Hey there!
Thank you @KimonSh for an amazingly formulated proposal!
I wanted to share my opinion on how possible expanding Simple DVT module would affect the risk profile for the protocol validator set. With really on-point questions from @Tane I’m convinced it’s necessary to do so, so the decision on the module share could be made with transparency on underlying factors.
Technology risk effect:
Increasing the share of Simple DVT module correspondingly increases protocol subjectivity to technology risk unique for DVT-based module due to malfunction of the SSV client or Obol’s Charon middleware.
Within initial Simple DVT proposal the most risk-averse approach on valuating those risks was utilised for catastrophic scenario of simultaneous slashings of all Simple DVT validators, as, at that moment the technology were
unknown unknowns, due to the new codebase which hasn’t been battle tested like the current, trusted Lido staking module
But, as were stated within initial discussion:
The level of uncertainty is expected to drastically drop: with extensive testnet trials and, finally, starting operation on mainnet.
It’s reasonable to re-evaluate risk scenarios and mitigation, given the observed data and experience with mentioned technologies, determining more realistic tail risks and risk mitigation in case they occur:
With assumptions on 2.8% CL APR | 0.3% EL APR
- Major bug in one of the technologies leading to half of simple DVT going offline (5 380 Validators) leading to total losses of ~24.53 ETH per day, with the cover fund sufficient to provide ~250 days to solve the issue or exit affected validators
- Slashing one of the Super Simple DVT Clusters of 500 validators would lead to ~582 ETH losses which can be covered by the fund.
- Complete slashing of all simple DVT validators is, indeed, couldn’t be covered by the fund as slashing of 10 760 Validators (76x80 + 500x10) would lead to loss of ~12 526 ETH for the protocol (inc. missed rewards) and may lead to correlation penalty of 1 ETH (as total number of slashed validators could exceed 1.04% of network), increasing total loss furthermore to ~23 286 ETH.
And while it’s crucial to remain transparent on consequences of most catastrophic scenario (3), it’s reasonable to operate under extreme risk-averse, but pragmatic assumptions, and, given that SSV client or Obol’s Charon middleware doesn’t bring a possibility for running a cluster on multiple instances (which could lead to double attestation as most common slashing violation), were battle-tested and updated within rigorous safe procedures this scenario could be taken as impossible for realisation.
Operational risk effect:
On the other hand increasing the share of Simple DVT modules correspondingly increases protocol protection from risk scenarios caused by intentional or unintentional operational errors.
Quantifying this effect is subjective on multiple assumptions, but the general magnitude could be evaluated under the assumptions on probabilities of errors with or without using DVT technology.
With:
- p - determining the probability of operational error without running DVT technology
- Pdvt (n,k,q) - probability of operational error with running DVT (n out of k), with q as probability of operational error for single DVT cluster participant
Pdvt (n,k,q) is based on binomial distribution (probability simultaneous operational error for more than n participants out of k):
For the example case of n=5 out of k = 7 reduction in operational error risk could be quantified through the relation p / Pdvt (5,7, q) (how much greater the risk of not running DVT) within different assumptions on p, q values and its relations.
Objective probabilities are dependent multiple factors and unique across the set of Node Operators, but, even for extreme risk-averse case if q is significantly greater than p (operational error for single Node operator from SDVT is greater than for professional Node operator) risk mitigation effect of utilising DVT technology lowering the risk:
For q = 5p (5X higher probability of operational error for NO from SDVT)
Risk reduction (y-axis, log) is greater, the lower the initial operational error probability is. And actual reduction is starting from X100 operational risk reduction for extreme assumption on 2% chance of operational error, leading to magnitude reduction in risk for lower initial p values (risk thousands and million times less probable than without using DVT)
Closing Thoughts
DVT technology, while bringing in additional risk, conditioned to using required tech, provides a unique unreachable level of mitigation for operational risks (without professional demand on participants level) that outpaces technology risk effect which could be managed and limited.
Therefore increasing share for SDVT module and share of Lido Validators utilising DVT technology benefits risk-profile on the protocol level, lowering the general exposure compared to current modules share structure.