LDO+stETH dual governance

I’ve been pitching the Dual Governance concept through this summer conference season and got a couple of ideas on simplifying optics there.

Dual governance is the attempt to resolve (well, ease a bit at least) the principal-agent problem between Lido stakers (stETH) and Lido voters (LDO). The main idea of dual governance is to introduce a veto mechanism that allows stETH holders to stop “bad” votes from being executed.

Besides the Dual Governance option, Sam mentioned another opportunity to eliminate LDO governance altogether by ossifying the protocol. Unfortunately, that ideal is unattainable for at least a couple of years.

Another option that can be considered is a foot voting approach: if staker is unhappy with LDO decision, they should be able to withdraw their funds from the protocol. Foot voting provides a way simpler “unblock governance” mechanics without complex recovery (like burning LDO rogues after a successful veto) & communication (the members of dual governance should agree on unblocking conditions).

The simplest way to allow foot voting is to add a timelock for each Lido vote, allowing the dissenters to leave. The option is currently unavailable because we are still 6-8 months away from withdrawals. But even once available, the withdrawal queue can get months long, so there is no meaningful pre-defined timelock for LDO governance that guarantees successful withdrawals for unhappy stETH holders.

Surprisingly, foot voting mechanics could be implemented similarly to the proposed dual governance approach. The veto state is reached, when a sufficient amount of stETH is locked. Once the veto threshold is reached, no LDO governance motion can be executed, and two option voting by locked stETH starts:

  1. Lift veto from LDO governance and continue normal operations;

  2. Continue LDO governance veto until all the veto voters’ stETH is withdrawn from the protocol.

This vote participation (both for the veto and against) is open to any stETH holder and requires them to lock stETH. In both cases, the protocol returns to the normal LDO governance process after some time.

This mechanic could be augmented with additional options from the original post:

  1. Veto spam protection by burning a portion of the losing side’s stETH;

  2. Grace period after the ending of the vetoed state, so that stETH holders who haven’t managed to withdraw or suffer from last-minute veto lifting could form a new veto coalition;

  3. Allow locked stETH to vote for some passed LDO governance motions to be executed, but only in the “awaiting withdrawal state.”

The third option allows to implement this mechanic even without withdrawals being enabled. In this case, the “awaiting withdrawal state” would be a deadlock state and require an upgrade veto contract along with other protocol contracts to support withdrawals.

I believe this optic reduces architecture decisions space, almost removes governance traits from stETH token (let me out and do whatever you want) and make it more like the dynamic timelock.

10 Likes

Thank you Eugene, I really like the general idea!

I can think of the following specific changes to the mechanism described in the initial post:

  1. There is an explicit voting for applying a global veto state. The voting starts when more than a certain percentage of the total stETH supply is locked in support of the veto.

  2. After the global veto voting is started, one can also lock stETH in opposition to the global veto.

  3. The voting lasts for a fixed amount of time enough for most stETH holders to react. If it’s successful, the global veto state is applied, and withdrawal of all stETH locked in support of the veto is initiated.

  4. Global veto state is active until the aforementioned withdrawal is complete, plus some decent amount of time (e.g. several weeks) sufficient for the latecomers to initiatе withdrawals via the standard mechanism.

  5. If withdrawals are not yet implemented, the veto state is active until the upgrade implementing them is applied (which would require lifting the veto from the specific vote via anti-veto voting).

  6. Anyone who locked stETH (both in support of and in opposition to the global veto) possesses veto voting power effective in anti-veto votings for specific DAO governance decisions.

  7. No stETH is burnt as the result of anti-veto votings for specific DAO decisions. Instead, burning or partial burning could be optionally implemented for stETH used in the global veto voting.

I believe these changes improve the overall incentives, simplify the design, and solve the problem of governance unblocking: by the time veto is lifted, anyone in disagreement with the LDO holders’ decisions has already left the protocol.

That said, I see one issue with this approach: since veto implies stETH withdrawal, any potential disagreement between LDO and stETH holders will cause a massive validator exit queue—and, as a result, a noticeable reduction of the total amount of stake securing the blockchain. This is bad for the network, though it seems that massive stETH withdrawal is anyway inevitable in the case of LDO holders approving a decision directed against the interests of stETH holders.

I’ll prepare a new version of the mechanism description incorporating these ideas. Will try posting it here before the end of the week.

4 Likes

Hey everyone,

Daren and Porter here from a16z.

This is a very strong, deeply thought out proposal that pioneers the dual-governance approach in web3 by designating separate types of representation for different actors in the Lido ecosystem; in this case, adding a limited set of veto powers to stETH holders, separate from traditional LDO token holders’ voting rights. We’re really excited by the possible implications of such a change, and by the thorough exploration of the potential second and third order effects of the proposal in the original post and forum comments. This proposal represents a significant step towards building a more resilient, inclusive governance architecture for Lido, with embedded checks and balances.

We also think this proposal reframes common critiques of traditional token voting arrangements by applying an organizational design lens to the problem: if token-based voting is a tool for achieving consensus, but perhaps not a design in itself, how does a decentralized organization make (or stop) collective decisions by actually incorporating all stakeholders who could be affected by these decisions? This is particularly important for platforms integrated into the infrastructure layer, whose votes could impact the broader Layer-1 ecosystem. Granting veto powers to platform users changes the design of the governance system itself to give agency to these other interests.

