• Slightly over 30% of all stake in Ethereum is staked using Lido; the share used to grow fast, but now is falling slowly.

Lido share graph1100×782 115 KB

• Multiple Ethereans (most prominent being Superphiz, Vitalik Buterin, Danny Ryan) argue that a single staking protocol should have no more than some share amount of stake (with numbers ranging from 15% to 22% to 33%)
• This is a thread to establish all arguments pro and contra limiting Lido to some amount of stake and kick off the discussion
• The team will summarize the history of the topic.
• I would propose an extended timeline for this governance decision: three or four weeks for the discussions, then 1-week vote. We will need to establish, whether: limiting Lido is desirable; if yes, what should be the limit, what should be the mechanism and the timeline to do that. It doesn’t seem like there’s a need for an urgent decision and a few weeks will give the community ample time to have a say in it.
• I would ask the would-be participants of the discussion to wait a few days until we’ve finished on providing all the necessary context. This is a complex topic and it would benefit from having all the required nuance laid out.

UPDATE: the debate so far has been summarized by @sacha, an I’m editing in the whole thing in the first post for visibility.

Is limiting Lido on Ethereum desirable?

Thanks to Vasiliy Shapovalov, Isidoros Passadis, Justin Drake, Tim Beiko, Ryan Berckmans, James, Joe Clapis, and Darren Langley for reading drafts of this

Ethics disclosure: This work has been funded by a LEGO grant. I do not have any direct or indirect economic interests in Lido. I do not hold any LDO, stETH, or any other staking token or associated governance token. I hold an immaterial amount of ETH.

Motivation

Vasiliy has created a Lido forum post that frames the motivation as follows:

Multiple Ethereans (most prominent being Superphiz, Vitalik Buterin, Danny Ryan) argue that a single staking protocol should have no more than some share amount of stake (with numbers ranging from 15% to 22% to 33%.
…
[In preparation for a governance vote] We will need to establish, whether: limiting Lido is desirable; if yes, what should be the limit, what should be the mechanism and the timeline to do that.

Whether you primarily identify yourself as an Etherean, or a Lido community member, this document is an attempt to help you think through the first question – is limiting Lido desirable?

The challenge here is to provide clear and succinct answers to every question that a reasonable Lidonaut or Etherean might have, regardless of their level of education or knowledge.

If Lido is to flourish as a DAO, every LDO holder needs to be able to understand the question they are voting on, even if they are not familiar with the details of the protocol in question.

Prominent Etherean’s in favour of limiting Lido

Summary of views:

Superphiz

I wonder, who will be the first staking provider to publicly commit to limiting themselves to not operating more than 22% of validators on the chain? Who do you want to see step up to the plate and prioritize beacon chain health above profits?

Vitalik

Speculative controversial take: we should legitimize price gouging by top stake pool providers. Like, if a stake pool controls > 15%, it should be accepted and even expected for the pool to keep increasing its fee rate until it goes back below 15%.

Danny

Lido governance controls the operator whitelist and can thus put requirements on them – e.g. exploit multi-block MEV, profitable re-orgs, or censor certain transactions

Unified profit sharing and governance levers, in the extreme, can induce the set to operate as one.

Summary

Why you might be in favour of limiting Lido

You might be in favour of limiting Lido if you agree with one or more of the following:

• You believe that if Lido’s share is > X%, then the possibility of Lido’s governance being used to coerce operators into acting as one – in order to exploit things like multi-block MEV, execute profitable re-orgs, and/or censor certain transactions – poses an existential threat to Ethereum.
• You have faith that exchanges, and other liquid staking solutions – like Alluvial – will follow suit and agree to limit themselves in the same way as Lido.
• You believe that there’s a good chance even more decentralised pools, like Rocket Pool, will rise to meet the demand forfeited by Lido.
• You’re sceptical that Lido holders will take the necessary steps to curtail their governance power over Ethereum over the coming months and/or that these steps – implementing proposal time locks, introducing veto rights to a quorum of stETH holders, and making parts of the protocol immutable – aren’t enough to ensure Ethereum is adequately protected from a Lido governance attack.
• You believe that if stETH growth continues unchecked in the run-up to the merge, it could pose a systemic risk to Ethereum around the time of the merge (and/or when withdrawals are enabled).
• You don’t believe that a winner-takes-most market is inevitable. You’re of the opinion that, after the merge, competing solutions will have a better chance of gaining more share relative to Lido, but that it’s important to ensure Lido’s dominance doesn’t become unassailable before then.

Why you might be against limiting Lido

You might be against limiting Lido if you agree with one or more of the following:

• You believe there’s a real risk an exchange-led KYC-standard would come to dominate the staking market if Lido were to self-limit, and that this would pose a greater existential threat to Ethereum than Lido governance capture.
• You trust that, during the coming months, Lido holders will take the necessary steps to curtail their potential governance power over Ethereum.
• You don’t trust that exchanges, and liquid staking solutions – like Alluvial – will agree to limit themselves and commit to transparency around their infrastructure and staking flows in the same way that Lido does today.
• You don’t believe that other more decentralised pools, like Rocket Pool, can scale quickly enough to meet the demand that would be forfeited by Lido.
• You believe that singling out a protocol as a detriment to the health of the network goes against Ethereum’s ethos of credible neutrality.
• You share the view that the staking market is a winner-takes-most market, and hence the winner should be as good as we can make it.

FAQ

This FAQ is an attempt to help you think through the above summary from first principles. It doesn’t have to be read completely or in order. It aims to answer every question a reasonable community member might have (while assuming as little background knowledge as possible).

What is Lido’s raison-d’être?

In the core team’s words:

The core reason we started Lido was to prevent a centralized exchange or group of exchanges from winning the staking market.

A key part of Lido’s value proposition is liquid staking. Lido’s stETH is a liquid token representative of staked ETH. When a user stakes their ETH with Lido, they are granted an stETH token. This token rebases once a day to reflect their staking rewards, and is redeemable for ETH once withdrawals on the beacon chain are supported.

