Hi Lido team, I’d like to note that Sushi is in a hostile state with Jared Grey locking the extremely fair proposal (Remove Jared Grey as Head Chef - Proposals - Sushi Swap) to have him removed. That silencing is just the tip of the iceberg. There is a lot more and this “exploit” is looking very suspicious as days go on. I’d suggest not returning funds until he has been removed since no one is able to guarantee the recovered amount will make it back to users. Thanks for your consideration.
On surface level proposal makes sense, however, if passed, it might set a dangerous precedent as there is no framework to govern this activity, yet, we all know, that cases like this are plentiful. Without a proper research ramifications to the protocol are simply unknowable. I see several possible risks here:
- Without a clear framework Lido DAO can be heavily throttled by inflow of hack reimbursement proposals.
- In case of reimbursement DAO needs to be an arbitrary judge of what is legal/illegals activity for other protocols which is way beyond it’s usual capacity and might bring an unpredictable legal risks.
- What about other MEV manipulations and their status?
I believe that any residual dust or fragments of stolen assets should still be considered as stolen property and must be returned to the appropriate entity responsible for hack/debt resolution.
I’m very sorry to hear that Sushiswap became victim of a hack. Thank you also for this proposal, which opens an important discussion in Lido DAO. In this post, I will address two separate things:
- How should Lido governance approach problems like this in general (meta governance); and
- My thoughts on what a concrete policy, in this case, should be.
I believe that DAOs, in general, and Lido DAO, in particular, can’t succeed while micromanaging the day-to-day choices of a protocol. Instead, they should be voting on very important and relatively infrequent decisions. In particular, on five things:
- a constitution (basically the operating manual for a DAO, or “protocol for the social layer”) that is decided once and hard to change afterward
- key personnel, time-bounded
- budget, time-bounded
- important policies, time-bounded
- important one-time decisions (e.g., token issuance, buybacks, M&A deals, etc.)
The decision at hand falls firmly into “important policies.” The difference between a policy and a one-time decision is that policies are guidelines or templates for how all decisions of a particular type should be decided in the future.
One could argue that it’s an “important one-time decision” (and Sushi will certainly try to do that). But I will argue in the rest of the post that this decision will have a big impact on the future decisions that Lido has to make, which calls for creating a policy instead.
So if we assume that Lido token holders should discuss and vote on policies that the Lido protocol and Lido DAO service providers will execute, what would a good policy be in this case?
First of all, I want to repeat that we are dealing with a very important decision here. Whatever Lido DAO governors decide will not affect the case of Sushi primarily. Instead, it will create a precedent that will henceforth act as a policy, whether we want it or not. Hence we gotta be deliberate that we are creating a policy here and treat it with the necessary weight.
Of the funds in question, 5% was sent to Lido DAO, 5% to node operators, and 90% automatically deposited to stakers. We are hence not predominantly talking about whether Lido DAO should return any funds but whether Lido DAO should seek to arbitrate a dispute between Sushiswap and node operators and stakers.
My concrete policy proposal is for Lido never to act as such an arbitrator between stakers and node operators and third parties. Three main arguments speak in favor of that:
The first argument is that arbitrating Sushi’s MEV transaction is no different than arbitrating any MEV transaction where another party lost money. If Lido DAO were to arbitrate any money lost by Sushiswap, that would create the expectation (and policy) that anyone can get their MEV arbitrated by Lido.
Whether it’s a Uniswap trader that got sandwiched, an NFT aficionado who lost the opportunity to mint because of bots sniping a launch, or a liquidity provider who lost money to arbitrage – everyone can come to Lido and claim that whatever happened to them was illegitimate and hence Lido should refund them.
It should be clear that such a policy represents A) a big drain on Lido governance and B) would put Lido at a competitive disadvantage to all other stakers and staking pools with no such policy, and C) make Lido the arbiter of what transactions are allowed to be included in Ethereum or not.
Lido aspires to be a neutral middleware on top of Ethereum. This type of neutrality is extremely important for us to minimize our ability to harm stakers and the Ethereum community and scale to a much bigger size than we otherwise could. Becoming a neutral middleware requires us to ossify Lido’s technical and governance layers as soon as possible and be unopinionated about as many things as possible.
