Redirecting incoming revenue stream from insurance fund to DAO treasury

Background

The Ethereum Beacon Chain was launched on 1 December 2020 and signalled a major milestone in the move from Proof of Work (PoW) to Proof of Stake (PoS). Lido was launched just a few weeks later, found market-fit rapidly and grew to become the leading liquid staking provider on Ethereum.

Lido works by connecting stakers (of any amount of ETH) with a network of independent professional Node Operators that run validators on their behalf. This design socializes both staking rewards from securing the Beacon Chain, as well as any slashing or inactivity penalties that may arise, across the entire pool of Lido stakers.

On Slashing

Slashing is a mechanism designed to detect activity that may be potentially harmful to the network and suppress any further activity from that validator. An example of a slashable offense includes validator keys being run on two machines concurrently. Slashing can also occur if a node operator proposes or attests to two conflicting blocks in the same slot.

The effect of slashing is significant and leads to the validator losing some portion of its staked ETH over a period of time and eventually being ejected from the Beacon Chain network. It is not possible to appeal against a slashing incident or avoid this outcome for the validator in question.

Insurance

Lido initially took out cover against slashing penalties via Unslashed Finance. The premium for this was modelled to account for ~25% of the DAO’s annual revenue. A detailed study was conducted by the analytics team which modelled a number of scenarios, which you can read here:

The Lido DAO decided (in a vote that concluded on 20 July 2021) to explore ‘self-insurance’ options, rather than spend such a large amount of income on this premium. Current protocol fees are 10% of staking rewards, with half of that (5%) going to Node Operators and the other half (5%) going to the Treasury (marked as usable for insurance purposes). At the time of writing the DAO holds 4,565 stETH in this fund. An equivalent of 920.08 wstETH will also be added to the insurance fund that was used to cover the latest RCC and operating expenses (OpEx).

Switching from Insurance to DAO Treasury

It is proposed that the DAO cap this slashing insurance fund and formally redirect revenues to the DAO treasury to build reserves and meet ongoing capital and operating expenses as it continues to build. A snapshot signalling vote to confirm this direction will begin later today, with an on-chain Aragon vote to formalise the change to protocol fee distribution pending that initial vote outcome.

If approved, the precise amount of stETH in the fund will be determined at the time of switching the fee flow. At current run rate, it can be estimated at >5500 stETH and an updated analysis of slashing incident costs and probabilities is being prepared. The insurance fund will change over time with daily rebasing of staking rewards and will be eventually moved to a separate address (fully controlled by the DAO) that is clearly labelled for ease of reference.

In the event of a widespread Slashing incident

This change means that if penalties from a widespread slashing incident (which remains possible, but remote given the quality of the Lido validator set and its proven track record) were to exceed the amount of the insurance fund, any excess loss would be socialized across Lido stakers (holders of stETH).

We welcome feedback on this proposal from the community below and encourage all stakeholders to vote accordingly.

You can find the relevant Snapshot vote here once live: Snapshot

6 Likes
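The slashable conditions described under "On Slashing" in the opening post, as an added example that is not part of the original thread or of Lido's code: a minimal signing guard that refuses a second, different proposal for a slot and refuses double or surround votes (the surround case goes beyond what the post lists but is part of the same consensus rule). The class and function names, slots, epochs and signing roots are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Attestation:
    source_epoch: int
    target_epoch: int
    signing_root: str  # constructed placeholder for the hash of the signed data

def is_slashable_pair(a: Attestation, b: Attestation) -> bool:
    """Double vote (same target, different data) or surround vote, either order."""
    double_vote = a.target_epoch == b.target_epoch and a.signing_root != b.signing_root
    a_surrounds_b = a.source_epoch < b.source_epoch and b.target_epoch < a.target_epoch
    b_surrounds_a = b.source_epoch < a.source_epoch and a.target_epoch < b.target_epoch
    return double_vote or a_surrounds_b or b_surrounds_a

@dataclass
class SlashingGuard:
    """Signing history for one validator key, consulted before every signature."""
    blocks: dict = field(default_factory=dict)        # slot -> signing_root
    attestations: list = field(default_factory=list)  # previously signed votes

    def may_sign_block(self, slot: int, signing_root: str) -> bool:
        if self.blocks.get(slot, signing_root) != signing_root:
            return False  # a different proposal was already signed for this slot
        self.blocks[slot] = signing_root
        return True

    def may_sign_attestation(self, att: Attestation) -> bool:
        if any(is_slashable_pair(att, old) for old in self.attestations):
            return False
        if att not in self.attestations:
            self.attestations.append(att)
        return True

def demo() -> dict:
    shared, machine_a, machine_b = SlashingGuard(), SlashingGuard(), SlashingGuard()
    return {
        "first_block": shared.may_sign_block(100, "0xaa"),
        "conflicting_block": shared.may_sign_block(100, "0xbb"),
        "first_vote": shared.may_sign_attestation(Attestation(10, 11, "0x01")),
        "double_vote": shared.may_sign_attestation(Attestation(10, 11, "0x02")),
        "surround_vote": shared.may_sign_attestation(Attestation(9, 12, "0x03")),
        "next_vote": shared.may_sign_attestation(Attestation(11, 12, "0x04")),
        # Same key on two machines with separate histories: both approve, which
        # is the concurrent-key failure the post describes.
        "two_machines": (machine_a.may_sign_block(200, "0xaa"),
                         machine_b.may_sign_block(200, "0xbb")),
    }

if __name__ == "__main__":
    print(demo())
```

The `two_machines` result shows why a guard like this only helps when every signer for a key consults the same history.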

The snapshot is now live and waiting for your votes!

https://snapshot.org/#/lido-snapshot.eth/proposal/0xb99f87eb8e168b8ad28a70fabbe94fe5e0d9023b04c112331df0880480f96a63

2 Likes

Is it possible to get an update on the potential slashing risk? At the time of the original model, the draconian scenario modeled a 3.1k stETH loss. Given the significant growth since then, how accurate is this still today?

In general, I am a fan of redirecting income to DAO treasury at some point. But I would like some assurance as to the appropriateness of the size of the insurance fund. I downloaded the py model above and will toy with it.

2 Likes

We’ve started updating the model and will post here the outcomes within 2 weeks.

2 Likes

This is not in line with the process and should be discussed fully (typically over a 7-day period) before voting begins.

2 Likes

Assuming your model construction is adequate, I updated the treasury inputs for deposits and daily treasury earnings which are much higher today. In the expected base case you outlined, I calc the impact to 5 year earnings as roughly 5% on a going forward basis. In my mind that is an adequate risk to self insurance if we have confidence in this being a once in 5 year type of event.

However, I think it's worth calling out the probability of tail risk events, especially because we have reached your model's future state already with the top operators with 9.9 and 10k and Lido market share of 32% with obvious potential to continue growing until the merge.

Of note, I do not believe your model addresses the probability of slashing from a technical issue or bug. Realistically this might be impossible to truly quantify. However, your model makes it clear that such a tail risk event is catastrophic if anything more than a single big operator being slashed 30% occurs. Even the most likely scenario of 1 operator, 30% slashed wipes out nearly 65% of the treasury’s stETH.

Of equal importance is the approach of assessing risk by 5 year treasury revenue. I am not sure this approach is logical given the fast paced environment. Running it by 1 year, we see the risk is much more severe with the treasury spending annually 5x > revenue, accounting for emissions.

Couple of actionable items:

  1. Have we seriously searched for alternative insurance options? Competitors like Block Daemon offer 100% coverage to their stakers and I am sure they are not doing it out of the kindness of their heart. It obviously makes economical sense too…
  1. Could we reopen the tranche conversation with one or more tranches accepting these tail risks and others not.

  2. Could we offer a 3rd party insurance tranche where the fees are deducted from staker revenue instead of the DAO treasury?

Overall, it seems like this risk has not been adequately explored or mitigated… which is a risk unknowingly accepted by stakers.

1 Like

Dears,

I’m working as an Atomica integration team lead. Atomica is a Protofire subsidiary company. Our team is developing an automated risk market protocol and DeFi insurance as a service platform.

We are afraid LIDO can’t cover all risks with their own balance sheets. The tail risk shortfall event may kill one or two years of the DAO revenue.

Hopefully in the next few months we can offer you Safety Module as a service. By using LIDO Safety Module users can stake underwriting collateral and contribute to the LIDO protocol safety.

Also we are planning to launch:

  • Eth/stEth peg parametric protection;
  • Slashing Protection for stakers, node operators and validators.

Our risk platform uses underwriting funds more efficiently. We can provide a lower rate for the Slashing Protection.

May I ask you which percentage of the annual revenue will be acceptable for the Slashing Protection?

As we calculated at the current 4% Eth 2.0 staking rates and 0.5% cover rate, Slashing Protection cover cost can be compensated after 1.5 months. At the 0.5% cover rate, Slashing Protection can cost you about 12.5% of the annual revenue.

Also we can cover not only Eth 2.0 Slashing risk, but also all the other Slashing risks such as Solana, Polkadot, Cosmos, etc.

Please check the sample Eth 2.0 Slashing Protection calculator

LIDO DAO can create their own risk markets and earn additional fees from running risk markets and paid insurance premiums.

If you would like to see more details about Slashing Protection, we can prepare a technical proposal.

Best regards,
Jaroslav Alekseev
Atomica integration team

1 Like

The Snapshot passed! Thank you for your votes!
Results:
Yes, redirect - 61M LDO - 99.99%
No, do not redirect - 7.8K LDO - 0.01%

Today, around 2 PM UTC, we plan to start the Aragon vote on switching the flow of fee from the insurance fund to the treasury fund. Get your keys ready!

1 Like

Would need to do a deeper dive, but from the looks of it the cover is provided for 7% penalty of the sum max — am I reading this correctly? Any short doc on cover terms would be awesome

1 Like

Aragon vote to redirect Insurance fund fees to the DAO treasury is now live.
Please note that the main voting phase will last 48 hours and end on
Thursday, July 14 at 2 PM UTC.
Until then, you can vote both for and against the proposal.
After that the Objection phase will start and will last 24 hours.

https://vote.lido.fi/vote/134

Please, cast your votes!

3 Likes

Hi Kadmil,
Thank you for your reply.

1-7% was chosen as an example. I tried to show how slashing risk can affect the LIDO revenue. Our team can create any policy covering the range you need. We are more flexible vs legacy DeFi protocols such as Nexus or Unslashed.

I’m working on the Slashing policy wording template, but we can use LIDO DAO Slashing policy wording templates as well. It’s still an early draft version

It’s better to know your requirements. Who is the best person in LIDO to talk about the risks?

We have our own fund to cover mild slashing events such as 1-7% slashing of a single node operator. While it would be detrimental to our balance sheet, it's not a risk to the operation going forward. The community has previously expressed interest / voted to self insure this risk.

The real risk worth discussing is extreme tail events such as 1-2 nodes being 30-100% slashed. What coverage is available for these types of events?

The real risk worth discussing is extreme tail events such as 1-2 nodes being 30-100% slashed. What coverage is available for these types of events?

Apart from understanding if coverage is available the most important question is whether that coverage is practical (i.e. from a protocol sustainability perspective) and realizable (from a “if this event were to actually happen, how would this actually get covered?” perspective).

I think we should critically question whether such scenarios (and especially the more catastrophic ones) are practically coverable or not, regardless of whether an organization (a competitor or a 3rd party insurer) offers a promise that it is. We also need to consider that Lido is an on-chain protocol and coverage via 3rd parties which likely hinges on the continued operation and solvency of 3rd party is not a guarantee. Note that in certain cases of catastrophic scenarios (e.g. client bugs), the issue would be widespread across the Ethereum staking ecosystem and non-Lido specific, which means that these coverage providers would all be getting claims at the same time, drastically reducing the likelihood of actually being able to meet the required obligations (or at the very least the timeliness of claim payouts).

Additionally, I think it’s reasonable to consider reframing this discussion and understand that Lido stAssets are financial primitives that basically create optionality for users (e.g. one of the points is that stETH should be substitutive of ETH). Does it really fall on the protocol itself to identify and execute coverage solutions for users, or perhaps it should embrace the nature of DeFi and instead work to provide users with information, education, and options (via integrations)?

There are already ways for users to reduce their risk exposure to stETH (e.g. through using tranching products such as IDLE Finance’s Junior and Senior Tranches, or purchasing cover via Nexus Mutual).

I think it makes sense to consider an approach like this:

  • Make it clearer to users in what cases / up to what amount the DAO basically can and would self-cover losses (this can and should extend to Lido understanding whether its constituent Node Operators have insurance over the services that they provide to Lido or not);
  • Improve the showcasing of DeFi integrations on the Lido frontend, especially with regards to risk-management or insurance options, and make them more easily accessible to users who want to utilize them.

2 Likes

I agree completely on improving transparency on the Lido frontend. I think that would add tremendous value in both articulating the risks and offering convenient solutions such as Idle and Nexus.

More importantly, I think explicitly stating what the DAO will cover in such an event is vital. Articulating this point could change the economics / affordability of cover if Idle / Nexus had some assurances.

From the practical standpoint of protection in a tail event, I agree it's a complex issue. Widespread events would certainly compromise the insurance providers. I believe there are still risks of isolated slashing events that could be insured. Did not one happen early on that was an implementation issue from a NO? However, is it even economical to insure, I am not sure?

Ultimately, your suggestions are the simplest to implement and best align with the culture of DeFi. I think we should reframe this conversation on how to implement your suggestions and work to explicitly define the DAO’s responsibility.

4 Likes

No slashing has ever occurred on Lido validators on Ethereum mainnet. We had a sustained downtime/operator by Operator that they reimbursed stETH holders for (see here). Generally, insurance does not cover events like this (unless you get specific insurance for this via some sort of “operational guarantee” or SLA with restitution clauses, but I’ve never seen it within the scope of “slashing insurance”).

1 Like

Just added 2 cents.

The operating margins for Lido are relatively thin unless asset APRs jump and sustain for the long period. This is most likely the case for most protocols in the space.

Those that do offer full coverage are most likely charging an increased fee which would require massive technical lift to implement on our side and as Izzy mentioned goes against the ethos a bit.

I agree that leveraging 3rd party providers to offer this as an à la carte service to Lido stakers would be the ‘simplest.’

2 Likes

Aragon #134 passed and was enacted!

Thank you for your votes!!!

3 Likes

4 546,38 wstETH to be transferred to the Insurance fund after it is moved to a separate address

2 Likes

The updated model can be found here
As we did before, we consider basic 4 scenarios for current and future state of BC:
#Scenario 1: max risk offline (single big operator, 100% validators offline for 7 days)
#Scenario 2: min risk slashings (300 validators slashed)
#Scenario 3: medium risk slashings (single big operator, 30% validators slashed, 100% validators offline for 7 days)
#Scenario 4: max risk slashings (single big operator, 100% validators slashed)
The updated model includes Bellatrix spec that provides harsher penalties.
In the first three scenarios, the impact varies from 177 to 5,132 ETH and they can be covered with the proposed 5500 stETH.
The last scenario (tail one) requires alternative options that in my opinion should be related with proactive risk management like validator diversity management, risk and response planning, etc. rather than insurance.

3 Likes

Thank you for the update!

I agree on your assessment of risk and our inability to cover large tail risk.

@Izzy can we work out a roadmap for updating the front end to state risk parameters and mitigation options? Alternatively, it may fit well in the documentation section and interested stakers will find it.

2 Likes