We’re really looking forward to seeing the final proposal come out in the coming weeks, but in the meantime also wanted to illuminate a few open considerations that came to mind.

  • stETH veto quorum. In describing the veto mechanics, @skozin outlined how, “a quorum of stETH holders can apply a veto, switching Lido governance into the adversarial state where no LDO vote can be executed unless it’s specifically un-vetoed (veto state).” One consideration is the size of the quorum required for veto. This was updated on a later forum comment to likely include a set percentage of all stETH supply as the quorum, including stETH that can actually vote against the veto. What are the key considerations dictating that percentage, and would it make sense to include a threshold amount above any stETH that is “anti-veto”?

  • Creating a predictable legislative process so stETH holders can responsibly engage in governance when required. stETH holders would rarely be expected to vote, but if and when required, their vote would be important. This creates a gap between stETH holders’ governance engagement patterns (low) and the importance of their vote when it does occur (high). One way to address these concerns would be to consolidate “veto-able” votes into quarterly, or biannually, legislative sessions. This engenders predictability for stETH holders should they need to vote, and guards against apathy that often occurs in continuous governance models. stETH holders would need time to (1) receive information about a possible vote, (2) mobilize, and (3) actually vote. A second path to educating stETH holders would be to include an “stETH veto voting guide” on the Lido staking landing page for ETH staking, and possibly incentivize stETH holders to conduct a trial run of veto voting with a small, fixed, LDO payout. The broader point here is the necessity of conducting a trial run versus relying on stETH holders to mobilize for a first vote, especially if there is a time constraint involved.

  • Addressing concerns of opportunity cost, potential penalties, and unknown “locked” periods for stETH locked in “veto state.” It may be helpful to weigh the proportional risk of an stETH “veto attack” (e.g. freezing the system) versus a design that actively facilitates stETH veto participation. Given the likelihood of execution friction (not knowing how to vote, institutions not actually being able to vote if stETH is in cold storage, etc.), this type of proposal could also introduce potential costs (stETH can’t be actively used in other protocols, possible penalties against holders if the stETH veto vote is deemed a governance attack, etc.) that could lead to reduced participation in the event of a vote. We think it could be important to consider all the potential barriers to stETH holders voting, and address them in a transparent manner. The system design should ensure a veto will only be used when stETH holders are at risk of losing funds.

  • Importance of timing. As stated in the post, “Post-Capella (probably 2023H1), due to the upgradeability of the withdrawal smart contract, Lido DAO would be able to steal the withdrawn ETH given that the withdrawal process is assisted by a node operator. For this, the DAO would need to maliciously upgrade the withdrawal contract to allow extracting the received ETH and then persuade or trick a node operator into initiating the exit.” Consequently, these changes would need to be implemented well before the potential upgradeability of the withdrawal smart contract.

  • Downstream governance changes to create a more robust system design. Two supporting governance ideas that could help with implementation for this proposal: (1) increasing LDO quorum requirements, or requiring greater LDO participation to pass a vote that concerns designated “veto categories;” (2) give approved node operators non-transferable NFTs that would enable a “node operator (super) majority approve to the veto state in order for it to be applied and using quadratic weighting based on the amount of stake,” per the “Including More Governance Parties’’ section of the post, although we recognize the smart contract and complexity risks associated with adding further participants to the voting mix.

13 Likes

I second @Porter_Smith and a16z in praising this governance proposal.

Although yet incomplete, it is a great step forward in moving away from simplistic one-token-one-vote straight simple majority frameworks that proved their inability with dealing with complex DAO issues. I am looking forward to hear more from the team on how the governance reform is going to be shaped.

A while back, I have had some fun synthesising the problems of straight one-token-one-vote governance and the potential benefits of the dual system.

9 Likes

Please take a look at the updated mechanism proposal incorporating some of the feedback and arguably simplifying the whole construct: LDO+stETH Dual Governance v3 - HackMD.

It’s currently a working draft, expecting to finish polishing in a week or so.

4 Likes

So far, we’ve made several iterations on the dual governance mechanism design sharing the basic idea but differing in details. Now, I’d like us to zoom out a bit and explore the design space, highlighting how specific aspects of the mechanism affect its global properties.

We’ll explore three major variations of the design proposed so far and discuss the associated benefits, compromises, and possible improvements. We encourage the community to take part in the discussion and help us answer the following questions:

  1. Have we missed any new attacks the proposed mechanisms enable? This includes both attacks from LDO governance on stakers and from stakers on the governance.
  2. Have we missed any important mechanism properties or behavior dynamics potentially affected by the differences in the design?
  3. What design is the most optimal among the considered ones?
  4. Can a simpler mechanism be designed that would yield the same or comparable set of properties?

