Special thanks to Isidoros Passadis, Eugene Pshenichniy, kadmil, George Avsetsin and Max Merkulov for feedback and review.
“If I had an hour to solve a problem, I’d spend 55 minutes thinking about the problem and 5 minutes thinking about solutions.”
— Albert Einstein
This document provides an overview of the Community Staking Landscape, focusing on the use of DVT and permissionless entry with bond options. Among these options, permissionless entry with a bond is currently seen as the more practical choice for immediate implementation. The proposed Community Staking Module (CSM) is expected to achieve a strong market fit by offering competitive economics. This will be accomplished through minimal bond requirements, reasonable staking fees, MEV (Maximal Extractable Value) smoothing, and a user-friendly experience for community stakers. Specific module parameters, such as the bond size and staking fee share, will be determined later to ensure the best possible conditions at the time of launch. As of the time of writing, a combination of a 4 ETH bond and a 7.5% staking fee appears to be a promising option. The proposal is designed to significantly increase the total number of Node Operators in Lido on Ethereum and allow them to join the Lido validator set permissionlessly.
The term “community stakers” has been widely used by Lido DAO contributors to refer to independent individuals or groups running validators while being aligned with the Ethereum goals and values. This term includes solo-stakers.
Running your own node is considered by the Ethereum community as a critical aspect of Ethereum’s security. Being independent, geographically, and jurisdictionally diverse, community stakers (independent node and validator runners) form a solid base for the security and resilience of the Ethereum network.
Lido DAO is strongly aligned with Ethereum’s goals and values. This alignment is reflected in the Lido DAO: Purpose, Mission, and Vision. Namely, the Lido DAO Mission is: “Make staking simple, secure, and decentralized”. Unfortunately, at the moment of writing, there is no simple and obvious way for community stakers to participate in the Lido protocol as operators. This fact limits the decentralization potential of the protocol and has been frequently criticized and discussed in the community.
At its inception, Lido on Ethereum launched with a permissioned validator set, steadily expanding through open onboarding rounds [1], [2], [3], [4], [5]. This intentional design decision was made to support protocol safety and reliability at its early maturity stages, emphasizing launching a scalable solution.
Currently, a significant amount of ETH is staked with Lido. Yet, the Lido Node Operator set consists of 37 active participants. The proposed Community Staking module (CSM), as well as the Simple DVT Module, would substantially broaden the Lido Node Operator Set by enabling permissionless entry.
The Lido V2 release, in addition to adding withdrawals, also introduced a re-architecture of the protocol via the implementation of the staking router. The once permissioned validator set, with identical rules for all participants (Node Operators), could now be transformed into a diverse set of subsets according to a variety of staking modules, each with diversified participation, rewards, penalties, and stake distribution characteristics.
Besides the recent updates to the Lido protocol, Ethereum itself is also evolving. Several features crucial for scalable permissionless staking are on the way to being added. Namely, EIP-4788: Beacon block root in the EVM will allow reporting of consensus layer data to the execution layer to be consumed in a trust-minimized way, and EIP-7002: Execution layer triggerable exits will allow the protocol to exit malicious or rule-violating validators. Adding permissionless access to the Lido Validator Set becomes feasible with these updates. Which, in turn, furthers Lido DAO's mission and brings Ethereum closer to its goals.
One of the possible implementations of permissionless entry is through a new staking module allowing open entry with a bond. Combining the permissionless entry with the bond requirement has proven to be a great approach to validator set formation. While providing coverage for the possible issues or inappropriate actions from the Node Operators' side, it also makes Node Operators and stakers economically aligned.
Anyone will be able to participate in the permissionless module. Yet it is crucial to enfranchise community stakers participation. Being independent and aligned with Ethereum, community stakers play an essential role in the Ethereum ecosystem's decentralization, resilience, and security. According to the Rated’s research, only 6.5% of the Ethereum validators are operated by community stakers (solo-stakers in particular). Lido contributors believe that this number can be increased. The main goal of the proposal is to offer a feasible design that will allow community stakers to participate in the Lido protocol with lower entry barriers and more appealing conditions compared to vanilla solo-staking and market competitors while maintaining and improving the level of security and utility staking with Lido protocol provides.