Although Lido uses many independent operators, the Lido validator set is currently permissioned such that Lido takes a view as to what a good/healthy validator set backing a staking looks like. This is to prevent stETH holders from getting slashed by node operators with nothing at stake.

The other way to solve this problem is to require validators to post capital up front. This is the approach Rocket Pool takes. The upside here is that anyone can become a validator. The downside is that this approach lacks capital efficiency, which hinders growth.

What % of total ETH staked is staked through Lido?

At time of writing, slightly over 30%. While Lido’s share has more or less doubled over the last two months, it has declined slightly over the last week.

How does Lido improve the health of the Ethereum network today?

There are 6 keys ways in which Lido improves the health of the network:

1. Legally and physically distributed validator set

Although Lido acknowledges it is currently overreliant on Europe and the U.S, it is still harder for governments to exert legal pressure on Lido than on a centralised exchange

2. Opinionated validator set

Lido actively shapes a good validator set. There are currently 20+ independent providers who adhere to high community standards and have less than 2% of the total staked ETH each (the goal is to reduce this further, Lido believes no operator should hold >1%).

3. Better client diversity

The statistics speak for themselves.

4. Non custodial nature

Instead of large amounts of stake sitting in custodial solutions, stakers control their own ETH.

5. Higher economic security

Instead of complexity and opportunity cost keeping many stakers out, stETH has unlocked the ability for far more (non-custodial) capital to secure the Beacon Chain.

6. Permissionless building block

Instead of staking confined to a walled garden, stETH is a fundamental building block for permissionless Defi.

Where can Lido improve?

See Lido’s self-assessment.

1155×623 117 KB

The main issues today have to do with governance and the validator market.

With respect to governance, there is currently no timelock between DAO vote finalization and execution . If governance were to be captured, this could lead to a situation in which bad decisions are made before the community can intervene.

Another problem with governance today is the lack of a robust delegate set : the delegate set is limited and, a a result, a significant amount of voting power is undelegated and dormant.

Smart contract risk is also worth mentioning here. Although multiple audits have been undertaken on all smart contract upgrades, no formal verification or symbolic execution based tests have been carried out . The risk of a contract exploit cannot be ruled out.

What does Lido’s on-chain voting process look like today?

Lido on Ethereum is controlled by LDO token voting via an Aragon DAO. According to BlockScience’s DAO vulnerability report, this includes the Lido treasury, ETH withdrawal keys, node and oracle operator lists, DAO Access Control List (ACL) permissions, the execution of EVM scripts, and more. As such, the voting app is effectively root access to Lido.

At time of writing (May 2022), the permissions on the Lido DAO are set such that:

• Any address with vested or unvested LDO tokens can create a new vote
• For a vote to pass at least 5% of all LDO tokens need to participate in the vote (approval/quorum)
• Of those who vote, 50% need to approve a proposal for it to pass (support/threshold) at the end of the voting window
• The current voting window is 3 days

What can we learn from previous votes?

When looking at previous votes is easy to see that a small number of wallets are making most of the decisions . Most votes are passed with close to the minimum required quorum of 5%.

How well distributed is LDO?

The top 100 wallets control ~95% of LDO tokens . From the Ethereum perspective, this concentration of power represents a core risk to both the protocol and the Ethereum ecosystem.

What’s the worst that could happen vis-a-vis voting?

The most worrying case is one in which an attacker makes a malicious proposal, and procures just enough LDO to swing a vote at the last minute.

The minimum number of tokens required to pass a vote is 5% of the total supply (1 billion) = 50 million LDO tokens.

Since LDO is trading at $1.12 today, the cost to procure enough tokens to pass a vote is on the order of $60M. On the other hand, stETH is close to a $10bn dollar bounty.

Note that there are plans to mitigate this concern in the short term by only allowing for votes against a proposal on the last day of a proposal. In the medium term, Lido is planning on hardening their governance by giving stETH holders and/or the operator set veto powers over proposals (however this is at least a few months away).

Would the risks be different if Lido only used a single operator / infrastructure provider?

Even if Lido has X% of the market, that X% has the underlying work split between a group of several different independent validators / node operators.

Today, at both the key and operator layer, Lido has not tested the 1/3 threshold. However, the aggregate product has tested, and even briefly passed, the 1/3 threshold. Is this the same?

Intuitively, these cases feel different. In Degen Spartan’s words:

i think the distinction must be made between numerous pool operators operating under a unified liquid staking protocol banner

vs

a single pooled staking entity having absolute control over the eth being staked with them, and has the ability to be malicious

lido is the former

On the other hand, Danny Ryan doesn’t believe the distinction is all that important:

I do think that there are larger and more direct risks with a single operator, but a governance layer around a large liquid stake (>1/3, >1/2, >2/3) in the extreme can degrade to coercion of the operators acting as one

Danny’s key concern here seems to be that Lido’s governance layer could lead to its operators acting as one.

While Vasiliy acknowledges that this is a tail risk that needs to be addressed, he believes it is better addressed by directly focusing on curtailing Lido’s governance power rather than market share:

That’s much harder to exploit in practice than in theory, but it must be addressed. I just think it should be addressed by throttling the governance power of Lido (or whatever liquid staking protocol is winning) rather than throttling Lido.

What influence can Lido’s governance have over Ethereum?

The most important concern is probably the validator/operator whitelist. If Lido continues to gain market share, there’s a risk that LDO holders would be able to effectively determine the majority of the Ethereum validator set.

Governance could then shepherd Lido’s operators into working together to exploit multi-block MEV, execute profitable re-orgs, and/or censor certain transactions.

How likely is a LDO governance attack on Ethereum?

If you trust the current validator set, then the main risk Lido poses for Ethereum is through the selection of a bad validator set over time. While this could happen either suddenly or gradually, it is far more likely to occur gradually.

In “The Next Chapter for Lido”, Hasu explains why this is the case:

To understand why a sudden coup in Lido is impossible, one has to understand the constraints imposed by the Beacon Chain. Lido cannot yet unselect an operator after delegating to it. That means that any stake Lido has delegated thus far will not be able to change until withdrawals become available.

