Should Lido use third party insurance providers?

Context

For the last months Lido has purchased slashing insurance from Unslashed Finance, which has now expired. The premium for this insurance has been estimated to be ~25% of the DAO’s yearly revenues. This thread’s purpose is to discuss the path forward about Lido’s insurance plans.

Available Options

  • Purchase insurance: Historically, we have been unable to purchase cover for enough funds at a reasonable premium (e.g. Unslashed provided cover for up to 5% of the funds staked with 1 validator).
  • Do not purchase insurance: In theory, by not purchasing insurance we would be exposing our users to more slashing risk than before. Cover is also important for institutional users. In practice, Lido’s governance-gated validator registry has allowed onboarding high quality aligned validators that haven’t been slashed to date. All beacon chain slashing events to date are quite minimal: <100 ETH slashed from 145 validators out of >185k validators.
  • Lido would provide insurance to its users: Another approach is to have an in-protocol insurance fund, which covers a certain scope of risks (here, slashing risks). For example, that mechanism could either be an AAVE-style safety module, or it could be more ad-hoc via governance proposals.

The path forward

I polled Twitter recently on this subject, and opinions were mixed, with more erring towards not purchasing more insurance from Unslashed. We probably cannot expect that anybody would offer us insurance on the entire principal in Lido (even if they did, it’s unlikely they’d be able to pay it out).

Not having any insurance at all could be reckless and hurt customer trust.

As a result, it seems like a reasonable path forward would be for Lido to “own the stack”, and informally insure users by reimbursing them if a slashing event happens according to the chosen mechanism(s).

In all cases, we should be explicit about the edge cases involved in order to not create false expectations around what kinds of events users are insured against.

13 Likes

That’s thoughtful, thank you for bringing this up. Safety module style, if chosen as a solution, will take some time to develop, so needs to have an interim solution bolted on. Ad-hoc governance fallback doesn’t seem that clear to me: as a staker, I’d prefer a better defined precommitment from the DAO to understand what I’m guaranteed by the DAO and what would be an unreasonable recourse to expect.

5 Likes

My sense is that 1/4 of revenue for insurance is excessive–especially as it seems to cover more so the one-offs and less so the meltdown type correlated slashing events (think Medalla rough-time incident).

To expand on Georgios’ point on probabilities, when I ran the numbers at 1M slots, the tally came to 0.0084% of slots including slashings and 0.00085% of all ETH staked had been slashed. When you take Staked out of the picture, these numbers drop to 1/3 of what they are.

Updating for 1.5M slots (where we are currently) should further suppress those numbers. And these numbers are already very small.

Imo the safety module/insurance fund sounds a lot more capital efficient over the long term + I do hear @vsh’s points on implementation.

Also: given Lido is in the relatively unique position to have a widely adopted liquid staking token that has a market price (which would be adversely impacted in a Medalla-like incident), there’s a world out there where we could explore an options strategy as part of an insurance offering, to specifically hedge against a 2 sigma + event

7 Likes

Do we know how the premium is priced? I could imagine the relative cost decreases after The Merge, when staking APYs rise dramatically due to MEV, so any decision should probably factor that in.

In general, slashing insurance seems hard to justify when the risk is already socialized over 500k+ ETH. The average user is not gonna feel it.

6 Likes

+1 on an option strategy to hedge the systemic risk. Buying cover for a crash of the StETH / ETH pair below a certain threshold could be a simple and understandable way of doing it with obvious marketing value.

2 Likes

I firmly believe Lido should start building up an insurance fund from fees combined with a mechanism that transfers part of the risk to LDO token holders (which they should also be compensated for). We could also require validators who partake in Lido to own and stake/lock some amount of LDO tokens. This would give LDO rudimentary value accrual properties without affecting the underlying stack too much.

Third party insurance such as Unslashed can be used complementary (or individual validators can use it separately, in which case they could have some other benefits) but will probably never be sufficient given the current size of Lido and potential growth.

Edit: I think the insurance fund should also be much more flexible and not restrict itself to cover slashing events only. E.g. should be partially covering other types of risks - exploits, hacks, tail risks (mentioned option cover of stETH price crash)

3 Likes

Would validators have to buy more LDO as they are given more ETH to stake?

Haven’t thought it through yet, but it would work well with LDO becoming a “fallback” asset of sorts as part of the insurance fund, in which case it makes sense to require validators to stake some. However, it’s not feasible to require them to stake it 1:1 with the ETH value they are handling, so maybe some sort of function should be put in place.

In-protocol insurance will take time as @vsh points out and I’m of the opinion that this is what we’re gunning for eventually. In the meanwhile, do we buy insurance from somewhere else?

