Preface

The following describes the architecture, mechanics, economics and responsibilities of the different stakeholders of the SSVLM module to the Lido community and beyond. In so doing, this document, with potential changes before being submitted to the Lido DAO for snapshot vote, will serve as the official proposal from the Clusterform (independent SSV Labs subsidiary company) team to the Lido DAO.

Introduction

The SSV Lido Module (SSVLM) is a permissionless staking module leveraging the open source nature of SSV Network’s Distributed Validator Technology (DVT) to integrate Node Operators (NOs) into the operator set of Lido on Ethereum.

Building on the CSM framework and incorporating insights from the SimpleDVT module, SSVLM is designed to support operations of Node Operators within DV clusters while enhancing the scalability, security, and decentralization of Lido’s staking ecosystem.

After a discussion period, this proposal will be presented to the Lido DAO as a Snapshot vote to signal whether the Lido DAO supports this direction of work.

If the vote is supported, initial deployment on Holesky testnet is targeted for Q2 2025. This would be followed by a performance review and codebase audit.

If the outcomes are successful, Lido token holders will have the opportunity to express their opinion in another Snapshot vote, which will include the technical details and parameters, followed by a final on-chain vote aiming to integrate the module into the Lido on Ethereum protocol throughout H2 2025.

Why DVT

Distributed Validator Technology (DVT) enhances validator security by distributing key management and signing duties across multiple operators. This approach reduces the reliance on a single entity, aims to improve fault tolerance and continued validator operations, even in the event of individual operator failures (depending on the configuration). Key benefits include increased security through the use of Distributed Key Generation (DKG), greater decentralization, and enhanced fault tolerance, mitigating risks of single point of failures, compromise or downtime.

Why SSV

As the pioneer in DVT, SSV Network leads the field, operating over 50,000 validators and ranking fourth by market share. Its previous experience—three years in testnet, over a year on mainnet, and multiple successful audits—makes SSV the most battle-tested DVT protocol in this space. Close collaboration with Lido DAO contributors on Simple DVT mainnet as well as previous joint testnets ensures compatibility and reliability, making the SSV Lido module the ideal, scalable, and permissionless evolution of the SimpleDVT module on mainnet.

SSVLM Benefits

For Node Operators

The SSVLM provides NOs with a permissionless pathway to join the Lido on Ethereum operator set and operate validators as part of DV clusters. Within these clusters, NOs benefit from reduced barriers to entry, as they are only required to provide a fractional bond per validator, lowering the upfront requirements for participation.

Operating within DV clusters also provides NOs with a more resilient participation model. The inherent fault tolerance of DV clusters supports uninterrupted validator operations even if an individual NO experiences downtime, significantly reducing risks such as slashing and underperformance.

The SSVLM simplifies the user experience for NOs and aims to reduce operational costs by abstracting away the complexities of managing DV clusters from NOs. Responsibilities such as key management, cluster coordination, and other coordination activities are seamlessly managed within the module, streamlining operations and eliminating costs NOs would otherwise incur, such as SSV network fees and transaction costs.

By removing these complexities, the SSVLM allows NOs to focus solely on maintaining their infrastructure and bond, without incurring additional overhead or expenses. This streamlined approach makes participation both efficient and cost-effective, positioning the SSVLM as an attractive solution for NOs.

For the Lido on Ethereum protocol

The SSVLM provides the Lido on Ethereum protocol with a scalable and decentralized way to expand its operator set. Unlike solo-operated validators, each validator in the SSVLM is managed by multiple NOs within DV clusters. This structure should allow a larger and more diverse set of operators to be onboarded into the Lido on Ethereum protocol, effectively distributing stake across multiple participants and enhancing decentralization.

DVT reduces the trust requirements placed on operators by enabling them to manage only partial key shares rather than full validator keys, with keys securely generated using Distributed Key Generation. This approach eliminates the need for operators to have custody of the validator keys, significantly reducing risks associated with key management and increasing protocol security.

Additionally, the use of DV clusters introduces diverse operator configurations, ensuring that even if one NO in a cluster goes offline, the others continue to maintain validator operations. This inherent fault tolerance creates a more resilient staking infrastructure, reducing the impact of individual NO failures and enhancing the protocol’s overall stability.

While the Simple DVT Module has demonstrated the efficacy of utilizing DVT on mainnet, the manual coordination required to assess participants, form clusters, and facilitate onboarding is not scalable for onboarding thousands of Node Operators.

As a long-term solution, the SSVLM offers the Lido on Ethereum protocol a scalable, permissionless alternative to the existing SimpleDVT module. Its design enables seamless and decentralized operator participation, making the SSVLM a foundational component of the evolving staking ecosystem around the Lido protocol.