As a result, Lido has no significant leverage to coerce operators that are already participating to do something they don’t want to do: they can’t even unstake them. Even when Lido is able to rotate operators, the mechanics of the staking queue mean that it will likely take months to do so.

The second and bigger risk is for Lido to gradually worsen the validator set, especially once forced exits and withdrawals are possible. If this happens, it will likely be the result of governance capture.

Hasu’s analysis breaks down however if you don’t completely trust the current operator set. Once Lido is able to rotate operators, LDO holders could coerce one or several from the current set of operators to do their bidding on pain of being kicked out of the set.

What is Lido doing to mitigate governance risk?

In order to protect against governance capture, Lido plans to rely on three measures of defense:

1. Mechanics that prevent untelegraphed changes to Lido. This will take the form of time-locks and giving veto rights to a quorum of stETH holders (an active area of r&d).
2. The ability for stETH holders to voluntarily unstake and move to a competitor (post merge + withdrawals).
3. The ability for Ethereum core developers to fork Lido as a last resort. From a technical PoV all it takes is to switch a few bits in the governance contract to revoke Lido’s current permissions and transfer them to a community-owned contract. From a social perspective however, it’s far from certain whether the entire community would choose to adopt such a fork.

Is liquid staking on Ethereum necessarily a winner-takes-most market?

Paradigm believes the game theory around liquid staking leads to a winner-takes-most outcome. Lido’s dominance on Ethereum adds weight to this hypothesis so far, but the jury’s still out as to whether this is a fundamental law of PoS.

In particular it’s perfectly possible that after the merge (and withdrawals have been enabled), competing solutions will have a better chance of gaining more share relative to Lido.

What are the factors outside of Lido’s control that have contributed to Lido’s dominance?

While it’s difficult to quantify, if the base protocol issued nonfungible validator specific staking tokens, the barrier to competition would probably be lower.

More importantly however, Lido’s dominance seems to be an unavoidable consequence of making staked ETH non liquid (not withdrawable). Stakers particularly value liquidity and the ability to withdraw during a bear market. As such, the longer it takes for the merge to go live, the more likely Lido’s share of the liquid staking market is to increase.

If there’s one lesson for protocol designers here it’s that protocols should try to ensure that the market can express itself with counter trade options. Without these, you risk the build up of systemic risk.

Why does Lido believe it is a winner-takes-most and not a winner-takes-all market?

The thinking here is that stakers will always hold a diversity of views and values, and will therefore not allow the winning protocol to over-capture.

To quote Vasiliy:

I think this a power law market, not monopolistic (winner takes most, not winner takes all), and the leader position is hard to defend, sort of how stablecoins work.

Does Lido dominance increase the risk of a monopoly on MEV?

This is certainly a risk worth keeping an eye on. Having said that, if liquid staking turns out to be winner-takes-most, and not winner-takes-all, then an extractive MEV monopoly is unlikely.

Block builder centralisation, which applies whether Lido exists or not, is arguably a far more real and pronounced concern from this perspective.

Does limiting Lido run the risk of handing more power to large exchanges?

There is a good to argument to be made that, if it were not for Lido, the majority of the stake would be in the hands of exchanges (Coinbase, Kraken, Binance et al.). And a world in which exchanges – who already have ecosystem power – have private control over chain security, is strictly worse than the situation we’re in today.

The question we need to ask ourselves is whether limiting Lido will lead to a larger share being captured by exchanges as opposed to other more decentralised solutions? In particular it’s not obvious whether the other decentralised pools would be able to meet the extra demand forfeited by Lido.

If a pool like Rocket Pool is able to meet this demand, then, from a dispersion of stake perspective, we would end up with a more decentralised Ethereum.

On the other hand, if RP and other decentralised version cannot scale quickly enough to meet the demand, then the most likely scenario is that exchanges eat it up.

Along these lines, Coinbase has recently announced that it is entering the liquid staking game, through its support for an institutional liquid staking protocol built by Alluvial. In Hasu’s words:

I think, they plan to make the USDC of staking tokens (compliant centralized alternative to stETH)

If we were to normalise placing limits on relatively more decentralised and transparent pools like Lido, at the very least we would probably need an equally credible commitment from the likes of Alluvial and Coinbase. In particular it might make more sense to think about placing limits at the token level rather than at the staking pool level.

What’s Rocket Pool’s perspective on its ability to scale enough to meet the demand that would be forfeited by Lido?

As time of writing, Rocket Pool has space for around 2500 rETH (which is around 3 days worth of new stake for Lido).

After this point, the staking pool is technically saturated and RP needs more node operators to match the collateral. However, an important counter-force here is that the node operator onboarding is growing week-on-week: minipool growth, for example, is around 140% (annualised) over the last two weeks.

For some added context, here is Rocket Pool’s latest bi-weekly update:

• rETH supply has grown 1.56% to 88,107k - annualised growth of 40%
• Minipool count has grown 3.62% to 5,581 - annualised growth of 94%
• Effective RPL staked has grown 2.69% to 4.96mil - annualised growth of 70%
• Node operator count has grown 4.30% to 1,189 - annualised growth of 112%

Nevertheless, the main bottleneck today is that there are more people looking to deposit than to operate nodes – under the current design, operators must put up 16 ETH worth of collateral (not a small sum for a solo staker!).

Rocket Pool is well aware that this high collateral requirement is slowing their growth and believe they have found a way to significantly lower it without significantly increasing the rETH risk.

In parallel, the team is working on ways to support multiple parties coming together in a trust-minimised setup – so that ETH and RPL can be deposited without trusting the node operator with custody.

While neither of these improvements are expected to be ready pre-merge, they could allow RP to seriously increase its scale post-merge + withdrawals (on the order of 10-20x according to General Manager Darren Langley).

Are the risks around non-custodial staking pools like Lido greater than the centralization risk from large exchanges?

It’s hard to say. The risks are different, and it’s really hard to compare them to each other. One key difference regarding exchanges though, is that the risks aren’t hypothetical. The susceptibility of these entities to government pressure has already been demonstrated.

