The current one from Unslashed is for slashing (up to 5% of the single Node Operator’s total stake) and offchain penalties (of more than 1% of single Operator’s stake, 5% max)
I think the most important thing for a service like LIDO is security.
For that paying 25% of the DAO revenues (not staking revenues) is quite low. But I think the issue is not on spending on insurance, it’s that the current insurance scope is not large enough.
As a user getting slashed of 5% is not that bad and a risk that we can take (daily price swings can vary more than that). What I really want to get covered is the risk for validators to lose the money.
As it is what happens in practice (see Stakehound losing user money) and why I wouldn’t put all my ETH to staking providers.
So I think that instead we could try to extend the range of risks being covered such that the risks of losing the funds is <1% (currently it’s very high with 1 out 4 tokenized staking providers having lost the user funds).
The Kleros Cooperative both works with Unslashed and has a significant amount of funds in Lido (a bit more than 2500 ETH in stETH-ETH curve pool).
I agree with Fiskantes here.
Imo, Lido should own the stack and adopt a two-tranche insurance model, with tranche 1 being a stablecoin/ETH insurance fund and tranche 2 being an LDO staking pool. In case of a Shortfall Event, tranche 1 would be tapped fully first with tranche 2 being tapped only if tranche 1 wasn’t enough.
Tranche 1 could begin to be built up from a share of fees or bootstrapped from the ETH in treasury. For tranche 2, Lido should implement staking for governance and have LDO stakers underwrite some percentage of the risk similar to Aave’s Safety Module. Delphi has built several models similar to this and we’re happy to advise on implementation here.
Regardless, until the IF architecture is setup and sufficiently capitalized, we would recommend continuing to have some kind of insurance cover. Just to confirm, is Unslashed the only provider offering this kind of cover right now?
Yes, Unslashed is the only protocol to offer this for now.
Some form of insurance makes sense and should be seen as a waste of money:
- I agree with previous comments (@clesaege ) in that conceptually paying 25% of the DAO revenues for insurance is a reasonable expense to protect stETH holders in the case where there is a minor slashing event
- Insurance also improves attractiveness of stETH compared with other centralised staking solutions
- Clearly that cost is however dependent on the actual scope of cover provided, and the likelihood of a successful payout (depending on the provider)
- In the case of a more serious event, where a large proportion of the staked ETH was lost or un withdraw-able, as in the case of Stakehound, I don’t think there are any solutions available, and both in the case of self-insurance, and insurance via Unslashed, its not reasonable to expect to be able to insure against this for the amount of ETH staked with Lido
- Slashing likelihood so far after half a year of operation does indeed appear very low, and slashing from one of the many different validators would be socialised across the pool, leading to very small losses for each stETH held
Unslashed vs ‘Owning the Stack’:
- I am not sure there is evidence at this point that Lido could provide better more cost effective self-cover for users than Unslashed as a specialised provider is able to provide. It would depend on the parameters of the cover.
- However if the provided cover would be paid out in the form of the DAO’s supply of LDO, instead of its ETH, it could end up being more cost effective than alternative solutions. The cost of capital for LDO for the Lido DAO is currently very close to zero and there is a large available supply. This would resemble the AAVE style safety module as suggested by @gakonst
- I dont completely agree with the sentiment that the previous Unslashed provided cover was not sufficient in scope. I believe the only events we should be trying to protect against are minor slashing events (such as up to 5% of the funds staked with 1 validator). Larger black swan events do not seem realistic to insure against anyway.
- If using a self owned solution, paying out in LDO, I would expect the LDO price to take a extremely severe hit in the case where anything larger occurred than a minor slashing for 1 or 2 of the validators, which might significantly reduce the value of such cover.
After thinking about this some more, I am opposed to buying any cover at current prices.
The purpose of insurance is to socialize the consequences of a bad event across many optimally uncorrelated participants.
By supporting a diverse set of professional node operators, Lido already satisfies that today. If one validator gets slashed, the risk is socialized across thousands of stETH holders and/or LDO holders.
One could respond that the node operator set is still too small, and hence faults will be correlated enough to justify insurance. I think that’s a valid argument, but not convincing enough to give up 25%+ revenue. Especially if the cover is capped at 5% of total stake anyway.