If the proposal is accepted by the Lido DAO, a detailed risk framework will be presented for analysis before the final Snapshot vote to guide module scaling decisions. This risk assessment will be done by Lido DAO contributors, for the Lido DAO to consider as the module is proposed to scale in terms of its share limit, and does not lead to obligations for Clusterform. This framework will examine risk factors such as bond size, the percentage of verified and fully permissionless operators, as well as cluster makeup scenarios. This will allow for the Lido DAO to consider how the SSVLM can continue on the path of decentralizing the Lido Node Operator set while providing risk mitigation as the module scales over time.

For SSV Network

The SSVLM strengthens the connection between the SSV Network and the Lido on Ethereum protocol, solidifying SSV’s position as the trusted infrastructure provider for distributed staking infrastructure. This highlights SSV’s reputation for innovation and leadership in the Ethereum ecosystem.

By integrating Lido on Ethereum protocol, the SSVLM will drive greater awareness of the SSV protocol, attracting NOs who may not have otherwise joined as operators. This increased participation expands the operator base of the SSV Network, contributing to its growth and strengthening its ecosystem.

The SSVLM also creates significant growth opportunities for the SSV Network. By supporting a meaningful market share within the Lido on Ethereum protocol, the module contributes to the total value locked (TVL) managed by the SSV protocol. This expansion generates a steady revenue stream for the SSV DAO through additional network fees, directly supporting the ongoing development and success of the SSV Network.

SSVLM Design

The SSVLM is designed as a permissionless staking module enabling any Node Operator (NO) to join the Lido on Ethereum protocol. In DVT settings, operating validators within distributed clusters presents additional complexities, especially regarding secure key generation, layered coordination, and effective cluster management at scale. SSVLM endeavors to address these challenges and improves upon the limitations of the SimpleDVT module with a more robust, scalable design, developed around the following principles:

• Permissionless - Any NO that provides the required bond and is registered on the SSV Network can join the module. Additionally, incentives for Verified Operators are expected to allow for greater transparency into the make up of participating operators.
• NO Experience - Key management, cluster coordination and management requirements are fully abstracted away from NOs. This allows operators to focus exclusively on maintaining their infrastructure and providing a bond, without the burden of additional operational overhead through simplified operations.
• Lower Costs - By abstracting operational complexities, Node Operator costs that would otherwise be incurred, such as SSV network fees and transaction costs, are entirely eliminated, as these expenses are fully managed by a network of distributed Module Oracles. This approach reduces barriers and ensures a more accessible and cost-effective participation model for NOs.
• Zero Coordination & Scalable - NOs can join and operate validators within DV clusters independently, without any need to coordinate with other NOs.
• Enhanced Security with DKG - Module’s validator keys are generated through Distributed Key Generation (DKG), eliminating the reliance on any single operator to manage keys individually.
• Competitiveness - Operating within DV Clusters allows each NO to provide only a fraction of the total bond per validator, lowering entry barriers and broadening access for operators.

Considered Approaches to Cluster Coordination Design

1. Trusted Management - SSV Module developers oversee the formation of NO groups into DV clusters and manage them throughout their lifecycle.
2. Coordinator Management - Clusters are managed by designated “Coordinators” (contributors from Lido and others), responsible for forming and maintaining DV clusters, building on the proven approach used in the SimpleDVT module.
3. Distributed Management (Chosen) - Cluster formation, management, and all other module operations are handled by a network of distributed Module Oracles.

Decision Outcome

The Distributed Management approach was chosen for the SSVLM to align with its core design principles and to provide maximal module decentralization potential for the Lido protocol. This approach leverages a network of Module Oracles to handle cluster formation, coordination, and all module operations, making the system more scalable and efficient. By automating coordination, the oracles provide a streamlined user experience for NOs, who can participate with minimal ongoing maintenance requirements. Additionally, the decentralized operation of the oracle network ensures that cluster management is distributed, reducing centralization risks and enhancing resilience across the module.

Module Architecture

Smart Contracts

The SSVLM comprises a set of smart contracts, primarily structured around two key components:

• SSVLM Adapter - This smart contract manages the integration with the Lido protocol by implementing a Staking Router-compatible interface. It holds a registry of all the module’s validators, mapping them to their respective clusters, states, and deposit data. Additionally, it transfers staking rewards from the module to the SSVLM Core smart contract, where they are further distributed to its Node Operators.

• SSVLM Core - The user-facing smart contract, serving as the main gateway for NOs and Module Oracles, this smart contract oversees NO onboarding, bond management, DV clusters management and rewards distribution. The smart contract is maintained by “Module Oracles”, which are in-charge of its upkeep and continued operations.

1125×623 76.1 KB

To enhance familiarity with existing codebases, streamline audits, and ensure compatibility with existing tooling, we aim to reuse much of the CSM code and processes. The smart contracts architecture is currently being evaluated and may be subject to change based on feasibility assessments.

