VEBO Improvements

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

🎯 TL;DR

It is proposed to modify the algorithm for exiting validators in the Validator Exit Bus Oracle (VEBO). From the staking modules' side, it is suggested to add the ability to signal VEBO about the need to exit validators from an operator regardless of the demand in the Withdrawal Queue (WQ). From the staking router's side, it is proposed to consider the module's share when prioritizing validators for exit.

It is assumed that the reader is familiar with the current design of VEBO:

🌟 Motivation

Boosted Exit Requests

The current VEBO design assumes that validators can only be requested to exit if there are existing user withdrawal requests. While the protocol has tools to prioritize validator exit requests from specific operators, it does not have tools that allow the protocol to request an operator to exit validators regardless of the demand in WQ.

Exit requests without taking into account user withdrawal requests is important for upcoming permisionless modules in order to signal VEBO about the need to exit validator when operator's bond decreases. It's also needed for offboarding of operators or reducing their share in the pool in a situation when there is insufficient user withdrawal requests.

This motivates to consider adding a special mode to the protocol to exit validators from the operator without taking into account the demand in WQ.

The current design of the staking router uses the targetShare parameter of each module when distributing stakes among them. However, this parameter is not considered in the algorithm for choosing which validators request to exit. This could lead to a situation where one of the modules reaches its target share, after which a large number of validators are exited from other modules, leading to an increase in the original module's share above the target share. Since a module's share can be chosen based on security considerations, it is proposed to consider a mechanism to take it into account not only during stake allocation, but also during validator requests to exit.

💅 Proposed Design

Boosted Exit Requests

The current VEBO design presupposes a request for validator exits only in the presence of user withdrawal requests in the WQ contract. Modules can signal VEBO about the priority of exiting validators from a particular node operator using the targetLimit mechanism.

It is proposed to allow modules to signal VEBO about the necessity of sending a request to exit validators at a specific operator without being tied to demand in WQ. For this, it is suggested to modify the current targetLimit instrument by adding an additional boosted exit mode, namely, the parameter bool isTargetLimitActive is proposed to be replaced with uint8 targetLimitMode taking one of the following values:

0 – Disabled
1 – Limited stake, smooth exit mode
2 – Limited stake, boosted exit mode

Let's consider the target limit modes in more detail:

Disabled. This mode implies no limitation. The operator is not restricted in receiving new stakes and does not have additional priorities when choosing validators for exit.

Smooth exit mode. The operator has a limit on the number of active validators. As long as the number of active validators of the operator does not exceed the targetLimit, the operator receives stakes under general conditions. If this value is reached, the operator stops receiving new stakes (should be implemented at the module level). If the number of active keys of the operator exceeds the targetLimit, then such an operator's validators are prioritized for exit in the amount of targeted validators to exit.

Boosted exit mode. Similar to smooth mode, but does not consider demand in WQ. The operator's validators in the amount of targeted validators to exit are prioritized for exit and requested without considering demand in WQ.

Adding a new mode does not affect the overall limit on validator exits per report. If it is necessary to accelerated exit a large number of validators, this will be done over several reports.

The proposed design suggests the following changes in the IStakingModule interface:

interface IStakingModule {
    function getNodeOperatorSummary(uint256 _nodeOperatorId) external view returns (
        uint8 targetLimitMode, // former isTargetLimitActive
        uint256 targetValidatorsCount,
        uint256 stuckValidatorsCount,
        uint256 refundedValidatorsCount,
        uint256 stuckPenaltyEndTimestamp,
        uint256 totalExitedValidators,
        uint256 totalDepositedValidators,
        uint256 depositableValidatorsCount
    );

    function updateTargetValidatorsLimits(
        uint256 _nodeOperatorId,
        uint8 _targetLimitMode, // former _isTargetLimitActive
        uint256 _targetLimit
    ) external;
}