Further, we should consider if insurance tips the scale for sufficiently many users to stake with Lido over other parties. In my opinion, there are enough other reasons to use stETH instead of an exchange derivative, since it can be used to generate addt. yield in Defi and soon be used as collateral in lending markets. Finally, the current set of node operators consists only of professional firms with a good track record. All in all, I don’t see the type of user who insists that there is even more insurance on top.
I would like to frame my thoughts on the subject through the lens of this optimization: Lido should attempt to maximise staking user experience while also maximising treasury.
Some variables you need to figure out this function:
- What is the difference in impact on users and on treasury in some hypothetical slashing scenarios: i) with current Unslashed insurance; ii) without any insurance; iii) with ad-hoc Lido treasury insurance?
- What is the cost of the insurance?
- What is the incremental growth of stETH from users that stake because they are happy with insurance? Does this incremental growth of stETH from users have basis in reality? (ie. have any users done their research on how the insurance operates and made a calculated decision, or did they just see the words slashing insurance and go “sounds good, thats what I wanted to see”)
- Would there be a retention issue or could the removal of insurance harm the curve peg (and thus Lido user experience)?
- Is there some larger trust issue that the terms you stake on may change which could in turn harm future growth of stETH?
Ok, so, whats the difference for users?
- Scenario A: small slashing event on one node operator. Less than 1% of ETH in Lido slashed.
In this scenario i) with insurance, the insurance would cover it; ii) without insurance, Lido could perhaps cover it directly from the Lido treasury.
- Scenario B: medium-large slashing event. 6.5% of ETH in Lido is slashed.
In this scenario i) with insurance, insurance would partially cover; ii) without insurance, Lido could also partially cover from Lido treasury and perhaps add a long-term LDO airdrop to further recoup slashed stETH holders.
- Scenario C: black swan slashing event on multiple operators. 25% of ETH in Lido slashed.
In this scenario i) with insurance, the insurance cover would not cover the loss; ii) without insurance Lido’s DAO treasury is likely not large enough currently to cover it. In both scenarios Lido could perhaps sell LDO to cover in some capacity in addition to socialising some loss.
In general, the outcome for users from each of these events is virtually identical – as long as Lido is willing to cover slashing on an ad-hoc basis, which I would expect to be the case given ignorance of user losses would not be an optimal strategy for future growth.
Given insurance costs around 500 ETH per year currently to cover up to 5% slashing per node operator, and all beacon chain slashing events today have been very minimal (<100 ETH slashed from 145 validators) you can weight some probabilities for each scenario to figure out whether that 500 ETH is expensive or not. If you were expecting a 1-5% slashing event to be even 5% likely, it would probably be worth keeping the cover. At lower %s, it becomes a very expensive cost rather than just paying directly from ETH treasury for example.
Next question to ask is: does Lido lose incremental revenue/growth by not having cover?
I do not have any useful data, but my expectation is that there is a minor conversion function from insurance being mentioned but that users do not research much how the cover works.
I would expect the conversion benefit from potential staker to staker is small and probably insignificant vs. the cost reduction.
What about retention or trust issues?
My personal opinion is that these probably track as above and there may even be truth benefits from rigorous discussion on these topics as people work to find optimal solutions for both the users and the DAO.
It seems like a superior solution for the users that are pushed from potential staker to staker because of these issues can be catered for in other ways.
Some other questions that are probably helpful to think about too, because they might change your answer.
- Is cover less important now we have data to suggest how existing node operators (both Lido and otherwise) perform on the Beacon Chain?
- Many people staked ETH when Lido provided cover. The FAQ noted that there was slashing insurance. Since you cannot currently unstake without taking a small haircut on your ETH, do we have obligation to users to continue offering cover until transactions are enabled on eth2 simply because those were the terms under which they staked ETH?
- Is it important to have Lido commit to -some- action in the case of slashing events, rather than voting for no-cover which seems like the maximally confusing scenario for users. How can a user know what to expect in the no insurance category? Is it important to cover until there is an answer to that question?
Personally, I would stop paying for the cover on the condition there’s a commitment from Lido to cover slashing up to, say, 10k ETH. I’d also consider a product offering risk tranches for staking yield, allowing users to opt-out of risk themselves:
mum im scared
This is a good point, and if users were locked into the service then I’d agree Lido has an obligation to stand by whatever terms were promised when they staked initially.