Module Oracles

The Module Oracles are entities that collectively operate and maintain the SSVLM. Represented by a multi-signature wallet, each Module Oracle entity serves as a signer, contributing to distributed decision-making and module operation.

The Module Oracles perform their operations within the SSVLM by running the SSVLM Oracle Node software, which automates their tasks and streamlines coordination among them.

826×792 52.9 KB

The Module Oracles are tasked with the following core responsibilities:

• Cluster Formation: Grouping Node Operators (NOs) into Distributed Validator (DV) clusters.
• Cluster Management: Overseeing and maintaining the health of existing clusters.
• Rewards Distribution: Calculating and submitting the Merkle tree data for distributing rewards.
• Exit Requests: Processing exit requests for validators and NOs.
• Penalty Enforcement: Identifying and penalizing underperforming or non-compliant NOs.

Composition, Selection and Replacement

To ensure decentralization and provide fault tolerance, the Module Oracle set will initially consist of five participants, with a quorum threshold of 3-of-5 required to execute operations.

The initial oracle set for the SSVLM will prioritize participants from the existing Lido on Ethereum protocol’s Oracle set due to their familiarity and expertise in providing oracle services for the Lido protocol. If this group does not yield the required number of participants, the selection process will focus on other reputable node operators and infrastructure providers from the Ethereum staking ecosystem.

The evaluation of Module Oracles and their contributions will be an ongoing process conducted by the module’s Admin Committee.

Compensation

Module Oracles will be reimbursed for their operational costs to ensure they do not incur operational losses. These funds will be drawn from the “Module Operations” fee allocation.

Risks

While the use of oracles introduces certain risks, these are limited strictly to their responsibilities. Even in cases of oracle underperformance or downtime, the module’s managed validators and their performance remain unaffected.

• Single Oracle Downtime: If one Module Oracle underperforms or experiences downtime, the oracles can continue functioning as long as the quorum threshold is maintained. This fault tolerance should ensure continuity despite isolated failures.

• Majority Oracle Downtime: If a majority of the Module Oracles go offline and the quorum is not met, ongoing module operations will halt. This includes the formation of new clusters, maintaining runway of existing clusters, processing of validator exit requests, distribution of new rewards (excluding bond rebases), and enforcement of penalties.

Operator Onboarding

To onboard as a Node Operator in the SSVLM, NOs must register with the module and provide a bond, with the amount determining how many validators they can operate, subject to a minimum validator requirement that may be enforced by the module (e.g., at least 10 validators to participate).

As a prerequisite, NOs must have an SSV Operator with preset configurations: it should be set to private, have a 0 fee, and whitelist the SSVLM smart contract. Additionally, operators are required to run both the SSV operator and DKG nodes and must provide their DKG endpoint as part of their SSV operator metadata.

To mitigate potential geographic latency issues for clusters with infrastructure located far from relay locations, NOs are encouraged to use a selection of predefined relays from the vetted list of SSVLM relays, which have proven to offer optimal geolocation coverage. The SSVLM relay list is curated and maintained by the Admin Committee. This list is derived from a subset of relays from the vetted and approved list provided by the Lido Relay Maintenance Committee, prioritizing those that demonstrate strong geolocation coverage and reliability.

During registration, NOs link their SSV operator ID to the SSVLM, completing the onboarding process after verifying the above mentioned conditions are met.

415×342 19 KB

Operator Bond

The bond provided by NOs partially protects (by it being burnt) the Lido protocol from potential misconduct or underperformance. That being said, full protection is not guaranteed in cases where the severity of the infraction, such as a significant MEV theft exceeds the NO’s supplied bond.

To mitigate such risks, the bond is associated with the NO rather than the validator level. This approach helps reduce the likelihood of uncovered losses arising from infractions tied to specific validators that exceed the bond allocated per validator. However, in any case, the bond associated with the NO is the upper limit for any coverage and protection (See penalties section).

The bond is submitted in stETH or ETH (which will be staked for stETH) tokens. The bond can be topped up at any time to support additional validators (subject to the minimum validator requirement if enforced, meaning increases must align with the predefined minimum validator threshold).

In the SSVLM, NOs need to bond only a fractional share per validator, reflecting the distributed nature of DV clusters. For instance, in a cluster of four NOs, each NO is responsible for bonding a quarter of the total bond required per validator.

Similar to the CSM, the SSVLM will utilize a non-linear bonding curve. This bond curve enables NOs to operate multiple validators, with bond requirements that decrease as the number of validators they manage increases.

As part of this approach, the SSVLM might also include a bond curve reduction program for the Verified Operators - a vetted subset of operators within the SSV network, similar to CSM’s early adoption program. This initiative would reward trusted operators with reduced bond requirements, benefiting the module by attracting more professional and reputable NOs while allowing greater transparency into the Node Operators running validators via the Lido protocol.

