Hey everyone, here’s our analysis of the optimal design for a stETH veto.
In summary, in the initial implementation, the power balance between LDO and stETH should be heavily skewed towards LDO (i.e., the veto threshold should be very high). Why?
Giving stETH too much power has the risk of completely destroying the Lido protocol, but giving stETH not enough power is still a notable improvement from the existing system because just the threat of a veto makes a potential governance attack much more risky. Importantly, LDO holders can always cede more power over time as the system is tested. The reverse, however, may not be possible because any changes to the dual governance system itself would presumably be subject to the stETH veto (and potential blocking).
Detailed thoughts below:
-
The key problem with settlement is that stETH holders can always choose to exit the protocol rather than deal with the trouble of vetoing, whether settlement is local or global. Creating penalties for vetoing—which could be valuable for preventing malicious vetoes—makes this problem worse by further reducing the already low-to-zero incentive for stETH holders to pay attention and veto. From a business perspective, asking stETH holders to pay attention and to be ready to bear the burden of vetoing seems problematic, too. Ideally, we would like to find another way to align the incentives of potential vetoers with the interests of the protocol that helps to overcome this problem.
-
The veto threshold should be very high to start. If the stETH veto threshold is set too low, it could create irreversible thrashing in which a small number of malicious stETH holders veto everything they can—including any effort to alter the veto system to overcome their opposition. Therefore it seems critical to start with a high threshold that avoids this problem. The threat alone of a potential veto may be a major deterrent for actors seeking to take advantage of Lido’s governance system. Ensuring that incorporating stETH veto power doesn’t harm core LDO holders or the protocol at large is equally as important.
-
Delegation or the creation of a stETH “council” may be a way to address the collective action problem, in the long run. The key challenge to local or global settlement is that stETH holders do not have strong incentives to pay the cost of vetoing malicious governance proposals, and may be unlikely to pay attention to governance continuously to detect attacks. Although it may be more difficult to set up in the short run, stETH delegation as proposed in option 3b seems promising in the long run, if delegates are given strong incentives. If delegates are paid and can rely on future payments if the protocol continues to succeed, then they have good incentives to monitor for governance attacks.
We offer responses to the post’s specific questions below.
(1) Have we missed any new attacks the proposed mechanisms enable? This includes both attacks from LDO governance on stakers and from stakers on the governance.
LDO holders overriding definition of “critical votes.” We want to make sure that there is no way that 51% of LDO voters can redefine an upcoming “critical” vote to be non-critical so as to avoid the stETH veto, as this would be an obvious attack vector if it’s possible to do. In short, how do we ensure that rules and definitions are fixed from the outset, and not subject to “procedural” attacks?
(2) Have we missed any important mechanism properties or behavior dynamics potentially affected by the differences in the design?
-
General drawback to settlement. As outlined above, we worry that any form of settlement suffers from a collective action problem in which it’s always easier for stETH holders to simply exit the protocol rather than deal with a difficult and potentially costly veto process.
-
Challenges to global settlement. Global settlement is a severe end to the negotiation period. As has already been flagged, we worry that (a) it does not give good incentives to stETH holders to pay attention and veto things, since everyone can “free ride” on those who do attempt to veto; and (b) it may create an incentive to exit the protocol as a stETH holder if you worry global settlement is going to be triggered.
-
Challenges to local settlement. Basic local settlement is challenging, because it provides no protection to passive stETH holders while creating an incentive for stETH holders to veto regardless of whether they think it’s a good idea to or not. Creating a cost to vetoing may help avoid this latter problem, but by raising the burden of vetoing, it makes it more likely people will exit the protocol (or never enter in the first place) instead of going to the trouble of vetoing.
Delegation for passive stETH holders may help with these challenges by creating a smaller group of people who have the information and the incentive to exercise a veto when it’s needed rather than just exiting the protocol. However, to achieve this, delegates would need to have good incentives to become delegates, to pay attention, and to pay the potential costs of vetoing.
One additional nuance could be to add a waiting period prior to any local settlement becoming official, so stETH holders have time to join the veto or exit the system by selling their stETH. The only drawback to this option is it could result in a flood of stETH being sold, negatively impacting the exchange rate within a short period of time; we think this is still a better outcome than shutting the entire system down.
(3) What design is the most optimal among the considered ones?
We believe Option 3b is the best option so far, though we are concerned about the possible unintended effects of levying a cost to vetoing, and would like to learn more about how it will work in practice. What incentives can we give to good people to become stETH delegates? Should there be some decentralized process to “white list” certain delegates? If most stETH holders are passive then default delegation options will be influential and should be chosen carefully.
(4) Can a simpler mechanism be designed that would yield the same or comparable set of properties?
LDO Slashing. We’d like to learn more about a simpler mechanism in which malicious LDO proposers are slashed in some form when the stETH veto is triggered. This would avoid the complexities of the negotiation process, we know that the previous proposal mentions this was considered and rejected, so it would be great to learn more about why this has been ruled out.
Best,
Andy, Daren, and Porter at a16z