As we saw in the first argument, it becomes very hard to draw the line when third parties could seek recourse on individual transactions from Lido. Doing this effectively requires Lido DAO to become an arbitration and censorship layer on top of the Lido protocol and, therefore, on top of Ethereum. This starkly violates Lido’s goal of neutrality – in the same way that Ethereum does not freeze the accounts of anyone, Lido DAO should not decide what transactions are legitimate or not for Ethereum node operators who use Lido to include.
Finally, there is the question of how much governance we should seek to allow in Lido DAO. This is a valid question since governance brings flexibility, and ossification brings inflexibility.
One of the core tenets of having an ossified governance layer is to have no more rules than are necessary. So when we are faced with the choice to A) adopt a policy of doing something and B) adopt a policy of doing nothing, we should always favor the latter today. That is because when it becomes time to ossify our governance layer, ossifying a policy that does nothing is much easier than the policy that does something.
In this post, I argued that Lido DAO should be governed through delegation and high level policy, not individual decisions. In the case of Sushiswap, we are dealing with such a policy decision that has wide effects on the neutrality and governance ossification of Lido in general. I recommend for Lido to adopt the policy of not arbitrating between third parties and Lido stakers and node operators for the reasons laid out above.
Appriciate your thoughts being shared here, it’s a utopian view though and ignores real-world concequences of not taking action…
There is not only an ethical responsibility to return stolen funds to users, but to protect the many contriburtors of Lido, stakers, etc… handling stolen funds affects every one of them.
I agree with Hasu’s general statements:
- Lido governance should approach this and other questions by setting a constitution, and in this case “important policies” which can be followed consistently
- In this specific case a concrete policy must be set going forward which covers the handling of MEV collected from exploits
- We must make sure that this policy does not open Lido to having every case of MEV (whether from known exploit or not) disputed, which would create an admin burden that Lido DAO is not equipped to deal with, and an expectation that any MEV is potentially recoverable
The specific policy:
However I disagree with the actually proposed policy (i.e. that Lido should never act as an arbitrator and should just put its hands up and say “not our problem” when clearly hacked or stolen funds pass to the DAO / node operators or stakers).
A goal of neutrality for Lido is honourable, but using the excuse of neutrality to avoid difficult problems is not.
A policy taking a more nuanced approach will be less simple, but can still be crafted to avoid unnecessary burden on the DAO and remain clear. An example would be:
- Exploits must be known and clearly defined and then reported via a specifically designed channel (i.e. a thread set up in the forum)
- Lido treasury, operators, and stakers must be able to be shown to have received more than 50 ETH from MEV related to this exploit (to filter out smaller requests)
- Lido will then arbitrate to recover funds, and all its operators (accepting its constitution) will opt into agree to do this also
A final point is that it is worth considering the overall direction of travel for the MEV ecosystem and competition for LSDs. With staking withdrawals now open, the liquidity moat that stETH has may shrink in the future. This will make competition over other factors more important than it has been in the past, and mean that competitors with smaller market share are less disadvantaged in DeFi than they have been up to this point.
We know that there is for example competition in the MEV space for more MEV to be returned to users and distributed in ways that are more aligned with ecosystem. Examples are mevblocker . io compared with i.e. Flashbots.
If Lido takes a policy of neutrality and refuses to ever return funds collected as MEV from major hacks, then I would expect some other liquid staking providers may use this as a differentiator to gain market share, signalling that they are more aligned with the DeFi users, projects and ecosystems.
Teams such as Sushi, and other DeFi projects, may feel align themselves with LSDs that have policies to help return stolen funds, instead of with Lido which does not. However this is clearly speculative at this point…
Thanks for you post, an most importantly disaggreeing here.
Putting it simply, illegitamite funds were received which enriched Lido. Lido didn’t ask for this, and we’re sorry for our mistakes which put you in this position, but ignoring it is doesn’t seem wise. We don’t want to get dragged into politics of utopian goverence, we want to make users are made whole.
How does adopting a constitution not violate your 3rd preamble?
The payout isnt MEV, its proceeds of a hack. I think your counter arguments are fairly week to be honest. The counter point should be more so related to how fee payments are treated ex post facto. Also the claimant themselves should come and make their case, not a 3rd party whom may or w be speaking on their behalf.
Node Operators may have less legal shield than stakers. A John Doe warrant served to the DAO against node operators would be more successful than against stakers per se.
How does adopting a constitution not violate your 3rd preamble?