650×210 36.2 KB

Bond Statuses

• Pending - The initial state for deposited bonds, representing bond amounts that are not yet assigned to a validator. Any rebasing rewards on stETH accrue to the NO’s pending bond, and this bond can be withdrawn at any time without restrictions.

• Assigned - When an NO is allocated to a validator within a cluster by the Module Oracles, the portion of the bond backing that validator transitions to the assigned state. Assigned bonds are tied to active validators and can be withdrawn only by making a request, which will result in the exit of a validator or validators to release the bond.

• Requested - Bonds in this state have been requested for withdrawal by the NO. These bonds are still assigned but are queued for withdrawal. The request is reviewed by the Module Oracles, who determine which validators within clusters need to be exited to a new cluster.

• Withdrawable - Once the Module Oracles have completed the necessary operations and exited the relevant validators, the bond transitions to the withdrawable state. At this point, the NO can withdraw the bond, minus a removal charge, which accounts for the impact on the cluster.

Validator Lifecycle

Cluster Formation

Cluster formation is the process of grouping NOs to form a DV cluster and generating their validator keys through DKG ceremonies. This process endeavors to ensure the module maintains a sufficient number of available keys (undeposited) ready for activation at all times.

Cluster formation is triggered whenever the number of available keys within the SSVLM falls below a predefined threshold (e.g., if the threshold is set to 50 and the number of available keys drops to 40, the cluster formation process initiates until the threshold is restored).

Cluster Formation Flow

image870×768 88.3 KB

1. Prerequisite - NOs Onboarding & Bond Deposits
   Before cluster formation begins, NOs must have registered and provided the required bond, as outlined in the NOs onboarding process. Out of the NOs who have registered, those with “pending” bond status are eligible for cluster formation and are placed in a queue, awaiting formation.

2. Monitoring and Cluster Formation by Module Oracles
   The Module Oracles continuously monitor the NOs queue and use deterministic heuristics to group NOs from the queue into DV clusters, initially operating on a 3/4 operator threshold with goals to transition to 5/7 in the future. As part of the cluster formation process, the Module Oracles verify the participating NOs, ensuring their settings remain unchanged since onboarding and confirming that their DKG client is live through a health check.

3. Distributed Key Generation (DKG) Ceremony
   Once a cluster is formed, the Module Oracles conduct a DKG ceremony, generating validator keys, deposit data (with withdrawal credentials set to the Lido protocol Withdrawal Vault), and SSV keyshares for the cluster.

4. Keys Registration
   After the successful DKG ceremony, the Module Oracles add the generated keys (deposit data) to the SSVLM Adapter, where they await verification and deposit by the Staking Router. Simultaneously, the validator keyshares are registered with the SSV Network, where they await activation. During this operation, the participating NOs bond status transitions from “pending” to “assigned,” reflecting their active role in the newly formed DV cluster.

Validator Activation

The activation of SSVLM validators begins with the Staking Router querying the module for available keys, which are consistently maintained by the Module Oracles to ensure a sufficient supply. The SSVLM Adapter responds with the number of DKG-verified deposit data of keys ready for activation.

Upon initiating the deposit, the Staking Router places the validator in the Beacon Chain activation queue. Because all validator keys are already registered on the SSV Network, the validator begins attesting from the second epoch after becoming active on the Beacon Chain.

843×766 54.4 KB

Cluster Management

Throughout the lifecycle of validators within the module, the Module Oracles will continuously monitor all clusters to provide sufficient operational runway in SSV token balance to operate within the SSV Network.

If a cluster’s runway is detected to be above or below a predefined threshold (e.g., less than six months or more than 18 months), the Module Oracles will endeavor to adjust it accordingly (e.g., to maintain at least one year of runway). This proactive approach is designed not only to improve capital efficiency by accounting for validator churn but also to accommodate potential changes in the SSV protocol, such as network fee modifications or liquidation threshold updates.

The funds required for these top-ups fall under the responsibility of the Admin Committee, which oversees the reimbursement of Module Oracles for operational costs.

Rewards

There are three types of rewards for SSVLM Node Operators:

1. Bond Rewards - Rewards generated from the rebasing of stETH provided as bond by NOs to the SSVLM. These rebased rewards are credited to the NO’s “pending” bond balance, allowing NOs to either withdraw or compound them to manage additional validators.

2. Node Operator Rewards - Rewards earned by NOs for fulfilling validator duties within the SSVLM. Rewards are based on the performance and contributions of each NO within their assigned clusters.

3. SSV Incentive Rewards - NOs also receive a share of the Incentivized Mainnet (IM) rewards earned by the validators they manage on the SSV network. These rewards are distributed as part of the SSV DAO’s Incentivized Mainnet Program and will continue to be available for as long as the program remains active, as determined by the SSV DAO.