The change in the updateTargetValidatorsLimits method does not break backward compatibility with the EasyTrack factory UpdateTargetValidatorLimits which is used to set limits in the Simple DVT module. Nonetheless, it is proposed to update it, supporting changes in the IStakingModule interface.

interface IUpdateTargetValidatorLimits {
    struct TargetValidatorsLimit {
        uint256 nodeOperatorId;
        uint8 targetLimitMode; // former isTargetLimitActive
        uint256 targetLimit;
    }
}

The change from bool isTargetLimitActive to uint8 targetLimitMode affects the response from the view method getNodeOperatorSummary, which may be used in external integrations and offchain tooling. Tests show that backward compatibility remains: https://github.com/lidofinance/sr-1.5-compatibility-tests. All modes other than disabled are interpreted by the decoder based on the old interface as the enabled targetLimit mode.

Changes to the off-chain part are described in the Exit Order section.

Target Share

When validators are exited from one module, its share decreases, while the shares of other modules increase. This can lead to a situation where a module's share significantly exceeds its target share.

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

The illustration shows the exit of validators from module A, leading to a redistribution of shares between modules: the share of module A decreases, while the share of module B increases.

The most direct and simplest solution could be to consider the target share when prioritizing validators for exit. However, this solution has a problem – the protocol's TVL has some volatility, and operators in different modules have varying costs for rejoining validators. These differences can be expressed in the node operator itself (solo staker or large company), in the automation of processes, technology features (vanilla validator or DVT), etc. TVL volatility, combined with varying rejoining costs, leads to the problem that the protocol may periodically rotate validators in modules with high rejoining costs – requesting exits and then making deposits after some time.

Given the described problem and the drawbacks of the direct solution, it is proposed to represent the target share of a module as a range of values: stakeShareLimit and priorityExitShareThreshold, where stakeShareLimit <= priorityExitShareThreshold.

The lower value stakeShareLimit represents the maximum share that can be allocated to a module when distributing stakes among modules. This parameter is nothing other than the current targetShare. Nevertheless, it is suggested to rename it, as its current name does not fully reflect its essence.

The higher value priorityExitShareThreshold represents the module's share threshold, upon crossing which, exits of validators from the module will be prioritized.

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

These two values allow the module to be in one of three states at any given time:

currentShare < stakeShareLimit. The proposed design makes no changes for this state. Everything remains as it is:

The staking router prioritizes stake allocation to modules in this state
Validators in a module with this state do not have any extra priority for exit

stakeShareLimit <= currentShare <= priorityExitShareThreshold. The proposed design makes no changes for this state. Everything remains as it is:

The staking router does not allocate stake to modules in this state
Validators in a module with this state do not have any extra priority for exit

Module exceeds priority exit threshold

priorityExitShareThreshold < currentShare. It is the state that is affected by the proposed changes.

The staking router does not allocate stake to modules in this state
Validators in a module with this state have an increased exit priority

The proposed design suggests the following changes in the Staking Router contract interface:

interface IStakingRouter {
    struct StakingModule {
        uint24 id;
        address stakingModuleAddress;
        uint16 stakingModuleFee;
        uint16 treasuryFee;
        uint16 stakeShareLimit; // rename targetShare parameter
        uint8 status;
        string name;
        uint64 lastDepositAt;
        uint256 lastDepositBlock;
        uint256 exitedValidatorsCount;
        uint16 priorityExitShareThreshold; // new parameter
    }
	
    event StakingModuleStakeShareLimitSet(uint256 indexed stakingModuleId, uint256 stakeShareLimit, address setBy);
    event StakingModulePriorityExitShareThresholdSet(uint256 indexed stakingModuleId, uint256 priorityExitShareThreshold, address setBy);
	
    function updateStakingModule(
        uint256 _stakingModuleId,
        uint256 _stakeShareLimit, // rename _targetShare argument
        uint256 _priorityExitShareThreshold, // new argument
        uint256 _stakingModuleFee,
        uint256 _treasuryFee
    ) external;

    function addStakingModule(
        string calldata _name,
        address _stakingModuleAddress,
        uint256 _stakeShareLimit, // rename _targetShare argument
        uint256 _priorityExitShareThreshold, // new argument
        uint256 _stakingModuleFee,
        uint256 _treasuryFee
    ) external;
}

