RISC Zero Proposal for a Lido Accounting Oracle Second Opinion under the LEGO Program, February 14, 2025.
Context
Last year LEGO provided grants to three teams for partial replacement / supplement of the Lido Accounting Oracle contracts using zero knowledge proof oracles. This has since been formalized in the LIP-23 proposal. Not all of the three commissioned teams have been able to complete their deliverables in a way that can be used practically for the original intended purpose. However, the reason for three grants having been issued was to put in place multiprover protection for this function, i.e., to allow the Lido community to run the oracle process on multiple different ZK programs, to mitigate the risk that any one oracle program had a security or other performance flaw.
After discussion with contributors to the Lido on Ethereum protocol, the RISC Zero team proposed to step in and build a ZK oracle to replace one of the two projects that have not been able to complete, thereby restoring the original approach of the work.
We have already implemented an MVP and are applying for a grant to take this into production as an oracle ready to integrate with the Lido on Ethereum protocol. We also plan to integrate the oracle with our upcoming Boundless decentralized proving service, which we expect will provide the cheapest proving services along with improved decentralization.
RISC Zero
RISC Zero is the team that pioneered the zkVM market, launching a production ready product 18 months ago. Our team is founded by security industry veterans with the highest standards of code hygiene, audit and integrity. RISC Zero continues to make performance breakthroughs every month, and the code relating to the proving network (more below) is open source. The zkVM allows you to build programs with ‘normal’ programming, natively Rust and now also able to interpret Solidity. In this way, solutions built on RISC Zero zkVM can be easily extended by others, maintained and audited.
In addition to providing a zkVM on which the oracle can run, RISC Zero also provides a centralized proving service called Bonsai, thereby alleviating the cost and complexity for an entity that runs the oracle. Teams that have already gone public with their plans to use RISC Zero include EigenLayer, Taiko, Union and Hashflow all for mission critical, high security production needs.
Boundless
While the oracle will initially use RISC Zero’s centralized prover, RISC Zero is launching Boundless, a universal protocol that brings ZK to every chain through a verifiable compute marketplace that abstracts away complex ZK infrastructure for production applications.
Boundless will provide several key advantages:
- Strong liveness guarantees for proof generation
- Competitive pricing driven by open competition between provers
- Minimizing latency through optimized proof supply chain and economic incentives that reward fast delivery
This ensures proof generation for the Lido SecondOpinion Oracle maintains high reliability while benefiting from market-driven efficiencies.
Technical Details
Our design performs computation over historical beacon and execution state inside the zkVM to prove the values outlined in the LIP-23 Specification at a specific slot.
The oracle uses a proof composition approach to cache prior computation where possible and minimize the amount of beacon state data needed as input. It also allows the oracle to be stateless, minimizing on-chain costs. Two provable guest programs are used to produce the oracle proof that is submitted on-chain.
The first is a membership proof which proves the validity of a bitfield indicating which validators have their withdrawal credentials set to the Lido WithdrawalVault. These values in the beacon state are immutable so proofs can be updated using recursion and only the validators that have entered since the last update need to be processed.
The second is an aggregation proof (called balance_and_exits in the implementation), which consumes a membership proof and aggregates the total balance of all Lido-participating validators and the total number that have exited at the given slot. A validator's balance and exit status can change at any time, so this computation cannot be reused; however, the membership bitfield means that only Lido-participating validators need to be supplied as input to the program.
The proofs compose together as shown in figure (1). Both guest programs use compact SSZ multiproofs to verify the inclusion of all beacon chain data rooted at a given block root.
For further details see the README
Aggregate proofs can be verified on-chain using the existing RISC Zero verifier deployments and our design includes a contract which can store oracle reports and expose them via the SecondOpinionOracle interface.
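The following is an added example, not code from the RISC Zero implementation. It models in plain Rust the logic the membership and aggregation guests are described as proving, including a check that the aggregation input covers every set bit exactly once. All names, the exit rule (`exit_epoch <= epoch`) and the sample values are assumptions made for illustration.

```rust
// Added illustration: plain-Rust model of the two guest computations.
// No zkVM, SSZ or proof verification; all names and values are hypothetical.
pub const FAR_FUTURE_EPOCH: u64 = u64::MAX; // beacon-chain value for "no exit scheduled"

#[derive(Clone, Debug)]
pub struct Validator {
    pub withdrawal_credentials: [u8; 32],
    pub balance_gwei: u64,
    pub exit_epoch: u64,
}

/// Membership step: extend a previously proven bitfield with the validators
/// that entered since the last update. Earlier bits are reused unchanged.
pub fn update_membership(prior: &[bool], entered: &[Validator], lido_wc: &[u8; 32]) -> Vec<bool> {
    let mut bits = prior.to_vec();
    bits.extend(entered.iter().map(|v| &v.withdrawal_credentials == lido_wc));
    bits
}

/// Aggregation step: `inputs` holds (validator index, validator) for Lido validators
/// only, in ascending index order. Omitted, duplicated or non-member entries are rejected.
pub fn balance_and_exits(bits: &[bool], inputs: &[(usize, Validator)], epoch: u64) -> Result<(u64, u64), &'static str> {
    let mut expected = bits.iter().enumerate().filter(|(_, b)| **b).map(|(i, _)| i);
    let (mut total, mut exited) = (0u64, 0u64);
    for (idx, v) in inputs {
        if expected.next() != Some(*idx) {
            return Err("input does not match membership bitfield");
        }
        total = total.checked_add(v.balance_gwei).ok_or("balance overflow")?;
        if v.exit_epoch <= epoch { // assumed definition of "exited" at the report epoch
            exited += 1;
        }
    }
    if expected.next().is_some() {
        return Err("Lido validator missing from input");
    }
    Ok((total, exited))
}

pub fn validator(tag: u8, balance_gwei: u64, exit_epoch: u64) -> Validator {
    Validator { withdrawal_credentials: [tag; 32], balance_gwei, exit_epoch }
}

fn main() {
    let lido = [0x01u8; 32]; // constructed stand-in for the WithdrawalVault credentials
    let bits = update_membership(&[], &[validator(1, 32, FAR_FUTURE_EPOCH), validator(2, 32, 5)], &lido);
    let inputs = [(0usize, validator(1, 32, FAR_FUTURE_EPOCH))];
    println!("{:?} {:?}", bits, balance_and_exits(&bits, &inputs, 10));
}
```

Without the coverage check, a prover could leave a Lido validator out of the input and still produce a valid-looking aggregate with an understated balance.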
Existing MVP
A working implementation is available on GitHub under the Apache-2 license. The contracts are currently deployed for testing on Ethereum Mainnet and Sepolia, where reports have been submitted and verified.
Generating a balance_and_exits proof for a recent mainnet slot was completed in 4521 mega cycles. This can be proven using the Bonsai proving service in around 3.5 minutes costing ~$4.5. Costs for updating a membership proof depend on the time since last updated but will be minimal compared with aggregation.
The proof was verified and the report stored on-chain for a combined ~350k gas.
Roadmap & Deliverables
Milestone 1 - MVP:
- RISC Zero guest programs capable of proving LIP-23 reports
- Minimal contract for making verified reports available on-chain via the SecondOpinionOracle interface
- This would be completed within a week of the grant being agreed
Milestone 2 - Boundless Integration:
- Modify the oracle contract to make proof requests from the Boundless marketplace contract
- Modify oracle operator program to make proof requests and dynamically price requests to ensure timely proof generation
- This would be technically complete within two weeks of the grant being agreed, for the purposes of testing through testnet phases of Boundless.
Milestone 3 - Productionization:
- Inclusion of historical Lido WithdrawalVault contract balance in reports. This will be proven in the aggregation guest using RISC Zero Steel
- End-to-end tests showing report agreement (or within acceptable bounds) for all recent oracle submissions on mainnet
- Demonstrate that a zkp can be generated by a prover within 30 minutes of the inputs being received for a validator set of around 2 million and costing no more than $50.
- Internal code review
- Commission audit from a third party. Costs for audit not included as part of this grant and may be funded under a separate grant. However, we understand from a vendor that it would likely take around a week to complete.
- This Milestone is largely dependent on work from Lido contributors and an audit provider. Assuming a supplemental audit grant application is approved before the end of the first week in February, subject to final confirmation of bandwidth availability by an audit company, this could likely be complete by end March 2025.
Milestone 4 - Deployment:
- Deploy final versions of Oracle verifier contract on Ethereum
- Package oracle operator program as a Docker image for simple deployment
- Provide detailed documentation for oracle operator for running and funding the oracle in a production environment
Acceptance Criteria:
- Validator set size suitable for Mainnet (around 2M validators at the moment).
- Latency requirements: 2 hours maximum for the report generation.
- Single proof generation ballpark: not exceeding $50 per-report on average.
- All software developed for this grant will be open-sourced under a free and permissive license, currently planned as Apache 2.
- For the avoidance of doubt, the deliverable should work with the Pectra upgrade of Ethereum Mainnet in a timely fashion.
Other notes:
Boundless is a key initiative of the RISC Zero development team: the RISC Zero tech will underlie a prover marketplace launching this year, stewarded by a Foundation and independent funding that would make it sustainable on a stand-alone basis for years to come. Supply in the marketplace will come from a range of providers, independent of RISC Zero. If for any reason there was ongoing interruption to the Boundless marketplace, proofs from this solution could be generated by Lido contributors locally, or via a third party vendor with commodity hardware or cloud services (e.g., AWS), or by one of the several well funded proof generation vendors or marketplaces currently launching to support this fast growing space.
Funding
The RISC Zero team is requesting $50k as a partially retroactive grant, which could be paid as $25k upfront, and $25k upon completion of Milestone 4. This is to help cover the work done to-date as well as to complete the remaining milestones listed above.
This amount does not cover the costs for an external audit which will fall under a separate grant, nor does it include the cost of ongoing operations, maintenance and support.