More broadly, if a KYC standard were to dominate the staking market – and become a key DeFi building block – this could become a gatekeeper problem that ends up killing the permissionless soul of Ethereum.

Is a dynamic fee rate preferable to a hard limit?

A dynamic fee rate, as proposed by Vitalik, is probably a better option than a hard cap since remaining permissionless is important, and a dynamic limit would get around the problem of pools cementing themselves with early adopters only.

Having said that, if the limit were placed below Lido’s share, then this would negatively impact current users who have no way to withdraw today.

Is a basket of liquid staking tokens preferable to a dominant token?

Some have suggested that a meta staking token, or a basket of liquid staking tokens token would help reduce the power that any one protocol has.

While this does sound intuitively appealing, it’s at least unclear whether such a token would be a net improvement.

There’s a good chance that such a token would lead to an intermediary with the same power as Lido, but in a stronger position vis-a-vis fee extraction, and without the obligation to do anything useful for the protocol (for example spending time and resources curating a quality validator set or researching and developing distributed validator technology).

Would capital seek alternatives if certain financial risks were better understood?

In Danny’s words:

I’m not suggesting throttling Lido, I’m suggesting users understand the risks of pooling assets beyond 1/3, 1/2, 2/3

If the financial risks were better understood, that capital would seek alternatives

Is this an education problem at it’s root?

While it’s true that many leveraged stakers do not realise that they are taking out a short position on ETH, that their position may be difficult to unwind, and that there are major penalty risks associated with co-ordinated failures of > 1/3 of the total stake, it’s generally true that people tend to overlook long-term, more abstract, risks (e.g. Lido being compromised) in favour of immediate returns. This is probably not something that education can fix at a surface level.

Rather than blaming it on lack of education, it might be better for protocol designers to work under the assumption that users will almost always opt for the simpler option (or better product) when the tail risks feel abstract / hard to grasp.

Why does Lido choose to incentivise stETH liquidity?

Lido believes that financial protocols need stETH to be liquid in order for it to be accepted as quality collateral. Once beacon chain withdrawals are enabled, stETH’s liquidity is ensured by the fact that it’s possible to unstake and withdraw it with a slight delay. Since this is not the case today, incentives are necessary to ensure liquidity.

Why did Lido increase incentives recently?

Some people had overused leveraged staking to the point where as little as a 3% change in discount would have wiped them out.

If these people had been liquidated on their positions they would have had to enter the books as forced sellers, which would have created an incentive for large players to hunt them for profit.

Lido temporarily increased the liquidity incentives on the ETH/stETH pair in order to give these leveraged stakers enough liquidity to deleverage. At the end of the day, it’s LDO holders who have to pay for this.

In Vasiliy’s words:

we’ve been open about price risks forever, loud about these risks for days, and yesterday’s intervention of extra LP incentive allowed many positions to unwind a lot.

The cynical take is that this is the price Lido has to pay to avoid the negative press associated with mass liquidations.

The charitable take is a lot of folks feel they almost got burned badly and are now being more cautious. Looking at the Aave risk monitoring charts it is apparent that the amount of leverage has decreased since the incident (albeit slowly), and the amount of risky leverage present in the system today is low.

While it’s true that the deleveraging of stETH/ETH is a good thing to happen significantly before the merge occurs, it remains to be seen whether a moral hazard has been created.

Has Lido’s referral program contributed to Lido’s dominance?

The short answer is yes. The referral program has been responsible for around 1/4 of the ETH staked through Lido so far.

Lido pays out a lot of money in referrals (to partners such as Ledger and Argent) in order to continue increasing its market share. Previously Lido paid out 15 LDO tokens for every 1 ETH staked; today they pay 0.75% of the deposited ETH in LDO.

A snapshot vote has recently gone live to lower Ethereum Referral rewards from 0.75% to 0.50% starting in the month of June.

To quote frontalpha:

This is a continuation of Lido’s efforts to gradually reduce rewards to a more sustainable level without drastically cutting rewards for partners that rely on the referral program for revenue.

How is the stETH/ETH peg maintained?

Today, liquidity incentives (in the form of LDO emissions) are used to maintain the stETH/ETH peg. These are needed until at least the merge + withdrawals.

Once beacon chain withdrawals are enabled, stETH’s liquidity will be ensured by the fact it’s possible to unstake and withdraw it with a slight delay. This means incentives will no longer be strictly required.

What happens if we have a X% depeg?

Staked positions are backed, but not redeemable until well after the merge. These positions are safe, no matter the size of the depeg, if held until redemption (assuming the merge is a success).

However, leveraged staking positions can get liquidated if the peg temporarily dislocates. You can think of this as the bounty available for temporarily moving the peg.

In short, the main concern is folks recursively borrowing ETH with stETH as collateral and staking that ETH to borrow stETH against it again (and so on). At a certain point, the ETH/stETH peg becomes very sensitive to downside risk (under some reasonable assumptions, a sustained 5% depeg could be enough to cause a series of cascading liquidations).

How could such a depeg happen?

The stETH/ETH pool can be moved with high leverage. For example you could use Lido to stake ETH for stETH, sell stETH for ETH, and repeat until you are out of capital.

Breaking the peg doesn’t look profitable today, but that could change if the leverage staking bounty were to grow relative to total liquidity in the run-up to the merge.

Why is the merge so important for stETH?

In Tarun Chitra’s words:

The premise of stETH yield is that you get:

(a) Beacon Chain yield
(b) LDO yield

While you can realise (b) immediately, (a) only really exists post merge [+ withdrawals]. Until then you can think of it as an IOU.

If people start using more leverage to multiply their expected yield from the merge this has consequences if they get liquidated right around the time withdrawals are enabled.

Post withdrawals, a liquidation cascade has the potential to dramatically reduce the % of the ETH supply staked (the signs to watch out for here are a high Lido market share combined with a high stETH average leverage ratio).