We, the Lido DAO contributors, seek the community’s feedback to ensure that our proposal takes into account all essential considerations and identifies any potential improvements. We would greatly appreciate your input on the following four questions:
Your feedback is invaluable in creating an effective, efficient, and fair proposal for all stakeholders.
The fact that the Lido Validator set is permissioned makes it impossible for the community stakers to participate. Since community stakers participation is one of the top priorities of Ethereum, it is crucial to add a permissionless entry to the Lido on Ethereum Node Operator set and enfranchise solo-staker participation in the protocol to stay aligned with Ethereum. At the same time, it is vital to maintain Lido on Ethereum protocol security, reliability, and capital efficiency on a level equal to or above the existing ones.
Given the Staking Router architecture introduced in the Lido V2 upgrade, the problem statement can be narrowed down to:
Propose and implement a staking module that will add a permissionless entry to the Lido on Ethereum Node Operator set, enfranchise solo-staker participation in the protocol, and maintain Lido on Ethereum protocol security, reliability, and capital efficiency on a levels equal to or above the existing ones.
At the current state of Ethereum, several approaches and ways exist to add community staker’ participation to the Lido validator set while maintaining existing protocol security, reliability, and economic efficiency.
Lido curated module utilizes the operator's reputation as a primary security and alignment tool. Operators in the curated module put their reputation at stake to guarantee appropriate performance, lack of malicious actions, and alignment with the other stakeholders.
Reputation, in this case, consists not only of the validator's performance but also of the operator’s entity recognition in the community, proven experience, and contributions to the Ethereum ecosystem.
While validator performance can be reflected on-chain in trust-minimized ways using existing or proposed Ethereum features (see EIP-4788 for reporting CL state to EL smart contracts), the other aspects of reputation can not. This fact makes the reputation not a suitable tool for security and alignment in the permissionless staking module, given the current state of Ethereum. Yet, this fact might change with the introduction of the novel on-chain reputation tools. It is worth noting the latest research by Nethermind [1], [2] in the field of on-chain identity and reputation here.
As an alternative to reputation, a bond requirement can be used. Bonds are useful both as a form of economic incentive alignment, especially when reputation is not easily assessed (i.e., since operators would use the protocol permissionlessly), as well as coverage for the consequences of inappropriate or malicious actions by the operator.
As on-chain reputation systems evolve, a gradual transition from a pure bond-based model to a combined approach can be considered. One of the simple examples here is lowering bond requirements for the actors with proven reputations. Yet, this topic lies outside the scope of the document.
DVT (Distributed Validator Technology) is one of the best options for community stakers' participation in the Lido protocol and arguably the most appealing technology for Ethereum validation in the future.
Yet, the technology still needs to be battle-tested on the mainnet, and several improvements remain to be made (ex., full-featured DKG, trustless rewards distribution, on-chain cluster formation, etc.). Nevertheless, the first steps towards adding DVT support to the Lido validator set have already been made with several rounds of DVT testnet trials (Round 2, Round 3), which resulted in the Simple DVT staking router module proposal by Lido contributors.
Given the current state of DVT and the fact that development teams from Obol network and SSV network have indicated their interest in the implementation of the native support for their DVT solutions, it is worth considering other options for community staker participation in the Lido protocol to make it possible earlier, with less complexity, and with more opportunities to join.
It is proposed to consider a “Solo” option. This option will be similar to vanilla solo staking from the operator's perspective, with the main difference being that Lido provides part of the stake.
While considering possible implementation options, it is crucial to understand the state of the market and competitors' solutions.
Rocket Pool is, without a doubt, a leading provider of liquid staking with permissionless options for Node Operators. Being “radically permissionless”, Rocket Pool thrives to offer a good solution for liquid staking with a permissionless validator set by offering a “solo” entry option similar to the one described above. While being one of the most robust solutions for permissionless staking, there are several aspects of the protocol design that are discussed by the community, namely, additional RPL bond requirement (also read here), noticeable gas fees, on-chain interaction complexity, and amount of the capital required as a bond (at the moment of writing LEB16 and LEB8 minipools are available requiring 16 ETH + 1.6 ETH in RPL and 8 ETH + 2.4 ETH in RPL respectively). Nevertheless, the Rocket Pool team and community have done a great job of supporting independent Ethereum stakers.
