Nexus Mutual <> Lido DVT Proposal
The Current Position
The stake in Lido has grown rapidly, with billions of dollars of ETH now staked through the protocol. This growth in stake means that the DAO has been able to expand its team to do more to support the protocol. Critical to this is protecting users. Any loss of funds that’s experienced by users will hamper growth, which is why the DAO decided to provision funds to protect users against the impact of slashing events.
But these provisions have not kept pace with the growth in stake, meaning that they reduce each month in percentage terms. Currently, they only cover 0.08% of the stake, meaning that users would be impacted by events larger than this. In my opinion, this level of coverage is not sufficient, particularly as the stake continues to grow each year.
While the DAO has surplus funds that it could allocate to these slashing provisions, I still believe much deeper levels of coverage are necessary as Lido expands with new modules like DVT.
The core problem is the immense value of the stake. Even a small percentage loss is a huge absolute value and so to internally provision for these losses the DAO needs to be extremely well funded.
Self-coverage via provisioning is somewhat common among large corporations with massive excess reserves, unutilized cash flow and relatively small expected losses.
Lido DAO doesn’t currently match these criteria, which makes it challenging to expand the provisions in line with the rapid growth of the protocol. Given the DAO’s current runway and the size of the coverage gap, it might be preferable that the DAO consider implementing an additional fee to support the growth of these provisions, or to pay for premiums for external coverage.
DVT Module: Risks and Coverage
For the DVT module specifically, the risk profile is very different to the main staking module. Primarily, the risk is in unknown unknowns, due to the new codebase which hasn’t been battle-tested like the current, trusted Lido staking module. With DVT the goal is to reduce the risk of trusting a given operator, trading off for more technical complexity. I believe that in the future it will serve to meaningfully reduce the risk of staking. However, we should accept some increase in the current risk profile because, as with all smart contracts, it will be most vulnerable to exploits when it’s first targetable by malicious actors.
The size of the DVT module makes it plausible that the DAO could utilize internal provisioning to protect against this risk. In the case of an exploit, these internal provisions would be sufficient to make users whole and the DAO would likely vote to replenish the reserves from the current surplus.
While I believe that this approach is sufficient for the purposes of protecting users from the risks of the DVT module, I don’t believe that the current provisions and the surplus together are sufficient to protect the entire stake at risk. Therefore, while I can see the logic of using internal provisions to protect the stake in the DVT module, I believe that a move to either significantly fund the staking provisions or to pursue external coverage more broadly is necessary. I see this DVT module as an opportunity to explore external coverage, with the goal of retaining the strength of the current provisions, and re-proving the benefits of external coverage to then expand this more broadly.
External Coverage
Lido DAO voted to not renew a previous coverage policy because this cost 25%+ of the DAO’s internal revenue each month. Yet, in the past weeks we’ve seen a proposal from DAO members suggesting that the DAO looks to provision more than 25% of its funds each month for self-coverage.
My reading of this proposal is that it would require more than 100% of the revenue to the DAO to be allocated to self-coverage. At its core, this is the problem with self-coverage. The magnitude of the risks is so far above the current financial position of the DAO, that the DAO cannot provision enough funds from its revenue to match the growth of the Lido protocol.
Today, the provisions are 6,235 stETH to protect users against slashing. The protocol has 8,169,134 ETH staked, so the provisions are for 0.08% of the funds at risk.
Currently, this slashing provision is only sufficient to protect against relatively smaller events, with any sizable risks having expected losses far in excess of 6,235 stETH. A single operator experiencing slashing across their set, or a client bug causing downtime, could lead to events that either massively deplete this fund or wipe it out entirely. If the goal is to mitigate the impact of catastrophic events, external coverage can provide deeper levels of protection.
However, relatively small events like downtime or non-function of the DVT module are coverable by the DAO slashing fund because the cost of penalties and missed rewards is relatively small.
The DVT module will allow for 0.5% of the Lido stake, meaning 40,845 ETH. Should the Lido DAO increase the stake allowed in the DVT module, we would expect to re-quote a new policy for the higher stake amount.
Downtime for this entire cluster would mean 2.37 ETH in penalties and 3.8 ETH in missed rewards, per day. The provisions of 6,235 stETH would therefore allow for this DVT cluster to be offline for ~900 days before depleting. Clearly, this is easily sufficient…
Where the provisions are insufficient is in the case of an exploit or bug that leads to the loss of funds from the smart contracts, or slashing to the validators. DVT is brand new and so there are likely to be a host of unknown unknowns, which make this particularly risky.
With ~41k ETH potentially entering the DVT module it’s not feasible to get a policy that will protect this entire sum. Instead, we must focus on protecting as much as possible, while keeping the premiums at a level that the DAO can afford.
Nexus Mutual Coverage Proposal
Protecting 20% of the funds at risk in the DVT module, ~$13M, would protect against most of the day-to-day risks of operations.
Full terms of the policy will be shared should the DAO vote to pursue external coverage. We expect that this policy would include penalties and losses to slashing, with a minimal 2.5% deductible to prevent the submission of many small claims due to normal operations.
Per ETH deposited into the module, Nexus Mutual would charge 0.6% per year, offering up to 8,200 ETH of coverage and with coverage of up to 20% of the size of the module. Lido DAO would be free to select the coverage limit that’s right for them, in increments of 1 ETH, so long as that coverage total is less than 20% of the ETH in the DVT module. This structure will allow the policy to grow with the DVT module.
This policy is structured as an umbrella, rather than per validator, meaning that while this can be thought of as 20% per validator (6.4 ETH), it’s superior because it would allow for up to 32 ETH payout on any single validator with a policy-wide limit of 20% of the DVT module stake.
Examples:
DVT Module ETH | Max Coverage Option | Deductible | Max Claims Payout | Yearly Cost ETH |
---|---|---|---|---|
1,000 | 200 | 5 | 195 | 6 |
10,000 | 2,000 | 50 | 1,950 | 60 |
30,000 | 6,000 | 150 | 5,850 | 180 |
41,000 | 8,200 | 205 | 7,995 | 246 |
Even at its peak of 41,000 ETH, the 0.5% limit imposed on this DVT module via Lido, the yearly cost of 246 ETH means that the current 6,235 ETH provisions could pay for 22 years of premiums.
Given that this 6,235 stETH in provisions is in stETH, at 4% per year it will earn 249 ETH in expected returns. That alone would pay for all of the premiums under even the most extreme policy.
Compare this to the ChainProof policy, which covers 4 ETH per validator with a 25% deductible, meaning a maximum of 3 ETH payout per validator. The cost is 198 ETH, so the % cost is approximately:
198 ETH / (1281 validators * 3 ETH max payout per validator) = 5.15%
Our comparable policy looks like:
180 ETH / 5,850 ETH max payout = 3.08%
We are able to offer a deeper level of coverage, 5,850 ETH vs 3,843 ETH (3 ETH max payout per validator), at a lower cost of 180 ETH rather than 198 ETH. Should Lido DAO choose to opt for a larger policy, say 8,200 ETH, we’re able to offer this at the same 3.08% rate, only 246 ETH per year.
Smart Contract Coverage
The suggested policy above covers slashing and penalties. We would also be able to offer smart contract coverage for the module at 3% of the value covered. For example, if the DAO wanted to cover 10,000 ETH for one year against smart contract risk, the cost would be 300 ETH. This smart contract coverage is an optional choice outside of the primary slashing and penalties coverage policy quoted previously.