The design space

Among all affected global properties, let’s pick the ones that are most important for the mechanism to efficiently function:

  • Incentive for stETH holders to support veto. Given a malicious governance proposal, the active subset of stETH holders should be incentivized to support the veto compared to doing nothing or withdrawing stETH to ETH via the regular mechanism. While it’s true that the veto will most probably be driven by a non-economic incentive, the presence of any strong economic disincentive might significantly hinder the mechanism’s effectiveness and force a bank run.
  • Incentive for stETH and LDO holders to negotiate. Both LDO holders and stakers that support the veto should be as incentivized to resolve the conflict as possible.
  • Whether passive stETH holders are protected. From the safety perspective, we want holding stETH to be as close as possible to holding ETH. At the same time, we assume that most stETH holders won’t be able to participate in the dual governance process, remaining passive. Thus, a really desirable property of the dual governance mechanism is protecting those passive holders: given opposition from an active minority of stETH holders, LDO governance shouldn’t be able to take profit by stealing the passive majority’s ETH or by blackmailing them.
  • The cost and effectiveness of an LDO attack on stETH. We want active stETH holders to be able to block any adversarial proposal by LDO governance by participating in the dual governance process. Additionally, we want to minimize the potential profit that LDO governance can take by blackmailing these participating stETH holders.
  • The cost and effectiveness of a stETH attack on LDO. We want to maximize the potential cost of adversarial stETH holders attacking the LDO governance (by locking it) and the protocol in general (by destroying it).

It turns out that these properties are significantly affected by the way we answer the following four questions:

  1. Is settlement allowed in the case of disagreement between LDO holders and stakers?
  2. If the settlement is allowed, what type: global or local?
  3. If the settlement is allowed, is any penalty applied?
  4. Is one-sided de-escalation by stakers allowed?

Settlement here means the guaranteed ETH withdrawal before the controversial governance change is executed. Local settlement only applies to stETH holders that explicitly state their disagreement with the governance. Global settlement applies to all stETH holders, effectively dismantling the protocol.

All options discussed below can be derived from the latest proposed mechanism design by either removing the Global Settlement state or transforming it to involve only the actively participating stakers. The discussion below assumes that you’ve reviewed that proposal.

It should be noted that, until smart contract-triggerable withdrawals are implemented in the base layer (i.e. definitely not before mid-2023), neither global nor local settlement can be practically implemented. Thus, the only design flavors we’re left with until then are the ones lacking settlement (options 1 and 1a).

We are still yet to find an optimal solution as any design flavor we have explored so far comes with a compromise or two. Let’s now discuss these flavors, how they differ and how it affects the global properties of the mechamism.

Option 1. No settlement, only cooperative de-escalation

The first option is to disallow settlement, for example by adopting the mechanism described in the latest proposal with the Global Settlement state removed.

In this case, while the active minority of stETH holders (say, 30% of the total stETH supply) keeps disagreeing with the LDO governance by having their stETH locked in the veto escrow, no critical governance decision can be executed unless stETH holders explicitly approve it.

The only way to exit this state is through successful negotiations between the LDO and stETH holders, resulting in both groups agreeing to transfer the governance back to the normal state and unlock the participating stETH tokens.

This way, both groups are incentivized to negotiate: while governance and stakers are in disagreement, LDO holders suffer from not being able to effectively run the protocol and the resulting LDO value decrease, and stETH holders suffer from their stETH being locked in the veto escrow.

This, in turn, protects passive stETH holders: they don’t need to participate in order to get the same upside from the dual governance process as the active minority of stakers.

The downside is that LDO holders, being able to indefinitely delay the transition of the governance to the normal state (since both they and stETH holders should agree on this transition), have effectively unbounded leverage to blackmail stETH holders participating in the veto. And while stETH holders have the same power of delaying the transition and governance unlock, the combined cost for stETH holders might be significantly larger depending on the relation between stETH total supply and the LDO FDV.

This also decreases the incentive for the active minority of stakers to participate and protect the protocol in the first place: when the governance proposes a malicious decision, it may seem more economically feasible for stakers to withdraw their stETH ASAP instead of supporting the veto effort. The perceived risk of doing the former might be significantly less than the risk of locking stETH for a potentially infinite amount of time controlled by the presumably malicious governance. This perception might result in a bank run given any tensions between stakers and the governance.

The potential for an attack of malicious stETH holders on the protocol is low, though, given that it bears a significant cost since the stETH used to perform the attack can be locked for an indefinite amount of time.

:red_circle: Incentive to support veto: low.
:green_circle: Incentive to negotiate: high.
:green_circle: Passive stakers protected: yes.
:red_circle: LDO can blackmail stETH: yes.
:yellow_circle: stETH attack effect: potentially infinite governance lock + bank run.
:green_circle: stETH attack cost: high (potentially infinite stETH lock).

Option 1a. No settlement, allow one-sided de-escalation

To decrease the power the governance has over the stakers participating in the veto, we can make the negotiations phase finite. It could be designed as follows:

  • Allow unlocking stETH tokens from the veto escrow during both Veto Voting and Veto Negotiation phases. The unlock is performed in two phases:
    1. The staker initiates the unlock. The tokens are immediately transferred from the Veto Escrow smart contract to the Veto Exit Timelock smart contract, where they’re locked for some fixed but significant amount of time (say, half a year if the current state is Veto Negotiation and one month if the current state is Veto Voting). The veto voting power of the staker is immediately destroyed.
    2. After the timelock passes, the staker can obtain their stETH tokens from the Veto Exit Timelock smart contract.
  • While stETH tokens of a staker are in the Veto Exit Timelock contract, the staker can change their mind and cancel the unlock. In this case, the timelock is reset and the tokens are immediately transferred back to the Veto Escrow smart contract.
  • If, while the governance is in Veto Negotiation state, the total amount of tokens in the Veto Escrow becomes less than VETO_NEGOTIATION_THRESHOLD, the governance is transferred to the Normal state, initiating the unlock of all stETH tokens currently in the Veto Escrow (by moving them to the Veto Exit Timelock contract).