Rewards Distribution

The distribution of Node Operator (NO) and SSV incentive rewards occurs in 28-day cycles. At the end of each cycle, the SSVLM Module Oracles calculate the rewards for all NOs and construct a Merkle tree representing the distribution data. The Oracles then submit the Merkle root of that tree to the SSVLM contract, enabling each NO to claim their rewards independently.

Rewards are distributed through a cumulative Merkle contract, allowing NOs to claim both their Node Operator and SSV rewards in a single claim process. Since the contract is cumulative, NOs can accumulate rewards over multiple cycles without needing to claim them after each cycle.

To ensure transparency and accessibility, the Oracles will publish the Merkle tree data on a public platform, with options such as IPFS under consideration.

1600×1136 146 KB

The Module Oracle calculates the rewards with respect to:

• Validator Share Contribution - The rewards are weighted based on the amount of validators managed by each NO proportionally.

• Validator Performance Socialization - Similar to the CSM, the SSVLM will utilize reward socialization based on a performance threshold to determine the distribution of rewards among the module’s NOs. Validators whose performance exceeds the defined threshold (“eligible validators”) will share in the rewards received by the SSVLM, with the distribution proportional to their share of eligible validators.

NO rewards per distribution cycle are calculated by the following formula:

image871×581 31.5 KB

Validator Exits

Validators within the SSVLM can be exited under two scenarios:

1. Lido Exit Requests - When the Lido protocol initiates a request to exit one of the module’s validators, the Module Oracles monitor Lido protocol’s Validator Exit Bus Oracle (VEBO) events to detect and initiate these exit requests.

747×657 49.1 KB

2. Node Operator Bond Withdrawal Requests - Due to the permissionless nature of the SSVLM, NOs have the option to withdraw their provided bond at any time. Since there is no dedicated “offboarding” function, withdrawing the full bond effectively serves as offboarding. If the withdrawn bond is currently “assigned” for active validators, the withdrawal process involves two steps: “requesting” and “withdrawing.”

When a NO initiates a request to withdraw an assigned bond, the Module Oracles determine which of the NO’s validators to exit. After the Module Oracles have checked that the selected validators have fully exited from the Beacon Chain and have been removed from the SSV Network will the NO be able to proceed with the bond withdrawal.

A timelock is applied to bond withdrawal requests, delaying both the withdrawal process and the ability to submit additional requests until the timelock period has elapsed. This safeguard is designed to provide adequate time to detect and enforce penalties before the bond can be withdrawn in the event of an infraction.

742×628 54.8 KB

Exit Charge

NOs wishing to exit while actively managing validators will incur a removal charge. This fee is calculated on a per-validator basis and is designed to cover the operational costs associated with facilitating the effective exit of their validators.

The exit charge is deducted from the portion of the NO’s bond that becomes withdrawable after their request to withdraw assigned bonds, once the validators have been fully exited and removed.

In both scenarios, the Module Oracles checks that any validator is fully exited before proceeding to remove it from the SSV Network and releasing the managing NO’s bond. As part of this process, the validator’s withdrawal balance is checked against the minimum required deposit amount. If the balance is insufficient, the Negative Validator Balance penalty is enforced, and the difference is deducted from the managing NOs’ bond.

If the Module Oracles encounter any issues in exiting the validator—such as the cluster being offline—they will submit a request through the Lido protocol (following implementation of EIP-7002 in the Lido on Ethereum Withdrawal Credentials, only possible post-Pectra hard fork) to initiate the validator exit.

[Proposal cont. below]

Penalties

The SSVLM is designed and structured with a penalty system to uphold the integrity and performance of Node Operators (NOs) and clusters. Managed by the Module Oracles and the Module Admin Committee, penalties aim to dissuade infractions, underperformance, and malicious behavior. This responsibility of the Admin committee may be coded programmatically and will be finalized in the final technical document that goes to snapshot to the Lido DAO.

Penalties are categorized into two types:

Bond Penalties

Bond penalties are applied in response to severe infractions that compromise the module’s operational integrity and reliability. These penalties result in the confiscation or penalization of the associated NO’s bond, ensuring that misconduct carries consequences.

The Module Admin Committee is responsible for monitoring infractions using its own tools or leveraging existing Lido on Ethereum protocol monitoring systems, such as MEV-monitoring to detect MEV theft, while the Module Oracles are responsible for enforcing penalties and reporting validator withdrawal proofs.

• Negative Validator Balance penalties are enforced when a validator’s withdrawal balance falls below the minimum required amount for a validator on the Beacon Chain to be activated (currently 32 ETH).