Further Reading

• Lido Forum discussion
• Lido scorecard (self-assessed)
• “Concerning stETH liquidity” by Vasiliy Shapovalov
• “The Next Chapter for Lido” by Core Lido and Hasu
• “The Road to Trustless Ethereum Staking” by Hasu, Georgios, Konstantin, Vasiliy, Isidoros, Arjun, Jordan
• “On Staking Pools” by Georgios Konstantopoulos & Hasu
• “DAO Vulnerabilities: A Map of Lido Governance Risks & Opportunities” by BlockScience

Vitalik had suggested that this could be handled through free structure. Above a certain percentage of total stake (15% was suggested, but up for debate), the pool starts charging a premium for its services. If/when total stake percentage falls below that threshold again, the premium is removed. This could be a sliding scale as well, with the premium increasing as the total stake percentage increases.

This gives users an incentive to choose other pools, and gives the pool earnings as long as users keep choosing it.

Heads up: we’re getting delayed a bit on the write-up. We’re sourcing reviews/comments from the ecosystem to make sure all positions are adequately steelmanned, and it takes time.

I know patience was requested for the discussion, but I’d like to suggest that this is actually a very simple topic and additional context is largely unnecessary.

Any one organization with dominance over the beacon chain introduces serious existential risks to Ethereum.

If Lido wishes to preserve the health and ultimate existence of Ethereum, stETH generation must be limited. Any potential arguments against limitations should focus on refuting this very simple argument.

The update will be posted today - I think the author’s done a very good job of making a summary of the problem.

This is the document in question

As written, it’s focused very much on the first part of Vasiliy’s question: Is limiting Lido on Ethereum desirable?

Inspired by the Swiss referendum booklets, the challenge here is to provide clear and succinct answers to every question that a reasonable Lidonaut or Etherean might have, regardless of their level of education or knowledge. It is my belief that if Lido is to flourish as a DAO, every LDO holder needs to be able to understand the question they are voting on, even if they are not familiar with the details of the protocol in question.

In an attempt to remain as neutral and impartial as possible, in addition to talking directly with both Vasiliy and Izzy, I’ve sought reviews, and integrated feedback from Ethereum researchers and the Rocket Pool team.

Hope you find it useful

Just to flag that Rocket pool isn’t the only ‘alternative’ out there. StakeWise has been rock solid in the liquid staking space for over a year now and has no scaling issues given a similar architecture to Lido. Community owned DAO, leading node operators (including T-Systems/Deutsche Telekom and Finoa as announced last week), they have even helped out Lido and Rocket pool in the past. If there are discussions around the ETH staking ecosystem they need to be a part of it @sacha .

Awesome write-up Vasiliy & Sacha! Very thorough, and thoughtfully presents all the pros and cons - much appreciated.

There is one spot where I’m not fully following, which is that an increased fee would adversely impact current users who have no way to withdraw today.

Every current stETH user can simply sell their stETH on the secondary market.

Here’s the mechanism as I’m envisioning it:

1. Slightly increase stETH fee
2. Users who are not okay with the higher fee will sell stETH (let’s call these exits). New users who are okay with the higher fee are directed to buy the exits’ stETH, and then mint new stETH over and above that.
3. If the adds continue to exceed the exits, inch up the fee again.
4. Continue raising the fee until the adds equal the exits. When that happens, the adds are entirely buying stETH, not minting new stETH, so total ETH staked stops increasing.
5. Keep the total staked flat (at this higher fee) until the market share drops to 15%. Lido holders / DAO treasury benefits from this higher fee.
6. Once below the 15%, lower the fee again to resume growing

The above mechanism shouldn’t upset any existing stETH holder since they can just be one of the exists any time they want, get their ETH equivalent back, and reshuffle it to another staking pool.

The interesting question is regarding the price elasticity of the fee. In other words, would the total fee income going to the treasury end up being lower, on par, or higher vs a lower fee % plus higher market share.

Assuming Lido would otherwise maintain 30% share, dropping it to 15% share would imply that the portion of the fee going to the DAO would need to be double in order to maintain breakeven. My understanding is that out of the current 10% fee, 30% (or 3pts) goes to the Treasury. So for that to double to 6pts, the breakeven fee would need to be 13%. So if it goes above 13%, this is actually more profitable for the DAO treasury vs status quo, and if it doesn’t then it is less profitable.

To me Lido is just like a collective of honest indoor shrimp farmers gathering together to fight against the mega-shrimpfarming conglomerate.
It’s the exact same struggle.

This unecessary battle between aligned collectives is distracting us from our real goal.

I’m against the limits because they favor the big shrimpers

Hi All,

I want to thank the Lido governance community for having this important discussion.

Let me present my view, with supporting arguments, and my suggested course of action.

In short, my view is that Lido may do best (for ethereum) to self limit market share for, say, two years. Vitalik’s suggested method of a Lido system upgrade to automatically increase the end-user fee when market share exceeds the target sounds good to me. With this method, I like that Lido effectively converts its market leader position into excess fees in exchange for promoting the overall health and neutrality of the liquid staking market.

However, it makes sense to me that if Lido self limits, that may help any competitor that’s positioned for unbounded growth to rapidly grow its market share and potentially become the “new Lido”. It sounds like Coinbase and Kraken may be considered to be candidates to benefit the most from a Lido self limit.

Yet, Kraken’s ETH staking program is 5x smaller than Lido today (I don’t have Coinbase numbers handy), so the idea of Kraken or Coinbase growing to become a Lido-sized-share concern would require a 5x gain in market share, which in my view, is effectively impossible as other competitors will grow at the same time and work to balance share.

As well and, imo, more importantly, may we reasonably expect Kraken or Coinbase to rapidy launch a fully fledged staking token? By “fully fledged”, I mean it seems to be insufficient for Kraken or Coinbase to merely launch a liquid staking token, they also may need to engage in the practical work of growing that tokens importance in defi to solidify the Lido-sized-share network effect. This practical work may include encouraging stakers to withdraw their tokens from the CEX and use it in DeFi, and doing the community and partnership work to grow defi integrations for the CEX token, which may have regulatory implications. Crucially, if Lido self limits and Coinbase fills that void by growing to, say, 25% market share, but if Coinbase doesn’t have a token with a mature Lido-sized-share network effect, then the potential credible neutrality threat to eth would be, in my view, an order of magnitude or two less because, as established by Georgios and Hasu’s seminal article on the topic, what may make a Lido-sized share threatening to eth is not that it has 33% share, it’s that it has 33% share in the context of a heavily entrenched, strong defi-side network effect for stETH. If Coinbase has a 25% share but no/a weak token, it seems to be no true problem for eth, as Coinbase’s 25% share would be unsustainable without being fueled and defended by a strong token.