Glad that you ask! Basically, constitution is to the social layer what an immutable smart contract is to the protocol layer. It establishes a set of guidelines and rules between different actors in the system, to the degree that they happen outside of what can be enshrined with smart contracts.
Personally, I think the idea of stolen property that is “traceable”, “identifiable”, & “attributable” but “not recoverable” is a significant risk to long term viability.
Likely this comes with huge legal headaches, practical headaches (validators or addresses getting co-labeled as recipients of stolen funds) + regulatory exposure & headaches. Really this does boil down to participants in the protocol (including the treasury) being compensated with stolen funds. I don’t believe now is the time to open this Pandora’s box.
I am hoping this matter can pave the way toward thinking about how protocols can solve these challenges before the trial by fire. My sense is the “ can’t do anything about it” is not the correct path.
Would you say the same about Ethereum?
Yes, great example. That’s why there’s Eth & Classic. They didn’t open Pandora’s box prematurely.
I agree with most of your longer post above but this post seems to raise a contradiction.
Wouldn’t you say that Ethereum has both technically and socially ossified such that similar requests/expectations don’t exist? One could argue that until Lido “can’t do anything about it” Lido should do something about it (which is why Lido must ossify.)
Another question that should be asked if a reimbursement plan is pursued: In the process of reimbursing Sushi victims, is it possible to only take from stakeholders exactly as much as they were unduly rewarded or is it inevitable that any solution will create another set of undeserving victims. (It is always easy to take small amounts from many people over long periods of time to remedy victims with more acute pain but that is called insurance and a premium must be paid.)
Danny Ryan’s recent thoughts on the matter are insightful here:
Or maybe it isn’t that the protocol can truly ossify but that instead the best we can do is always be-in-dialogue-with ossification. If the ethos is to attempt to ossify or to be in a much more ossified state rather than to always expect, desire, or need change, then the dialogue of ossification will bias towards change-skepticism. Enough skepticism here might be sufficient to protect the protocol even as the protocol (slowly) evolves.
As I reflect this year, I begin to believe that this dialogue with ossification is not only the best we can do but in a world in which we cannot predict tomorrow, ensures that Ethereum does not reach a local maximum that is insufficient for what is to come. But I also believe that the ossificationers – those that bias toward slowing down, that bias towards only changing certain components if absolutely necessary, that fear ever mounting complexity and the impact of change on the layers above – are too small a cohort in both the core L1 process and the greater community today. This camp and ethos is not yet strong enough to be the requisite immune system of the protocol.
By any measure, Ethereum is still very far away from technical ossification. The recent discussions on social slashing show it is quite far from ossifying socially too (fwiw, I think the distinction we between the two is largely overrated).
Apart from the large differences in number of people affected and the magnitude of the funds at risk, I think an important part of what made this socially acceptable is that we were able to run both possible futures by forking, and give community members the freedom to decide which future they would like to belong and contribute to. Lido DAO does not have that superpower.
Note that Vitalik has expressed mixed feelings on this too. Here are some of his reflections from an interview with Naval:
Least proud moment? Definitely the handling of the DAO fork situation. A lot of people did feel betrayed as a result of the DAO fork. A lot of people did feel like their expectations got violated. And a lot of people felt like their opinion was disrespected, especially people who opposed the fork.
A lot of them did feel like there was this social environment where if you oppose the fork, then you’re evil because you’re pro hackers stealing millions of dollars.
That environment ended up turning a lot of people off, and there was a lot more that we could have done to not create that environment and still make people feel welcome despite the disagreement.
As the discussion has multiple possible directions outlined, seems like a good next step would be to summarise main options for the DAO Snapshot vote.
The summary would be sent as a comment to this thread on Fri, 21st, will be up for feedback and go to the snapshot (with feedback incorporated) by Thu, 27th.
With all due respect, avoiding difficult problems is not what we’re about, nor what Hasu is getting at. Quite the opposite in fact. The path he’s suggesting is a much longer and gruelling one. One that does not buy us any friends in the short term.
Nor is neutrality simply an honourable goal. It is essential to a world in which agreements can be enforced without violence, the pursuit of which is a core part of Lido’s purpose.
For me, this is about staying true to the DAO’s core ethos and guiding principles, which is arguably the much harder thing to do in the face of public pressure to compromise on them.
The guiding principle that is perhaps most relevant to this request is the following:
Self-regulate through technology and incentives, not laws and promises.