It’s largely a question of optics imo. The reality is that Lido’s current validator set are some of the industry’s best operators, so (simplifying somewhat) insurance is more like insurance against systemic eth2 failure than Lido validators not doing well.

25% seems quite a high price for that, so I’m of the opinion that the DAO should just keep the validator bar really high in the short-term (until in-protocol insurance is available). If optics are a concern, maybe demonstrating the relative performance of Lido validators to the community is cheaper than the 25% premium charged by Unslashed.

4 Likes

Re: staking LDO for node operators, I’m against it. At this point in time Lido needs to attract professional node operators, and a money barrier is counterproductive to that.

One option here would be to, say, precommit 6k ETH (or stETH :wink:) from treasury as an insurance fund on more or less same terms as Unslashed gives, as an interim solution.

2 Likes

I guess there are a couple of points I would like to address here:

  1. As @vsh mentioned, Lido needs to attract professional node operators. Imposing additional capital requirements like staking LDO onto them doesn’t seem like it benefits the DAO long term. Also, current node operators would get into a pickle since they can’t opt out of running the validators they have already been assigned with until the merge.

  2. I also agree that 25% of the yearly revenue is too much for the upside of said insurance. In my opinion this leaves two options:

  • We increase the commission fee on stETH and allocate the extra money into insurance, hence lowering the percentage of annual earnings used for insurance. I don’t think this is a good idea since we need to compete with other staking solutions and it doesn’t solve the fact that this insurance is expensive for the upside it provides. This would also probably result in a lot of negative emotions from our customers.

  • We allocate part of the treasury to an internal insurance fund. This could either happen as ETH like @vsh suggested or as stETH (earning staking rewards, growing our insurance fund as long as there is no slashing). In case of a slashing the stETH in the insurance fund could be burned to keep stETH pegged by ETH on the beacon chain as close to 1:1 as possible (depending on the slashing size). In my opinion this could be a feasible interim solution until more external options for insurance arise.

In the end, what I think is mostly important here is that the impact of a slashing highly depends on the share of validators run by the affected node operator. Our biggest goal should therefore be a broad distribution of validator keys. We need to further grow our node operator set by more professional validators. This would ultimately reduce the risk of fatal events to the DAO. Having 5% of validators slashed is much less problematic than having 15% slashed. Therefore, I would like to suggest another round of onboarding ETH 2.0 node operators to the DAO as soon as possible.

7 Likes

I like the idea of directing a part of the treasury to this, but committing stETH as insurance sounds problematic (insuring an asset with the exact same asset as the payout?). If we’re going down this route, I’d advocate for depositing some ETH into Compound or Aave to make sure stETH is covered by an uncorrelated asset.

I’m against having operators stake LDO. This can be more prohibitive than anything and it could drive away quality operators.

3 Likes

Insuring stETH with stETH works fine for isolated problems, like small time slashings of a single node operator. If one node operator who runs, say, 1/10 of Lido’s stake, is slashed for 1% of the stake they run, stETH in insurance fund only loses 0,1% of its value.

1 Like

I prefer an AAVE-style safety module, but acknowledge that adds a layer of complexity in terms of pricing/paying risk/reward mechanism, LDO fungibility, etc. Spitballing, but what if stETH holders who staked LDO into an insurance pool earned some tiny spread of revenues (effectively a discount on standard pricing)?

If LDO self-insurance is funded with LDO or stETH, the insurance may be effectively worthless in a black swan as people dump the very tokens needed to fund the payout. Funding with ETH or some other diversified bucket of collateral earning yield is the optimal approach.

What circumstances is the insurance for? If it’s for the slashing, that’s one thing. If it’s for the more general stETH going off peg, then the insurance payout could end up being all the value held as stETH (black swan event).

Thank you all for your comments.

A Snapshot Poll is now up for people to vote on next steps.

4 Likes

The current one from Unslashed is for slashing (up to 5% of the single Node Operator’s total stake) and offchain penalties (of more than 1% of single Operator’s stake, 5% max)

1 Like

I think the most important thing for a service like LIDO is security.
For that paying 25% of the DAO revenues (not staking revenues) is quite low. But I think the issue is not on spending on insurance, it’s that the current insurance scope is not large enough.
As a user getting slashed of 5% is not that bad and a risk that we can take (daily price swings can vary more than that). What I really want to get covered is the risk for validators to lose the money.
As it is what happens in practice (see Stakehound losing user money) and why I wouldn’t put all my ETH to staking providers.
So I think that instead we could try to extend the range of risks being covered such that the risk of losing the funds is <1% (currently it’s very high with 1 out of 4 tokenized staking providers having lost the user funds).

Disclosure:
The Kleros Cooperative both works with Unslashed and has a significant amount of funds in Lido (a bit more than 2500 ETH in stETH-ETH curve pool).

2 Likes