In short, I think that if Lido self limits, the risk of Kraken or Coinbase becoming the “new Lido” may be effectively zero.

imo, an important context item for my view is that a Lido self limit should be explicitly temporary. Say, for two years. There is a popular view that if Ethereum needs altruistic self-limiting to work, then it’s not going to work writ large. I think this view is substantially correct in general, but, imo, Lido’s current monopoly seems to be highly circumstantial in the early lack of “competitive competitors”. So I think there may just be a temporary need for Lido to self limit for two years, during which time Lido would hover around 1/3 stake or even exceed it, depending on the fee targeting tuning parameters, per Vitalik’s method. At the end of the two years, I’d be interested to see Lido consider removing the self limit-- or perhaps the Lido governance community may end up finding that they enjoy earning the extra fee revenue associated with the self limit.

To zoom out for moment, at a high level, there are roughly two kinds of decisions, reversible ones and irreversible ones. If Lido self limits now and asap, it sets the stage to maximize ecosystem health going into the merge, and if a CEX token threatens to catch up and become the “new Lido”, the community may easily revisit the self limit fee target tuning parameters.

I love the idea of the Lido community shipping Vitalik’s method of fee targeting now and asap, before the merge.

For example, Lido could initially target a market share of 30% with a high fee penalty for exceeding that. Then, if a CEX token threatened to take over, that 30% share target could be adjusted to 45% or the fee slope could be lessened to a “medium” fee penalty instead of high.

In short, if Lido doesn’t self limit, there seems to be, afaict, a ~100% chance of Lido becoming even more dominant and attracting 35%, 50%, 85% of stake. But if Lido does self limit now, before the merge, we’ll have successfully reduced that ~100% chance to, say, ~0% given appropriate fee targeting. And if Lido’s self limit creates, say, a 50% chance of a Kraken or Coinbase token taking over, then Ethereum’s credible neutrality will, imo, be in a significantly better position because of the following three items:

1. a 50% chance of a Coinbase token taking over is significantly less than Lido’s ~100% chance of becoming further dominant without a self limit. I think I have worked to demonstrate that Coinbase’s chance of becoming the “new Lido” is much less than Lido’s chance of becoming increasingly hyper-dominant for the reasons above.

2. if Coinbase starts to take over, we have immediately accessible levers to gradually relax or wholly reverse Lido’s self limit.

3. if Coinbase starts to take over, Lido would still have 30% share at this time, and that puts us in a duopoly situation, which, imo, is significantly healthier for ethereum than, without a self limit, the realistic prospect of Lido running 80%+ of staked ETH.

In short, I see (i) a Lido self limit as the only remotely realistic avenue to prevent Lido from soon running a majority/supermajority of stake, (ii) Lido’s self limit as being flexible and reversible, and (iii) the estimated worst-case scenario of a Coinbase token taking over as being extremely unlikely and also, if it happened, more like a relatively healthier duopoly.

I think that if Lido may be able to ship a self limit now and asap, before the merge, using Vitalik’s fee targeting method, would be a huge win for ethereum’s credible neutrality. Personally, I’d strongly welcome such a self limit for a temporary period of two years and would look forward to Lido maintaining a ~30% share for years to come.

Lido should not artificially limit itself.

The rhetoric surrounding this idea continues to come from adversarial stakeholders, individuals who do not understand Lido’s systems, and people who are misinterpreting the genuine concerns of some in the Ethereum community.

Lido certainly has room to improve in:

• It’s internal decentralization to ensure each staking party has sufficient fail safe and stop gap measures they can introduce in light of a bad actor or exploit.

• Measures to fairly prevent system price gouging.

• Processes on the arbitration of (unlikely) system wide voting or dispute resolution among validators.

But, let’s not make the mistake here of thinking that Lido is a centralized staking entity.

Lido arguably isn’t even a staking entity, but instead, a rewards incentive and protocol layer for staking entities to be able to provide staking as a standardized service.

This is why it’s disingenuous to suggest that Lido “controls” XX% of stake when comparing it to entities like Coinbase or Kraken.

Lido is directly aligning the incentives of many parties, whom are normally adversarial, and forcing them to act in the best industry of the protocol as it favors their business long-term to do so.

Further, competition here is paramount. As the Ethereum community the only thing that should matter is the most robust and secure staking that is not owned by a single entity.

Artificially capping Lido would result in benefiting other parties who would not be competitive in their offerings under normal circumstances. I doubt we would see Binance or Coinbase stop their offerings under any circumstance, and if people can’t get more stETH or their is a premium, they’ll go to these other leading entities.

If other parties wish to take marketshare, they should do so by being a competitive standard of product.

I appreciate the seriousness with which Lido is examining the centralization concerns, I think being a market leader in such a critical space does require a great deal of responsibility - and that there is more than can be done in building the right system guard rails.

But Lido’s focus should be on making the best protocol to onboard more staking entities and reducing any potential vectors of misuse through trustless implementations, and not artificially capping itself, which would only help to serve low-quality and centralized offerings.

I am against any limitations being put on LIDO for leading the liquid staking market. If u disagree consider how you’d feel when Coinbase or Kraken take over instead. i think lido should stay transparent and thoughtful on how the validators are chosen and that’s basically all the market should care about on the subject. don’t punish lido for being the best in the market.

Glad we finally got this out there

From my perspective the way that the argument to limit staking solutions as a whole has been put forth, and the assumptions it makes, do a disservice to the Ethereum community. This is not to say that there is no risk and that it shouldn’t be considered; in fact I would argue that Lido has been incredibly candid and honest about the risks that the protocol and the product present in general, what mitigation mechanisms exist or have been identified, and what the plan is for them to be implemented and improved on. Ultimately, however, the question at hand fails because it does a bad job in presenting the risks at hand, and it presents a specific solution as the only viable option even though ultimately it’s not.