Even if it is by far the more gruelling path, I believe that Lido DAO should favor self-regulating through cryptography and incentives (market-forces), rather than laws and promises.
To paraphrase Nikolai Mushegian, we should respect incentives as natural law. For in a system that is open for the whole world to interact with, incentives are not just a suggestion; they are more akin to physical laws, like gravity or entropy. If there is even one part of the system that is not incentive-compatible, it is only a matter of time until it is exploited. In this sense, fixes that don’t serve to align the relevant incentives that led to the issue in the first place are a strategic error.
With respect to your speculative claims:
If Lido takes a policy of neutrality… I would expect some other liquid staking providers may use this as a differentiator to gain market share
My perspective here is that credibly neutral protocols are so incredibly difficult to get right that those that do make it will always have a competitive advantage vs the rest, and so will always be in demand. This is especially true in this current geopolitical climate, where increasing political polarization and instrumentalization of the rule of law has resulted in a scarcity of neutrality across all countries and the systems they depend on.
In Nikolai’s words again:
Credible neutrality is a competitive advantage. Even if it takes longer to scale, a sound and credibly neutral system will ultimately win out… Teams that try fiddling with incentives and see short-term results fail to realize just how much capital is waiting on the sidelines, unwilling to commit to a mechanism where the developers still have so much control.
Hi everyone! I’m María, from PeaceKeepers a web3 dispute resolution project.
We started PeaceKeepers because the need for native dispute resolution systems between DAOs was forseeable.
As a developer working on future resolution systems PeaceKeepers has interest in this conversation, and many that have come before this one, and many more to follow. Along our journey we have collected some level of experience and observations.
Clearly everyone wants to help. The gap is differing interests. Some of the suggestions turn around the exploit treated on an ad-hoc basis versus how to treat any problem withing existing precendents, or by setting a new generalized precedent that could apply universally.
The contrasting ideas could be described as as “strictly speaking, the ETH from a hack ended up in deposit contract and to claw it back would require an Ethereum hardfork” on the one hand, versus “if in the course of an incident like this the MEV tokens ended up in my own pocket, I’d send it back out of goodwill becasue sending back is a good thing to do - I think that this same logic should apply to Lido treasury” on the other hand.
I do agree, based on our work, with the importance the role of neutrality plays within the ecosystem.
PeaceKeepers is a not-for-profit and relies on grants and donations to develop and support its intiatives that help address unsolved issues across web3. Donations always welcome.
The rough consensus so far looks like the proposal requires not singular decision, but setting up a policy regarding similar cases. Options voiced out so far are:
- More research on potential policy is required (Sushi RouteProcessor2 Post-Exploit Request For Comment - #5 by Misha_Statemind)
- Any funds received due to the hack are stolen property and have to be returned (Sushi RouteProcessor2 Post-Exploit Request For Comment - #6 by k06a)
- Lido DAO shouldn’t act as an arbitrator between stakers, Node Operators and third parties (Sushi RouteProcessor2 Post-Exploit Request For Comment - #7 by Hasu)
- There’s a set of criteria designating “major hack” where the refund should be administered (Sushi RouteProcessor2 Post-Exploit Request For Comment - #9 by will_harborne)
Any feedback and other options voiced out by EOD Wed 26th would be incorporated so the signalling snapshot vote could be set up. Please, share yours!
Untangling the original post, it’s clear there are two, largely orthogonal, decisions at hand:
A decision on an outflow of ≈
40 ETHfrom the Lido DAO treasury to help Sushi (this is the amount which came into the treasury as a result of the exploit).
A wider policy decision on whether or not the DAO should ever act as an arbiter between stakers, node operators, and third parties – and if so, how, and under what conditions.
The discussion so far has revolved almost entirely around the second decision – yet this has not been made clear within the discussion itself.
To minimize the risk of decisions, on both fronts, being made for the wrong reasons, it makes sense to move these two decisions into separate threads where they can be discussed individually.
I’ve created a child thread for the first decision here. Snapshot date will be this Thursday (May 4th). Please chime in with your thoughts, but try to keep it focused on the decision at hand.
As for the second decision, which @kadmil has touched on above, we’re starting work on a Swiss Booklet style document which summarizes the debate so far and presents the full spectrum of options and their respective tradeoffs as clearly as possible (see here for a prior example). Realistically, doing this well will take a couple of weeks, so expect this to be posted for further discussion on the week of May 15th (we will cross-link it here).