LDO+stETH dual governance (continuation)

Thanks a lot for surfacing the important topic of delegation!

I’m all for it, weird that I forgot to mention it in the list of possible governance improvements. Probably it happened since this one was too obvious, will fix that!

Voter and delegate incentivization is imo a more intricate question. Basically, we’re solving for two objectives:

  1. Improve governance safety: increase the probability of an unsafe or malicious governance decision being rejected by the majority of voters.
  2. Keep or improve governance efficiency: increase or at least not decrease the quality of governance decisions.

Non-incentivised delegation solves for 1 (by increasing participation) and arguably solves for 2 as well since delegates are not incentivized for participating in the votes they don’t have the time or skills to correctly assess. And while incentivized delegation may improve the safety by further increasing voter participation, it might actually decrease the quality of governance decisions since participation is rewarded regardless of the amount of resources the voter spent on evaluating the proposal. There’d be a strong incentive to just support the majority of voters.

So, imo, incentivized delegation should be combined with some form of prediction market to be really efficient. Maybe rewarding with a locked or vested LDO is enough of a prediction market, maybe a more complex mechanism would be required. But researching this is def a good idea!

2 Likes

I agree incentives are tricky, and may not be needed for a first iteration of delegation, but it’s just a matter of carefully choosing what brings the most security and efficiency to Lido. There’s already some good work to take inspiration from in other DAOs that have succeeded with such programs.

Governance compensation, if done right, is akin to Ethereum protocol incentives. The benefit from participating honestly and actively needs to be higher than those from attacking, and with the growth of Lido and the overall staking industry, attempts at attacks are imminent imo.

DG is a great last-resort way to keep governance in check from absolute disaster, but there’s a lot of room to mess things up before getting to the point where stETH decide to veto a decision.

Great! Thank you Sam for taking the time and answering these questions/concerns. I guess most of my worries are already resolved by the fact that this will support wstETH directly! I was not able to find this in the original document, so I believe this should definitely be mentioned!

For LDO, as you said, this has to be carefully weighed and planned. I still believe it’s important to bring up the perspective of LDO token holders here as this (arguably positively or negatively) has an impact on the token design itself. Nonetheless, I think that we’ve got a long way until we figure out the specifics for LDO’s future.

Including NOs more into the design should not be a blocker for DG and also not make governance more complicated. I see this more as an overall topic that I think needs more discussion. It probably makes sense to postpone this to after 7002 though as it gives the DAO more leverage in the discussion!

For DG, I’m looking forward to seeing the final parameters once modeling concludes.

4 Likes

Hey @skozin, thanks for the great post! Some questions below, particularly from the mechanism design questions highlighted in your note.

  • What if you extended some form of veto right or governance recourse to plain ETH?

  • Could you provide more context on how we plan to arrive at specific threshold numbers for the stETH veto? Is there more background data on how much stETH this is given the overall size of the market? Specifically, have we done an analysis on exactly where this stETH can come from given how much may be locked up in DeFi, cold storage, etc.?

  • Could you provide more context on the decision to freely move stETH in and out of veto state without having to lock it up? Are DDOS attacks prevented by the longer timeline required to execute the entire process (~three months)?

  • Local vs. global settlement debate: is this basically local settlement (from the previous thread)?

  • Any considerations for the UX for implementation of veto? This could be very important to average users who may seek to use the veto.

  • What is the penalty for freezing the system? What specific mitigation measures prevent this?

  • What are the background dynamics and context for the Tiebreak Committee? Is there any other way to structure this role?

  • In the absence of a token bonding mechanism, are you concerned about malicious LDO proposer not getting punished and being able to repeat their malicious proposals later?

  • Predictability in governance is likely to be very important if we expect non-active stETH holders to pay attention to Lido governance. Has there been any consideration to forcing major votes to follow a set schedule, so that stETH holders know they must pay attention at one particular time during the year, or biannually?

8 Likes

Hey @Porter_Smith, thanks for the great questions and for the continued feedback on this proposal! And sorry for the delayed reply, I’ve been pretty sick the last week with some kind of flu and just recovered.

What if you extended some form of veto right or governance recourse to plain ETH?

We actually thought a lot about including ETH holders. The upside is that it should bring a more diverse set of potential veto participants and thus make the governance more resilient. The downside, however, is that ETH holders naturally have less skin in the game in relation to the Lido protocol so just assigning the veto power to this group may significantly increase the attack surface created by the dual governance mechanism.

For example, imagine a situation where Lido governance has to push some emergency upgrade to fix a smart contract vulnerability. Allowing ETH holders to block this upgrade without risking anything or paying any cost would enable an almost free attack on the protocol.

The last time we discussed this with Eugene (@ujenjt) we came up with an option that we believe might allow ETH holders to participate in the veto and at the same time seemingly doesn’t introduce significant attack vectors. The idea is roughly the following:

  • ETH holders can join veto signalling escrow, maybe with a discounted veto power compared to stETH holders.
  • ETH holders cannot exit the signalling escrow while Veto Signalling, Rage Quit, or Rage Quit Accumulation state is active, but can switch between supporting and not supporting veto in the Veto Signalling state.
  • Veto Signalling state duration depends on the total amount of veto power (in the signalling escrow) supporting the veto.
  • The rage quit condition remains the same: more than the second threshold stETH should be locked in the veto signalling escrow. ETH holders alone cannot trigger the rage quit.
  • ETH holders can withdraw their ETH from the veto signalling escrow either when the Veto Cooldown state is entered (if rage quit didn’t happen) or when the Rage Quit state is exited (if rage quit happened). This puts them in the same conditions as stETH holders participating in the veto.

So basically, if DAO proposes smth bad for Lido or Ethereum, active ETH holders can extend the DAO execution timelock up to the max veto signalling duration and use this extra time to reach out to stETH holders via social channels and ask them to rage quit the protocol.

We might be able to include this mechanism in the initial DG version if time allows.

Could you provide more context on how we plan to arrive at specific threshold numbers for the stETH veto? Is there more background data on how much stETH this is given the overall size of the market? Specifically, have we done an analysis on exactly where this stETH can come from given how much may be locked up in DeFi, cold storage, etc.?

We’re in the process of modeling and analysis so these numbers are just our best guesses for now.

Preliminary analysis shows that around 33% of (w)stETH total supply is held by private addresses, i.e. EOAs and smart contract wallets not belonging to CEXes or custodians.

Could you provide more context on the decision to freely move stETH in and out of the veto state without having to lock it up? Are DDOS attacks prevented by the longer timeline required to execute the entire process (~three months)?

The idea is that we want the DAO and stakers to be able to negotiate and de-escalate while in the Veto Signalling state. The “happy path” scenario is the following:

  1. DAO votes for a misaligned decision.
  2. Some stakers trigger Veto Signalling.
  3. DAO withdraws the decision.
  4. Stakers cancel Veto Signalling by moving stETH out of the escrow.

The DoS attacks are prevented by the Veto Cooldown state that inevitably comes between the Veto Signalling and the Normal state and that allows the DAO to execute pending decisions.

The most damage one can do without withdrawing stETH is locking the DAO for a duration between VetoSignallingMinDuration + VetoSignallingDeactivationDuration and VetoSignallingMaxDuration + VetoSignallingDeactivationDuration, depending on the stETH amount they control.

All stETH that is part of the current Rage Quit (i.e. that was automatically moved from the veto signalling escrow to the rage quit escrow upon the Rage Quit Accumulation state activation or that was moved into the rage quit escrow in the Rage Quit Accumulation state) cannot be moved out of the rage quit; stakers will only be able to withdraw the underlying ETH after all stETH that’s undergoing a rage quit is fully withdrawn and the subsequent RageQuitEthWithdrawalTimelock passes.

Stakers that move stETH into veto signalling escrow while rage quit is ongoing are not joining/prolonging the current rage quit; instead, having enough stETH in the signalling escrow will lead to Veto Signalling being activated after Rage Quit state ends.

Local vs. global settlement debate: is this basically local settlement (from the previous thread)?

Yes, for this version, we propose going with just local settlement.

While global settlement allows for better protection of passive stakers, it also enables an attacker to destroy the protocol in the worst case, and we don’t feel safe enough to implement this until we have the critical parts of the code (specifically stETH minting and transfers) ossified and/or verified on the bytecode level.

Any considerations for the UX for implementation of veto? This could be very important to average users who may seek to use the veto.

UX is indeed very important. We’re planning to develop a dedicated UI for veto participation that will be open-source and deployed on IPFS. It will explain the current state of governance and veto participation and allow to join/leave veto, join rage quit, and track the participant’s current status and allowed actions.

The goal is that any staker can participate in the veto as frictionlessly as possible without dependence on any trusted party.

What is the penalty for freezing the system? What specific mitigation measures prevent this?

For temporarily freezing the DAO (up to VetoSignallingMaxDuration + VetoSignallingDeactivationDuration), the only cost is the opportunity cost of locking stETH for the duration of the DAO lock.

Any longer lock will require possessing at least VetoSecondSealThreshold share of the total stETH supply and exiting this stETH to ETH, thus the total cost consists of the two components:

  1. The opportunity cost of locking stETH for VetoSignallingMaxDuration + RageQuitAccumulationDuration + EthWithdrawalDuration + RageQuitEthWithdrawalTimelock (where EthWithdrawalDuration is the time required for validators to exit).
  2. The cost of non-received protocol rewards, i.e. stETH_APY * stETH_amount * (EthWithdrawalDuration + RageQuitEthWithdrawalTimelock).

To lock the DAO for a longer period, the attacker has to:

  1. Sell the ETH locked for RageQuitEthWithdrawalTimelock to liquid ETH. This will inevitably come with some discount.
  2. Sell the liquid ETH for a stETH wallet/EOA that possesses at least VetoSecondSealThreshold share of total stETH supply for the duration of at least VetoBalSnapshotShift, OR bribe at least VetoSecondSealThreshold share of total stETH supply into triggering the Rage Quit Accumulation state.

We’re still working on scenario modeling and attack cost analysis and would appreciate any input!

What are the background dynamics and context for the Tiebreak Committee? Is there any other way to structure this role?

The Tiebreaker Committee was introduced to address the specific scenario:

  1. An attacker notices a vulnerability in the protocol allowing them to withdraw other users’ ETH.
  2. An attacker blocks the DAO for a prolonged period by either bribing stETH holders, borrowing stETH on the open market, purchasing, or minting stETH, and using it to trigger the Rage Quit state.
  3. The Gate Seal committee notices this and pauses withdrawals to prevent ETH theft. Since governance is blocked, this pause will last until the governance is unblocked. But the governance cannot be unblocked until the Rage Quit state ends, and it ends when the ETH is withdrawn. Since withdrawals are paused, we arrive at a deadlock.

In this specific case, and only in this case, the Tiebreaker Committee gains the power of executing any decision the DAO has approved by voting. So this committee does have the ability to bypass stETH veto but it can only do it in a very specific case, and its power is limited since it can only execute decisions that the DAO has proposed and voted in favor of.

Looking at this from an attack modeling perspective, in order to execute a change bypassing the stETH veto, an attacker has to:

  • Control the DAO.
  • Force stETH holders to trigger a Rage Quit state OR control at least the VetoSecondSealThreshold share of the stETH total supply.
  • Control the Gate Seal committee.
  • Control the Tiebreaker Committee.

It’s still a lot of power, thus the committee should be as resilient as possible. For this committee, speed of reaction should be absolutely sacrificed for security since the committee only activates in the doomsday scenario when there’s no need to take any urgent measures as validator exits and ETH withdrawals are already paused and any code upgrades are blocked.

There are various ways of structuring the committee, the one presented in the design overview document is not the only/final one. For example, @ujenjt proposed the following alternative structure:

  • Social layer sub-committee: representatives from EF and client teams.
  • Validators sub-committee: all active Ethereum validators with voting power weighted by the time since activation.
  • DAOs sub-committee: governance contracts of largest DAOs by TVL.

Each sub-committee requires majority support, and for the super-committee to execute a DAO decision, approval from all sub-committees is required.

In the future, the Gate Seal committee should be replaced by an autonomous and trustless mechanism, e.g. an invariant-based circuit breaker contract, making it impossible to transition the protocol into a paused state (and thus empower the Tiebreaker Committee) without some critical code invariant being broken.

Whether DG can be altered in a way that makes the committee unnecessary remains an open question. We’ve yet to come up with any practical way of doing so and would appreciate any ideas or hints on potential research directions.

In the absence of a token bonding mechanism, are you concerned about malicious LDO proposer not getting punished and being able to repeat their malicious proposals later?

Since the DAO has the power of transferring or burning LDO on any address, it can still punish a malicious proposer in the case the attacker controls less LDO than the active and honest DAO participants:

  1. An attacker obtains/bribes more than a quorum of LDO and tricks the DAO into accepting malicious proposals (or benefits from voter apathy).
  2. Stakers notice this and trigger Veto Signalling.
  3. While in Veto Signalling, honest DAO members outvote the attacker and kill all pending proposals, including the attacker’s proposals (by voting for the KillAllPendingProposals special proposal). This guarantees that the DAO won’t be able to execute any proposal before stakers can re-trigger Veto Signalling.
  4. Honest DAO members communicate to stakers that, after the veto is lifted, they will burn or jail the attacker’s LDO.
  5. Stakers cancel the veto state. After a timelock, the DAO gains the ability to execute new proposals.

Then, two scenarios are possible. The happy one:

  1. The honest DAO members submit the proposal for burning/jailing the attacker’s LDO and outvote the attacker.
  2. The DAO continues normal operation.

The unhappy one:

  1. The honest DAO members don’t submit the proposal for burning/jailing the attacker’s LDO or are unable to outvote the attacker.
  2. Stakers re-trigger Veto Signalling and potentially exit the protocol via Rage Quit.

Bonding changes the default outcome of an attack in the case the DAO for some reason is malfunctioning or the attacker controls more LDO than honest and active DAO members. Since opposition from stakers automatically results in either the proposal being killed or LDO being jailed/burned, voter bribing attacks become much less efficient.

Predictability in governance is likely to be very important if we expect non-active stETH holders to pay attention to Lido governance. Has there been any consideration to forcing major votes to follow a set schedule, so that stETH holders know they must pay attention at one particular time during the year, or biannually?

Honestly, I wouldn’t expect the majority of stETH holders to pay any attention to the Lido governance no matter its cadence, and neither do I think Lido governance should rely on this in any form since it’s incompatible with the LST holders’ incentives. DG was proposed in part to address this problem/assumption by allowing a minority of stETH holders who are actively monitoring the DAO to trigger an extended timelock on pending decisions, giving the time for the majority of stakers to react.

I imagine the veto-triggering scenario to be closer to this (and I mean this scenario when I say “stakers trigger Veto Signalling”):

  1. Lido DAO approves some controversial or malicious change.
  2. The interested parties notice the change. These parties could be individual stakers but a more realistic expectation is that they would be the protocols/companies integrated with or holding stETH, Lido DAO contributors, and the wider tech community. They don’t necessarily hold stETH.
  3. These parties socially amplify the information about the controversial decision.
  4. This information reaches the active minority of stETH holders who pay attention to CT or crypto news.
  5. Active minority of stETH holders trigger an extended timelock by joining veto and further amplify the information.
  6. Gradually, less active stETH holders join, potentially triggering a rage quit.

To accommodate this scenario, the dynamically expanding timelock mechanism (as more stakers join) was included in the proposal.

That said, limiting the governance cadence for the most major changes is a good idea since it improves the overall predictability of the protocol changes. To my knowledge, no contributors are currently working on limiting it onchain so it remains a future research direction.

One thing to note here is that some Ethereum consensus changes, especially around staking mechanics, might require some level of support from Lido contracts, and this support almost certainly will require upgrades of core contracts. Since Ethereum forks are not bound to any pre-defined schedule, just pinning major Lido upgrades to a pre-defined schedule most probably won’t work and a more complex mechanism would be required. It should also be synchronized with the GOOSE/LIP processes adopted by the DAO to avoid governance locks resulting from different offchain and onchain schedules.

2 Likes
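As an added illustration of the state transitions described in the reply above (this is not the proposal’s code and not taken from any Lido repository): a small Python model of the veto-signalling cycle. The threshold shares, durations and the linear growth of the dynamic timelock between the min and max durations are constructed assumptions for the sake of the example; only the ordering of the states (Normal, Veto Signalling, deactivation, Veto Cooldown, Rage Quit), the free movement of stETH in and out of the signalling escrow, and the rule that the DAO can execute decisions only in Normal and Veto Cooldown come from the reply.

```python
"""Constructed toy model of the veto-signalling state machine described in the reply above.
Parameter values are invented for illustration (not the proposal's numbers); time is in days."""
from dataclasses import dataclass, field


@dataclass
class Params:
    first_seal: float = 0.01       # share of total stETH that activates Veto Signalling (assumed)
    second_seal: float = 0.10      # share that allows Rage Quit once max duration passes (assumed)
    signalling_min: int = 5        # VetoSignallingMinDuration, days (assumed)
    signalling_max: int = 45       # VetoSignallingMaxDuration, days (assumed)
    deactivation: int = 3          # VetoSignallingDeactivationDuration, days (assumed)
    cooldown: int = 2              # Veto Cooldown length, days (assumed)
    rage_quit: int = 60            # stand-in for validator exits + RageQuitEthWithdrawalTimelock (assumed)


@dataclass
class DualGovernance:
    params: Params
    total_supply: float
    state: str = "Normal"
    day: int = 0
    entered: int = 0                                 # day the current state was entered
    escrow: dict = field(default_factory=dict)       # signalling escrow: staker -> stETH
    rage_quit_escrow: dict = field(default_factory=dict)
    pending: list = field(default_factory=list)      # DAO proposals awaiting execution
    executed: list = field(default_factory=list)

    def locked_share(self) -> float:
        return sum(self.escrow.values()) / self.total_supply

    def lock(self, staker: str, amount: float) -> None:
        self.escrow[staker] = self.escrow.get(staker, 0.0) + amount
        self._transition()                           # may activate Veto Signalling at once

    def unlock(self, staker: str, amount: float) -> None:
        # Free movement out of the signalling escrow; the rage-quit escrow is one-way.
        self.escrow[staker] -= amount
        if self.escrow[staker] <= 0:
            del self.escrow[staker]

    def submit(self, proposal: str) -> None:
        self.pending.append(proposal)

    def withdraw(self, proposal: str) -> None:
        self.pending.remove(proposal)                # the DAO backs down

    def execute(self, proposal: str) -> bool:
        """Execution is possible only in Normal and Veto Cooldown (the anti-DoS window)."""
        if self.state not in ("Normal", "VetoCooldown") or proposal not in self.pending:
            return False
        self.pending.remove(proposal)
        self.executed.append(proposal)
        return True

    def signalling_duration(self) -> int:
        """Dynamic timelock: min at the first seal, growing linearly to max at the second."""
        p, share = self.params, self.locked_share()
        if share <= p.first_seal:
            return p.signalling_min
        if share >= p.second_seal:
            return p.signalling_max
        frac = (share - p.first_seal) / (p.second_seal - p.first_seal)
        return round(p.signalling_min + frac * (p.signalling_max - p.signalling_min))

    def max_lock_days(self) -> int:
        """Longest the DAO stays blocked per cycle without anyone rage-quitting."""
        return self.signalling_duration() + self.params.deactivation

    def advance(self, days: int = 1) -> None:
        for _ in range(days):
            self.day += 1
            self._transition()

    def _enter(self, state: str) -> None:
        self.state, self.entered = state, self.day

    def _transition(self) -> None:
        p, share, elapsed = self.params, self.locked_share(), self.day - self.entered
        if self.state == "Normal" and share >= p.first_seal:
            self._enter("VetoSignalling")
        elif self.state == "VetoSignalling":
            if share >= p.second_seal and elapsed >= p.signalling_max:
                self.rage_quit_escrow, self.escrow = self.escrow, {}   # one-way move
                self._enter("RageQuit")
            elif elapsed >= self.signalling_duration():
                self._enter("VetoSignallingDeactivation")
        elif self.state == "VetoSignallingDeactivation" and elapsed >= p.deactivation:
            self._enter("VetoCooldown")
        elif (self.state == "VetoCooldown" and elapsed >= p.cooldown) or \
             (self.state == "RageQuit" and elapsed >= p.rage_quit):
            # Cooldown always precedes Normal; stETH left in (or added to) the signalling
            # escrow during Rage Quit starts the next Veto Signalling instead.
            self._enter("VetoSignalling" if share >= p.first_seal else "Normal")
```

Three runs are worth doing with this model: a holder of 2% of supply who never unlocks blocks the DAO for `max_lock_days()` (signalling plus deactivation) and then the cooldown opens an execution window regardless, which is the DoS argument from the reply; the happy path (DAO withdraws, stakers unlock) falls through deactivation and cooldown back to Normal; and a holder above the second seal who waits out the max duration lands in Rage Quit with the escrow moved one-way.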

One more thought: given that we currently see no way around having the Tiebreaker Committee, maybe having the balance snapshotting mechanism is not so critical?

The balance snapshotting mechanism, i.e. the calculation of veto power as min(current stETH balance, stETH balance X days ago) was introduced to protect from an attacker exploiting a potential unbacked minting vulnerability following this scenario:

  1. An attacker finds the vulnerability and mints a huge stETH amount (say, more than the current total supply) without providing the proportional amount of ETH.
  2. They immediately use this stETH to trigger Veto Signalling, blocking the DAO from deploying any fix.
  3. After the Veto Signalling maximum duration passes, the Rage Quit starts since the signalling escrow contains more than the second threshold stETH.
  4. As a result of the Rage Quit, the attacker steals the whole protocol TVL in ETH.

Calculating veto power as a minimum from current and past stETH balances would require the attacker to mint the unbacked stETH X days before using it in the veto and thus give the protocol governance the time to react, pause the protocol and deploy a fix:

  1. An attacker finds the vulnerability and mints a huge stETH amount without providing the proportional amount of ETH. Due to the balance snapshotting mechanism, they have to wait at least X days before being able to use it in veto, where X exceeds the time required for the DAO to approve and execute a proposal.
  2. The Gate Seal committee notices the exploit and pauses withdrawals.
  3. The DAO prepares, approves, and executes a proposal fixing the vulnerability and unpausing withdrawals before Gate Seal-induced withdrawals pause elapses.

However, in the presence of the Tiebreaker Committee, the DAO, the Gate Seal committee, and the Tiebreaker committee can cooperate and execute a recovery from this attack even in the absence of balance snapshotting:

  1. An attacker finds a vulnerability and mints a huge stETH amount without providing the proportional amount of ETH.
  2. They immediately use this stETH to trigger Veto Signalling, blocking the governance from deploying any fix.
  3. The Gate Seal committee notices the exploit and pauses withdrawals. Since DAO execution is currently blocked, the pause will last until it’s unblocked.
  4. After the Veto Signalling maximum duration passes, the Rage Quit starts. Since withdrawals are paused, this leads to a governance/withdrawals deadlock and thus the Tiebreaker Committee gains the power of executing any DAO-approved decision.
  5. The DAO prepares and approves a proposal fixing the vulnerability and unpausing withdrawals. In contrast to the balance snapshotting scenario, the DAO is not strictly time-constrained in preparing and deploying the fix since withdrawals are not getting automatically unpaused.
  6. The Tiebreaker Committee executes the proposal.

The downsides:

  1. As a result of an attack, protocol users experience a prolonged pause in withdrawals that can easily last months.
  2. Intervention from the Tiebreaker Committee is required.

However, given that the Tiebreaker Committee is needed for other reasons anyway, that a vulnerability allowing unbacked stETH minting is already a doomsday scenario, and that stETH remains backed in the end, maybe this is an acceptable compromise. The upsides of removing the balance snapshotting are significant:

  1. Allows users who have stETH deposited in DeFi protocols and CeFi services to participate in veto (by withdrawing to stETH/wstETH first).
  2. Significantly simplifies the DG implementation.
  3. Improves the UX for participants since no access to an archival Ethereum node is required anymore.

WDYT?

2 Likes
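To make the snapshotting trade-off in the post above concrete, here is an added Python example (not the proposal’s code) of the rule veto power = min(current balance, balance X days ago), replayed against the unbacked-minting scenario. The balance history, the supply numbers, the attacker’s minted amount and the DAO reaction time are constructed for the example; the 10% second seal is an assumed value. The same helper with `snapshot_shift=0` is what “removing the balance snapshotting” looks like.

```python
"""Constructed example of the balance-snapshotting rule from the post:
veto power = min(current stETH balance, stETH balance X days ago).
Not the proposal's code; the addresses, balances and day numbers are invented."""
from bisect import bisect_right


class BalanceHistory:
    """Append-only (day, balance) log for one address: the data an archival node provides."""

    def __init__(self) -> None:
        self.days: list = []
        self.balances: list = []

    def record(self, day: int, balance: float) -> None:
        if self.days and day < self.days[-1]:
            raise ValueError("records must be appended in chronological order")
        self.days.append(day)
        self.balances.append(balance)

    def balance_at(self, day: int) -> float:
        """Balance in effect on `day` (0 before the first record)."""
        i = bisect_right(self.days, day)
        return self.balances[i - 1] if i else 0.0


def veto_power(history: BalanceHistory, day: int, snapshot_shift: int) -> float:
    """The snapshotting rule: freshly acquired (or freshly minted) stETH counts only once it
    has been held for `snapshot_shift` days. A shift of 0 disables the rule."""
    return min(history.balance_at(day), history.balance_at(day - snapshot_shift))


def veto_share(histories: dict, day: int, snapshot_shift: int, total_supply: float) -> float:
    """Share of total supply that the given addresses can bring to the veto escrow on `day`."""
    return sum(veto_power(h, day, snapshot_shift) for h in histories.values()) / total_supply


def unbacked_mint_scenario(snapshot_shift: int, dao_reaction_days: int) -> dict:
    """Constructed replay of the post's attack: 1,000,000 stETH supply, second seal at 10%
    (assumed), attacker mints 5,000,000 unbacked stETH on day 0 and tries to use it at once.
    `dao_reaction_days` is the assumed time the DAO needs to approve and execute a fix."""
    second_seal = 0.10
    attacker = BalanceHistory()
    attacker.record(0, 5_000_000.0)                 # unbacked mint on day 0
    holder = BalanceHistory()
    holder.record(-400, 20_000.0)                   # honest staker holding since long before
    total_supply = 1_000_000.0 + 5_000_000.0        # the minted stETH inflates supply as well
    # Earliest day on which the attacker's veto power alone crosses the second seal.
    trigger_day = next(d for d in range(0, snapshot_shift + 1)
                       if veto_power(attacker, d, snapshot_shift) / total_supply >= second_seal)
    return {
        "attacker_power_day0": veto_power(attacker, 0, snapshot_shift),
        "holder_power_day0": veto_power(holder, 0, snapshot_shift),
        "honest_share_day0": veto_share({"holder": holder}, 0, snapshot_shift, total_supply),
        "rage_quit_trigger_day": trigger_day,
        "dao_can_fix_first": trigger_day > dao_reaction_days,
    }
```

With a 7-day shift and a 5-day DAO reaction time the attacker’s freshly minted stETH carries zero veto power on day 0 and cannot cross the second seal before day 7, so the DAO gets its window; with the shift set to 0 the same mint is usable immediately, which is exactly the case the post argues the Tiebreaker Committee path would have to absorb instead.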

Hello,
to channel the voice of users and stakers, could we use a Citizens’ Assembly-like model as a proxy? We are working on this in the tradpol world with quite a lot of success and also starting experimentation and piloting in web3. Happy to present the approach, explore collaborations, testing. Here is the report of the first pilot in the Atom ecosystem: forum.cosmos.network/t/discussion-onboarding-managing-offboarding-the-aez-a-set-of-draft-propositions/12054

And aez.global for background

2 Likes

Thanks for putting this together @skozin and team! The principal-agent problem and its potential implications on the ETH consensus layer are the biggest concerns for most Ethereans so I definitely like the direction and the intent of the dual governance model.

Before I share my thoughts, I’d first like to admit that I may not be entirely up to speed with all prior governance proposals/discussions on this + related topics so do give me some rope!

I am curious to hear your thoughts on a model where stETH holders can trigger a voting process (vs only veto) for the dismissal/replacement of permissioned node operators if they find that such NOs no longer represent their interests.

My thought process below:

  1. There is an argument being made on how Lido can theoretically exert “soft powers” on and coerce permissioned NOs to do their bidding

  2. In an ideal world, stETH are equivalent to ETH in terms of voting powers on the consensus layer - e.g. voting for the chain head / forkchoice - but I imagine this would be super complex to implement

  3. Having 100% permissionless NOs can also mitigate (1). However, this comes with its own set of challenges such as eroding Lido’s ability to (i) generate the highest yield for its stakers (via institutional NOs), and (ii) service large TVLs, as permissionless NOs require hard capital to participate in (vs reputational capital). There is definitely a risk of TVL flowing to custodied alternatives if Lido’s efficiencies on these 2 fronts fall short.

  4. Borrowing from politics in the real world, representatives can be freely voted in and out by the people

Having said that, I do recognise that there will be new problems to deal with by doing this:

  1. Malicious actors (to Lido) can acquire stETH for the sole purpose of dismissing all permissioned NOs, causing a large amount of TVL to become unproductive in an attempt to drive TVL to other platforms. They can also short LDO at the same time to profit directly.

  2. Everyday stakers will likely not have the expertise in selecting and evaluating the best NOs

An expanded approach could perhaps look like the following:

  1. To solve the expertise problem: A list of suitable NOs is community-sourced and submitted periodically (e.g. once per quarter) by not only LDO holders, but also stETH holders, and even ETH holders (e.g. ETHstaker, EF). Inclusion and exclusion lists could require 2 out of 3 sets to agree on.
  2. To prevent governance attacks via stETH: A high threshold could be used - e.g. 66% or 75% of stETH voting required to trigger dismissal/replacement of existing permissioned NOs - increasing the cost of such attacks. Each dismissal must be accompanied with a replacement candidate. LDO holders have a higher weighting when selecting replacement NOs from the community-voted list. New stETH holders need to lock their stETH in escrow for a period to prevent abuse and ensure they have skin in the game.

Thanks for reading and I look forward to the insights from the community here!

Cool concept, but I’m afraid introducing *more* governance to Lido adds more complexity and potential attack vectors. Especially when talking about NO politics.

IMO, NO sets should be managed by quantifiable metrics, which we can automate as well. So like if a NO doesn’t meet certain performance criteria, or if there are clear attempts of attacking the network, they can be kicked out of the set. Introducing a place for NO politics will only make Lido a very opinionated protocol in a space (Ethereum security) that benefits the most from diversity.

Anyways, NOs must be voted on to enter the set and unless I’m wrong, LDO holders already can vote to take out members of the set, which is sufficient and even too much governance already. @Izzy can shed some light here.

1 Like

Hi @Antoine_Vergne, and thanks for sharing the idea!

In general, having a well-representing proxy to the most active subset of users would be imo a nice thing to have, we can use it e.g. as a part of the “users’ sentiment oracle” in the DG model (so that it can trigger an extended timelock) or maybe even include it into the governance process at some point.

My main concern regarding the introduction of additional agents, especially in the case where they’re assigned broader governance rights, is that it creates one more PAP: there’s no guarantee that the new agent adequately represents all groups of users at all times so, imo, just having a proxy doesn’t bring enough user protection and additional mechanisms are still needed.

I’m still a huge fan of foot voting and minimization of the “bad” part of governance powers. That doesn’t mean that I’m against exploring user proxies, just that I think we need to do it carefully.

I’d be happy to explore the suggested mechanism in more detail. Where can I read more about the composition and governance principles of the Citizens Assembly? The linked post seems to report the results of the first session of the Assembly, and I’d like to find out more about its mechanics.

2 Likes

Thanks for joining the discussion @Stakesaurus!

Currently, the curated list is managed with the help of the Lido Node Operators Sub-Governance Group (LNOSG) that evaluates current and new node operators and suggests the inclusion/exclusion lists to the DAO, the latter having the ultimate decision rights on whether to implement the recommendations.

So, if I get it right, what you suggest is basically:

  1. Adding more parties to the LNOSG.
  2. Adding stETH holders to the LNOSG.
  3. Allowing LNOSG to perform inclusion and exclusion without consent from the DAO.

I think 1) is worth pursuing in general, given that new parties possess the required expertise. For 3) to work for the curated set, the LNOSG should have significant skin in the game and be composed of a very wide range of actors to make attacks on the protocol and the network extremely expensive.

As for 2), i.e. giving stETH broad governance rights, in contrast to governance minimization and making foot voting as easy as possible, I think it’s a dangerous path currently because it gives outsized power to various agents holding stETH on behalf of others, e.g. bridges, L2s, CEXes/custodians, and, to some extent, DeFi protocols. Together they control a sizeable portion of stETH, which will only increase with time, and most of them are governed (sometimes by a multisig) and thus can act independently. The cumulative coordination cost for these large agents is significantly smaller than it is for regular stETH holders.

Setting a participation threshold might theoretically help but I’m afraid it won’t work in practice because, if you set it low, then few large agents will be able to coordinate protocol changes without participation from users, and if you set it high, users won’t be able to coordinate any change. I’m 100% sure that coordination between even 30% of the regular stETH holders is practically impossible, except when it’s required to save their ETH; at the same time, various agents already hold more than 30% of the stETH total supply.

In general, I believe in the end state where the protocol governance risk is minimized not because the governance process includes many parties but instead because the governance has no ability to sharply and significantly change the protocol and its covenants, controls the minimal set of meta-parameters of the protocol instead of micro-managing its operations, and because users can easily leave or fork the protocol if its governance becomes misaligned with them.

That said, I’m not against exploring the alternative class of solutions that keep the DAO in check by involving more parties; even the current DG proposal includes the negotiation mechanism between the DAO and the stETH holders that are intending to leave. Just trying to explain why the proposal currently relies on foot voting as the most efficient mechanism.

Btw, the current mechanism allows stETH holders to join veto escrow and thus trigger negotiation with the DAO even in the absence of a proposal. This allows them to demand removing a node operator from the set (for example, if it starts censoring) and leave the protocol if the DAO doesn’t cooperate.

5 Likes

First and foremost, thank you, @skozin, for the excellent research and the clear presentation of the proposed solution.

I like your suggestion to eliminate the balance snapshotting mechanism from the design. In my view, the drawbacks of this feature outweigh its benefits.

Additionally, I propose considering the option of allowing users to place pending withdrawal NFTs in the veto signaling escrow. This change could protect against scenarios where the DAO is compromised when a significant portion of stETH is locked in the Withdrawal Queue. In such a scenario, there might not be enough stETH available to activate the rage quit phase, potentially enabling malicious LDO holders to update the Withdrawal Queue implementation and pilfer unclaimed ETH.

I’d also like to take a closer look at how efficient the proposed solution is from the perspective of the stETH holders. As articulated in the specification:

Dual governance mechanism is an iteration on the protocol governance that gives stakers a say by allowing them to block DAO decisions and providing a negotiation device between stakers and the DAO.

Another way of looking at dual governance is that it implements

  1. a dynamic user-extensible timelock on DAO decisions and
  2. a rage quit mechanism for stakers taking into account the specifics of how Ethereum withdrawals work.

Let’s consider a scenario where a DAO proposal has accumulated sufficient stETH in the veto escrow but still lacks enough to activate the rage quit accumulation phase. In such a case, two potential outcomes emerge:

  • The DAO opts to cancel the proposal:
    Users can withdraw their stETH from the veto escrow without exiting the protocol. Yet, it appears improbable that the engaged minority of users involved in the veto will opt to stay in the protocol. There is no guarantee that the DAO won’t reintroduce a similar proposal later, forcing stETH holders to put their funds in the veto escrow again, potentially leading to a loss of profit.
  • The DAO chooses not to cancel the proposal:
    In this scenario, stETH holders who vetoed the proposal still need to adhere to the regular withdrawal process of the protocol. Consequently, a more optimal strategy for them would be to join the Withdrawal Queue directly, expediting the release of their funds and facilitating a swift transition to another platform.

Given the absence of assurance that the DAO will cancel a potentially controversial (but still not malicious, as the rage quit mechanics would likely be activated in such a case) proposal for a minor portion of stakers, dissenting users are more likely to find regular withdrawals more appealing. In other words, in the event of disagreement with DAO decisions, foot voting mechanics remain a more optimal choice for stETH holders than engaging in a negotiation process.

In another potential scenario, a DAO proposal accumulates enough stETH to initiate the rage quit phase, signifying a significant part of users choosing to exit the protocol. Such events are likely a consequence of obviously malicious actions from the DAO, compelling all stETH holders to withdraw their funds promptly. In such critical situations, the global settlement mechanics (or a similar mechanism safeguarding all users) offer better protection for stETH holders than a local settlement.

Possible Alternative

Addressing the challenge of unbacked stETH minting, a proposed solution involves leveraging the Tiebreak Committee to handle critical situations. This committee should have extensive powers to enact any approved DAO proposal; however, this may still prove insufficient if malicious actors control the DAO.

Considering reliance on this committee in the most critical situations, perhaps we can consider delegating a portion of the veto power to this committee instead of concentrating 100% of it in the hands of stETH holders. This approach may contribute to simplifying and enhancing the sustainability of the system.

Alternatively, a Veto Committee could be established in place of the Tiebreak Committee. This committee would consist of protocol participants and external influencers, each allocating a portion of the veto power. For instance, the distribution of veto power could be as follows:

  • stETH holders - 40%
  • node operators - 25%
  • major protocols using stETH as an asset - 20%
  • ETH foundation members & client teams - 15%

The precise list of participants and distribution of veto power requires thorough research, with a key consideration being adherence to the rule: There is no party with veto power equal to or exceeding the quorum (50%).

Additionally, the calculation of the veto power may happen using a flat scale, departing from the approach commonly used in multisigs. For instance, each node operator might possess a veto power proportional to NodeOperatorsVetoPower * nodeOperatorValidatorsCount / totalProtocolValidatorsCount. Similarly, for stETH holders, the veto power could be tied to the amount of stETH locked in the veto escrow contract: StEthHoldersVetoPower * stETH.balanceOf(holder) / stETH.totalSupply(). This approach ensures that each participant wields influence in the veto process, distinguishing it from multisigs, where the voices of dissenters are merely added to the majority.

A mechanism akin to extending the veto signaling phase may be employed to allow sufficient time for veto committee members to cast their votes. For instance, depending on the gathered veto power, the duration of the voting period may vary from 3 to 60 days. Determining the exact timeframes necessitates further research to select durations that provide sufficient time for slower participants, such as protocols represented by their DAOs or stETH holders requiring time to retrieve their funds from DeFi protocols, to express their opinions.

Following the attainment of the quorum by the veto proposal, the subsequent actions depend on the specific implementation. For example, consider two primary options:

  • Global Settlement of the Protocol:
    In this scenario, the execution of proposals becomes impossible, and all users may withdraw their funds from the protocol.
  • Discarding the Malicious Proposal:
    The malicious proposal is discarded. In this case, all LDO holders who voted for the harmful proposal undergo a measure that deprives them of their voting power. After this measure is taken, the protocol returns to its regular operations. The specifics of implementing such an approach necessitate additional research.

The latter option seems preferable, introducing the “skin in the game” concept. Moreover, in contrast to the first option, it enables unlocking the protocol without forking, even when the DAO is captured.

Simultaneously, LDO holders can adjust their decisions throughout the ongoing voting process (LDO voting and objection phases). This flexibility empowers honest LDO holders to respond promptly if the veto begins accumulating power, thereby safeguarding their voting power.

The described high-level overview of the solution introduces certain pros in various aspects. For example:

  • In the case of unbacked stETH minting, an attacker cannot veto the DAO proposal to address the issue. Even if the attacker controls 100% of the stETH supply, it falls short of reaching the veto quorum.
  • stETH participants who disagree with DAO decisions can exit safely using regular Withdrawal Queue mechanics.
  • If malicious actors capture the DAO, the veto committee can cancel harmful DAO decisions and exclude LDO holders who supported these proposals from the voting process. Additionally, allowing stETH holders to participate in the veto using pending Withdrawal NFTs may provide a secure exit from the captured protocol.
  • The veto committee has a strictly defined action, limited to vetoing the DAO proposal. This contrasts with the proposed Tiebreaker committee, which must be granted a broader scope of actions.

However, granting veto power to the tiebreak committee members may still seem controversial. On the one hand, it empowers them, but on the other, it confines their actions solely to vetoing proposals instead of executing any accepted DAO decision. These committee members are integral to the protocol, and providing them with the right to express their opinions in the event of disagreement with the DAO is not necessarily a negative aspect. Additionally, in a catastrophic scenario, their participation in vetoing malicious proposals can be crucial in safeguarding users’ funds.

8 Likes
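A small model of the flat-scale veto power computation and the quorum rule described in the post above, as an added example that is not part of the original post or of Lido's code. The 40/25/20/15 allocation, the 50% quorum and the 3 to 60 day window come from the post; equal per-member weights for protocols and EF/client teams, the linear extension of the window, and every number in the two scenarios are assumptions.

```python
from dataclasses import dataclass

# Veto power allocation from the post (percent of total veto power).
VETO_ALLOCATION = {
    "steth_holders": 40.0,
    "node_operators": 25.0,
    "protocols": 20.0,
    "ef_and_client_teams": 15.0,
}
QUORUM = 50.0            # percent of total veto power needed to veto
MIN_DAYS, MAX_DAYS = 3, 60  # bounds of the veto signalling window given in the post


def allocation_is_safe(allocation=VETO_ALLOCATION, quorum=QUORUM):
    """The post's rule: shares sum to 100% and no single party holds >= quorum."""
    return abs(sum(allocation.values()) - 100.0) < 1e-9 and all(
        share < quorum for share in allocation.values()
    )


@dataclass
class VetoState:
    """Constructed snapshot of who has signalled a veto (all values hypothetical)."""
    steth_in_escrow: float      # stETH locked in the veto escrow (incl. withdrawal NFTs)
    steth_total_supply: float
    vetoing_validators: int     # validators run by node operators that vetoed
    total_validators: int
    vetoing_protocols: int      # protocols that vetoed; equal weight each is an assumption
    total_protocols: int
    vetoing_ef_members: int     # EF / client teams that vetoed; equal weight each is an assumption
    total_ef_members: int


def gathered_veto_power(s: VetoState, allocation=VETO_ALLOCATION) -> float:
    """Flat-scale veto power in percent, following the post's formulas:
    StEthHoldersVetoPower * stETH.balanceOf(holder) / stETH.totalSupply() summed
    over escrow participants, and NodeOperatorsVetoPower * validators / totalValidators."""
    return (
        allocation["steth_holders"] * s.steth_in_escrow / s.steth_total_supply
        + allocation["node_operators"] * s.vetoing_validators / s.total_validators
        + allocation["protocols"] * s.vetoing_protocols / s.total_protocols
        + allocation["ef_and_client_teams"] * s.vetoing_ef_members / s.total_ef_members
    )


def veto_reached(s: VetoState, quorum=QUORUM) -> bool:
    return gathered_veto_power(s) >= quorum


def signalling_days(power: float, quorum=QUORUM) -> float:
    """Assumed linear extension of the signalling window: 3 days with no veto
    power gathered, 60 days once the quorum is reached (the post gives only the bounds)."""
    frac = min(max(power, 0.0), quorum) / quorum
    return MIN_DAYS + (MAX_DAYS - MIN_DAYS) * frac


# Scenario from the post's "pros" list: an attacker controlling 100% of the
# stETH supply (e.g. after an unbacked mint) vetoes alone and only gets the
# stETH party's share, which is below the quorum.
ATTACKER_ALL_STETH = VetoState(
    steth_in_escrow=1_000_000, steth_total_supply=1_000_000,
    vetoing_validators=0, total_validators=10_000,
    vetoing_protocols=0, total_protocols=5,
    vetoing_ef_members=0, total_ef_members=4,
)

# Constructed broad-based veto: 40% of stETH in escrow, node operators running
# 60% of validators, 3 of 5 protocols and 2 of 4 EF / client teams.
BROAD_VETO = VetoState(
    steth_in_escrow=400_000, steth_total_supply=1_000_000,
    vetoing_validators=6_000, total_validators=10_000,
    vetoing_protocols=3, total_protocols=5,
    vetoing_ef_members=2, total_ef_members=4,
)

if __name__ == "__main__":
    for name, state in (("attacker", ATTACKER_ALL_STETH), ("broad", BROAD_VETO)):
        p = gathered_veto_power(state)
        print(f"{name}: {p:.2f}% veto power, quorum reached={veto_reached(state)}, "
              f"window={signalling_days(p):.1f} days")
```

The attacker scenario lands at exactly the 40% stETH share, so under this allocation even a complete capture of the stETH supply cannot veto without support from other parties.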

Thanks for the detailed and well-thought-out post @psirex! I really like the discussion we’re having here with you and the others, it’s extremely valuable and necessary for arriving at a proper design.

I’ll try addressing all the concerns and ideas you’ve highlighted but pls let me know if I missed something.

Additionally, I propose considering the option of allowing users to place pending withdrawal NFTs in the veto signaling escrow

I like the idea! I’d go as far as allowing converting stETH already locked in the escrow to a withdrawal NFT.

I’d also like to take a closer look at how efficient the proposed solution is from the perspective of the stETH holders

The DAO chooses not to cancel the proposal… Consequently, a more optimal strategy for them would be to join the Withdrawal Queue directly, expediting the release of their funds and facilitating a swift transition to another platform.

It depends on the current size of the Ethereum withdrawal queue and whether ETH is at risk. If the queue is large and the decision is malicious, then joining the Veto Escrow will be more optimal. If we allow using withdrawal NFTs in the Veto Escrow as you suggest, then it may be optimal even when the ETH is not at risk.

I agree, though, that in the case of a controversial but not malicious decision, plain foot voting (without joining the veto escrow) is a more optimal strategy for stETH holders. But that’s fine, we won’t beat foot voting efficiency (imo) since it bears no coordination cost, and it still protects users.

In such critical situations, the global settlement mechanics (or a similar mechanism safeguarding all users) offer better protection for stETH holders than a local settlement.

I agree here as well. However, global settlement is a very dangerous thing, both to the protocol and to various integrators, and thus should require very high participation from actors with skin in the game. Given that the currently proposed mechanism relies on stETH holders as the trigger, this would give an outsized power of destroying the protocol to agents holding stETH on behalf of users, as I’ve highlighted in my previous reply in this thread. Moreover, since stETH minting and transfers code is currently not formally verified on the bytecode level, we cannot be sure it doesn’t contain a vulnerability that would enable a malicious actor to destroy the protocol.

Possible Alternative

This committee should have extensive powers to enact any approved DAO proposal; however, this may still prove insufficient if malicious actors control the DAO.

The committee only gains this power if the Gate Seal committee pauses withdrawals while rage quit is ongoing, so this power is not unlimited.

So, for the protection to be insufficient, malicious actors should control both the DAO and the Gate Seal committee (so that they can pause withdrawals indefinitely while also blocking the DAO), or the DAO should’ve introduced some vulnerability allowing them to steal users’ ETH and executed the corresponding proposal without users opposing it (so that the Gate Seal committee has to pause withdrawals indefinitely to protect users’ ETH).

While these scenarios are realistic, the proposed mechanism still adds significant protection in all other scenarios. Moreover, the end state doesn’t allow the DAO to steal the ETH, the most they can do is to keep it hostage.

Alternatively, a Veto Committee could be established in place of the Tiebreak Committee. This committee would consist of protocol participants and external influencers, each allocating a portion of the veto power.

If I understood it correctly, what you propose boils down to (using the language of the current proposal):

  1. Adding more participants to the Veto Signalling phase: holders of withdrawal NFTs, NOs, protocols, EF, and client teams.
  2. Replacing rage quit (i.e. a protected foot voting pathway) with either global settlement (i.e. sunsetting the protocol) or blocking unexecuted proposals + burning/jailing all LDO that voted for them.

My personal opinion is that 1) is a good thing since it allows more involved actors to protect stETH holders. However, I think that stETH holders shouldn’t rely on these additional actors in order to be protected; instead, additional actors’ involvement should increase the probability of (but not be necessary for) the positive outcome.

As for 2), I’m strictly against a global settlement that can be triggered by external out-of-protocol actors with no or limited skin in the game. Even if we require support by, say, 30% of stETH, it would still be dangerous since a large share of stETH is held by agents with unknown and/or unquantifiable incentives.

I think global settlement should require support from a supermajority of at least stETH and node operators (and probably more actors). It should be a doomsday scenario mechanism, and, imo, there’s a wide range of scenarios between those that are covered by regular foot voting and the doomsday ones.

So, imo, GS is a mechanism that comes as an addition to less drastic forms of users’ protection. We haven’t included it in the current proposal since correctly and safely implementing GS is highly non-trivial and we’re time-constrained by triggerable exits.

Let’s now consider the second alternative to rage quit:

The malicious proposal is discarded. In this case, all LDO holders who voted for the harmful proposal undergo a measure that deprives them of their voting power. After this measure is taken, the protocol returns to its regular operations.

Imo, the potential burning/jailing of LDO that happens by default as the result of users’ opposition would be a huge counter-incentive for governance participation/delegation, especially from large holders. Also, I assume the DAO voting for deploying a mechanism like this would be highly controversial.

There’s an alternative mechanism, though, that was ideated by @vsh and that I tried to formalize in the “DAO voter bonding” section of the design overview as a potential next iteration. Basically, if a proposal is successfully opposed by users, it becomes unexecutable unless DAO members explicitly decide to counter-escalate by locking the LDO amount proportional to the users’ opposition and accepting the risk of these LDO being burned/jailed if users win this escalation game. This mechanism still protects users from malicious proposals (since they have the power to block them) but also protects LDO holders since they have to explicitly agree to risk their LDO.

In general, I think replacing the rage quit with this escalation game might work, but I’m not sure I like it from the more philosophical point of view: I still firmly believe that foot voting is the best mechanism and, instead of trying to invent a gadget that would fix a broken/captured DAO, we should concentrate on making foot voting as efficient and safe for users as possible, in all scenarios (which would disincentivize malicious actors from capturing the DAO in the first place), and work on governance formalization, increasing its predictability, and gradual minimization where it’s possible.

But that position stems mostly from my intuition and not proper modelling.

Overall, I think that, given the impending addition of triggerable exits, we need to settle on the first iteration of the DG mechanism soon (say, in a month), be it the currently proposed mechanism or one of the alternative versions, and continue research towards improving it in the second iteration. I don’t think we’ll be able to arrive at the most optimal design from the first take, but imo we need something to be deployed in the first half of the next year and then iterate.

2 Likes

I propose considering the option of allowing users to place pending withdrawal NFTs in the veto signaling escrow

this is really interesting. consequences obviously need to be analyzed

in the event of disagreement with DAO decisions, foot voting mechanics remain a more optimal choice for stETH holders than engaging in a negotiation process

not sure i buy this. i don’t think you can confidently make an absolute statement like this that applies to all, or even the majority, of cases. will likely be case dependent

In another potential scenario, a DAO proposal accumulates enough stETH to initiate the rage quit phase, signifying a significant part of users choosing to exit the protocol… In such critical situations, the global settlement mechanics (or a similar mechanism safeguarding all users) offer better protection for stETH holders than a local settlement.

again, not sure i buy this. whether this sentiment should be applicable globally depends on veto thresholds and concentration/distribution of vetoing stake imo

The malicious proposal is discarded. In this case, all LDO holders who voted for the harmful proposal undergo a measure that deprives them of their voting power. After this measure is taken, the protocol returns to its regular operations. The specifics of implementing such an approach necessitate additional research.

really dislike this. this has 2nd order consequences on voting participation and outcomes imho. you inevitably push people to vote for the status quo / less controversial thing

The latter option seems preferable, introducing the “skin in the game” concept… This flexibility empowers honest LDO holders to respond promptly if the veto begins accumulating power, thereby safeguarding their voting power.

this sounds nice in theory. but cognitive burden on voters is real and should not be discounted. also not clear how this plays out in a world where a substantial amount of LDO is delegated

If malicious actors capture the DAO, the veto committee can cancel harmful DAO decisions and exclude LDO holders who supported these proposals from the voting process.

this is true even if malicious actors don’t capture the DAO and even if the decision isn’t harmful. a lot can go wrong here

3 Likes

Gm, I’ve just updated the current version of the mechanism high-level description, incorporating the following changes:

  • Removed the stETH balance snapshotting mechanism since the Tiebreaker Committee already allows recovering from an infinite stETH mint vulnerability; see this post for more details.
  • Added support for veto signalling using withdrawal NFTs (thanks @psirex).

The previous version of the document can be found here: Dual Governance mechanism design overview (2023-10-23) - HackMD.

After these changes, the difference between the current mechanism and the one proposed by @psirex is the following:

  1. Add more participants to the Veto Signalling phase: NOs, protocols, EF, and client teams.
  2. Replace rage quit (i.e. a protected foot voting pathway) with either global settlement (i.e. sunsetting the protocol) or the killing of all unexecuted proposals + burning/jailing LDO that voted for them.

1 Like

Perhaps I misunderstand, but if there’s a chance my LDO is stolen from me and burnt 'cos I voted for the wrong proposal in good faith there’s no chance that I will ever participate in governance again. The DAO already has a governance participation problem, this feature of dual governance will only exacerbate that in my view. Not at all obvious why such punitive measures need to be taken

2 Likes

Hi @Jack_Freckle, the disincentivisation of governance participation that you mention is the reason why the burning mechanism is not present in the current proposal.

I think that, if we settle on the alternative proposal, the straight burning mechanism should be replaced with an escalation game where, if stakers oppose a proposal, DAO members have to explicitly bond LDO for the proposal to remain executable which might lead to their LDO being jailed if they cannot collectively outbond stakers. This makes the risk of LDO jailing explicit and disconnected from voting, so you’re not automatically risking LDO when voting, you have to perform an explicit action to take on this risk. I’ve roughly described the game here.

That said, I’m still in favor of the main proposal (without the burning/jailing mechanism and relying on negotiations and foot voting instead) since I think foot voting, if it can be done easily and safely, is superior to any mechanism that tries to fix the DAO somehow.

5 Likes

Oh I see, okay that’s far more reasonable - thank you for the response

Are you considering applying Dual Governance principles to Easy Track as well? Will it be possible to make objections using stETH?

Yep, the DG technical design allows supporting multiple voting systems at once, including Easy Tracks.

That said, I don’t think governance decisions not related to changing the rules of the node operator set, upgrading the code, or making other significant changes like adding/removing oracle operators, should be under the scope of the DG.

4 Likes