Backward compatibility

The change to the StakingModule struct affects the response from some view methods, which may be used in external integrations and offchain tooling:

getStakingModule
getStakingModules
getStakingModuleDigests
getAllStakingModuleDigests

Tests show that backward compatibility remains for both offchain tools and possible onchain integrations: https://github.com/lidofinance/sr-1.5-compatibility-tests. The modified response is correctly decoded using standard Solidity tools and the ethers library. New bytes in the response are ignored.

Changes to the off-chain part are described in the Exit Order section.

Exit Order

It is proposed to implement two stages of selecting validators for exit:

Covering Demand in WQ
Boosted Exits

Stage 1. Covering Demand in WQ

This stage is from the current design of VEBO. To determine which validators to request for exit, the Offchain Oracle selects one entry from the sorted list of exitable Lido validators until the demand in WQ is covered by the exiting validators and future rewards, or until the limit per report is reached.

Validators are sorted by predicates in the following sequence:

Validator whose operator with the lowest number of delayed validators
Validator whose operator with the highest number of targeted validators to boosted exit
Validator whose operator with the highest number of targeted validators to smooth exit
Validator whose module with the highest deviation from the module share
Validator whose operator with the highest stake weight
Validator whose operator with the highest number of validators
Validator with the lowest index

The proposed changes affect predicates 2, 3 and 4 (italicized), the others remain unchanged. Let's examine the changing predicates in detail:

Boosted target limit predicate. If targetLimitMode is set to boosted exits, the result will be the number of targeted validators to exit; in other cases, the predicate returns 0. The higher the return value, the higher the priority of the validator to exit.

def predicate_boosted_target_limit():
    if operator.target_limit_mode == TARGET_LIMIT_MODE.BOOSTED_EXITS:
        return max(operator.predictable_validators_count - operator.target_limit, 0)
    return 0

Smooth target limit predicate. If targetLimitMode is set to smooth limit, the result will be the number of targeted validators to exit; in other cases, the predicate returns 0. The higher the return value, the higher the priority of the validator to exit.

def predicate_smooth_target_limit():
    if operator.target_limit_mode == TARGET_LIMIT_MODE.SMOOTH_EXITS:
        return max(operator.predictable_validators_count - operator.target_limit, 0)
    return 0

Module share predicate. The predicate prioritizes the exit of validators from modules where there are more validators than the exit threshold. The higher the number of predicted validators over the exit threshold assigned to a module, the more prioritized the validators in that module are for exit.

Predicted validators represent the number of active validators that will be in the module after all effects are applied: all requested validators are exited, deposits that were made recently turned into active validators.

def predicate_module_share():
    module_max_validators = total_validators * priority_exit_share_threshold

    if module_predicted_validators > module_max_validators:
        # the higher is the number of validators in the module over the exit threshold, the higher is the exit priority
        return module_max_validators - module_predicted_validators

    return 0

After each iteration of selecting a validator, the state of operators and validators mutates – validators previously sent for exit are marked, after which the array of validators is resorted. After the stage ends, the state is passed to the next stage – Boosted Exits, thus validators requested at an earlier stage are considered in the subsequent one.

The target limit predicate is now split into two: boosted and smooth
Validators of operators with targetLimitMode set to boosted exits have a higher priority for exit than operators with the mode set to smooth limit
The new module share predicate prioritizes exits from modules that have more validators than the exit threshold allows

Stage 2. Boosted Exits

The second stage presupposes the exit of validators requiring exit regardless of the demand in WQ. The state of operators and validators after the first step is filtered, leaving only validators of operators having targetLimitMode set to boosted exits.