StakeWise V3, currently live on testnet, offers a different approach for solo-staker participation. On the one hand, there is no minimal bond requirement, and a vault can be created with no stake provided by the Node Operator. On the other hand, if there is not enough stake in the vault to run a validator, the chances of getting it from the other stakers are relatively low, given no/low vault score in this case. It is worth noting the remarkable and unique architectural approach by StakeWise. Yet, the limitations above make it less appealing for solo-stakers than the other market offers.
Another notable player on the market is Stader. It offers a combination of Rocket Pool for permissionless entry and curated permissioned entry. The main difference with Rocket Pool is the lower bond requirement of 4 ETH + 0.4 ETH in SD token for the permissionless entry.
Besides the staking pools mentioned above, the staking solutions by DappNode, Avado, Ebunker, and others are also worth mentioning. These solutions do not provide user funds for stakers but significantly facilitate solo staking by offering ultimate hardware and software for validator management. Also, an MEV Smoothing pool was recently introduced by DappNode. Solo-stakers participating in this pool can smoothen their MEV and EL rewards with the other pool participants.
The competition for potential Node Operators (in the wide sense) between existing and upcoming staking protocols is rising. Any solution proposed for Lido on Ethereum adoption must be competitive to raise the number of community stakers in the protocol.
Ideas about the possibility for the community stakers to participate in the Lido protocol have been discussed for many years in the Lido and Ethereum communities. However, the first significant step towards community staking in Lido was made about a year ago with the publication of the Community Validation Manifesto. In conjunction with the Lido DAO: Purpose, Mission, and Vision, this document remains the most relevant indication of the Lido DAO goals, values, and principles that underpin the Lido Community Staking initiative, namely:
To narrow the initial goals from the Lido Community Staking Manifesto and form more practical applications, the following goals for CSM are proposed:
One of CSM's key advantages is friendly UX for community stakers. Reducing UX complexity is crucial for making solo staking more accessible. Hence, making interactions with CSM simple, gas-effective, and easy to understand is proposed.
On a high level, a typical Node Operator flow in CSM might look like this:
Also, optional steps can be considered:
CSM is proposed to be a full-fledged Staking Router module and thus would implement the IStakingModule interface.
There are two important features regarding staking reward distribution on the Staking Router level:
As the result of the first feature, all EL rewards and MEV extracted by Lido validators are smoothed across all stETH holders and Node Operators. The second feature results in the averaging of the rewards between different modules. These two features ensure that rewards allocated to the CSM module will be smooth and will benefit from the performance of the other staking modules in case it is higher. The opposite is true when CSM module performance (performance of the validators in CSM) exceeds the performance of the other staking modules.
MEV smoothing feature makes MEV part of staking rewards close to the average value even for short timeframes (~10 days), smoothing rewards that would traditionally be very volatile for solo stakers. In the case of solo-staking, the MEV part of staking rewards will likely (>50% probability) be closer to the median than the average value (with a 50% chance of being less than the median rewards) from the statistical point of view. Meaningful difference between average and median MEV values results in more consistent rewards for CSM validators than for the vanilla solo-staking or staking solutions that do not offer MEV smoothing.
A targetShare
parameter should be set for a new module when added to the Staking Router. This parameter determines the target percent of the total Lido protocol stake that should be allocated to the module by the Staking Router. It is proposed to set a targetShare
parameter to 1% upon initial module activation and gradually increase it to 10% based on Lido DAO decision and operational metrics (validator performance, number of operators, etc.) of the module after the launch. The maximal proposed targetShare
value of 10% is determined by two considerations: CSM impact on the Lido risk should be capped to maintain sufficient resilience for protocol users until more data is observed; Currently, 10% of the Lido stake is approximately equal to the total stake controlled by Rocket Pool.
The stake allocation algorithm in the Staking Router prioritizes stake distribution to the modules with available capacity and actual stake share below the targetShare. By the time of CSM activation, it will have no stake. Hence, it will receive a stake before other modules in case of available capacity (enough validator keys uploaded by Node Operators).
According to the Lido on Ethereum Validator Exits Policy, each staking module should support validator exits for withdrawal coverage. Currently, these requests are managed by VEBO. Since “bonded” validators are more appealing to the protocol from a security and economic alignment perspective, it is proposed to set the lowest exit request priority for CSM validators when fulfilling withdrawal requests.