This prevents the governance from inifinetly delaying the unlock of stETH participating in the veto, making such participation safer. The leverage to blackmail veto participants is also removed from the governance since no governance action can decrease the stETH unlock timeout.

At the same time, the incentive to negotiate for both sides is still high: stakers are incentivized to resolve the conflict to prevent stETH value loss while their tokens are being timelocked, and LDO holders are incentivized because stakers have the power to block the execution of any governance decision indefinitely, incapacitating the governance and decreasing the value of the LDO governance token.

The cost of the attack of malicious stETH on the governance depends on the desired effect since stETH should be locked for the period of the governance lock plus some fixed timeout. However, locking the governance even for a short period, combined with a properly executed social campaign, might trigger a bank run in the presence of withdrawals.

:yellow_circle: Incentive to support veto: medium.
:green_circle: Incentive to negotiate: high.
:green_circle: Passive stakers protected: yes.
:green_circle: LDO can blackmail stETH: no.
:yellow_circle: stETH attack effect: governance lock + bank run.
:red_circle: stETH attack cost: low (finite stETH lock).

Option 2. Global settlement

The recently published variation of the dual governance mechanism adds the Global Settlement state: if LDO governance and stakers cannot reach the agreement for some extended amount of time, or if the supermajority of stETH holders opposes the governance, the protocol is dismantled and all ETH is unconditionally withdrawn and returned to stETH holders.

This adds finality to the negotiations phase and thus increases the incentive for stETH holders to support veto and for LDO holders to negotiate. However, the incentive for participating stETH holders to negotiate with the governance is decreased since they have a guarantee of getting the funds back within some final amount of time. Overall, the negotiation incentive remains high.

The main reason for considering global settlement, though, is the protection of the passive stakers: in the event of an attack from the LDO governance, they are guaranteed to be able to unwrap stETH to ETH even without any participation in the dual governance process. This is an important feature to consider given that, under our assumptions, passive stakers constitute a larger part of the stakers community.

Another change compared to the design with no settlement is that now governance is unable to blackmail stakers. This follows from the finality of the negotiations phase and the guarantee that protocol either returns to its normal operations, unlocking stETH participating in dual governance, or gets dismantled and stETH exchanged to ETH.

On the other hand, a potential attack from malicious stETH holders now becomes much cheaper: the only cost of blocking the protocol governance and eventually destroying the protocol is the opportunity cost of locking the threshold amount of stETH (VETO_NEGOTIATION_THRESHOLD in the proposal) for the sum of the max period of negotiations (GLOBAL_SETTLEMENT_TIMEOUT in the proposal) and ETH withdrawal period. Regardless of the parameters, this cost will probably be insignificant compared to the upside one could gain from this kind of attack.

Another important property of global settlement is the increased incentive for node operators to blackmail stakers after the global settlement is triggered: the protocol is already provably dead so they don’t lose much by doing so. At the same time, they still have the power to destroy stakers’ funds by slashing their validators. This makes the global settlement state less attractive for stakers, including veto participants: they have to choose between trying to negotiate with the governance and exposing themselves to the risk of blackmail from node operators.

:green_circle: Incentive to support veto: high.
:green_circle: Incentive to negotiate: high (lower for stETH holders).
:green_circle: Passive stakers protected: yes.
:green_circle: LDO can blackmail stETH: no.
:red_circle: stETH attack effect: protocol death.
:red_circle: stETH attack cost: low.

Option 2a. Global settlement with a penalty

To assign a more adequate cost to a potential stETH attack, we can induce a penalty on the ETH withdrawn as the result of global settlement. This can be done in the following way: if global settlement is triggered, withdrawing stETH to ETH burns a fixed percentage (say, 7-10%) of the withdrawn ETH.

This significantly increases the overall attack cost by adding the cost of the burnt ETH to the opportunity cost of locking the funds.

This also improves the incentive for stETH holders participating in the dual governance process to negotiate with LDO holders to transfer the governance back to the normal state and avoid global settlement, as this would allow them to get stETH back without the penalty being inflicted.

At the same time, the incentive to support veto is decreased compared to just withdrawing stETH ASAP since the latter allows (with some probability) to get the underlying ETH without any inflicted penalty.

One negative effect of the penalty is that it allows LDO governance to blackmail stakers participating in the dual governance by demanding to pay up to the total amount of penalty in order to avoid the global settlement.

:yellow_circle: Incentive to support veto: medium.
:green_circle: Incentive to negotiate: high.
:green_circle: Passive stakers protected: yes.
:yellow_circle: LDO can blackmail stETH: limited by the penalty size.
:red_circle: stETH attack effect: protocol death.
:green_circle: stETH attack cost: high (but limited by the penalty size).

Option 3. Local Settlement

Alternatively, we can allow ETH withdrawal, but only for those who explicitly elected to do so while the governance is blocked:

  1. Modify the Veto Negotiation phase from the latest proposal to have a maximum duration and remove the Global Settlement phase.
  2. During the Veto Negotiation phase, anyone having stETH locked in the veto escrow can elect to withdraw their tokens if the negotiations don’t yield a positive result.
  3. If, while Veto Negotiation phase is active, both LDO governance and participating stETH holders agree to resolve the conflict, the governance is transferred to the normal state and all stETH locked in the veto escrow is released.
  4. Otherwise, a withdrawal of all stETH elected to do so is initiated. Until it’s completed, no critical governance decision can be executed unless explicitly approved by anti-veto voting.
  5. After the withdrawal is completed, the governance is transferred back to the normal mode, subject to a timelock.