For one, it lacks nuance. It’s really not that simple as “any one organization with dominance introduces existential risks”, because “one organization” and “dominance” are not simple things to define, and differ greatly when you compare different organizations and what and how much they can influence things. Second, and most importantly, it obfuscates the much larger, more immediate, and potentially more ruinous risk which is “how much direct control does any one or set of entities have over the network” by conflating organizations/entities of different type and not considering the differences between direct and indirect control. Not only does it draw attention away from this risk, but it explicitly allows for entities with direct control to amass critical power because it focuses on “umbrella” entities/organizations instead of examining the entities where the locus of power really lies.

I’ve put together a document detailing my thoughts on the staking landscape (warning: long and not beginner-friendly) in Ethereum, and I’ll be pointing to relevant portions of it in my summarized argument below.

• Lido does not have the control over its validators that people think it does. This was a conscious design choice and Lido continues to show that the choices it makes are driven by the protocol’s best interests. It’s disingenuous to pretend that it does, or that stake share via an on-chain protocol that is basically a federation of independent operators is the same thing as stake share of a solely or tightly-controlled group of them.
• Limiting any one staking solution, or even multiple staking solutions, to some fixed % of stake does not do what you think it does
  • Each protocol is different, and how decentralized each protocol is actually materially affects how decentralized the underlying network is, especially if they’re capped/limited to the same level
  • For this to even remotely work then you need to classify different staking solutions differently and potentially also cap by classification, and you need a way to enforce caps at the protocol level because there will be actors who will not self-cap (which is a nightmare to do, operationally/logistically, and it will probably spell the death of the network in any case)
• Permissionlessness is not decentralization, and assuming that permissionless solutions at large scale are similarly decentralized to how they are at small scale is dangerous (and we should actually examine how good they are at small scale, too)
• Self-capping the leading protocol does not make other protocols more competitive, in fact it allows them to grow despite being less competitive which means that you end up with a worse network
• Self-capping the leading protocol only allows non-aligned actors who were slow to join the chance to catch up and leapfrog lagging aligned actors (i.e. you end up with a worse network)
• Even if a miracle happens and all actors self-cap, this leads to a market that competes only on APR across staking solutions, which benefits centralized actors over decentralized ones, which means that decentralized solutions must rely on stakers’ willingness to pay a “decentralization premium” just to compete (nevermind offering a product that’s better for the network)

In the end, limiting the leading protocol only allows other protocols to play catch up. Some will argue that “if they catch up, we can revisit”, but this is not very reasonable. Why give them the opportunity (and power) that comes with catching up at all? Is the risk that’s introduced (and overall detriment to decentralization) worth it? The protocols that will catch up the fastest are ones that can leverage economies of scale and are unconstrained from a supply perspective. The reality is that there is a lot of capital waiting on the sidelines to enter the staked ETH market which is waiting for the merge to be done with (and likely withdrawals too). This capital is most likely to enter via KYC/AML onramps and offramps, especially if more KYC-friendly solutions take off or finally release their liquid staking token. Everyone is looking at the landscape now and ignoring what the landscape will most likely be in 12-18 months from now. Placing limits and constraints now is going to make competition later magnitudes more difficult, and the best solution is not to constrain the market leader but to do everything we can collectively to make it the best version of itself.

A time-horizon for the self-limit is an interesting idea, as some major events will completely change the market dynamics over time:

1. Currently the liquid staking market is subject to large economies of scale due to liquidity pool requirements for the staking tokens, leading to a winner-takes-most market. Once withdrawals are allowed, this goes away, and very likely we are no longer in a winner-takes-most market.

2. Distributed Validator Technology will become available and widely adopted, allowing Lido to take on a much more decentralized node operator network.

I think you make a good argument for Lido to not self limit based on, we may call it, endogenous and virtuous grounds of capitalism. But, I also think your argument may be a bit oblique in the sense that it doesn’t directly address the suggested primary reasons for Lido to self limit.

I’d be interested to know your specific views on the core of the argument for Lido to self limit, ie. that

1. Lido’s monopoly is circumstantial due to the early and current lack of “competitive competitors”. That’s to say, liquid staking is not necessarily destined to be a monopoly, it just happens to be one right now.

2. If Lido doesn’t self limit, it may be expected to run a supermajority of stake in the months/quarters following the merge. To give some anecdotal context here, I’m part of an informal working group of liquid staking oligopolists, and our general consensus has been that nobody is close to catching up to Lido and it’s completely unrealistic to expect a competitor to catch up before the merge and Shanghai hypergrow Lido deposits.

3. Having a single liquid staking provider running 30%, 66% of stake is a significant perceived and real reduction in ethereum’s credible neutrality, and should be avoided if possible. It’s a perceived reduction in credible neutrality for obvious reasons. But, it’s a real reduction in credible neutrality, too, as the Lido governance community has non-trivial power to force validators to follow their wishes, for example, by threatening to kick them off the platform.

4. Lido’s self limiting may be explicitly temporary for the reasons above. With a two-year temporary self limit, competitors may be expected to substantially catch up, and if they don’t catch up within two years, Lido will have done right by the ecosystem. Note that, of course, Lido will still grow a lot during the two-year self limit period, as only their share is self-limited, not their amount of ETH staked.

What do you think?

Lido’s current market cap is only ~$400M. That means that for $200M, someone could take over 51% of the governance vote and use it to carry out an attack on Ethereum by pressuring / swapping operators.

What % market share can Lido get to before the social layer of Ethereum finds this untenable and executes a fork to slash Lido validators?

I understand there are governance proposals (such as letting stETH holders veto), but not clear when those are coming out, nor what % of stETH holders would be active voters.

It’s also worth noting that a similar fork threat is there to prevent CEXs from taking too large of a share. A CEX like Coinbase has much more to lose from that type of slashing than even Lido does, because they have other business lines which would be impacted / bankrupted by what is to them a side business. Why would they take that kind of risk instead of just self-limiting their share?