To ensure the correct operation of CSM, several off-chain tools should be updated, namely, KAPI, Accounting Oracle, and Exit Bus Oracle (VEBO). Also, it is worth noting that a new key validation tool is required (see details in the sections below) and updates for the various monitoring tools like MEV-monitoring, E-V-M, etc.
“Everything is designed. Few things are designed well.”
— Brian Reed
To create a solid and reliable design of the bonding mechanism, the following principles are formulated:
To ensure economic alignment between stakers and Node Operators (principle 1) and that tokens provided as a bond by the Node Operator are acquiring rewards (principle 3), it is proposed to stake tokens provided as a bond.
To provide coverage for the cases when a bond provided for the individual validator is insufficient to cover losses (ex., huge MEV stealing), it is proposed to associate a bond with the Node Operator and not the individual validator. This will significantly reduce the chances of uncovered losses (i.e., penalties could be applied to the aggregate total of bonds provided by an operator vs just at the validator level).
In addition to the bond principles, it is important to consider ways to use a bond as a Sybil prevention mechanism. One of the possible approaches to achieve that is to reduce bond requirements for the Node Operators controlling more than one validator. This approach is usually referred to as “non-linear bonding”. According to the research by Lido DAO contributors, the gradual bond reduction could function as a mechanism to reduce the attractiveness of Sybilling and EL-stealing strategies.
Another important yet complicated consideration about the bond mechanism is a bond reduction for the Node Operators with a proven record of being a solo-staker. The complexity here lies in the fact that there are no unambiguous and precise methodologies to identify an operator as a solo-staker and ways to deliver this information on-chain in a trustless way. Although Rated has attempted to identify solo-stakers based on the on-chain data in their research, the approach used can not be reused without additional efforts for the latest on-chain data. With that being said, it is proposed to reconsider this option of the bond usage later and leave it out of the scope of this document.
To ensure coverage for the consequences of inappropriate or malicious actions by Node Operators, it is vital to understand the feasible case when bond confiscation can be applied. Node Operator actions might result in direct losses for the protocol (CL penalties) and missed profits (low performance and MEV stealing). Missed profits from low validator performance are relatively hard to define due to the lack of the constant reference value for the “optimal profits” since there are multiple factors outside Node Operators' control influencing CL performance (global internet connection outages, natural disasters, overall network effectiveness, “inactivity leak” state of the network, etc.). Hence, there is a limited set of things that are feasible to be accounted for and confiscated, namely:
While the first point is obvious, the second case will be discussed separately in the MEV stealing detection and penalties section.
Another meaningful thing about the bond is the involvement of the additional tokens or assets. The most notable example here is Rocket Pool. To create a LEB8 minipool, a Node Operator must provide an RPL bond equivalent to 2.4 ETH alongside the 8 ETH, making the total bond requirement equal 10.4 ETH. The requirement to provide additional tokens as a bond might not be desirable or acceptable for some users. It is proposed to use only ETH in staked form (stETH) as a bond for the CSM validators to make CSM participation more attractive for the Node Operators and keep straightforward logic of collateral and possible implications it's intended to cover existing in the same token.
Determination of the actual bond size and possible curves for “non-linear” bonding depends on multiple factors, including:
All these factors may significantly change over time. Hence, it is proposed to determine the actual bond size and curves for “non-linear” bonding closer to the module’s mainnet release (if approved by the Lido DAO).
However, some numbers can be provided now as a reference in the theoretical assumption that CSM can be released within the next few months with a target stake share of 1%, and EIP-7002 will be implemented not later than a year from the CSM release date. In this case, according to the latest risk assessment research by Lido DAO contributors, a 4 ETH bond is sufficient to cover all possible losses and most missed profits in the realistic scenario, and a 2 ETH bond is sufficient to cover all direct losses (CL penalties) in the same realistic scenario.
In addition to all the facts above, some generic considerations (aka “napkin math”) about bond size determination can be provided:
In the curated module, the stake is distributed using MinFirstAllocationStrategy, resulting in an even distribution between Node Operators. While this distribution strategy works great for the permissioned set, it is not so for the permissionless set with a bond. Since Node Operators have to lock bond funds to upload new validator keys, it is fairer if they would get stake in the same order they locked bond funds. While this issue is somewhat ameliorated by the fact that the bond will be staked (i.e., it is not entirely unproductive capital like in the cases of protocols where the bond is not staked), a different allocation strategy can be employed here. It is proposed to employ a FIFO (first in, first out) stake allocation queue approach for CSM.