The main reason for considering the local settlement mechanics is that it’s not biased towards either stETH or LDO holders. It also allows resuming normal protocol functioning even in the presence of an unresolvable conflict between governance and part of the stakers, allowing the disagreeing stakers to perform a protected exit. This effectively removes any leverage for blackmailing stETH holders from the governance. On the flipside, stETH holders cannot mount an efficient attack on the governance: the most they can achieve is a finite governance lock.

However, we give up the very desirable protection of passive stakers: now, simply holding stETH doesn’t guarantee funds’ safety in the event of LDO governance capture.

Additionally, the finite nature of the veto state significantly reduces the incentive for the parties to negotiate and resolve the conflict in the interest of all stakers.

Another serious downside of the local settlement is that, by providing a guarantee of protected withdrawal of the full ETH amount, it provides an economical incentive for any stETH holder to participate in an existing veto state and trigger the settlement, regardless of whether this veto state was triggered reasonably or this is an ongoing attack on the governance. By doing so, stakers increase their chances of getting their funds back in full. This, in turn, amplifies the effect of a possible stETH attack by triggering a bank run in addition to locking the governance.

:green_circle: Incentive to support veto: high.
:red_circle: Incentive to negotiate: low.
:red_circle: Passive stakers protected: no.
:green_circle: LDO can blackmail stETH: no.
:yellow_circle: stETH attack effect: finite governance lock + bank run.
:red_circle: stETH attack cost: low.

Option 3a. Local settlement with a penalty

To improve the incentive for stakers to negotiate and reduce the incentive to perform ETH withdrawal via joining veto and blocking negotiations, we can penalize ETH withdrawal, just like we did in option 2a.

Burning a fixed percentage of the ETH withdrawn via local settlement forces would-be veto participants to assess the risk of losing capital due to the current governance conflict and compare this risk with the fixed settlement penalty cost. It also incentivizes the already participating stakers to try resolving the conflict and thus avoid paying the penalty, which helps passive stakers as well.

The main downside of the penalty is that it leverages LDO governance to blackmail participating stETH holders, extracting up to the total penalty amount in exchange for agreeing to transfer the governance to the normal state and avoid triggering the settlement.

Another downside is the decreased incentive to support veto: just withdrawing stETH ASAP via the regular withdrawal mechanism might be perceived by active stakers as a safer option since it potentially allows them to get the underlying ETH without any inflicted penalty.

On the other hand, inflicting penalty significantly increases the cost of malicious stETH holders blocking the governance operations.

:yellow_circle: Incentive to support veto: medium.
:green_circle: Incentive to negotiate: high.
:red_circle: Passive stakers protected: very limited.
:yellow_circle: LDO can blackmail stETH: limited by the penalty size.
:green_circle: stETH attack effect: finite governance lock.
:green_circle: stETH attack cost: high (but limited by the penalty size).

Option 3b. Local settlement with a penalty + delegation

To allow some degree of the passive stakers protection, we could enable passive stakers to delegate the decision of being included in the settlement to one or more active stakers:

  • When a delegate joins veto by locking their tokens, all tokens delegated to that address should also become automatically locked. These delegated tokens are not counted towards any threshold so, from the standpoint of veto or settlement mechanism activation, the total delegated amount makes no difference, only explicitly locked stETH amount matters.
  • If a local settlement is triggered, the decision of a stETH holder to withdraw their tokens automatically triggers the withdrawal of stETH from all stakers that have delegated to that address.

Importantly, this delegation shouldn’t increase the delegate’s voting power in the process of veto mechanism activation, deactivation, and veto lift voting. The only effect of the delegation is triggering the delegatee’s ETH withdrawal if the conflict between the active stETH holders and LDO governance cannot be resolved and the delegate elects to withdraw.

One danger of the delegation mechanism is that it might amplify the effect of a stETH attack on the protocol: if the attacker is able to convince or bribe delegates of the majority of stETH supply and trigger the local settlement, the effect of such an attack would be comparable to the global settlement. Thus, the delegate set should be properly distributed.

It should be also noted that this mechanism doesn’t protect all passive stakers. For example, stETH locked in smart contracts (e.g. DEXes and lending protocols) would be left unprotected unless specifically supported by a particular smart contract.

:yellow_circle: Incentive to support veto: medium.
:green_circle: Incentive to negotiate: high.
:yellow_circle: Passive stakers protected: partially.
:yellow_circle: LDO can blackmail stETH: limited by the penalty size.
:green_circle: stETH attack effect: finite governance lock.
:green_circle: stETH attack cost: high (but limited by the penalty size).

What’s next?

In this post, I’ve tried to outline the design space and set the basis for the discussion about selecting the specific dual governance flavor. All of them come with their own set of strengths and weaknesses, so, to pick one, we should answer the following questions:

  1. Which properties of the mechanism are the most important for the protocol and the ecosystem, and which can be compromised?
  2. Do you think each flavor is described correctly? Have we missed any important behaviors, incentives, or attacks specific to each flavor?
  3. Is there a simpler design offering a similar or better set of guarantees for stakers and the governance?

