Sushi RouteProcessor2 Post-Exploit Request For Comment

I’m very sorry to hear that Sushiswap became the victim of a hack. Thank you also for this proposal, which opens an important discussion in Lido DAO. In this post, I will address two separate things:

  1. How should Lido governance approach problems like this in general (metagovernance); and
  2. My thoughts on what a concrete policy, in this case, should be.

Metagovernance

I believe that DAOs, in general, and Lido DAO, in particular, can’t succeed while micromanaging the day-to-day choices of a protocol. Instead, they should be voting on very important and relatively infrequent decisions. In particular, on five things:

  1. a constitution (basically the operating manual for a DAO, or “protocol for the social layer”) that is decided once and hard to change afterward
  2. key personnel, time-bounded
  3. budget, time-bounded
  4. important policies, time-bounded
  5. important one-time decisions (e.g., token issuance, buybacks, M&A deals, etc.)

The decision at hand falls firmly into “important policies.” The difference between a policy and a one-time decision is that policies are guidelines or templates for how all decisions of a particular type should be decided in the future.

One could argue that it’s an “important one-time decision” (and Sushi will certainly try to do that). But I will argue in the rest of the post that this decision will have a big impact on the future decisions that Lido has to make, which calls for creating a policy instead.

So if we assume that Lido token holders should discuss and vote on policies that the Lido protocol and Lido DAO service providers will execute, what would a good policy be in this case?

Should third parties be allowed to seek arbitration from Lido DAO?

First of all, I want to repeat that we are dealing with a very important decision here. Whatever Lido DAO governors decide will not primarily affect the case of Sushi. Instead, it will create a precedent that will henceforth act as a policy, whether we want it or not. Hence we have to be deliberate about the fact that we are creating a policy here and treat it with the necessary weight.

Of the funds in question, 5% was sent to Lido DAO, 5% to node operators, and 90% automatically deposited to stakers. We are hence not predominantly talking about whether Lido DAO should return any funds but whether Lido DAO should seek to arbitrate a dispute between Sushiswap and node operators and stakers.

My concrete policy proposal is for Lido never to act as such an arbitrator between stakers and node operators and third parties. Three main arguments speak in favor of that:

1 – An MEV arbitration policy opens a significant attack surface on Lido.

The first argument is that arbitrating Sushi’s MEV transaction is no different than arbitrating any MEV transaction where another party lost money. If Lido DAO were to arbitrate any money lost by Sushiswap, that would create the expectation (and policy) that anyone can get their MEV arbitrated by Lido.

Whether it’s a Uniswap trader that got sandwiched, an NFT aficionado who lost the opportunity to mint because of bots sniping a launch, or a liquidity provider who lost money to arbitrage – everyone can come to Lido and claim that whatever happened to them was illegitimate and hence Lido should refund them.

It should be clear that such a policy would A) be a big drain on Lido governance, B) put Lido at a competitive disadvantage to all other stakers and staking pools with no such policy, and C) make Lido the arbiter of which transactions are allowed to be included in Ethereum and which are not.

2 – Lido is neutral middleware.

Lido aspires to be a neutral middleware on top of Ethereum. This type of neutrality is extremely important for us to minimize our ability to harm stakers and the Ethereum community and scale to a much bigger size than we otherwise could. Becoming a neutral middleware requires us to ossify Lido’s technical and governance layers as soon as possible and be unopinionated about as many things as possible.

As we saw in the first argument, it becomes very hard to draw the line when third parties can seek recourse on individual transactions from Lido. Doing this effectively requires Lido DAO to become an arbitration and censorship layer on top of the Lido protocol and, therefore, on top of Ethereum. This starkly violates Lido’s goal of neutrality: in the same way that Ethereum does not freeze anyone’s accounts, Lido DAO should not decide which transactions are legitimate for the Ethereum node operators who use Lido to include.

3 – Lido should minimize the role of governance.

Finally, there is the question of how much governance we should seek to allow in Lido DAO. This is a valid question since governance brings flexibility, and ossification brings inflexibility.

One of the core tenets of having an ossified governance layer is to have no more rules than are necessary. So when we are faced with the choice between A) adopting a policy of doing something and B) adopting a policy of doing nothing, we should always favor the latter today. That is because when it becomes time to ossify our governance layer, ossifying a policy that does nothing is much easier than ossifying a policy that does something.

Conclusion

In this post, I argued that Lido DAO should be governed through delegation and high-level policy, not individual decisions. In the case of Sushiswap, we are dealing with such a policy decision, one that has wide effects on the neutrality and governance ossification of Lido in general. I recommend that Lido adopt the policy of not arbitrating between third parties and Lido stakers and node operators, for the reasons laid out above.