In practice I think this lockin is hard to argue as users can simply sell their stETH back to ETH.
Great post btw, love the maximization framework.
Agree, except there is a slight financial loss since peg isn’t exactly 1:1, but I think it’s so small and so unlikely that it’s probably not that relevant overall. IMO stuff like this is just worth mentioning as evidence thoroughness of thinking
One thing to note, though: the first event springing all discussion around cover was change of terms from Unslashed. As currently it’s the single provider for the slashing cover, Lido would have to build a framework for cover anyway to save the terms for stakers.
Marouane from Unslashed here
First, I would like to thank everyone for their input and for this passionate debate!
There are some things that I would like to discuss from a neutral point of view as it doesn’t only apply to Lido but rather to most self-insurance initiatives/ideas. Then I will happily express my totally biased position regarding the topic at hand (renewing/not renewing/not renewing + exploring something else).
I/ External Insurance vs Self Insurance
There are 3 main models for Self Insurance that were described/discussed:
(A) using the ETH treasury that Lido holds
(B) using LDO as a “backstop”
(C) a mix of both (A) and (B) by using a tranching logic; a first tranche being ETH treasury and the second one being LDO for example.
When thinking of fat tail events (a slashing of 10k-20k+ ETH for example), picking A), B) or C) leads ultimately to the same result which could be broken down into the following:
Price impact on LDO:
If (A): the ETH that was raised to maintain Lido as the Number 1 Liquid Staking protocol is now gone and the project is at risk. If (B), LDO holders will sell as soon as the news is out and the sold/airdropped LDO will likely be severely discounted. If (C), the result is a mix of both.
Some past examples of rather small to medium size losses:
The MakerDAO 0$ CDP liquidations in march 2020 was a rather medium size incident; around 5m$ was lost and a coordination of several industry actors was needed to buy the newly minted MKR and recoup the losses.
Compound’s oracle liquidations led to a price decrease of 20% for $COMP, and in this case Compound wasn’t planning on covering any losses.
More recently, the Thorchain hack of 5m$ led to a price decline of more than 20% in $Rune so far and they have USD + BTC in treasury that they promised to use to cover the losses (for the story, I reached out to them a few months ago to discuss an insurance policy and didn’t hear back from the team who could have helped put one together …).
Will/do these tokens recover? Yes probably but the rational is to always discount the tokens by taking into account the additional risk that they bear. Moreover, when it becomes a larger scale loss instead of a small/medium sized one, the recovery is much harder. Think Harvest or Pickle for example.
We can all agree that stETH will very likely lose the peg after a slashing event until withdrawals become possible. The question of knowing what would happen if there is a second slashing becomes a reality. If the first was covered by self-insurance, would it be enough for a second slashing? And would LDO holders be willing to distribute LDO or ETH from treasury? or is it going to be some other “non-cash equivalent” solution (vested tokens, debt tokens, options, etc.)?
Lido’s Image/perception/reputation post slashing event:
Lido started by having an external slashing insurance then a decision was made to stop it. In the case where a medium to large slashing event happens, some hard questions would need to be answered.
II/ Why (External) Insurance and how does Unslashed approach Lido’s risk?
Why a third party insurance? The simple answer is to avoid all the drawbacks of self-insurance.
Apart from providing a perception of safety and security, an external insurance actually allows to spread any losses over a longer period of time compared to self insurance; the 300 to 450 ETH of yearly premiums could be seen as an advance on possible future losses and continuing to pay premiums post slashing could be seen as paying back the loss incurred by the insurance provider. A 5k ETH slashing could happen in one month or in 2 years, we don’t know but what we know is that it would require 11 to 15+ years to be recovered by the insurance provider at the current premium price. A 15k ETH slashing 33 to 45 years. And during these 10 years or 45 years, Lido has the treasury and LDO price doesn’t suffer as much + the project can thrive.
On a long enough timeframe, any event that could happen tends to happen. Considering slots as the unit of measure for slashing is the equivalent of considering the number of times a car wheel spins to price a car insurance policy. Yes the wheels do spin millions of times per year and when an accident happens they stop spinning, so that’s 1 chance out of x million(s), but the reality is different as we all know. Using slots for probability calculations would simply lead to false math/assumptions/results.