When one of the module’s validators is exited—either by the Module Oracles (due to an NO bond withdrawal request or a Lido protocol withdrawal request) or, post-Pectra hard fork, by the Lido on Ethereum protocol through an EIP-7002 execution layer exit request—a report is submitted to the SSVLM smart contracts containing the validator’s exited balance proof. The smart contract then validates the report against the beaconBlockRoot to determine whether the validator’s withdrawal balance is below the minimum deposit amount. If the validator’s balance is insufficient, the difference between the withdrawal balance and the minimum deposit amount is deducted from the managing NOs’ bond and penalized.

• MEV Theft penalty is a delayed penalty with a challenge period before final enforcement. The Module Admin Committee is responsible for detecting MEV theft, reporting it to the SSVLM smart contracts, and settling the report at its discretion during the challenge period.

Once an MEV theft is reported, the bond of all NOs managing the validator is confiscated, meaning it is locked within the SSVLM and cannot be withdrawn. The confiscated bond remains locked until the Admin Committee reviews the case and makes a settlement decision within the challenge period or until the NO voluntarily compensates the stolen amount along with a fixed stealing fee back to the module.

If no compensation for the stolen amount by the NOs is made and the challenge period elapses without a settlement decision, the bond is unlocked and returned to the NOs.

If the theft is confirmed, the bond of all managing NOs is penalized. In cases where the amount stolen exceeds the validator’s backing bond, the penalty is capped. The penalized bond amount per each NO is determined as the lower between:

• The total amount stolen divided by 4 (to account for all four NOs in the managing cluster)
• The total bond of the NO with the lowest bond among the validator’s NOs

Example scenario #1 - stolen amount is 10 ETH and each NOs has provided more than 10 stETH, 2.5 stETH would be penalized from each NO.

Example scenario #2 - stolen amount is 100 ETH and the lowest provided bond out of one of the NOs is 10 stETH → 10 stETH would be penalized from each NO.

Penalized bond amounts are burned as stETH shares using the Lido on Ethereum protocol Burner contract, effectively redistributing the burned stETH value among all other stETH holders.

Performance Penalties

Performance penalties are used for performance-related metrics that are tracked over longer periods. These penalties are applied to validators and are deducted from the rewards in the following rewards distribution cycle. Performance penalties incentivize consistent performance and discourage long-term underperformance.

• Validator Performance penalties are applied at the validator level and affect all NOs managing a validator that fails to meet the predefined validator performance threshold.

The rewards deducted due to performance penalties are redistributed among the NOs who meet or exceed the predefined performance thresholds, ensuring that rewards are allocated to NOs who actively contribute to the module’s reliability and performance.

Additionally, a NO Performance penalty mechanism is under consideration for potential future implementation. If introduced, this penalty would apply at the NO level to NOs who fail to meet the predefined NO performance threshold (e.g., not participating in at least X% of their active validators’ duties inherent to the SSV network during a distribution cycle). This safeguard is intended to prevent “free-riding” NOs within clusters, where DVT’s intrinsic fault tolerance can mask individual underperformance. The penalty would serve to better align rewards with active participation and contribution to cluster reliability and performance.

Module Economics

The SSVLM aims at creating a sustainable and competitive economy for all participants. Preliminary economic ranges are provided below, and will be finalized prior to the launch of the module via a Snapshot vote. To facilitate the decision-making process regarding SSVLM economics a separate detailed risk assessment which is done by Lido DAO contributors, for the Lido DAO and will be provided separately for community discussion with no obligations for Clusterform.

Staking rewards allocated by the Staking Router are distributed across three key areas:

1. Lido Protocol - A portion of the staking rewards supports the Lido protocol, contributing to its broader operational and development needs. The expected preliminary range is 4% - 6% of staking rewards.

2. Node Operators - NOs get a portion of the staking rewards, along with a portion of SSV incentives, which makes the module competitive within the staking landscape and attractive in comparison to other modules. Given that an expected launch data for the SSVLM would be following the Pectra hard-fork, initial slashing penalties would be reduced. This will allow for the SSVLM to offer a lower value bonding curve, while providing a market leading capital multiplier. The expected preliminary range is 2% - 3% of staking rewards.

3. Module Operations - A portion of the staking rewards are allocated towards module operations which reimburses the Module Oracles for their ongoing work in operating the module and supports Clusterform for the continuous development and scalability of the module, ensuring it remains sustainable throughout its lifecycle. The expected preliminary range is 2% - 3% of staking rewards.

Conclusion

The design of the SSV Lido Module (SSVLM) reflects the core goals of creating a permissionless, decentralized staking module that seamlessly integrates Node Operators into the Lido protocol validator set.

By leveraging Distributed Validator Technology (DVT) and a robust framework of Module Oracles, SSVLM addresses the unique challenges of secure key generation, cluster coordination, and NOs accountability while remaining competitive in the staking ecosystem.

The DVT-based architecture not only enhances fault tolerance but also enables greater decentralization and scalability, aligning closely with Lido protocol’s vision for a resilient staking protocol.