We cannot answer these questions without the involvement of the community, so please share your thoughts!

If you prefer communicating in the meatspace, some folks from our team will be at the Devcon in Bogotá, including Vasiliy @vsh, one of the co-authors of this proposal. Please approach him if you have any ideas, feedback, or just want to discuss something.

8 Likes

Hey everyone, here’s our analysis of the optimal design for a stETH veto.

In summary, in the initial implementation, the power balance between LDO and stETH should be heavily skewed towards LDO (i.e., the veto threshold should be very high). Why?

Giving stETH too much power has the risk of completely destroying the Lido protocol, but giving stETH not enough power is still a notable improvement from the existing system because just the threat of a veto makes a potential governance attack much more risky. Importantly, LDO holders can always cede more power over time as the system is tested. The reverse, however, may not be possible because any changes to the dual governance system itself would presumably be subject to the stETH veto (and potential blocking).

Detailed thoughts below:

  1. The key problem with settlement is that stETH holders can always choose to exit the protocol rather than deal with the trouble of vetoing, whether settlement is local or global. Creating penalties for vetoing—which could be valuable for preventing malicious vetoes—makes this problem worse by further reducing the already low-to-zero incentive for stETH holders to pay attention and veto. From a business perspective, asking stETH holders to pay attention and to be ready to bear the burden of vetoing seems problematic, too. Ideally, we would like to find another way to align the incentives of potential vetoers with the interests of the protocol that helps to overcome this problem.

  2. The veto threshold should be very high to start. If the stETH veto threshold is set too low, it could create irreversible thrashing in which a small number of malicious stETH holders veto everything they can—including any effort to alter the veto system to overcome their opposition. Therefore it seems critical to start with a high threshold that avoids this problem. The threat alone of a potential veto may be a major deterrent for actors seeking to take advantage of Lido’s governance system. Ensuring that incorporating stETH veto power doesn’t harm core LDO holders or the protocol at large is equally as important.

  3. Delegation or the creation of a stETH “council” may be a way to address the collective action problem, in the long run. The key challenge to local or global settlement is that stETH holders do not have strong incentives to pay the cost of vetoing malicious governance proposals, and may be unlikely to pay attention to governance continuously to detect attacks. Although it may be more difficult to set up in the short run, stETH delegation as proposed in option 3b seems promising in the long run, if delegates are given strong incentives. If delegates are paid and can rely on future payments if the protocol continues to succeed, then they have good incentives to monitor for governance attacks.

We offer responses to the post’s specific questions below.

(1) Have we missed any new attacks the proposed mechanisms enable? This includes both attacks from LDO governance on stakers and from stakers on the governance.

LDO holders overriding definition of “critical votes.” We want to make sure that there is no way that 51% of LDO voters can redefine an upcoming “critical” vote to be non-critical so as to avoid the stETH veto, as this would be an obvious attack vector if it’s possible to do. In short, how do we ensure that rules and definitions are fixed from the outset, and not subject to “procedural” attacks?

(2) Have we missed any important mechanism properties or behavior dynamics potentially affected by the differences in the design?

  • General drawback to settlement. As outlined above, we worry that any form of settlement suffers from a collective action problem in which it’s always easier for stETH holders to simply exit the protocol rather than deal with a difficult and potentially costly veto process.

  • Challenges to global settlement. Global settlement is a severe end to the negotiation period. As has already been flagged, we worry that (a) it does not give good incentives to stETH holders to pay attention and veto things, since everyone can “free ride” on those who do attempt to veto; and (b) it may create an incentive to exit the protocol as a stETH holder if you worry global settlement is going to be triggered.

  • Challenges to local settlement. Basic local settlement is challenging, because it provides no protection to passive stETH holders while creating an incentive for stETH holders to veto regardless of whether they think it’s a good idea to or not. Creating a cost to vetoing may help avoid this latter problem, but by raising the burden of vetoing, it makes it more likely people will exit the protocol (or never enter in the first place) instead of going to the trouble of vetoing.

Delegation for passive stETH holders may help with these challenges by creating a smaller group of people who have the information and the incentive to exercise a veto when it’s needed rather than just exiting the protocol. However, to achieve this, delegates would need to have good incentives to become delegates, to pay attention, and to pay the potential costs of vetoing.

One additional nuance could be to add a waiting period prior to any local settlement becoming official, so stETH holders have time to join the veto or exit the system by selling their stETH. The only drawback to this option is it could result in a flood of stETH being sold, negatively impacting the exchange rate within a short period of time; we think this is still a better outcome than shutting the entire system down.

(3) What design is the most optimal among the considered ones?

We believe Option 3b is the best option so far, though we are concerned about the possible unintended effects of levying a cost to vetoing, and would like to learn more about how it will work in practice. What incentives can we give to good people to become stETH delegates? Should there be some decentralized process to “white list” certain delegates? If most stETH holders are passive then default delegation options will be influential and should be chosen carefully.

(4) Can a simpler mechanism be designed that would yield the same or comparable set of properties?

LDO Slashing. We’d like to learn more about a simpler mechanism in which malicious LDO proposers are slashed in some form when the stETH veto is triggered. This would avoid the complexities of the negotiation process, we know that the previous proposal mentions this was considered and rejected, so it would be great to learn more about why this has been ruled out.

