Lido Permissionless Withdrawals

GM Lido Community

As a LDO holder, let me start by saying that the continuous progressive and development by the Lido team has made investing in this protocol one of my best experiences.

In saying this, I’m still concerned over the lack of transparency regarding a plan towards permissionless withdrawals, which - in my eyes - is Lido’s biggest potential point of failure.

To those who don’t understand what I mean: in simple terms, Lido validators are instructed to sign the exit messages for staked ETH (back to those who have staked their ETH through Lido). In theory, a Lido validator could refuse to sign this exit message and essentially hold such ETH hostage - demanding a payout in order to release the tokens.

I’m well aware that the chance of this happening is practically zero, but I can see a situation where the ETH Withdrawals Period after the Shanghai Upgrade extends to over 30 days. Should this happen, the opportunity for FUD around ETH Withdrawals is high - and Lido could be one Twitter Thread away from CT panicking about Lido’s permissioned withdrawals.

I have read Lido’s recent Withdrawal Design and its use of the Buffer for withdrawals is excellent, but this doesn’t fix the permissioned withdrawals issue if there isn’t enough ETH in the Buffer.

Let me reiterate that the chance of this occurring is extremely low and I’m certain that the Lido Team is already three steps ahead in its plans to solve this issue. All I’m asking for is a better level of transparency and understanding, because failing to do so could result in unnecessary FUD that could temporarily damage the performance of the protocol (LSD liquidity, Staked ETH etc).

Kind regards,

This issue is that the way Lido is designed, the operators hold the keys. Given the current Ethereum spec, you cannot withdraw using only the withdrawal credentials. The only way that Lido will be able to solve for permissionless withdrawals is to create an EIP to change the Ethereum specification to allow for withdrawals using only the withdrawal credentials.

There are other interim solutions, for example to create a system where the node operators sign exit messages periodically for x% of their validators. This way, Lido can exit those validators using only the withdrawal credentials. The problem there is that the exit messages only last 2 forks, so, not long at all, and there is no way to force the operators to actually sign the messages. So even if it it’s automated, if their system breaks or they just halt signing of the exit messages, Lido cannot force them to rectify that situation. Having said that, I still think it’s a fairly good system for the average scenario and is better than where we are at today.

Alternatively, a final option is to create an EIP which makes exit messages permanent, the same way deposit messages are. If that were to happen, then operators could sign exit messages a single time. However, Lido would be required to hold those messages, which creates a lot of centralization risk there. Personally, I find this an acceptable interim solution, but many would disagree. My logic is that it’s better than our current situation, and so it’s preferable in my opinion.

Hopefully this gives some helpful context as to the challenge of making withdrawals permissionless.