If approved by the LDO token holders voting through the Lido DAO voting process, this proposed design can serve as the foundation for the development and deployment of SSVLM as a scalable enhancement to Lido protocol’s decentralized staking infrastructure.

With the potential to eventually replace the SimpleDVT module, SSVLM offers a long-term, scalable solution that could evolve with Lido protocol’s needs.

Next steps

After discussion on the forum, this proposal will be presented to Lido DAO as a Snapshot vote to signal that Lido DAO supports this direction of work.

If the vote is supported by Lido DAO voters, the initial deployment on the Holesky testnet is targeted for Q2 2025.

After a successful outcome on Holesky and a codebase audit, Lido voters will have the opportunity to express their opinion in another Snapshot vote, which will include the technical details and parameters.

If supported on Snapshot, the next step will be the mainnet deployment, followed by a final on-chain vote aiming to integrate the module into the Lido on Ethereum protocol throughout H2 2025.

Appendix 1. Module Admin Committee

While the Module Oracles are responsible for the day-to-day operations of the SSVLM through automated software, there is a need for a dedicated mechanism (e.g. a committee multisig) to handle broader operational tasks and make decisions that require human judgement. An Admin Committee is proposed to fill this gap, focusing on the oversight of module functions and settings.

The specific processes and responsibilities of the Module Admin Committee are currently in the research and development phase, as the goal of the SSVLM is to automate as many processes as possible. It is proposed that, should the initial SSVLM proposal be successful, the details will be shared and voted on in a subsequent Snapshot vote that covers the technical implementation and parameters of the SSVLM.

Appendix 2. Verified Operators (VO) Program

The Verified Operators (VO) Program is an initiative to onboard NOs from the vetted list of SSV network’s VOs to the SSVLM by offering them favorable terms to encourage their participation.

Incorporating VOs into the module offers several significant advantages:

• Reputable and Reliable NOs: VOs are typically professional entities with extensive experience in Ethereum staking and blockchain infrastructure services. Their participation ensures a high standard of reliability and professionalism in the SSVLM.

• Long-Term Commitment: VOs are more likely to remain active participants within the module over time, as many of them operate professionally as businesses rather than solo NOs. This stability contributes to the module’s sustainability and growth.

• Enhanced Sybil Resistance: Since all VOs are vetted and KYC’d by the SSV DAO’s VO Committee, their presence increases Sybil resistance within the clusters they are part of. This mitigates the risk of a single entity operating multiple operators within the same cluster, thereby reducing single point of failure risks.

• Improved Performance: VOs’ professionalism and expertise create a strong foundation for better validator performance, benefiting the module and Lido on Ethereum protocol’s stakers by ensuring more consistent and performant validator operations.

Benefits for Verified Operators

• Lower Bonding Curve - VOs will benefit from a reduced bond amount requirement for their managed validators. This allows them to manage more validators with less stETH requirements, making it more capital-efficient for them to participate in the module.

• Prioritization in Cluster Formation - When forming DV clusters, the Module Oracles will prioritize incorporating VOs into clusters. This prioritization ensures VOs are included in cluster formations whenever possible, but it is not enforceable - clusters will still form without VOs if none are available in the NO queue for cluster formation.

The responsibility for whitelisting NOs as VOs will rest with the Module Admin Committee, which will whitelist the owner addresses of VOs approved by the SSV DAO.

Additional Terms

1. Clusterform team shall retain all rights and interests, including intellectual property rights, in any proprietary modifications, enhancements, and integrations made as part of the services and deliverables provided under this Proposal. Any underlying open-source code remains subject to its respective open-source license.
2. Clusterform may provide some of its obligations through affiliate entities or third parties, in its sole discretion.
3. Services shall be provided on an “as-is” basis. The module is based on an available-to-all open-source code determining the services, as may be amended by the Clusterform team from time to time. Clusterform disclaims all warranties, express or implied, with respect to the services or deliverables. Unless in cases of wilful misconduct and fraud, Clusterform shall not be responsible for claims, damages, liabilities, losses, expenses and costs, direct or indirect, arising out of or resulting from this engagement, services, and deliverables, whether civil, administrative, criminal or otherwise. Nonetheless, excluding wilful misconduct and fraud, if a competent court or authority determines otherwise, liability will be limited to 50.000 USD for all claims.
4. Clusterform shall perform its obligations independently. Nothing shall be viewed as establishing partnership, agency, employment or exclusivity relationship between Clusterform, Lido DAO, Lido DAO contributors, LDO token holders and/or any Lido DAO adjacent entity. Clusterform may make similar proposals in other projects or otherwise pursue similar endeavors to this Proposal. It is clarified and understood that this proposal does not create engagements between users of Lido protocol and Clusterform.
5. Clusterform may stop supporting the services and deliverables in this proposal by giving a 3 (three) months notice, that will be published to the Lido DAO Research Forum, unless instructed to so earlier by a competent authority.
6. The Clusterform team will make commercially reasonable efforts to maintain compatibility with the Lido protocol, but is not obligated to do so.
7. The Clusterform team is committed to endeavoring to provide industry standard quality regarding the components of this module.