Best,

Andy, Daren, and Porter at a16z

6 Likes

Sorry for the silence, I’ve been pretty sick the last month with smth like a long covid that significantly decreased my ability to concentrate on non-trivial things.

In the past couple of months, we’ve had multiple chats with researchers both inside and outside the Lido community. Thank you to everyone involved, and especially @Porter_Smith for diving into the problem space and stating your and your team’s view and questions publicly. This is extremely valuable feedback!

Let me describe some of the ideas we’ve been discussing and outline the next steps.

The assumptions

Let’s start by stating some of the important assumptions we make:

  1. The majority of current stETH holders are passive and either doesn’t monitor the Lido governance decisions or cannot react to them in a reasonable time.
  2. There’s some fraction of stETH holders (I’d say less than 10%) who pay attention to the governance decisions and can react in a short time, and a larger fraction (say, 20%) who can react given significantly more time.
  3. There are actors who might want to join the veto even though they’re not currently holding stETH (for example, Ethereum community members).
  4. There are actors possessing a significant percentage of ETH supply (e.g. centralized entities) who might want to attack Lido by abusing the dual governance mechanism.
  5. Not all market participants are economically rational, at least when considering only the effects on LDO and stETH value. For example, some community members might want to join a veto to protect ETH value even though the most economically rational action considering their ETH-denominated wealth would be to immediately convert stETH to ETH. At the same time, an attacker might want to sacrifice part of their capital to damage Ethereum and offset the losses by increasing the relative value of some other chain’s token.

These assumptions are not set in stone. If you think some of them might be wrong or that this list is incomplete (which is certainly the case), please weigh in!

On global settlement

Global settlement is the only option that allows to efficiently protect passive stakers. However, as @Porter_Smith noted, it comes with a huge cost of a mistake, both in the code and in setting the configuration values like the veto threshold. At the same time, estimating the configuration values relies on assumptions about the market and behavior of its actors so the probability of mistake is significant.

Given this, I think it makes sense to reject this option, at least in this iteration of the dual governance system. We can reconsider it later, after the first version of the mechanism goes live and we can gain more understanding of the market by observing the real-world interaction between different actors.

Problem: cost asymmetry

Even without global settlement, the general problem of cost asymmetry is still present.

Depending on the circumstances, the cost for the governance might be both extremely high and non-linear. For example, a veto being applied while the governance has to perform a critical upgrade in order for the protocol to continue functioning properly bears a very high cost for the protocol and its governance.

This might allow a malicious actor to time the attack exploiting the veto mechanism in a way that makes such an attack cost-effective.

To avoid this, we need to design the mechanism in a way that ensures that locking the governance for a prolonged period either requires participation from a significant percentage of stakers or bears a significant cost at least proportional to the amount of time the governance is being locked for.

At the same time, given the assumption that most of the stakers are passive, we cannot set the veto threshold to a really high value, e.g. 80%. And increasing the cost of participation in veto decreases the incentive for stakers to use the mechanism compared to just exiting the protocol.

Given these considerations, let’s inspect the two proposed options we’re left with after discarding global settlement.

Local settlement

As currently specified, the local settlement mechanism suffers from cost asymmetry. Indeed, one can apply the veto, wait until local settlement ends (thus getting back ETH minus the fixed penalty percentage), and immediately re-initiate the veto. The total cost would be linearly proportional to the lock period.

To avoid this, one can enforce a “cooldown period”, i.e. a fixed period after the veto ends during which no new veto can be applied. But this. in turn, allows the governance to attack stakers by approving a bait malicious proposal that forces stakers to apply a veto, waiting until local settlement ends, then approving the actual malicious proposal and executing it while the cooldown period is in force.

One idea of how to improve this:

  1. After a local settlement ends, enforce a cooldown period during which no new veto can be initiated, but only the proposals that were approved by the governance before the cooldown period started can be executed.
  2. To allow blocking the newly-appeared malicious proposals, support new stakers joining and thus extending the already ongoing veto, given that some minimal threshold of new veto participants reached.
  3. To make the cost of locking the governance non-linearly dependent on the lock period, define the penalty for joining veto as a piecewise non-linear function of time. For example, those who join initially or during the first day get the full ETH amount minus the minimal 0.1% penalty, those who join on the second day get 0.001% less, those who join on the third day get 0.003% less, etc.
  4. Governance approving a proposal while the veto is active resets the time argument passed to the penalty function for further stakers joining the veto back to zero, thus resetting the penalty to the minimal one.

The described mechanism assigns a non-linear cost to completely blocking the governance for a significant period. At the same time, it allows more stakers to join (and thus extend) the veto with a minimal cost given that a previously unseen proposal appears.

No settlement

The “no settlement” option might seem better from the cost asymmetry perspective given that the cost for veto participants is non-fixed and depends on the cooperation from the governance.

However, here we actually face the other end of the cost asymmetry spectrum: given that normal protocol functioning doesn’t currently require governance actions, the cost for the governance can be close to zero. At the same time, the cost for veto participants remains unknown, potentially 100% of the stETH used in the veto.

This may significantly disincentivize stakers from joining veto in comparison to withdrawing their stake. This, in turn, would decrease the overall protection the dual governance offers for the protocol, its stakers, and the Ethereum ecosystem: given our assumption about most stakers being passive and unable to react to a malicious proposal in time, and given that the active minority of stakers will most probably just exit without touching the veto mechanism, the said mechanism doesn’t actually disincentivize the governance from behaving maliciously—which is the whole idea behind the dual governance.