Validators are sorted by the number of targeted validators to exit. After each iteration of selecting a validator, the state of operators and validators mutates – validators previously sent for exit are marked, after which the array of validators is resorted. The selection of validators continues as long as there are elements in the array or until the total number of exiting operators per report reach the limit.

There is only one sorting predicate on this stage:

Validator whose operator with the highest number of targeted validators to boosted exit
Validator with the lowest index

Let's consider various examples below. Coral color indicates validators requested due to the enabled boosted target limit of the operator, grey color indicates validators requested in general order.

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

In the example above, only the first stage of the algorithm works. Demand in WQ is partially covered by boosted exits and partially by other validators in general order. The second stage returns 0 validators to exit because all validators of operators in boosted exit status have already been requested by this time.

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

In the example above, both stages of the algorithm work. Demand in WQ is fully covered by boosted exits, after which the second stage of the algorithm continues to exit validators until the targeted validators to boosted exit equals 0.

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

In the example above, the operator with the boosted exits mode enabled has delayed validators. As a result, the protocol switched to exiting validators from other operators to cover the demand in WQ. After covering the demand, the second stage of the algorithm requested the next validators to exit from the operator with the boosted exits mode enabled.

The predicate uses the state from the previous stage to ensure that all previously requested validators are accounted for
The selection of validators occurs only from among targeted validators to boosted exit
If an operator with the boosted exits mode enabled delays the exit, the demand in WQ will be covered by other operators

🙈 Out of Scope

Exit Specific Validators

The current solution does not cover the scenario of requesting the exit of specific validators of an operator. Validators are requested in the sequence from the smaller index to the larger index, i.e. in the order in which they were deposited. However, there may be a situation in which it is necessary to request validators to be exited out of the order in which they were deposited, for example if the validator's private key has been lost or the DAO suspects that the validator's private key may have been compromised.

The exit of specific validators is addressed in another research and is covered by the Priority Exit Bus (PEB) functionality, which allows requesting validators to exit in priority order and without respect to demand in the WQ.

💖 Acknowledgements

The document is partially based on the works of Raman S and KRogLA:

dgusakov

2024/03/18 09:18:44

maxShare

How this will work in case of the multiple modules with 100% target share? Theoretically Lido can have several "unlimited" modules

KRogLA

2024/03/19 11:09:38

moreover, if we have 2 modules with a target share of 100%, in practice this means that the actual share of each does not exceed 50%

2024/03/19 11:22:35

moreover, we must have at least one module with targetShare=100% to avoid getting stuck )

George Avsetsin

2024/03/20 16:27:00

the wording on that part has changed a lot

2024/03/18 09:21:06

Validator whose operator with the highest stake weight

This part might get tricky for the permissionless modules. To avoid exiting NOs might create sybils. However, I don't think there is a way to overcome it

2024/03/19 07:31:59

In general this predicate is quite controversial in my opinion. I'd take it away completely.

2024/03/19 09:25:40

Same true for 6

Raman

2024/04/24 00:47:15

Is there any decision on this?

2024/03/18 09:21:55

Validator whose operator with the highest number of validators

5 and 6 are separate to account for the MEB changes, right?

2024/03/19 07:37:39

No, those are predicates from the old design. They don't change in the proposed design, although I'd really like to drop the 5 altogether 5) quite complex. it looks at all operators with >1% stake and counts the total age of validators of such operator. The motivation was to prioritize exits from those operators who had been at Lido the longest and therefore earned more rewards than the others 6) just sorting by the number of validators of the operator

2024/03/19 09:24:59

1% is not mentioned explicitly

2024/03/21 15:59:31

These predicates do not change, so they are not described. Details can be found at https://docs.lido.fi/guides/oracle-spec/validator-exit-bus.

isidorosp

2024/03/18 10:29:34

A bit confused by this. TargetShare essentially IS maxshare (we just named it badly).

