practice and in the specific case of Ethereum liquid staking, the efficiency of foot voting is limited due to a number of factors at play.

The first factor is the specifics of how the Ethereum PoS works. To unstake ETH from a validator, one has to wait until the validator is fully exited, and all Ethereum validator exits are processed through a single queue with limited throughput. This means that the time required for leaving the protocol depends on external out-of-protocol factors and can vary by orders of magnitude. This, in turn, implies that imposing a static timelock on DAO decisions cannot guarantee that any user has enough time to leave the protocol before the DAO applies a change that is not in the user’s interests.

The second factor is that a significant portion of users choose liquid staking because they want to re-deploy the staked capital to other forms of economic activity, resulting in liquid staking tokens (LSTs) being widely used in DeFi, including in protocols that require additional time to withdraw from (e.g. lending markets). This adds one more external dependency that can prevent users from leaving the protocol within a pre-defined timeframe.

The third factor stems from the information asymmetry between the passive majority and active educated minority of users: correctly assessing all risks associated with a particular governance decision, including tail risks, requires the knowledge most of the users don’t possess. Communicating the potential adverse effects of a DAO decision via the social layer takes additional time, reducing the probability of the passive majority leaving the protocol before the decision becomes executable.

Lido DAO has established a number of governance protocols for reducing the information asymmetry (e.g. the GOOSE framework, the Node Operators Sub-Governance Group, the LIP framework, the commitment for the minimum number of audits of any mainnet code change) but they are all social layer agreements between the current LDO holders and thus cannot protect from an external attack on the DAO.

Towards the solution

The ultimate solution to the problem is governance minimization and eventual ossification of the protocol code and parameters. There’s no governance risk if nothing is being governed.

Gradually minimizing the governance scope is something that the protocol contributors see as a necessity in the coming years. However, until the Ethereum specification ossifies, the code upgradeability can only be reduced up to a certain extent (e.g. see EIP-7002, EIP-7251). Additionally, any immutable code has to be formally verified on the bytecode level to exclude the possibility of a compiler bug producing a non-fixable vulnerability.

There’s also the fungibility layer of the protocol that serves as the risk/reward assessment engine and distributes ETH between different validator subsets in a way that balances the yield and the risks of the resulting validator set. The risks here include the tail risks the validator set creates for the Ethereum network, e.g. censorability and correlated slashing risks. There’s ongoing research (see this report for the latest iteration) on whether these risks can be estimated by the protocol with the help of a trustless oracle gadget bringing the required information onchain but it’s a long-term endeavor and it’s not yet clear how the desired outcome can be practically accomplished. Until the protocol has such a trustless mechanism implemented, there has to be some governance at the fungibility layer.

One more potential area of research is looking for ways of introducing an explicit opt-in to new code and parameter set versions for stETH holders and integrations. It’s not yet clear whether it can be done without breaking the LST fungibility and the resulting liquidity fragmentation which, given that liquidity is one of the main factors driving users to LSTs, would destroy the protocol’s competitiveness against other decentralized and centralized liquid staking providers. Nevertheless, it is an interesting research direction.

Now that we’ve established that the protocol will have to live with some kind of governance at least in the medium term, let’s see how we can minimize the risks this governance creates.

Dual governance

As highlighted in the first section, the general problem can be decomposed into 1) the presence of PAP, and 2) the limited efficiency of foot voting. So ideally we’d want to introduce some mechanism that improves both the alignment between the DAO and the protocol users and the efficiency of foot voting.

That’s where we arrive at the proposed dual governance design. It aims at the following improvements:

  1. Give stakers a way to credibly signal their disagreement with the DAO and the commitment to leave the protocol if the DAO doesn’t cooperate in resolving the incentives conflict.
  2. Provide a negotiation device between the stakers and the DAO.
  3. Introduce an extended dynamic timelock on DAO decisions that can be triggered by an active minority of stakers and prolonged as more stakers participate.
  4. Improve foot voting efficiency by allowing stakers to exit the protocol without being subject to new and pending DAO decisions.

An overview of the proposed mechanism design and some ideas for future research on governance risk minimization can be found in this note: Dual Governance design overview - HackMD.

It should be noted that stakers are not the only category of protocol users; there are also node operators. One potential future research direction is looking for ways to also improve the efficiency of foot voting by node operators, e.g. allowing a subset of stakers and node operators to coordinate a protocol and DAO fork by re-pointing validator withdrawal credentials to a new contract (not currently supported by the consensus layer).

Another direction of future research is exploring non-token and hybrid governance.

Next steps

From here, several things have to happen before the design is finalized, resulting in a more formal Lido Improvement Proposal (LIP) that will be submitted for a DAO vote and the associated Architecture Decision Record (ADR) document:

  1. Evaluating the robustness of the proposed mechanism via scenario and attack modelling.
  2. Evaluating the practicality of the mechanism via prototyping the code.
  3. Gathering the community feedback.

This thread is aimed at accomplishing 3 while the protocol contributors work on 1 and 2 (both being currently in progress) so any feedback is highly appreciated!

It’s important to highlight that, though dual governance is (in my opinion) an important step in reducing governance risks of the protocol, it’s in no way the final step. Some of the ideas for further improvements can be found in the mechanism design document linked above, and I invite everyone interested to discuss those and any other potential improvements by posting a topic on this forum.

34 Likes

First of all, I would like to thank the authors for the work they put into the design. It’s well thought through and clearly took a lot of effort to put together. I’m in no way an expert on governance models. The following points are from my perspective as a curious community member, node operator and active LDO governance participant.

1. The VetoSignaling Escrow vs. DEFI
I still consider one of the main usages of LSTs to be used in DeFi. Having to move my stETH from e.g. a liquidity pool to the escrow to signal my unhappiness with DAO decisions seems not like a great oracle for stETH holder sentiment overall.
I only see this happening for significant proposals where the stETH holders feel the DAO is strongly going against them in which case I would assume most holders to rather use the good liquidity of stETH to exchange them for another LST or native ETH to quickly exit.
Another point to consider here might be tax implications: In several jurisdictions, there’s a substantial tax distinction between stETH and wstETH. Unwrapping wstETH to join the VetoSignaling Escrow might trigger an expensive, taxable event.

2. VetoFirstSealThreshold
The initial suggestion for this threshold is set to 1% of the current stETH supply. Already looking at regular governance, we can see how hard it is to get people to send a simple transaction for a proposal (even at no gas cost if it’s a snapshot).
With 41% of all stETH in wstETH alone, I envision a massive exit or “bank run” preceding such significant movement to the VetoSignaling Escrow Contract.
Of course, this doesn’t speak against the process itself, but I think an emphasis on this should be taken in the next steps pointed out. (Especially since if the threshold instead were set too low, it might create a risk of LST competitors using the mechanism to slow down Lido’s governance significantly.)

3. The evolution of LDO
As an LDO holder, I’m keen to get your point of view on how the significance of LDO will (and should) evolve over time, especially considering this dual governance model. If we’re shifting to increased protocol ossification, and concurrently reducing governance activities, LDO in its current design will lose most of its appeal as a governance token. A profit share to give LDO continued value seems like the only feasible solution to me.
Obviously, there is a long road ahead of us before the protocol will get there, but I think it is important to already discuss the future of LDO while planning ahead.

4. Role of Node Operators in Governance:
The document briefly touches upon the role of node operators in governance. I believe that node operators should be more integrated into this process. Beyond just a tie-breaker sub-committee, we should explore mechanisms to engage ALL node operators actively. Given that the protocol isn’t near governance minimization and with current voting turnout being modest, we can use all the voters we can get. Considering the benefits node operators derive from Lido, as well as the nature of their business requiring some sort of day-to-day involvement anyways, this step seems both logical and imperative.

In conclusion, I’m largely supportive of the dual governance design proposition and am hopeful for further insights.

11 Likes

Thanks for the update @skozin! One of the things I look forward to the most is the implementation of governance for stETH holders; and I hope other staking protocols follow suit.

After a few weeks thinking through this, I’d love for the DAO and protocol contributors to also consider the inclusion of onchain delegation and a program to attract professional delegates to contribute to Lido. This goes in line with @Hasu’s GOOSE submission Goal #1 by bringing a more diverse set of voices with experience all over the Ethereum ecosystem, while potentially even compensating them with $LDO, slowly making the set of token holders bigger and ensuring they’re aligned parties.

This can be started with something as simple as a program to incentivise delegation on Snapshot, and then implementing it at the onchain level if the DAO deems it appropriate.

Anyways, I’m commenting here to signal my support for dual governance, while also hoping to get folks to think about a third layer of governance protection. I hope to write a longer post to expand the discussion on delegation soon, and any initial thoughts here would be very much appreciated.

8 Likes

Thanks for the great questions, happy to provide my perspective on these!

1. The VetoSignaling Escrow vs. DEFI

I still consider one of the main usages of LSTs to be used in DeFi. Having to move my stETH from e.g. a liquidity pool to the escrow to signal my unhappiness with DAO decisions seems not like a great oracle for stETH holder sentiment overall. I only see this happening for significant proposals where the stETH holders feel the DAO is strongly going against them in which case I would assume most holders to rather use the good liquidity of stETH to exchange them for another LST or native ETH to quickly exit.

It’s true that an escrow oracle would only efficiently work in the case of a significant misalignment where users might as well decide to swap/withdraw. So DG doesn’t really reduce the risk of users leaving the protocol, at least for the initial batch of users who leave while the secondary market liquidity is not depleted and the withdrawal queue is not saturated.

Foot voting is a very efficient mechanism since it doesn’t require coordination. Any coordination always has an attached cost so, as long as people can foot vote without bearing an additional material cost, they will foot vote, no matter how DG or any other coordination mechanism is implemented.

That said, in the case of a DAO decision that puts stakers’ ETH at risk, the stETH rate will deteriorate pretty fast, and the withdrawal queue will quickly become saturated, leading to an increased panic and incentive to join the bank run (including by stETH LPs). The DG changes this by allowing those who are not the first in the line to coordinate and foot vote in a safer manner plus providing the mechanism for the DAO to try keeping them in the protocol by canceling the decision and potentially negotiating other governance changes.

Can we offer a coordination mechanism that would be more efficient for users than foot voting, right from the beginning? I don’t know but I’m not very positive here due to the coordination cost mentioned above. Even if we allow stakers to signal veto and temporarily freeze the DAO by proving their balance instead of moving (w)stETH to an escrow, I’d still expect the stakers who first notice the DAO decision just to leave the protocol. So the upside of this change is, imo, not very significant while the downside is that it enables an essentially free DoS attack on the DAO.

Overall, it would be great if we could somehow lower the coordination cost without enabling efficient attacks. Let’s think if we can improve the mechanism here without bringing a lot of additional complexity.

Another point to consider here might be tax implications: In several jurisdictions, there’s a substantial tax distinction between stETH and wstETH. Unwrapping wstETH to join the VetoSignaling Escrow might trigger an expensive, taxable event.

Given that wstETH is an immutable in-protocol wrapper around stETH, both tokens will be natively supported by the DG. There will be no need to unwrap anything.

2. VetoFirstSealThreshold

With 41% of all stETH in wstETH alone, I envision a massive exit or “bank run” preceding such significant movement to the VetoSignaling Escrow Contract.

Exiting from wstETH won’t be required but, as I’ve highlighted above, if the DAO clearly goes against the users I believe first stakers (say, up to 3-5% of TVL but it’s not a calculated number since we’re still working on the scenario modeling) will exit the protocol no matter what. But I don’t think that a massive bank run will happen via swaps or direct withdrawals since DG offers better terms for bank runners.

Especially since if the threshold instead were set too low, it might create a risk of LST competitors using the mechanism to slow down Lido’s governance significantly

The idea is to set the VetoSignallingMinDuration in a way that locking only VetoFirstSealThreshold stETH won’t significantly slow down the governance. For example, the initially proposed parameters (that will def need further refinement) allow slowing down the DAO by 8 days given 1% stETH participation. This is not a significant lock considering that regular voting happens at most once a month.

3. The evolution of LDO

As an LDO holder, I’m keen to get your point of view on how the significance of LDO will (and should) evolve over time, especially considering this dual governance model. If we’re shifting to increased protocol ossification, and concurrently reducing governance activities, LDO in its current design will lose most of its appeal as a governance token. A profit share to give LDO continued value seems like the only feasible solution to me.

My view on this is that there are both positive and negative aspects to governance power. The power of controlling the DAO treasury or making the protocol safer and more useable is positive; the power of destroying the protocol or breaking its core promises is negative. Ideally, we’d want to maximize the positive aspect while minimizing the negative one.

DG, imo, doesn’t make LDO less valuable. I’d argue that the opposite is true: it derisks the protocol for the users and thus makes it more appealing, and by extension makes LDO more valuable. Yes, users now have the ability to coordinate to oppose the DAO and leave the protocol safely, but in the case of the DAO breaking some of its covenants, the users would’ve left anyway even without DG.

As for further governance minimization and ossification of the critical protocol parts, my opinion is that it 1) has to be done carefully and gradually, and 2) if done right, it won’t diminish the value of LDO. The DAO won’t be able to re-shape the protocol into something completely different but in this case, deploying a new protocol would make more sense anyway.

The question of implementing automated profit sharing or any other LDO tokenomics is, imo, orthogonal to the above. I personally think profit sharing is a good idea and something that will have to be implemented eventually but one has to be reeeally careful here since tokenomics is easy to wreck and almost impossible to fix, as one can see from numerous examples in the space.

4. Role of Node Operators in Governance

Beyond just a tie-breaker sub-committee, we should explore mechanisms to engage ALL node operators actively. Given that the protocol isn’t near governance minimization and with the current voting turnout being modest, we can use all the voters we can get.

Completely agree here! The alignment between the protocol and NOs is a powerful feature that can bring a lot of value. The proposed DG design doesn’t include NOs apart from the tiebreaker committee mostly due to the mechanism simplicity considerations since we have limited time before EIP-7002 (EL triggerable exits) is implemented, and we’d really want DG to be deployed before that. Let’s keep the discussion and research around this ongoing!

6 Likes

Thanks a lot for surfacing the important topic of delegation!

I’m all for it, weird that I forgot to mention it in the list of possible governance improvements. Probably it happened since this one was too obvious, will fix that!

Voter and delegate incentivization is imo a more intricate question. Basically, we’re solving for two objectives:

  1. Improve governance safety: increase the probability of an unsafe or malicious governance decision being rejected by the majority of voters.
  2. Keep or improve governance efficiency: increase, or at least not decrease, the quality of governance decisions.

Non-incentivised delegation solves for 1 (by increasing participation) and arguably solves for 2 as well since delegates are not incentivized for participating in the votes they don’t have the time or skills to correctly assess. And while incentivized delegation may improve the safety by further increasing voter participation, it might actually decrease the quality of governance decisions since participation is rewarded regardless of the amount of resources the voter spent on evaluating the proposal. There’d be a strong incentive to just support the majority of voters.

So, imo, incentivized delegation should be combined with some form of prediction market to be really efficient. Maybe rewarding with a locked or vested LDO is enough of a prediction market, maybe a more complex mechanism would be required. But researching this is def a good idea!

3 Likes

I agree incentives are tricky, and may not be needed for a first iteration of delegation, but it’s just a matter of carefully choosing what brings the most security and efficiency to Lido. There’s already some good work to take inspiration from in other DAOs that have succeeded with such programs.

Governance compensation, if done right, is akin to Ethereum protocol incentives. The benefit from participating honestly and actively needs to be higher than that from attacking, and with the growth of Lido and the overall staking industry, attempts at attacks are imminent imo.

DG is a great last-resort way to keep governance in check from absolute disaster, but there’s a lot of room to mess things up before getting to the point where stETH holders decide to veto a decision.

Great! Thank you Sam for taking the time and answering these questions/concerns. I guess most of my worries are already resolved by the fact that this will support wstETH directly! I was not able to find this in the original document, so I believe this should definitely be mentioned!

For LDO, as you said, this has to be carefully weighed and planned. I still believe it’s important to bring up the perspective of LDO token holders here as this (arguably positively or negatively) has an impact on the token design itself. Nonetheless, I think that we’ve got a long way to go until we figure out the specifics of LDO’s future.

Including NOs more in the design should not be a blocker for DG and also should not make governance more complicated. I see this more as an overall topic that I think needs more discussion. It probably makes sense to postpone this to after 7002 though, as it gives the DAO more leverage in the discussion!

For DG, I’m looking forward to seeing the final parameters once modeling concludes.

4 Likes

Hey @skozin, thanks for the great post! Some questions below, particularly from the mechanism design questions highlighted in your note.

  • What if you extended some form of veto right or governance recourse to plain ETH?

  • Could you provide more context on how we plan to arrive at specific threshold numbers for the stETH veto? Is there more background data on how much stETH this is given the overall size of the market? Specifically, have we done an analysis on exactly where this stETH can come from given how much may be locked up in DeFi, cold storage, etc.?

  • Could you provide more context on the decision to freely move stETH in and out of veto state without having to lock it up? Are DDoS attacks prevented by the longer timeline required to execute the entire process (~three months)?

  • Local vs. global settlement debate: is this basically local settlement (from the previous thread)?

  • Any considerations for the UX for implementation of veto? This could be very important to average users who may seek to use the veto.

  • What is the penalty for freezing the system? What specific mitigation measures prevent this?

  • What are the background dynamics and context for the Tiebreak Committee? Is there any other way to structure this role?

  • In the absence of a token bonding mechanism, are you concerned about malicious LDO proposer not getting punished and being able to repeat their malicious proposals later?

  • Predictability in governance is likely to be very important if we expect non-active stETH holders to pay attention to Lido governance. Has there been any consideration to forcing major votes to follow a set schedule, so that stETH holders know they must pay attention at one particular time during the year, or biannually?

9 Likes

Hey @Porter_Smith, thanks for the great questions and for the continued feedback on this proposal! And sorry for the delayed reply, I’ve been pretty sick the last week with some kind of flu and just recovered.

What if you extended some form of veto right or governance recourse to plain ETH?

We actually thought a lot about including ETH holders. The upside is that it should bring a more diverse set of potential veto participants and thus make the governance more resilient. The downside, however, is that ETH holders naturally have less skin in the game in relation to the Lido protocol so just assigning the veto power to this group may significantly increase the attack surface created by the dual governance mechanism.

For example, imagine a situation where Lido governance has to push some emergency upgrade to fix a smart contract vulnerability. Allowing ETH holders to block this upgrade without risking anything or paying any cost would enable an almost free attack on the protocol.

The last time we discussed this with Eugene (@ujenjt) we came up with an option that we believe might allow ETH holders to participate in the veto and at the same time seemingly doesn’t introduce significant attack vectors. The idea is roughly the following:

  • ETH holders can join the veto signalling escrow, maybe with a discounted veto power compared to stETH holders.
  • ETH holders cannot exit the signalling escrow while Veto Signalling, Rage Quit, or Rage Quit Accumulation state is active, but can switch between supporting and not supporting veto in the Veto Signalling state.
  • Veto Signalling state duration depends on the total amount of veto power (in the signalling escrow) supporting the veto.
  • The rage quit condition remains the same: more than the second threshold stETH should be locked in the veto signalling escrow. ETH holders alone cannot trigger the rage quit.
  • ETH holders can withdraw their ETH from the veto signalling escrow either when the Veto Cooldown state is entered (if rage quit didn’t happen) or when the Rage Quit state is exited (if rage quit happened). This puts them in the same conditions as stETH holders participating in the veto.

So basically, if the DAO proposes smth bad for Lido or Ethereum, active ETH holders can extend the DAO execution timelock up to the max veto signalling duration and use this extra time to reach out to stETH holders via social channels and ask them to rage quit the protocol.

We might be able to include this mechanism in the initial DG version if time allows.

Could you provide more context on how we plan to arrive at specific threshold numbers for the stETH veto? Is there more background data on how much stETH this is given the overall size of the market? Specifically, have we done an analysis on exactly where this stETH can come from given how much may be locked up in DeFi, cold storage, etc.?

We’re in the process of modeling and analysis so these numbers are just our best guesses for now.

Preliminary analysis shows that around 33% of (w)stETH total supply is held by private addresses, i.e. EOAs and smart contract wallets not belonging to CEXes or custodians.

Could you provide more context on the decision to freely move stETH in and out of the veto state without having to lock it up? Are DDoS attacks prevented by the longer timeline required to execute the entire process (~three months)?

The idea is that we want the DAO and stakers to be able to negotiate and de-escalate while in the Veto Signalling state. The “happy path” scenario is the following:

  1. DAO votes for a misaligned decision.
  2. Some stakers trigger Veto Signalling.
  3. DAO withdraws the decision.
  4. Stakers cancel Veto Signalling by moving stETH out of the escrow.

The DoS attacks are prevented by the Veto Cooldown state that inevitably comes between the Veto Signalling and the Normal state and that allows the DAO to execute pending decisions.

The most damage one can do without withdrawing stETH is locking the DAO for a duration between VetoSignallingMinDuration + VetoSignallingDeactivationDuration and VetoSignallingMaxDuration + VetoSignallingDeactivationDuration, depending on the stETH amount they control.

All stETH that is part of the current Rage Quit (i.e. that was automatically moved from the veto signalling escrow to the rage quit escrow upon the Rage Quit Accumulation state activation or that was moved into the rage quit escrow in the Rage Quit Accumulation state) cannot be moved out of the rage quit; stakers will only be able to withdraw the underlying ETH after all stETH that’s undergoing a rage quit is fully withdrawn and the subsequent RageQuitEthWithdrawalTimelock passes.

Stakers that move stETH into veto signalling escrow while rage quit is ongoing are not joining/prolonging the current rage quit; instead, having enough stETH in the signalling escrow will lead to Veto Signalling being activated after Rage Quit state ends.

Local vs. global settlement debate: is this basically local settlement (from the previous thread)?

Yes, for this version, we propose going with just local settlement.

While global settlement allows for better protection of passive stakers, it also enables an attacker to destroy the protocol in the worst case, and we don’t feel safe enough to implement this until we have the critical parts of the code (specifically stETH minting and transfers) ossified and/or verified on the bytecode level.

Any considerations for the UX for implementation of veto? This could be very important to average users who may seek to use the veto.

UX is indeed very important. We’re planning to develop a dedicated UI for veto participation that will be open-source and deployed on IPFS. It will explain the current state of governance and veto participation and allow users to join/leave the veto, join the rage quit, and track the participant’s current status and allowed actions.

The goal is that any staker can participate in the veto as frictionlessly as possible without dependence on any trusted party.

What is the penalty for freezing the system? What specific mitigation measures prevent this?

For temporarily freezing the DAO (up to VetoSignallingMaxDuration + VetoSignallingDeactivationDuration), the only cost is the opportunity cost of locking stETH for the duration of the DAO lock.

Any longer lock will require possessing at least VetoSecondSealThreshold share of the total stETH supply and exiting this stETH to ETH, thus the total cost consists of the two components:

  1. The opportunity cost of locking stETH for VetoSignallingMaxDuration + RageQuitAccumulationDuration + EthWithdrawalDuration + RageQuitEthWithdrawalTimelock (where EthWithdrawalDuration is the time required for validators to exit).
  2. The cost of non-received protocol rewards, i.e. stETH_APY * stETH_amount * (EthWithdrawalDuration + RageQuitEthWithdrawalTimelock).

To lock the DAO for a longer period, the attacker has to:

  1. Sell the ETH locked for RageQuitEthWithdrawalTimelock to liquid ETH. This will inevitably come with some discount.
  2. Sell the liquid ETH for a stETH wallet/EOA that possesses at least VetoSecondSealThreshold share of total stETH supply for the duration of at least VetoBalSnapshotShift, OR bribe at least VetoSecondSealThreshold share of total stETH supply into triggering the Rage Quit Accumulation state.

We’re still working on scenario modeling and attack cost analysis and would appreciate any input!

What are the background dynamics and context for the Tiebreak Committee? Is there any other way to structure this role?

The Tiebreaker Committee was introduced to address the specific scenario:

  1. An attacker notices a vulnerability in the protocol allowing them to withdraw other users’ ETH.
  2. An attacker blocks the DAO for a prolonged period by either bribing stETH holders, borrowing stETH on the open market, purchasing, or minting stETH, and using it to trigger the Rage Quit state.
  3. The Gate Seal committee notices this and pauses withdrawals to prevent ETH theft. Since governance is blocked, this pause will last until the governance is unblocked. But the governance cannot be unblocked until the Rage Quit state ends, and it ends when the ETH is withdrawn. Since withdrawals are paused, we arrive at a deadlock.

In this specific case, and only in this case, the Tiebreaker Committee gains the power of executing any decision the DAO has approved by voting. So this committee does have the ability to bypass stETH veto but it can only do it in a very specific case, and its power is limited since it can only execute decisions that the DAO has proposed and voted in favor of.

Looking at this from an attack modeling perspective, in order to execute a change bypassing the stETH veto, an attacker has to:

  • Control the DAO.
  • Force stETH holders to trigger a Rage Quit state OR control at least the VetoSecondSealThreshold share of the stETH total supply.
  • Control the Gate Seal committee.
  • Control the Tiebreaker Committee.

It’s still a lot of power, thus the committee should be as resilient as possible. For this committee, speed of reaction should be absolutely sacrificed for security since the committee only activates in the doomsday scenario when there’s no need to take any urgent measures as validator exits and ETH withdrawals are already paused and any code upgrades are blocked.

There are various ways of structuring the committee, the one presented in the design overview document is not the only/final one. For example, @ujenjt proposed the following alternative structure:

  • Social layer sub-committee: representatives from EF and client teams.
  • Validators sub-committee: all active Ethereum validators with voting power weighted by the time since activation.
  • DAOs sub-committee: governance contracts of largest DAOs by TVL.

Each sub-committee requires majority support, and for the super-committee to execute a DAO decision, approval from all sub-committees is required.

In the future, the Gate Seal committee should be replaced by an autonomous and trustless mechanism, e.g. an invariant-based circuit breaker contract, making it impossible to transition the protocol into a paused state (and thus empower the Tiebreaker Committee) without some critical code invariant being broken.

Whether DG can be altered in a way that makes the committee unnecessary remains an open question. We’ve yet to come up with any practical way of doing so and would appreciate any ideas or hints on potential research directions.

In the absence of a token bonding mechanism, are you concerned about malicious LDO proposer not getting punished and being able to repeat their malicious proposals later?

Since the DAO has the power of transferring or burning LDO on any address, it can still punish a malicious proposer in the case the attacker controls less LDO than the active and honest DAO participants:

  1. An attacker obtains/bribes more than a quorum LDO and tricks the DAO into accepting malicious proposals (or benefits from voter apathy).
  2. Stakers notice this and trigger Veto Signalling.
  3. While in Veto Signalling, honest DAO members outvote the attacker and kill all pending proposals, including the attackers’ proposals (by voting for the KillAllPendingProposals special proposal). This guarantees that the DAO won’t be able to execute any proposal before stakers can re-trigger Veto Signalling.
  4. Honest DAO members communicate to stakers that, after the veto is lifted, they will burn or jail the attacker’s LDO.
  5. Stakers cancel the veto state. After a timelock, the DAO gains the ability to execute new proposals.

Then, two scenarios are possible. The happy one:

  1. The honest DAO members submit the proposal for burning/jailing the attacker’s LDO and outvote the attacker.
  2. The DAO continues normal operation.

The unhappy one:

  1. The honest DAO members don’t submit the proposal for burning/jailing the attacker’s LDO or are unable to outvote the attacker.
  2. Stakers re-trigger Veto Signalling and potentially exit the protocol via Rage Quit.

Bonding changes the default outcome of an attack in the case the DAO for some reason is malfunctioning or the attacker controls more LDO than honest and active DAO members. Since opposition from stakers automatically results in either the proposal being killed or LDO being jailed/burned, voter bribing attacks become much less efficient.

Predictability in governance is likely to be very important if we expect non-active stETH holders to pay attention to Lido governance. Has there been any consideration to forcing major votes to follow a set schedule, so that stETH holders know they must pay attention at one particular time during the year, or biannually?

Honestly, I won’t expect the majority of stETH holders to pay any attention to the Lido governance no matter its cadence, and neither do I think Lido governance should rely on this in any form since it’s incompatible with the LST holders’ incentives. DG was proposed in part to address this problem/assumption by allowing a minority of stETH holders who are actively monitoring the DAO to trigger an extended timelock on pending decisions, giving the time for the majority of stakers to react.

I imagine the veto-triggering scenario to be closer to this (and I mean this scenario when I say “stakers trigger Veto Signalling”):

  1. Lido DAO approves some controversial or malicious change.
  2. The interested parties notice the change. These parties could be individual stakers but a more realistic expectation is that they would be the protocols/companies integrated with or holding stETH, Lido DAO contributors, and the wider tech community. They don’t necessarily hold stETH.
  3. These parties socially amplify the information about the controversial decision.
  4. This information reaches the active minority of stETH holders who pay attention to CT or crypto news.
  5. Active minority of stETH holders trigger an extended timelock by joining veto and further amplify the information.
  6. Gradually, less active stETH holders join, potentially triggering a rage quit.

To accommodate this scenario, the dynamically expanding timelock mechanism (as more stakers join) was included in the proposal.

That said, limiting the governance cadence for the most major changes is a good idea since it improves the overall predictability of the protocol changes. To my knowledge, no contributors are currently working on limiting it onchain so it remains a future research direction.

One thing to note here is that some Ethereum consensus changes, especially around staking mechanics, might require some level of support from Lido contracts, and this support almost certainly will require upgrades of core contracts. Since Ethereum forks are not bound to any pre-defined schedule, just pinning major Lido upgrades to a pre-defined schedule most probably won’t work and a more complex mechanism would be required. It should also be synchronized with the GOOSE/LIP processes adopted by the DAO to avoid governance locks resulting from different offchain and onchain schedules.

One more thought: given that we currently see no way around having the Tiebreaker Committee, maybe having the balance snapshotting mechanism is not so critical?

The balance snapshotting mechanism, i.e. the calculation of veto power as min(current stETH balance, stETH balance X days ago) was introduced to protect from an attacker exploiting a potential unbacked minting vulnerability following this scenario:

  1. An attacker finds the vulnerability and mints a huge stETH amount (say, more than the current total supply) without providing the proportional amount of ETH.
  2. They immediately use this stETH to trigger Veto Signalling, blocking the DAO from deploying any fix.
  3. After the Veto Signalling maximum duration passes, the Rage Quit starts since the signalling escrow contains more than the second threshold stETH.
  4. As the result of the Rage Quit, the attacker steals the whole protocol TVL in ETH.

Calculating veto power as a minimum from current and past stETH balances would require the attacker to mint the unbacked stETH X days before using it in the veto and thus give the protocol governance the time to react, pause the protocol and deploy a fix:

  1. An attacker finds the vulnerability and mints a huge stETH amount without providing the proportional amount of ETH. Due to the balance snapshotting mechanism, they have to wait at least X days before being able to use it in veto, where X exceeds the time required for the DAO to approve and execute a proposal.
  2. The Gate Seal committee notices the exploit and pauses withdrawals.
  3. The DAO prepares, approves, and executes a proposal fixing the vulnerability and unpausing withdrawals before Gate Seal-induced withdrawals pause elapses.

However, in the presence of the Tiebreaker Committee, the DAO, the Gate Seal committee, and the Tiebreaker committee can cooperate and execute a recovery from this attack even in the absence of balance snapshotting:

  1. An attacker finds a vulnerability and mints a huge stETH amount without providing the proportional amount of ETH.
  2. They immediately use this stETH to trigger Veto Signalling, blocking the governance from deploying any fix.
  3. The Gate Seal committee notices the exploit and pauses withdrawals. Since DAO execution is currently blocked, the pause will last until it’s unblocked.
  4. After the Veto Signalling maximum duration passes, the Rage Quit starts. Since withdrawals are paused, this leads to a governance/withdrawals deadlock and thus the Tiebreaker Committee gains the power of executing any DAO-approved decision.
  5. The DAO prepares and approves a proposal fixing the vulnerability and unpausing withdrawals. In contrast to the balance snapshotting scenario, the DAO is not strictly time-constrained in preparing and deploying the fix since withdrawals are not getting automatically unpaused.
  6. The Tiebreaker Committee executes the proposal.

The downsides:

  1. As the result of an attack, protocol users experience a prolonged pause in withdrawals that can easily last months.
  2. Intervention from the Tiebreaker Committee is required.

However, given that the Tiebreaker Committee is needed for other reasons anyway, that a vulnerability allowing unbacked stETH minting is already a doomsday scenario, and that stETH remains backed in the end, maybe this is an acceptable compromise. The upsides of removing the balance snapshotting are significant:

  1. Allows users having stETH deposited in DeFi protocols and CeFi services to participate in veto (by withdrawing to stETH/wstETH first).
  2. Significantly simplifies the DG implementation.
  3. Improves the UX for participants since no access to an archival Ethereum node is required anymore.

WDYT?

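
The balance snapshotting rule discussed in the post, as an added example that is not Lido's code: veto power is min(locked stETH, balance X days ago), so unbacked stETH minted today adds nothing to the escrow until the shift elapses. The shift, the two seal thresholds, the supply and the participants are constructed placeholders, since the thread gives no values.

```python
from dataclasses import dataclass, field

# Constructed placeholders: the thread names VetoBalSnapshotShift and the two
# seal thresholds but gives no values, and the supply is illustrative.
SNAPSHOT_SHIFT_DAYS = 7          # "X days ago"
FIRST_SEAL_THRESHOLD = 0.01      # escrow share that activates Veto Signalling
SECOND_SEAL_THRESHOLD = 0.10     # escrow share that leads on to Rage Quit
TOTAL_SUPPLY = 1_000_000.0       # pre-exploit stETH supply (supply snapshotting not modelled)


@dataclass
class EscrowParticipant:
    name: str
    locked: float                     # stETH locked in the veto signalling escrow
    # day -> balance after that day's last transfer; missing days keep the
    # previous value and the balance before the first entry is zero
    history: dict = field(default_factory=dict)

    def balance_at(self, day: int) -> float:
        known = [d for d in self.history if d <= day]
        return self.history[max(known)] if known else 0.0


def veto_power(p: EscrowParticipant, today: int, shift: int) -> float:
    """min(current locked stETH, stETH balance `shift` days ago)."""
    return min(p.locked, p.balance_at(today - shift))


def escrow_share(participants, today, shift=SNAPSHOT_SHIFT_DAYS, total_supply=TOTAL_SUPPLY):
    """Share of total supply the escrow counts after applying the snapshot rule."""
    return sum(veto_power(p, today, shift) for p in participants) / total_supply


def seal_reached(share: float) -> str:
    if share >= SECOND_SEAL_THRESHOLD:
        return "second"
    if share >= FIRST_SEAL_THRESHOLD:
        return "first"
    return "none"


def unbacked_mint_scenario(shift: int, days_since_mint: int) -> str:
    """Constructed scenario from the post: a long-term staker holding 2% of the
    supply, and an attacker who minted 2x the supply unbacked `days_since_mint`
    days ago and locked all of it in the escrow."""
    mint_day = 100
    today = mint_day + days_since_mint
    honest = EscrowParticipant("long-term staker", locked=20_000.0, history={0: 20_000.0})
    attacker = EscrowParticipant("unbacked minter", locked=2_000_000.0,
                                 history={mint_day: 2_000_000.0})
    return seal_reached(escrow_share([honest, attacker], today, shift))


if __name__ == "__main__":
    print("no snapshotting, mint today     :", unbacked_mint_scenario(0, 0))  # second
    print("snapshotting, mint today        :", unbacked_mint_scenario(7, 0))  # first
    print("snapshotting, X days after mint :", unbacked_mint_scenario(7, 7))  # second
```

With the shift in place the attacker's stETH only starts counting X days after the mint, which is the window the post relies on for the DAO to pause and fix; with shift 0 the same mint reaches the second seal immediately.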
Hello,
to channel the voice of users and stakers, could we use a Citizens’ Assembly like model as a proxy? We are working on this in the tradpol world with quite a lot of success and also starting experimentation and piloting in web3. Happy to present the approach, explore collaborations, testing. Here is the report of the first pilot in the Atom ecosystem: forum.cosmos.network/t/discussion-onboarding-managing-offboarding-the-aez-a-set-of-draft-propositions/12054

And aez.global for background

Thanks for putting this together @skozin and team! The principal-agent problem and its potential implications on the ETH consensus layer are the biggest concerns for most Ethereans so I definitely like the direction and the intent of the dual governance model.

Before I share my thoughts, I’d first like to admit that I may not be entirely up to speed with all prior governance proposals/discussions on this + related topics so do give me some rope!

I am curious to hear your thoughts on a model where stETH holders can trigger a voting process (vs only veto) for the dismissal/replacement of permissioned node operators if they find that such NOs no longer represent their interests.

My thought process below:

  1. There is an argument being made on how Lido can theoretically exert “soft powers” on and coerce permissioned NOs to do their bidding

  2. In an ideal world, stETH are equivalent to ETH in terms of voting powers on the consensus layer - e.g. voting for the chain head / forkchoice - but I imagine this would be super complex to implement

  3. Having 100% permissionless NOs can also mitigate (1). However, this comes with its own set of challenges such as eroding Lido’s ability to (i) generate the highest yield for its stakers (via institutional NOs), and (ii) service large TVLs, as permissionless NOs require hard capital to participate in (vs reputational capital). There is definitely a risk of TVL flowing to custodied alternatives if Lido’s efficiencies on these 2 fronts fall short.

  4. Borrowing from politics in the real world, representatives can be freely voted in and out by the people

Having said that, I do recognise that there will be new problems to deal with by doing this:

  1. Malicious actors (to Lido) can acquire stETH for the sole purpose of dismissing all permissioned NOs, causing a large amount of TVL to become unproductive in an attempt to drive TVL to other platforms. They can also short LDO at the same time to profit directly.

  2. Everyday stakers will likely not have the expertise in selecting and evaluating the best NOs

An expanded approach could perhaps look like the following:

  1. To solve the expertise problem: A list of suitable NOs is community-sourced and submitted periodically (e.g. once per quarter) by not only LDO holders, but also stETH holders, and even ETH holders (e.g. ETHstaker, EF). Inclusion and exclusion lists could require 2 out of 3 sets to agree on.
  2. To prevent governance attacks via stETH: A high threshold could be used - e.g. 66% or 75% of stETH voting required to trigger dismissal/replacement of existing permissioned NOs - increasing the cost of such attacks. Each dismissal must be accompanied with a replacement candidate. LDO holders have a higher weightage when selecting replacement NOs from the community-voted list. New stETH holders need to lock their stETH in escrow for a period to prevent abuse and ensure they have skin in the game.

Thanks for reading and I look forward to the insights from the community here!

Cool concept, but I’m afraid introducing *more* governance to Lido adds more complexity and potential attack vectors. Especially when talking about NO politics.

IMO, NO sets should be managed by quantifiable metrics, which we can automate as well. So like if a NO doesn’t meet certain performance criteria, or if there’s clear attempts of attacking the network, they can be kicked out of the set. Introducing a place for NO politics will only make Lido a very opinionated protocol in a space (Ethereum security) that benefits the most from diversity.

Anyways, NOs must be voted on to enter the set and unless I’m wrong, LDO holders already can vote to take out members of the set, which is sufficient and even too much governance already. @Izzy can shed some light here.

Hi @Antoine_Vergne, and thanks for sharing the idea!

In general, having a well-representing proxy to the most active subset of users would be imo a nice thing to have, we can use it e.g. as a part of the “users’ sentiment oracle” in the DG model (so that it can trigger an extended timelock) or maybe even include it into the governance process at some point.

My main concern regarding the introduction of additional agents, especially in the case where they’re assigned broader governance rights, is that it creates one more PAP: there’s no guarantee that the new agent adequately represents all groups of users at all times so, imo, just having a proxy doesn’t bring enough user protection and additional mechanisms are still needed.

I’m still a huge fan of foot voting and minimization of the “bad” part of governance powers. That doesn’t mean that I’m against exploring user proxies, just that I think we need to do it carefully.

I’d be happy to explore the suggested mechanism in more detail. Where can I read more about the composition and governance principles of the Citizens’ Assembly? The linked post seems to report the results of the first session of the Assembly, and I’d like to find out more about its mechanics.

Thanks for joining the discussion @Stakesaurus!

Currently, the curated list is managed with the help of the Lido Node Operators Sub-Governance Group (LNOSG) that evaluates current and new node operators and suggests the inclusion/exclusion lists to the DAO, the latter having the ultimate decision rights on whether to implement the recommendations.

So, if I get it right, what you suggest is basically:

  1. Adding more parties to the LNOSG.
  2. Adding stETH holders to the LNOSG.
  3. Allowing LNOSG to perform inclusion and exclusion without consent from the DAO.

I think 1) is worth pursuing in general, given that new parties possess the required expertise. For 3) to work for the curated set, the LNOSG should have significant skin in the game and be composed of a very wide range of actors to make attacks on the protocol and the network extremely expensive.

As for 2), i.e. giving stETH broad governance rights, in contrast to governance minimization and making foot voting as easy as possible, I think it’s a dangerous path currently because it gives outsized power to various agents holding stETH on behalf of others, e.g. bridges, L2s, CEXes/custodians, and, to some extent, DeFi protocols. Together they control a sizeable portion of stETH, which will only increase with time, and most of them are governed (sometimes by a multisig) and thus can act independently. The cumulative coordination cost for these large agents is significantly smaller than it is for regular stETH holders.

Setting a participation threshold might theoretically help but I’m afraid it won’t work in practice because, if you set it low, then a few large agents will be able to coordinate protocol changes without participation from users, and if you set it high, users won’t be able to coordinate any change. I’m 100% sure that coordination between even 30% of the regular stETH holders is practically impossible, except when it’s required to save their ETH; at the same time, various agents already hold more than 30% of the stETH total supply.

In general, I believe in the end state where the protocol governance risk is minimized not because the governance process includes many parties but instead because the governance has no ability to sharply and significantly change the protocol and its covenants, controls the minimal set of meta-parameters of the protocol instead of micro-managing its operations, and because users can easily leave or fork the protocol if its governance becomes misaligned with them.

That said, I’m not against exploring the alternative class of solutions that keep the DAO in check by involving more parties; even the current DG proposal includes the negotiation mechanism between the DAO and the stETH holders that are intending to leave. Just trying to explain why the proposal currently relies on foot voting as the most efficient mechanism.

Btw, the current mechanism allows stETH holders to join veto escrow and thus trigger negotiation with the DAO even in the absence of a proposal. This allows them to demand removing a node operator from the set (for example, if it starts censoring) and leave the protocol if the DAO doesn’t cooperate.

First and foremost, thank you, @skozin, for the excellent research and the clear presentation of the proposed solution.

I like your suggestion to eliminate the balance snapshotting mechanism from the design. In my view, the drawbacks of this feature outweigh its benefits.

Additionally, I propose considering the option of allowing users to place pending withdrawal NFTs in the veto signaling escrow. This change could protect against scenarios where the DAO is compromised when a significant portion of stETH is locked in the Withdrawal Queue. In such a scenario, there might not be enough stETH available to activate the rage quit phase, potentially enabling malicious LDO holders to update the Withdrawal Queue implementation and pilfer unclaimed ETH.

I’d also like to take a closer look at how efficient the proposed solution is from the perspective of the stETH holders. As articulated in the specification:

Dual governance mechanism is an iteration on the protocol governance that gives stakers a say by allowing them to block DAO decisions and providing a negotiation device between stakers and the DAO.

Another way of looking at dual governance is that it implements

  1. a dynamic user-extensible timelock on DAO decisions and
  2. a rage quit mechanism for stakers taking into account the specifics of how Ethereum withdrawals work.

Let’s consider a scenario where a DAO proposal has accumulated sufficient stETH in the veto escrow but still lacks enough to activate the rage quit accumulation phase. In such a case, two potential outcomes emerge:

  • The DAO opts to cancel the proposal:
    Users can withdraw their stETH from the veto escrow without exiting the protocol. Yet, it appears improbable that the engaged minority of users involved in the veto will opt to stay in the protocol. There is no guarantee that the DAO won’t reintroduce a similar proposal later, forcing stETH holders to put their funds in the veto escrow again, potentially leading to a loss of profit.
  • The DAO chooses not to cancel the proposal:
    In this scenario, stETH holders who vetoed the proposal still need to adhere to the regular withdrawal process of the protocol. Consequently, a more optimal strategy for them would be to join the Withdrawal Queue directly, expediting the release of their funds and facilitating a swift transition to another platform.

Given the absence of assurance that the DAO will cancel a potentially controversial (but still not malicious, as the rage quit mechanics would likely be activated in such a case) proposal for a minor portion of stakers, dissenting users are more likely to find regular withdrawals more appealing. In other words, in the event of disagreement with DAO decisions, foot voting mechanics remain a more optimal choice for stETH holders than engaging in a negotiation process.

In another potential scenario, a DAO proposal accumulates enough stETH to initiate the rage quit phase, signifying a significant part of users choosing to exit the protocol. Such events are likely a consequence of obviously malicious actions from the DAO, compelling all stETH holders to withdraw their funds promptly. In such critical situations, the global settlement mechanics (or a similar mechanism safeguarding all users) offer better protection for stETH holders than a local settlement.

Possible Alternative

Addressing the challenge of unbacked stETH minting, a proposed solution involves leveraging the Tiebreak Committee to handle critical situations. This committee should have extensive powers to enact any approved DAO proposal; however, this may still prove insufficient if malicious actors control the DAO.

Considering reliance on this committee in the most critical situations, perhaps we can consider delegating a portion of the veto power to this committee instead of concentrating 100% of it in the hands of stETH holders. This approach may contribute to simplifying and enhancing the sustainability of the system.

Alternatively, a Veto Committee could be established in place of the Tiebreak Committee. This committee would consist of protocol participants and external influencers, each allocating a portion of the veto power. For instance, the distribution of veto power could be as follows:

  • stETH holders - 40%
  • node operators - 25%
  • major protocols using stETH as an asset - 20%
  • ETH foundation members & client teams - 15%

The precise list of participants and distribution of veto power requires thorough research, with a key consideration being adherence to the rule: There is no party with veto power equal to or exceeding the quorum (50%).

Additionally, the calculation of the veto power may happen using a flat scale, departing from the approach commonly used in multisigs. For instance, each node operator might possess a veto power proportional to NodeOperatorsVetoPower * nodeOperatorValidatorsCount / totalProtocolValidatorsCount. Similarly, for stETH holders, the veto power could be tied to the amount of stETH locked in the veto escrow contract: StEthHoldersVetoPower * stETH.balanceOf(holder) / stETH.totalSupply(). This approach ensures that each participant wields influence in the veto process, distinguishing it from multisigs, where the voices of dissenters are merely added to the majority.

A mechanism akin to extending the veto signaling phase may be employed to allow sufficient time for veto committee members to cast their votes. For instance, depending on the gathered veto power, the duration of the voting period may vary from 3 to 60 days. Determining the exact timeframes necessitates further research to select durations that provide sufficient time for slower participants, such as protocols represented by their DAOs or stETH holders requiring time to retrieve their funds from DeFi protocols, to express their opinions.

Following the attainment of the quorum by the veto proposal, the subsequent actions depend on the specific implementation. For example, consider two primary options:

  • Global Settlement of the Protocol:
    In this scenario, the execution of proposals becomes impossible, and all users may withdraw their funds from the protocol.
  • Discarding the Malicious Proposal:
    The malicious proposal is discarded. In this case, all LDO holders who voted for the harmful proposal undergo a measure that deprives them of their voting power. After this measure is taken, the protocol returns to its regular operations. The specifics of implementing such an approach necessitate additional research.

The latter option seems preferable, introducing the “skin in the game” concept. Moreover, in contrast to the first option, it enables unlocking the protocol without forking, even when the DAO is captured.

Simultaneously, LDO holders can adjust their decisions throughout the ongoing voting process (LDO voting and objection phases). This flexibility empowers honest LDO holders to respond promptly if the veto begins accumulating power, thereby safeguarding their voting power.

The described high-level overview of the solution introduces certain pros in various aspects. For example:

  • In the case of unbacked stETH minting, an attacker cannot veto the DAO proposal to address the issue. Even if the attacker controls 100% of the stETH supply, it falls short of reaching the veto quorum.
  • stETH participants who disagree with DAO decisions can exit safely using regular Withdrawal Queue mechanics.
  • If malicious actors capture the DAO, the veto committee can cancel harmful DAO decisions and exclude LDO holders who supported these proposals from the voting process. Additionally, allowing stETH holders to participate in the veto using pending Withdrawal NFTs may provide a secure exit from the captured protocol.
  • The veto committee has a strictly defined action, limited to vetoing the DAO proposal. This contrasts with the proposed Tiebreaker committee, which must be granted a broader scope of actions.

However, granting veto power to the tiebreak committee members may still seem controversial. On the one hand, it empowers them, but on the other, it confines their actions solely to vetoing proposals instead of executing any accepted DAO decision. These committee members are integral to the protocol, and providing them with the right to express their opinions in the event of disagreement with the DAO is not necessarily a negative aspect. Additionally, in a catastrophic scenario, their participation in vetoing malicious proposals can be crucial in safeguarding users’ funds.

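
A model of the flat-scale Veto Committee sketched in the post above, as an added example that is neither the post's nor Lido's code: the illustrative per-class split of veto power, the rule that no single party may reach the 50% quorum, and a voting window that grows with gathered power. The class names, the coalition, the per-member fractions, and the linear 3-to-60-day interpolation are assumptions of this example.

```python
from dataclasses import dataclass

VETO_QUORUM = 0.50

# Illustrative distribution of veto power from the post; the class names are
# constructed, each value is that class's share of the whole.
CLASS_WEIGHTS = {
    "steth_holders": 0.40,
    "node_operators": 0.25,
    "steth_protocols": 0.20,
    "ef_and_clients": 0.15,
}


@dataclass
class VetoVote:
    member: str
    cls: str
    # Member's weight inside its class on a flat scale, as in the post:
    # stETH.balanceOf(holder) / stETH.totalSupply() for holders and
    # validators / total validators for node operators. Equal weight (1/n)
    # for the remaining classes is an assumption of this example.
    fraction: float


def no_class_reaches_quorum(weights=CLASS_WEIGHTS, quorum=VETO_QUORUM) -> bool:
    """The post's design rule: no single party holds veto power equal to or
    exceeding the quorum, and the shares must add up to the whole."""
    return all(w < quorum for w in weights.values()) and abs(sum(weights.values()) - 1.0) < 1e-9


def gathered_veto_power(votes) -> float:
    """Sum of ClassVetoPower * fraction over all votes; each class is capped
    at 100% of itself so it can never contribute more than its full share."""
    per_class = {}
    for v in votes:
        if v.cls not in CLASS_WEIGHTS:
            raise ValueError(f"unknown veto class: {v.cls}")
        per_class[v.cls] = per_class.get(v.cls, 0.0) + v.fraction
    return sum(CLASS_WEIGHTS[c] * min(f, 1.0) for c, f in per_class.items())


def voting_window_days(power: float, min_days=3, max_days=60, quorum=VETO_QUORUM) -> float:
    """Window that grows with gathered power, from 3 to 60 days as in the post;
    linear growth up to the quorum is an assumption of this example."""
    return min_days + (max_days - min_days) * min(power / quorum, 1.0)


def veto_passes(votes) -> bool:
    return gathered_veto_power(votes) >= VETO_QUORUM


# Constructed scenarios: an attacker who controls the entire stETH supply via
# unbacked minting, and an honest coalition spread across the classes.
ATTACKER_ALL_STETH = [VetoVote("unbacked minter", "steth_holders", 1.0)]
HONEST_COALITION = [
    VetoVote("stakers in escrow", "steth_holders", 0.35),
    VetoVote("NO set majority", "node_operators", 0.70),
    VetoVote("3 of 4 protocols", "steth_protocols", 0.75),
    VetoVote("1 of 2 client teams", "ef_and_clients", 0.50),
]

if __name__ == "__main__":
    print("no single class reaches quorum:", no_class_reaches_quorum())
    for label, votes in (("attacker with 100% stETH", ATTACKER_ALL_STETH),
                         ("honest coalition", HONEST_COALITION)):
        power = gathered_veto_power(votes)
        print(f"{label}: power={power:.3f} window={voting_window_days(power):.1f}d "
              f"passes={veto_passes(votes)}")
```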
Thanks for the detailed and well-thought-out post @psirex! I really like the discussion we’re having here with you and the others, it’s extremely valuable and necessary for arriving at a proper design.

I’ll try addressing all the concerns and ideas you’ve highlighted but pls let me know if I missed something.

Additionally, I propose considering the option of allowing users to place pending withdrawal NFTs in the veto signaling escrow

I like the idea! I’d go as far as allowing converting stETH already locked in the escrow to a withdrawal NFT.

I’d also like to take a closer look at how efficient the proposed solution is from the perspective of the stETH holders

The DAO chooses not to cancel the proposal… Consequently, a more optimal strategy for them would be to join the Withdrawal Queue directly, expediting the release of their funds and facilitating a swift transition to another platform.

It depends on the current size of the Ethereum withdrawal queue and whether ETH is at risk. If the queue is large and the decision is malicious, then joining the Veto Escrow will be more optimal. If we allow using withdrawal NFTs in the Veto Escrow as you suggest, then it may be optimal even when the ETH is not at risk.

I agree, though, that in the case of a controversial but not malicious decision, plain foot voting (without joining the veto escrow) is a more optimal strategy for stETH holders. But that’s fine, we won’t beat foot voting efficiency (imo) since it bears no coordination cost, and it still protects users.

In such critical situations, the global settlement mechanics (or a similar mechanism safeguarding all users) offer better protection for stETH holders than a local settlement.

I agree here as well. However, global settlement is a very dangerous thing, both to the protocol and to various integrators, and thus should require very high participation from actors with skin in the game. Given that the currently proposed mechanism relies on stETH holders as the trigger, this would give an outsized power of destroying the protocol to agents holding stETH on behalf of users, as I’ve highlighted in my previous reply in this thread. Moreover, since stETH minting and transfers code is currently not formally verified on the bytecode level, we cannot be sure it doesn’t contain a vulnerability that would enable a malicious actor to destroy the protocol.

Possible Alternative

This committee should have extensive powers to enact any approved DAO proposal; however, this may still prove insufficient if malicious actors control the DAO.

The committee only gains this power if the Gate Seal committee pauses withdrawals while rage quit is ongoing, so this power is not unlimited.

So, for the protection to be insufficient, malicious actors should control both the DAO and the Gate Seal committee (so that they can pause withdrawals indefinitely while also blocking the DAO), or the DAO should’ve introduced some vulnerability allowing them to steal users’ ETH and executed the corresponding proposal without users opposing it (so that the Gate Seal committee has to pause withdrawals indefinitely to protect users’ ETH).

While these scenarios are realistic, the proposed mechanism still adds significant protection in all other scenarios. Moreover, the end state doesn’t allow the DAO to steal the ETH, the most they can do is to keep it hostage.

Alternatively, a Veto Committee could be established in place of the Tiebreak Committee. This committee would consist of protocol participants and external influencers, each allocating a portion of the veto power.

If I understood it correctly, what you propose boils down to (using the language of the current proposal):

  1. Adding more participants to the Veto Signalling phase: holders of withdrawal NFTs, NOs, protocols, EF, and client teams.
  2. Replacing rage quit (i.e. a protected foot voting pathway) with either global settlement (i.e. sunsetting the protocol) or blocking unexecuted proposals + burning/jailing all LDO that voted for them.

My personal opinion is that 1) is a good thing since it allows more involved actors to protect stETH holders. However, I think that stETH holders shouldn’t rely on these additional actors in order to be protected; instead, additional actors’ involvement should increase the probability of (but not be necessary for) the positive outcome.

As for 2), I’m strictly against a global settlement that can be triggered by external out-of-protocol actors with no or limited skin in the game. Even if we require support by, say, 30% of stETH, it would still be dangerous since a large share of stETH is held by agents with unknown and/or unquantifiable incentives.

I think global settlement should require support from a supermajority of at least stETH and node operators (and probably more actors). It should be a doomsday scenario mechanism, and, imo, there’s a wide range of scenarios between those that are covered by regular foot voting and the doomsday ones.

So, imo, GS is a mechanism that comes as an addition to less drastic forms of users’ protection. We haven’t included it in the current proposal since correctly and safely implementing GS is highly non-trivial and we’re time-constrained by triggerable exits.

Let’s now consider the second alternative to rage quit:

The malicious proposal is discarded. In this case, all LDO holders who voted for the harmful proposal undergo a measure that deprives them of their voting power. After this measure is taken, the protocol returns to its regular operations.

Imo, potential burning/jailing LDO that happens by default as the result of users’ opposition would be a huge counter-incentive for governance participation/delegation, especially from large holders. Also, I assume the DAO voting for deploying a mechanism like this would be highly controversial.

There’s an alternative mechanism, though, that was ideated by @vsh and that I tried to formalize in the “DAO voter bonding” section of the design overview as a potential next iteration. Basically, if a proposal is successfully opposed by users, it becomes unexecutable unless DAO members explicitly decide to counter-escalate by locking the LDO amount proportional to the users’ opposition and accepting the risk of these LDO being burned/jailed if users win this escalation game. This mechanism still protects users from malicious proposals (since they have the power to block them) but also protects LDO holders since they have to explicitly agree to risk their LDO.

In general, I think replacing the rage quit with this escalation game might work, but I’m not sure I like it from the more philosophical point of view: I still firmly believe that foot voting is the best mechanism and, instead of trying to invent a gadget that would fix a broken/captured DAO, we should concentrate on making foot voting as efficient and safe for users as possible, in all scenarios (which would disincentivize malicious actors from capturing the DAO in the first place), and work on governance formalization, increasing its predictability, and gradual minimization where it’s possible.

But that position stems mostly from my intuition and not proper modelling.

Overall, I think that, given the impending addition of triggerable exits, we need to settle on the first iteration of the DG mechanism soon (say, in a month), be it the currently proposed mechanism or one of the alternative versions, and continue research towards improving it in the second iteration. I don’t think we’ll be able to arrive at the most optimal design from the first take, but imo we need something to be deployed in the first half of the next year and then iterate.


I propose considering the option of allowing users to place pending withdrawal NFTs in the veto signaling escrow

this is really interesting. consequences obviously need to be analyzed

in the event of disagreement with DAO decisions, foot voting mechanics remain a more optimal choice for stETH holders than engaging in a negotiation process

not sure i buy this. i don’t think you can confidently make an absolute statement like this that applies to all, or even the majority, of cases. will likely be case dependent

In another potential scenario, a DAO proposal accumulates enough stETH to initiate the rage quit phase, signifying a significant part of users choosing to exit the protocol… In such critical situations, the global settlement mechanics (or a similar mechanism safeguarding all users) offer better protection for stETH holders than a local settlement.

again, not sure i buy this. whether this sentiment should be applicable globally depends on veto thresholds and concentration/distribution of vetoing stake imo

The malicious proposal is discarded. In this case, all LDO holders who voted for the harmful proposal undergo a measure that deprives them of their voting power. After this measure is taken, the protocol returns to its regular operations. The specifics of implementing such an approach necessitate additional research.

really dislike this. this has 2nd order consequences on voting participation and outcomes imho. you inevitably push people to vote for the status quo / less controversial thing

The latter option seems preferable, introducing the “skin in the game” concept… This flexibility empowers honest LDO holders to respond promptly if the veto begins accumulating power, thereby safeguarding their voting power.

this sounds nice in theory. but cognitive burden on voters is real and should not be discounted. also not clear how this plays out in a world where a substantial amount of LDO is delegated

If malicious actors capture the DAO, the veto committee can cancel harmful DAO decisions and exclude LDO holders who supported these proposals from the voting process.

this is true even if malicious actors don’t capture the DAO and even if the decision isn’t harmful. a lot can go wrong here


Gm, I’ve just updated the current version of the mechanism high-level description, incorporating the following changes:

  • Removed the stETH balance snapshotting mechanism since the Tiebreaker Committee already allows recovering from an infinite stETH mint vulnerability; see this post for more details.
  • Added support for veto signalling using withdrawal NFTs (thanks @psirex).

The previous version of the document can be found here: Dual Governance mechanism design overview (2023-10-23) - HackMD.

After these changes, the difference between the current mechanism and the one proposed by @psirex is the following:

  1. Add more participants to the Veto Signalling phase: NOs, protocols, EF, and client teams.
  2. Replace rage quit (i.e. a protected foot voting pathway) with either global settlement (i.e. sunsetting the protocol) or the killing of all unexecuted proposals + burning/jailing LDO that voted for them.

Perhaps I misunderstand, but if there’s a chance my LDO is stolen from me and burnt 'cos I voted for the wrong proposal in good faith there’s no chance that I will ever participate in governance again. The DAO already has a governance participation problem, this feature of dual governance will only exacerbate that in my view. Not at all obvious why such punitive measures need to be taken