One can try improving this by allowing non-cooperative de-escalation, i.e. the ability for stakers participating in the veto to unlock their stETH from the veto escrow without the governance approval, potentially lifting the veto state if the total amount of locked stETH becomes less than the threshold one.

But now we have a problem similar to the one with the local settlement: the cost for stakers is linearly proportional to the lock period, and the cost for the governance is potentially non-linear. This makes it impossible to set the parameters (veto threshold, penalty percentage) in a way that would guarantee that the veto mechanism cannot be abused to extract more value from the attack than the penalty for doing so would amount to.

Probably it makes sense to put more thought into how a dynamic cost mechanism similar to the one described in the section on the local settlement could be implemented. I’m yet to come up with a clear way of introducing it here.

The proposed design

Given all these considerations, I think that local settlement combined with the dynamic cost mechanism yields the most balanced incentives structure. However, it’s a pretty new design so I think we need to have more discussions around it.

Next steps

Due to the planned date of the Capella hardfork being shifted to the beginning of the spring, I’ll have to temporarily switch my main attention from dual governance to help the dev team implement withdrawals in time. This is a temporary distraction, I’m expecting to switch back to the dual governance in the middle of February, aiming to kick off the implementation in the second half of February or the first half of March.

In the meantime, we’re planning to have a community call dedicated to discussing the dual governance motivation and design options. Please stay tuned, we’ll announce it both here and on Twitter.

3 Likes

We’d like to learn more about a simpler mechanism in which malicious LDO proposers are slashed in some form when the stETH veto is triggered. This would avoid the complexities of the negotiation process, we know that the previous proposal mentions this was considered and rejected, so it would be great to learn more about why this has been ruled out.

This is a great question!

LDO slashing indeed allows to assign finality to the veto process and thus avoid the governance being locked indefinitely. However, it also makes the overall incentives structure much more complex by introducing second- and third-order effects and handling much more power and leverage in the hands of malicious actors willing to abuse the veto mechanism.

For example, someone possessing LDO could abstain from supporting a governance proposal that gained significant support from other LDO holders, and then use their capital to veto this proposal, increasing via slashing the value of the LDO that didn’t participate in the vetoed vote. Thus, malicious LDO holders could try abusing the veto mechanism to concentrate LDO in their hands.

This kind of power should come at a significant cost, meaning that either the veto threshold should be set extremely high, or the penalty for participating in the veto should be significant. However, given our assumption about most of the stakers being passive, setting the veto threshold to some really high value or significantly penalizing veto participants might render the dual governance mechanism ineffective, as detailed above in the section on the “no settlement” option.

Another important effect to consider is that the slashing mechanism disincentivizes honest governance participants from voting on decisions, further increasing the voting apathy the governance’s already suffering from.

We want to make sure that there is no way that 51% of LDO voters can redefine an upcoming “critical” vote to be non-critical so as to avoid the stETH veto, as this would be an obvious attack vector if it’s possible to do. In short, how do we ensure that rules and definitions are fixed from the outset, and not subject to “procedural” attacks?

The idea is to make re-defining the list of critical action a critical action itself.

Technically, the dual governance contract would act as a proxy between governance voting systems and the contracts the governance actions are applied to. All critical permissions, as well as the permission to manage these permissions, will be gradually assigned to the dual governance contract. Thus, downgrading a governance action to a non-critical one would entail going through the dual governance process.

3 Likes

Hi there, I would like to ask if the information in the proposals are still valid in today’s date.
The main points I would like to know are regarding: Lido DAO’s ability to add and remove node operators, and the Worst-case scenarios mentioned in the proposal.

2 Likes

Hi, the information on the worst-case scenarios and the governance power the DAO possesses over the protocol is still valid.

The proposed dual governance design has undergone several iterations, though. I’m planning to focus back on polishing it, formulating a technical proposal, and starting working on the code in the middle of March, after the dev team mostly finishes the preparations for the v2 upgrade.

4 Likes

Thank you very much, skozin!
Could you tell me your position in Lido DAO, please? Are you a co-founder?
I have to add this as a reference in my article.

Best regards,
Pakapon

2 Likes

Nope, I’m not a co-founder. I’m a protocol contributor (dev/research).

3 Likes

I see. Thank you very much for the reply. Hope you have a great day!

3 Likes

Hey-hey! Please, share the link once published =)

1 Like

I look forward to your technical proposal @skozin! Meanwhile, for anyone interested cc @Pakkaponwiwatk1, here is the Messari Govenor team’s note on this proposal, Governor Note: Lido DAO’s LDO and stETH Dual Governance.

4 Likes

Wow, thank you for share — will be checking the thing up before going further with details on implementation!

2 Likes

@skozin is there a way to transfer tokens incorrectly sent to stETH contract address? I’m looking for help.

1 Like

Sorry, there’s no way to do that atm

1 Like

Gm everyone!

It’s been quite a long since I posted the last update on this proposal. It might seem as if nothing was happening but actually, the protocol contributors have made several iterations on the design and now we’re ready to present the draft version of the updated design proposal incorporating the feedback from the community and fellow researchers.

I’m starting a new forum thread since the current one grew to a point where it’s painful to navigate so let’s continue there.

5 Likes