2024/03/19 07:44:15

I agree that the naming isn't the best. I'll suggest an alternative

2024/03/19 09:33:47

It is not the same. This is the main idea. TargetShare is used during allocation, while max share is used during exits

2024/03/20 16:24:40

renamed to stakeShareLimit and priorityExitShareThreshold

2024/03/19 13:49:50

there are more validators than the max share, and de-prioritizes the exit of validators

as I mentioned above, de-priorirtization should work until maxShare reached, i.e. in case when a small module share exceeds targetShare (e.g. due to big exits amount in Curated module) but not exceed maxShare

2024/03/19 14:31:33

updateTargetValidatorsLimits

should we keep previous soft target limit value in the module?

Alexey Potapkin

2024/03/21 17:02:23

rebalancing the stake between operators or even modules, or for offboarding operators

It's operationally easier to do it from the NO side.

2024/03/25 08:57:49

I think it's worth having these handle onchain. We already have onchain leverages - halving rewards in case of stuck keys and skipping new stake allocation, and with 7002 it will be possible to completely not rely on the operator for validator exits. But snapshot voting is not enough for that, we need VEBO report to request keys explicitly

Guest Bell2024/03/31 21:30:05

the number of predicted validators over the exit threshold assigned to a module

Assuming "number of predicted validators over the exit treshold" is an absolute number that seems to lead to a situations, when e.g. module with 3% actual share with 1% treshold would be lower in priority over module with 53% vs 50%. While there are arguments for this soultion (e.g. absolute number of validators is a baseline to whole protocol, so priotizing module where there are more of them can be logical) it's also could be arguet, as, for example above, the module exceeding it's limit 3x times is lower in priority

Maxim Merkulov

2024/03/31 21:31:36

Sorry for anonymus comment, it's me :-)

2024/04/01 16:46:53

Covering Demand in WQ Boosted Exits

Shouldn't it be the reverse? i.e. if there's boosted exits then they should be used to cover demand in WQ, if additional demand remains then proceed with normal (smooth) exits.

2024/04/01 16:49:58

seems we kinda do this but it's a step of covering WQ demand. what's the purpose of having boosted exits in 2nd stage instead of first?

2024/04/01 17:14:06

Might be a bad name for stage two. I'll think of a better name. It's basically the exits regardless of the demand in WQ. And there are only boosted exits there now. But theoretically there could be some more. For example, exits for stake redistribution among modules. Boosted exits have high priority in both stages. In the first stage it is the second most important prioritized criteria, above only delayed. In the second stage it is the only criteria. This approach makes it possible to put the interests of users at the top of the priority list. In case boosted exits are not satisfied by an operator, we can move on to the next operator to cover demand in WQ asap. At the same time, we will continue to exit boosted validators as many as the report limit allows. This scenario is described in the last example of this section

2024/04/09 15:50:58

It’s also needed for offboarding of operators or reducing their share in the pool in a situation when there is insufficient user withdrawal requests.

Looks like "Offboarding is needed for offboarding". Maybe, "it gives a lever for DAO to offboard NO or reduce their share directly if DAO decides so"

2024/04/09 15:55:50

Motivation

Maybe, we need to describe Motivation starting from problems that we are solving, not from the features that solve these problems. And structure will be clearer though: Motivation - problems, Design - features.

2024/04/09 16:05:41

However, this solution has a problem – the protocol’s TVL has some volatility, and operators in different modules have varying costs for rejoining validators.

It's not clear how it is a problem, actually.

2024/04/11 08:16:53

prioritized

boosted?

2024/04/11 08:18:50

module with the highest deviation from the module share

deviation of what?

2024/04/24 00:43:51

Not module share, but priorityExitShareThreshold

VEBO Improvements

🎯 TL;DR

🌟 Motivation

Boosted Exit Requests

Target Share

💅 Proposed Design

Boosted Exit Requests

Target Share

Module has not reached share limit

Module has reached stake share limit

Module exceeds priority exit threshold

Exit Order

Stage 1. Covering Demand in WQ

Stage 2. Boosted Exits

🙈 Out of Scope

Exit Specific Validators

💖 Acknowledgements