I’m very excited to see this proposal and appreciate all the effort from Clusterform to put together something so comprehensive. Clusterform presented this idea during LidoConnect 2024 and based on the ideas in this proposal I believe SSVLM could be a great addition to the protocol.

With the final planned Simple DVT onboarding round recently completed, SSVLM could offer a new permissionless onboarding path for community stakers utilizing DVT within the protocol. It is very clear to me that DVT offers advantages to the Lido Node Operator set: the Simple DVT module has consistently held the top RAVER score since its addition to the protocol. DVT offers significant benefits to the decentralization and distribution of infrastructure, clients, and Node Operator types, and the use Distributed Key Generation improves key security.

Combining this with a permissionless onboarding mechanism that abstracts away cluster coordination could set the standard for how home stakers and professional operators work together to further decentralize the network over the coming years.

SSVLM seems to offer the combined advantage of both Simple DVT and CSM: permissionless onboarding with risk mitigation by design via bonding and the use of threshold based DVT clusters. With the Lido Node Operator set having grown to over 500 operators in the last year with just these two modules, it seems that SSVLM would be a great step on continuing towards the path of the 2nd original GOOSE goal of attracting the best validator set in the market.

Than you for all the support!

This has been a long time in the making, and I’m beyond excited to see it finally come to life! A huge thank you to the Lido core contributors for their dedication, hard work, brainstorming, and support throughout this journey.

One Small Step for SSVLM, One Giant Leap for Decentralization

SSVLM is designed to achieve two critical goals simultaneously: distributing stake at scale across numerous operators while ensuring that individual validators run on DVT. The key here is scale—Lido has the size and influence to drive meaningful impact on Ethereum, and this proposal is a step toward turning that vision into reality.

That, coupled with SSV’s immediate plans to become a multi-client DVT protocol (huge shout-out to SigmaPrime), means we can drive a net-positive impact on Ethereum—not in five years, but today!

A New Era in Staking Economics

This proposal changes the existing staking paradigm and paves the way for a new economic model.

With the launch of SSV’s incentivized mainnet, we’re already seeing how decentralized staking can thrive. As we move toward SSV2.0, a new marketplace will emerge—allowing SSVLM validators to extend their operations to other protocols and earn additional rewards.

This shift not only makes staking more profitable but also encourages more solo and small operators to join, strengthening the decentralized staking landscape. And most importantly, this is all optional and validators will never be at risk!

Join the Conversation

We’re now at a critical stage where community feedback is key. As we push forward, we’re working hard to launch a public testnet for SSVLM and onboard the next 1,000 operators to Lido. Your insights, suggestions, and participation will help shape the future of decentralized staking—let’s build it together!

As an ambassador for the SSV Network, I am thrilled to see the proposal for the SSV Lido Module (SSVLM) by Clusterform. This proposal leverages SSV Network’s leading position in Distributed Validator Technology (DVT) to introduce a permissionless path for Node Operators (NOs) to join the Lido protocol.

By distributing key management and signing duties across DVT clusters, SSVLM significantly enhances the security and fault tolerance of validators, reducing reliance on single entities. This not only increases the decentralization of the Lido protocol but also lowers the entry barriers for NOs while providing greater operational flexibility.

Moreover, by abstracting the complexities of cluster coordination, SSVLM simplifies the user experience for NOs, reducing operational costs and making participation more efficient and cost-effective.

We believe that the implementation of SSVLM will further strengthen Lido’s position within the Ethereum ecosystem and drive the development of decentralized staking infrastructure.

Great proposal and looking forward to seeing this progress!

As we consider how to support the participation of thousands in the protocol, I believe that the SSVLM constitutes a substantial step forward in advancing decentralization via both an increase in permissionless participation at the validation layer of the network, as well as increased technical and operational robustness of the validator set.

The combination of DVT together with a mechanism to bring together different participants in order to create SSV Clusters and the potential for this to meaningfully decrease the barriers to entry for independent stakers and smaller node operators (via decreased bonds) is very important to enfranchise new and smaller participants in the ecosystem.

Snapshot vote started

Please get your wallets ready to cast a vote , the SSV Lido Module Proposal Snapshot has started! The Snapshots ends on Mon, 24 Mar 2025 16:00:00 GMT.

The SSV Lido Module Proposal Snapshot has reached a quorum and completed!
The results are:
Approve : 57.2M LDO
No Action : 24.597 LDO