Proposal: Onboard Drop to the Lido Alliance

Proposal

  • This document outlines the rationale for onboarding Drop, a cross-chain liquid staking protocol for the Interchain, to the Lido Alliance.
  • It follows the Lido Alliance framework and is for consideration by Lido DAO token holders.
  • The interim Lido Alliance Workgroup will review the proposal.
  • Following the recommendation of the team or committee, the approval of Drop as a Lido Alliance partner will be voted on by Lido DAO token holders through Snapshot.

Summary

  • How will Drop help the Lido Alliance achieve its mission?
    • Sponsoring the decentralization of Ethereum ecosystem dependencies such as bridges and data-availability layers, sponsoring innovation/experimentation that benefits Lido and Ethereum
    • Supporting distribution and use cases for wstETH in the Interchain, restaking opportunities, native ETH staking with Lido through Drop
    • Opportunity to apply to Drop’s validator onboarding
  • What is Drop’s Security Culture?
    • Open-source, open-license software development, encapsulating complexity, rigorous unit and e2e testing, auditing, formal verification, real-time 24/7 monitoring and alerting.
  • What does Drop expect from the Lido Alliance?
    • Endorsement, integration and communication support, liquidity bootstrapping, network, strategic advisory
  • How much alignment collateral will be locked in the Foundation?
    • 10% of Drop’s token supply

Background

The Interchain is a rapidly growing network of blockchains connected via a common, secure interoperability standard called the Inter Blockchain Communication protocol (IBC). In recent years, the Interchain has experienced tremendous growth in user experience, developer functionality, and market cap.

Throughout this time, the Interchain has maintained a close connection with Ethereum through both its cultural values (decentralization and credible neutrality) and its technology stack. Notably, the Interchain stack has inspired the Ethereum development community to work on single-slot finality, protocol-enforced proposer commitments, application-specific rollups, Ethereum IBC, liquid staking modules, and more.

To address the challenges of building Interchain DeFi applications, a team spun out of P2P to form Hadron Labs and helped launch Neutron, a secure, feature-rich smart contract platform capable of hosting Integrated Applications like Drop.

Taking Neutron to market, Hadron Labs, in collaboration with Lido contributors, spearheaded the introduction of wstETH into the Interchain while prioritizing security and safeguarding the DAO against vendor lock-in. As part of this initiative, Hadron Labs and Axelar collaborated to deploy the initial bridge solution and incentivize the adoption of the canonical wstETH standard.

Drop is the spiritual successor of the Lido for the Interchain vision. Its software was initially developed by Hadron Labs engineers, and an independent Drop Foundation was incorporated to support the protocol’s long-term growth and development.

Protocol Overview

Drop is a cross-chain liquid staking protocol implemented as an Integrated Application on the Neutron network. Its CosmWasm smart-contract architecture leverages the Inter-Blockchain Communication (IBC) protocol and Neutron’s Interchain Transaction (ICTX) and Interchain Queries (ICQ) capabilities to read the state of other blockchains and adjust delegations made by the protocol’s remotely controlled accounts.

This architecture enables Drop to provide trust-minimized liquid staking services and scale with minimal additional overhead and risk: provided they are compatible with the IBC protocol, new networks and assets can be onboarded to the solution in a single transaction. The smart-contract components can be reused to provide new products and services (such as alternative LST models - rebasing, auto-compounding, bLuna-esque, etc.) with minimal or no additional code or attack surface.

Since on-chain performance metrics such as uptime and governance participation can be retrieved in a trust-minimized manner through ICQs, Drop’s validator set management baseline can be automated:

This frees up resources that can be invested in the active curation of excellent validator sets for the supported network. To further the decentralization of stake and infrastructure, the Drop DAO may incorporate off-chain considerations such as geography, infrastructure, and signing setups into its curation policy.

Future iterations of Drop Protocol will likely implement Scaling Delegations, distributing stake across validators dynamically to maximize stake/infrastructure distribution, and to minimize slashing risks if an operator’s performance degrades.

As an Integrated Application, Drop is synchronously composable with an array of DeFi primitives, including Duality (Neutron’s in-protocol orderbook), Astroport (Curve v2 style AMM), Mars (credit protocol enabling lending/borrowing, margin trading, and perps), Levana (perps), Apollo (vault strategies), Fission (yield splitting), Amulet (self-repaying loans), and more. This ecosystem forms a strong, coordinated set of use cases for Drop’s LSTs and their initial distribution, and provides a streamlined, synchronous UX for more advanced use cases such as delta-neutral or leveraged staking/farming.

Drop is being integrated into key infrastructure and distribution channels such as the Skip API (the most widely used cross-chain router in the Interchain), Nexus (the leading bridge for TIA to Celestia rollups), and more to facilitate 1-click access to Drop’s LSTs from any network or application in the Interchain.

How will Drop help the Lido Alliance achieve its mission?

Ethereum alignment / decentralized validation

Firstly, through its validator set management, Drop could contribute to the decentralization of data-availability layers (e.g. Celestia) and bridges (e.g. Axelar) that Ethereum rollups and wstETH rely on.

As a more nimble DAO, Drop is likely to be the first to implement technologies that could prove valuable to Lido on Ethereum, such as scaling delegations, generating strategic insight and data on their effectiveness and trade-offs, and helping design and prioritize improvements to the core protocol.

More broadly, Drop will contribute to the success of the Interchain, which has consistently generated research, innovation, and technologies that benefit Ethereum and its ecosystem, such as single-slot finality, protocol-enforced proposer commitments, application-specific rollups, Ethereum IBC, etc.

Use cases for stETH adoption

Drop already allocates significant resources to helping design and build distribution and use cases for LSTs in the Interchain. Onboarding Drop to the Lido Alliance would empower Drop to actively drive the distribution and integration of wstETH alongside dAssets, and reduce the operational overhead and focus cost on Lido DAO contributors.

Drop will contribute to the security, resilience, and user experience of the bridges upon which wstETH and dAssets depend. Thanks to its strategic proximity with the Cosmos Hub’s security aggregation, Mesh Security, and other key projects, it is also well positioned to sponsor the adoption of wstETH as restaking collateral in the Interchain.

As a member of the Lido Alliance, Drop would be an ideal partner to explore restaking opportunities for wstETH. Drop’s architecture minimizes systemic risk to Lido on Ethereum, and incentive alignment between Lido and Drop would prevent the incentive to vampire attack that other providers may be tempted with.

Eventually, the Lido DAO could use Drop’s protocol architecture as a local outpost for Lido on Ethereum, enabling ETH to be staked with Lido on Ethereum remotely and conveniently.

Opportunities for node operators

While inclusion in Lido on Ethereum’s set does not guarantee node operators will be onboarded to Drop’s validator sets, excellent operators that are active in both ecosystems may apply and be onboarded to Drop’s validator sets in the Interchain, driving adoption and strengthening alignment between Lido and its ecosystem.

What is Drop’s Security Culture?

Drop’s codebase is open-source and open-licensed. As a cross-chain protocol, Drop’s architecture minimizes the complexity of asynchronous interactions by following the principle of encapsulated complexity:

Most protocol functions are broken down into minimal components, which can interface with one another according to strictly defined interfaces. This makes the protocol and its components formally verifiable and helps create a library of secure, battle-tested contracts. This prevents the creation of large, complex, monolithic contracts, which are harder to audit and reason about, and minimizes the risk of human error. It also enables basic components to be securely reused in different combinations to provide new products while minimizing code changes.

Drop’s codebase has been, and will continue to be, thoroughly tested throughout its development cycle. Drop employs both unit tests and comprehensive E2E tests using cosmopark. The framework’s purpose is to set up the most realistic testing environment possible by spinning up multiple networks, each with its own nodes and the same software versions as their mainnet counterparts, along with IBC channels and relayers, before conducting a battery of tests on the protocol.

Drop recently completed its first audit with Oak Security, a leading CosmWasm auditing firm. The final audit report will be attached to this proposal upon release from Oak Security. A second audit is being scheduled with OtterSec ahead of launch.

Starting on the 27th of May, Drop will also undergo formal verification by Informal Systems using Quint. This process aims to increase confidence in Drop’s design by ensuring that the system’s behavior—defined within a formal model—satisfies specific properties, which are also delineated in the formal model.

An early version of Drop is currently deployed on pion-1, Neutron’s persistent testnet. The protocol’s instance is being updated to match changes made as part of the Oak Security audit. Once Drop is deployed on mainnet, any further code or protocol parameter changes will be required to undergo comprehensive tests using Rehearsal, a mainnet forking and testing tool that ensures tests are conducted within the context of the network’s existing state. Drop’s development team has an established set of practices for any on-chain operations: detailed launch policies are created with the set of actions to be performed, checklists, and emergency scenarios.

Drop contributors are also setting up comprehensive monitoring and alerting for balance states, code versions, processing of the protocol’s buffers, validator performance, IBC channel statuses, and more. Lastly, granular kill switches have been implemented into the protocol, and an emergency playbook is being developed for the DAO. These kill switches enable the pausing of specific protocol functions to properly respond to any incident without unnecessarily hindering the user experience or third-party integrations.

A bug bounty program with Immunefi will be set up shortly after mainnet deployment.

As an Integrated Application on Neutron, Drop inherits the full economic security of more than $2bn ATOM restaked on the Cosmos Hub through Replicated Security.

What does Drop expect from the Lido Alliance?

  • Endorsement - the DAO endorses Drop, and Drop becomes the first member of the Lido Alliance
  • Integration and communication support - to the extent possible and where appropriate, integrate Drop with community distribution channels, such as websites, etc, and support large Drop announcements
  • Liquidity bootstrapping - coordinate activities and research with LOL to support Drop/wstETH liquidity on Interchain
  • Network - Lido DAO contributors support the adoption of Drop through their network of partners
  • Consultation - Drop anticipates benefiting from the Lido contributor groups’ extensive expertise in different aspects of the ecosystem and technology

All other core responsibilities will be handled by the Drop team.

How much alignment collateral will be locked in the Alliance legal vehicle?

100,000,000 DROP tokens (10% of the total supply) will be sent to a Lido Alliance legal entity after TGE, with a 12-month lock followed by 24-month linear vesting with no cliff.


May 2024

Author: @d_argunov, with thanks to @kai, @adcv and @spaydh for their thoughts and comments

Edit:

Modified the collateral lock requirement based on the community feedback

18 Likes

How do you see alignment from tokens that must be held in perpetuity?

In my view, Lido DAO would be incentivized in the success of Drop only when profits can actually be realized. A selling ban shouldn’t be in Drop’s own interest either, because that’s the same as holding no tokens at all.

edit: Didn’t know this term apparently comes from the Alliance itself. I disagree with it in that case.

4 Likes

Thanks @Hasu - this comment makes a lot of sense.

We replaced the collateral lock requirement with the standard vesting terms for the token to make sure the incentives are better aligned.

2 Likes

It is recommended that project parties lock up 100 million LDO tokens. This is more convincing.

Thanks @ross001 - would you please elaborate on how you envision this mechanism working? I honestly did not get it from the description.

I think you guys are too early stage for Lido’s commitment. You’ve made a clunky post to say a few things Drop may collaborate on. You should list them objectively in a bullet list, just like you did for your expectations with Lido.

1 Like

Drop - Alliance Workgroup (temporary) Review

Key Terms

Ethereum-alignment and commitment to decentralize validation

Drop’s Ethereum alignment is incidental and second-order to some extent. There is no explicit threat to Ethereum decentralization by supporting a project building liquid staking on Neutron, but there is no immediate driver of it either.

That being said, Cosmos has long been a harbinger of technical solutions and research that have percolated into Ethereum. Drop is in a good position to provide a first-look at experiments in validator set curation, for instance.

Finally, many services that Ethereum users and decentralized applications rely on, such as Axelar, are built on IBC. To the extent that Drop is able to decentralize the validator set for these services, it will also contribute to decentralizing Ethereum’s broader ecosystem of supporting services.

Use-cases for stETH adoption and integration

Use-cases are mostly related to using wstETH on new domains with domain-specific applications, or combining with Drop to execute more complex strategies.

The most important use-case for stETH users is the ability to use wstETH collateral on new domains, such as Neutron. Pairing with another liquid staking token is a no-brainer in terms of collateral efficiency on these venues. LP and yield farming opportunities with wstETH on Neutron will open up new use-cases for stETH holders beyond Ethereum.

Opportunities for node operators

Lido operators that are active in the IBC ecosystem may apply to Drop and be onboarded to its validator set, creating strong alignment between both protocols to the extent that they grow in tandem.

Security Review

Please see “Security Culture” section here for further detail

What are the processes for putting code into production?

What is the release flow from the security perspective?

  • First, all code is peer reviewed by other core team developers
  • Then it’s thoroughly tested (see proposal security section): unit, end-to-end, mainnet forks testing
  • Then it’s audited by a reputable auditor, and bugfixes are implemented
  • Then it’s tested again, and the deployment is rehearsed on a mainnet fork where the integrity of the protocol with the new code is verified
  • Then it’s either deployed (early on) or submitted to a DAO vote (once the Drop DAO is available)

How does the team decide the code is ready for mainnet?

  • Code is covered with tests
  • Code successfully passed an audit and all the fixes were implemented
  • Code successfully worked on testnet for a reasonable time
  • Advanced monitoring is implemented that checks both liveness and security invariants of the protocol
  • Protocol has functionality that allows security incidents to be mitigated (i.e. pauses)
  • The deployment plan is detailed and covered with potential “what can go wrong” scenarios and action plans on what to do in every case

Does the protocol have public audits? What parties conducted the audits?

Drop protocol has been audited by Oak Security; the final audit report has been scheduled for publication on the week of Jun 2.

Second and third audits/formal verification by Otter Sec and Informal Systems are starting by the end of June, and scheduled to be completed by the time of the main net launch in early July.

Drop commits to proceeding with the main net launch only after a successful testnet launch, and completed / published smart contract audit report.

What’s the issue summary (total issues / total fixed / crits and highs / crits and highs fixed)?

54/39 fixed

5 critical / 5 fixed

14 major / 10 fixed

How is the deployment verified against the audit?

The audit report contains the commit hash of the code version that was audited. One can build the contracts and verify whether the deployed version corresponds to the one that was audited. (There is no better way to do it in Cosmos at the moment.)

Drop team will provide documentation for this verification procedure once the audit report is published.

What are the processes for managing security through TVL growth?

Is there a bug bounty? if yes — which and where

Not currently, but we are planning to set one up with ImmuneFi for ~1M max payout.

Are there limits / thresholds on the project / TVL? Who controls those?

Technically, there are limits on how many assets can be under the protocol’s management, and they’re controlled by the protocol administrator, which is initially an ecosystem 5/7 multisig and eventually the Drop DAO.

Are there any user funds on a multisig?

No, all the user funds are handled by smart contracts or interchain accounts owned by smart contracts.

Is the code upgradable? How and who controls upgradability?

The code will be upgradeable, and will be controlled by an ecosystem 5/7 multisig until the Drop token and DAO launch later this year, at which point the DAO will be the only controller for contract upgrades. A committee appointed by the DAO will likely retain the ability to pause specific contracts to respond rapidly to potential vulnerabilities without unnecessarily stopping unaffected protocol functions.

What is the likelihood that the project will endure?

Is the project incorporated? What does the legal structure look like?

Drop is incorporated as a combination of:

  • The Drop Foundation, a Cayman ownerless non-profit mandated to sponsor the growth and secure development of the protocol
  • Hadron Labs, a software development company contracted by the Drop Foundation for the development of Drop’s software

What’s the funding situation?

The Drop Foundation is in the process of closing an initial round of funding with CoinFund as a committed round lead, raising $4m at $40m valuation. The round was >3x oversubscribed so extra interest is being rolled over into a follow up round at a higher valuation.

What is the team size?

5 full time engineers including a CTO

1 full time CEO

1 full time Head of BD

Plus support from: Front-end, QA, DevOps, HR, Legal, Accounting/Finance, Marketing, and other functions at Hadron Labs

Additional engineers, devops, front-end, master of validators roles are being opened for Drop.

Is the code open source? What’s the license?

The code is open-sourced with an Apache 2 license: GitHub - hadronlabs-org/drop-contracts: Drop is an integrated cross-chain liquid staking protocol

Executive Summary

| Dimension | Conclusion |
| --- | --- |
| Security Evaluation | Good practice during testnet launch and multiple audits under the belt, with more on the way. Not the first protocol |
| Ethereum Decentralization | Second-order benefits |
| stETH Adoption | Use-cases on new domains, new pairings with efficient collateral |
| Benefits to Node Operators | Some synergies for existing node operators |

Recommendation: Accept

The temporary Alliance Workgroup recommends accepting Drop and endorsing it for the Lido Alliance.

3 Likes
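
The check described under “How is the deployment verified against the audit?” in the review above, as an added example that is not Drop’s own tooling or documentation: hash each locally built contract and compare it with the checksum the chain reports for the stored code. Assumptions: the build at the audited commit is reproducible, the chain reports a stored code’s checksum as the SHA-256 of its bytecode in a `data_hash` field (the field name is an assumption), and all contract names, code IDs, bytecode and the commit value below are constructed placeholders.

```python
import hashlib

WASM_MAGIC = b"\x00asm"  # every WebAssembly module starts with these bytes


def wasm_checksum(wasm: bytes) -> str:
    """SHA-256 of the raw bytecode, the value compared against the chain."""
    if not wasm.startswith(WASM_MAGIC):
        raise ValueError("not a WebAssembly module")
    return hashlib.sha256(wasm).hexdigest()


def verify_deployment(audited_commit, built_commit, artifacts, onchain):
    """Compare a local build with what is stored on chain.

    artifacts: {name: wasm bytes} built locally from `built_commit`
    onchain:   {name: {"code_id": int, "data_hash": hex str}} (assumed shape)
    Returns {name: status} covering every name seen on either side.
    """
    # A matching hash only proves something if the build came from the
    # exact commit named in the audit report.
    if built_commit.strip().lower() != audited_commit.strip().lower():
        raise ValueError("local build is not from the audited commit")

    report = {}
    for name in sorted(set(artifacts) | set(onchain)):
        if name not in artifacts:
            # Code is live on chain but was not produced by the audited tree.
            report[name] = "NOT_IN_AUDITED_BUILD"
        elif name not in onchain:
            report[name] = "NOT_DEPLOYED"
        else:
            local = wasm_checksum(artifacts[name])
            remote = onchain[name]["data_hash"].strip().lower()  # hex case varies
            report[name] = "MATCH" if local == remote else "MISMATCH"
    return report


# --- Constructed sample data (placeholders, not real Drop artifacts) ---
AUDITED_COMMIT = "0" * 40  # placeholder for the commit in the audit report
ARTIFACTS = {
    "core.wasm": WASM_MAGIC + b"\x01\x00\x00\x00constructed core bytecode",
    "token.wasm": WASM_MAGIC + b"\x01\x00\x00\x00constructed token bytecode",
    "withdrawal.wasm": WASM_MAGIC + b"\x01\x00\x00\x00constructed withdrawal",
}
ONCHAIN = {
    # Same bytes as the local build, reported in upper-case hex.
    "core.wasm": {"code_id": 1,
                  "data_hash": wasm_checksum(ARTIFACTS["core.wasm"]).upper()},
    # Different bytes were uploaded under this name.
    "token.wasm": {"code_id": 2,
                   "data_hash": hashlib.sha256(b"other build").hexdigest()},
    # Deployed code with no counterpart in the audited build.
    "hook.wasm": {"code_id": 3, "data_hash": "ab" * 32},
}


def run_sample():
    return verify_deployment(AUDITED_COMMIT, AUDITED_COMMIT, ARTIFACTS, ONCHAIN)


if __name__ == "__main__":
    for contract, status in run_sample().items():
        print(f"{contract:18} {status}")
```

Anything other than `MATCH` for a deployed contract means the on-chain code cannot be tied to the audited commit and needs an explanation before the audit is relied on.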

Snapshot vote started

We’re starting the Lido Alliance application: Drop Snapshot, active till Thu, 06 Jun 2024 15:00:00 GMT. Please don’t forget to cast your vote!

2 Likes

Snapshot vote ended

The Lido Alliance application: Drop Snapshot has reached a quorum and completed!
The results are:
Onboard Drop to Lido Alliance: 56.5M LDO
No action: 639 LDO