6 months of ETH 2.0 doesn’t provide enough data points to compute probabilities in a simple manner, the merge and post-merge upgrades come with some amount of risk. Recently many Polkadot validators were slashed and the slashing ended up being reversed by the council, ETH 2.0 doesn’t have a council, once the funds are lost they are gone no matter who is responsible and what really happened. When considering Lido’s validator set we think of their activity on all the different networks they are part of and try to extrapolate the slashings and losses.
Taking a 20 years timeframe and trying to come up with a fair pricing leads us to the cost of 1% to 1.5% per year, this cost currently represents an average of 10% of the fees earned from the staking rewards. It might be seen as high compared to the DAO’s revenues, which I can understand, but it is still an event priced at 1% to 1.5% per year and that cost could be easily offset by increasing the fee Lido is taking from 10% to 11%.
Over time the pricing will follow the reality of the incidents/losses/risk, which means that if we are being optimistic and there are no reasons to remain cautious, the cost of the slashing insurance would diminish and reach the same levels insurance represents in other “regular” businesses.
And this is not something Self-Insurance will get to.
This being said, if the current cost continues to appear to be high, there are other alternatives that might be worth exploring:
Use some ETH from Lido’s treasury that was supposed to be locked for Self Insurance and supply it to Unslashed’s bucket in order to have enough yield to offset the insurance cost. This will give the Lido DAO exposure to its own slashing risk as well as other risks that are part of the bucket. The Lido DAO could be long the bucket and short some specific risks the Lido DAO is not comfortable having exposure to. 3-4k ETH would allow to approx generate the 300-450 ETH per year.
Have a separate Capital Pool for Lido’s policy, this could serve as a self-insurance for which there is a policy and an independent claims process.
Have a separate Capital Pool for Lido as in 2. but with less ETH being locked and combine it with a tranching logic: Lido’s independent Capital Pool will be taking the first losses up to XX ETH and the policies that are part of Unslashed Bucket would take everything that is above XX and up to YY ETH. The premium price in this case will be naturally lower.
Do different variations of 1., 2. and 3.
Option 5: another option I would need to check and make sure it makes sense in this case.
Happy to have everyone’s thoughts on this and excited to see where this is heading!
I think you submit your post early – it ends half-way through
yes sorry about that, I was writing then stopped then continued - just edited it.
Massive +1 on tranching stETH (which can also be combined with insurance)
Lido is already at a scale where we know insurance can’t cover the full risk, and never will be able to at a reasonable cost.
Splitting into tranches solves the issue better than pure insurance will ever be able to, and allows market mechanisms to price in the risk of slashing and other events, and to shift the risk onto those who are comfortable with it.
Allows there to be a gold plated version of stETH which is extremely unlikely to ever be slashed, and which can be bought by institutions and those uncomfortable with any level of risk (which has been one of our main stated aims of having insurance)
Additional LDO rewards could be added to holding higher risk stETH tranches.
The DAO has snapshot-voted to explore self-cover options, for the time being stopping purchasing more cover from the Unslashed.
stETH’s network effect and liquidity is Lido’s biggest asset. Even having just two tranches half the size of the original stETH would reduce their utility by much more than half. Just something to keep in mind when we talk about tranching.
There could be other approaches to tranching that reduce impact on liquidity network effects. Instead of making separate tokens for each tranche, we could let people stake stETH into a slashing contract like stkAAVE with a 2-3 week withdraw cooldown period (stETHb), divert an additional 5-10% of stETH yield to this contract (increasing total fees on stETH to 15-20% of yield), and then make stETHb take a certain percent of first losses (eg 30-100%) before slashing impacts the wider userbase of stETH holders. Advantage here is that insurance costs feed back into stETH ownership through staking rather than going to external capital sources. stETH would be the sole accepted collateral for stETH insurance.
We’ve started a workgroup on exploring Ethereum staking penalty scenarios and coverage options. Right now we’re preparing the analysis for publication and would like feedback from the larger community. If you’re interested in being as part of the workgroup please let me know via telegram (@isidorosp)!
Irina did a wonderful research on risks we need to cover: Offline & Slashing Risks: Are Self-Cover Options Enough?