The risk of operators having complete control over exits is seemingly the largest single risk that Lido faces with the upcoming introduction of withdrawals. It’s easy to see how a single bad actor, perhaps maliciously or because they feel backed into a corner financially, can cause contagion. I won’t go into detail here, purposefully.
The best solution here is one that minimizes the reliance of Lido on operators. There’s been some talk about an EIP which would allow for withdrawals and exits only using withdrawal credentials, but that was pushed back on. It seems quite unlikely that this ends up being the solution, at least within the year.
Instead, (temporary) alternatives which try and solve the core problem of the Lido design not aligning with the Ethereum spec on withdrawals, should be embraced.
There’s very little time left until they are enabled and a solution is needed ASAP to ensure that Lido isn’t frozen in the case of operators poorly managing exits. All it takes is some operator incompetence for this to become ugly.