1. I have no idea what this has to do with a need to self limit. It does not change the attack vector here. What is relevant is, “is Lido owning all the stake a risk or not” - not “what would it be if others launched at the same time”

2. It’s entirely possible that Lido could see a supermajority stake in that time frame. Which once again suggests that Lido should look towards ensuring that safe guards are in place to responsibly manage such a possibility. I would agree this is a concern with capping if the actual validators staking were a single entity. But, if there are credible safe guards in place, then it is no different.

3. The perception part is irrelevant to the core issue. Now, the reduction in credible neutrality does matter. That solution to this is not to artificially stunt growth, but to ensure, in advanced, that there are policies in place for this. For example, that could range from holding a governance vote to limit governance power on certain matters if Lido owns more than XX share, or, creating a more clear policy for what type of reasons are acceptable to vote a party off of the platform. There are plenty of solutions that don’t involve stunting.

4. The self limiting being temporary, is not in and of itself a justification for it to be implemented.

Ultimately for self limiting to be the right solution you’d need to show:

• 1. There is a specific attack vector of concern.
• 2. That specific attack vector cannot be solved via smart contract implementation, governance changes or other policy measures.
• 3. This attack vector is a concern specifically because of Lido’s implementation and would not be present if each of these validators within Lido were acting independently.

If there is a specific attack vector, that creates systemic risk and cannot be solved in any other manner then sure exploring self-limiting should absolutely be on the table.

But, while we’ve heard the proposal of self-limits and other anti-Lido rhetoric for months now, I’ve yet to see specific and detailed concerns.

Given that I assume a lot of the concern stems from:

• People concerned ideologically without looking at the specifics.
• Individuals jumping the gun without looking at actual attack vectors.
• Entities who are competitive with Lido and their associates.

We’re identifying a potential concern, and skipping right up to the nuclear solution and I’ve yet to see compelling cases why there isn’t better ways to address these concerns.

[Re: Lido monopoly being circumstantial] I have no idea what this has to do with a need to self limit. It does not change the attack vector here. What is relevant is, “is Lido owning all the stake a risk or not” - not “what would it be if others launched at the same time”

It seems that the fact that the monopoly is circumstantial and not necessary is relevant because some people feel a Lido self limit is inappropriate because all roads lead to an eventual liquid staking monopoly, so why prolong the inevitable? Hasu has taken this view. I strongly disagree, as I think liquid staking can and is best to be an oligopoly, and a Lido self limit may be how we get there in practice.

The self limiting being temporary, is not in and of itself a justification for it to be implemented.

I totally agree, self limiting being temporary is not in and of itself a justification for it to be implemented. But, I think making any self limit temporary is important because, imo, the natural steady-state here seems likely to be a completely free staking market. I see us as merely in the unfortunate position that Lido did so much of a better job out of the gate than competitors in terms of growing market share. Now, for the overall health of ethereum, I think competitors need time to catch up. Lido doesn’t owe them that time, of course. We’re asking Lido to self limit for the good of the chain and not out of any obligation.

Ultimately for self limiting to be the right solution you’d need to show:

1. There is a specific attack vector of concern.
2. That specific attack vector cannot be solved via smart contract implementation, governance changes or other policy measures.
3. This attack vector is a concern specifically because of Lido’s implementation and would not be present if each of these validators within Lido were acting independently.

These criteria seem fair to me. To address them

1. I think it has been demonstrated that specific attack vectors of concern are reasonably likely to exist https://twitter.com/dannyryan/status/1524044529669525510

2. afaik, these attack vectors can’t be eliminated in general by contracts, gov changes, or policy, because they stem from Lido being a non-hyperstructure, with governance exerting significant control over the Lido staking platform and set of validator operators

3. I think the attack vectors can be partitioned into those that are viable even if validators are acting independently, such as smart contract exploits, and those that rely on Lido governance’s ability to potentially coerce operators into taking certain actions, including by kicking operators off the platform, or reducing their proportion of stake, or creating social pressure among operators. Personally, I see these attack vectors as significant given the context of ethereum becoming a settlement layer for trillions in annual remittances.

We’re identifying a potential concern, and skipping right up to the nuclear solution

fwiw, I think the phrase “nuclear solution” is inappropriate here because Vitalik’s fee targeting method gives granular control over the self limit apparatus, it’s not an extremist mechanism. As well, the very phrase “nuclear” implies you can’t reverse dropping a nuclear bomb, whereas we can simply turn off a self limit mechanism if it becomes inappropriate in the future.

Conflict of interest discoslure: I am not long or short LDO or RPL or any related token, and I’m extremely long ETH, and I have no plans to change these positions.

I am not arguing that a monopoly is inevitable.

Just that something being, or potentially being, a monopoly in this case, is not grounds that are sufficient for it to be a negative thing, nor for justifying the particular proposed solution.

These are rather vague generalities, that Danny seems to be suggesting can be managed through coercion of requiring a player to comply with bad behavior or risk being removed from the platform.

Which would also be highly against the long-term viability interest of the DAO itself.

Either those actions are ones that:

A) Can be directly be performed by governance.

or

B) Can only be implemented via coercion of voting a validator party out of the system.

If it is A, then it can be restricted by policy or contract.

If it is B, then it can be restricted by policy, contract, or voting measure. (i.e. the best way to prevent B is probably just to own more LDO if you care about preserving the actions of the ecosystem)

Governance can always be limited contractually, and by participant behavior.

If however, the argument is that we can’t trust voters to do the right thing because incentives are misaligned then either:

A) We need to fix the incentives to align them to the long term health of the Lido protocol rather than short term action.

Or

B) We need to think this entire decentralized system in the first place.

Did you just say “I’m part of an informal working group of liquid staking oligopolists”? That’s fine but you do have a specific interest here, just like everyone; and I think its the crux of the issue.

It’s an ideological perspective that Lido is too centralized and therefore will exert negative action.

I think that is a good concern to raise - but let’s not talk in generalization, let’s talk about specific attacks and we can talk about how they can be prevented line by line.