Due to challenges introduced by the FIFO queue approach for validator seeding, the current key and deposit data validation mechanism (used for the Curated Operator Module) is insufficient. Thus, an improvement will need to be made to the key validation process and mechanism to allow for both allocation methodologies as well as of the checking of sufficient bonds in the case of modules where that is required (like CSM).
Given the permissionless nature of CSM, Node Operators should be able to exit validators and then claim the released bond permissionlessly. Without a doubt, the owner of the validator private key, the Node Operator in the CSM case, can sign and publish the exit message anytime to exit the validator from the Consensus Layer.
The release of the bond (partially or fully, depending on how many of their validators a Node Operator has exited) is more complicated. CSM needs to know the withdrawal balance of the validator(s) and whether any MEV stealing has been detected before releasing tokens in order to adjust the releasable balance. Given that EIP-4788 will most likely be included in the next Ethereum hardfork (Dencun), it is assumed that CSM will most likely be proposed for mainnet release after the EIP implementation on the Ethereum mainnet. With EIP-4788, beacon_root
will be available for usage in smart contracts on the Execution Layer. Hence, it will be possible to prove the validator withdrawal balance in a trustless and permissionless way. Once the withdrawal balance is reported to CSM, the excess bond is released and can be claimed by the Node Operator.
It is proposed to modulate staking rewards for the node operator based on their validators’ performance while allowing for reasonable performance leeway so that home stakers with small performance dips are not adversely affected. This is in contrast to the approach taken in the Curated Operator Module whereby Node Operators receive rewards based on the number of active (i.e., deposited but not exited) validators that they operate as a share of the total validators of the module. This differing mechanism is chiefly proposed to incentivize good performance in lieu of “free-riding”.
A good example of an attack that this mechanism would prevent is when the Node Operator creates a lot of validators and keeps them offline. In this case, no staking fees will be distributed to the Node Operator, and acquired penalties will be confiscated from the bond after the validator exits.
CSM will receive staking rewards allocated to the module by the Staking Router and accumulate until the CSM Performance Oracle report. Once the Performance Oracle report is settled, these accumulated rewards will be transferred to the accounting contract to make them available for claim.
It is proposed to use CL validator performance as a metric to distribute rewards since EL rewards values do not directly depend on the validator's duty performance. Hence, it is proposed to use successful block attestations as the performance metric. Each validator should perform exactly one attestation per epoch; attestation rewards are approximately 84.4% of all validator CL rewards in case of appropriate validator operation. These facts make successful attestations a generally reliable and straightforward indicator of the validator’s performance on the Consensus Layer.
As mentioned earlier, one of the main goals of CSM is to enfranchise community staker participation. Unlike professional operators, community stakers are more likely to be affected by external factors like the internet or power outages. This will inevitably lead to short-term performance inefficiencies. To account for this fact, it is proposed to introduce a performance threshold. All Node Operator’s validators with performance above this threshold will get socialized rewards (validatorReward = totalModuleRewards / wellPerfValidatorsCount
). In contrast, those performing below the threshold will not get rewards in the given Performance Oracle report; any surplus would also go to the validators within the threshold. It is proposed to conduct robust research in the near future to determine a reasonable performance threshold to make it appealing for stakers (stETH holders) and community stakers, all while supporting the optimal performance of CSM validators while still maintaining a robust validator set.
MEV stealing is complex to reason about, especially on-chain. Block builders use various block-building standards and approaches. Even though most of them directly set the correct feeRecipient
or use the approach where the proposer fee is transferred in the block’s last transaction, there is no single standard, and sometimes there are even mixed approaches employed within a payload. This fact has also been discussed in the new rewards system proposal from Rocket Pool, with the outcome that it is not feasible to account for all cases. On the other hand, Rated has recently announced MEV Oracle. This technology seems promising, yet not battle-tested. Hence, it is proposed to consider possible usage of it later and stick to the existing loose monitoring approach within CSM.
Currently, Node Operator conformance with policies regarding MEV and block proposer rewards is assessed via the MEV-monitoring tool (based on the design proposal).
A Lido DAO CSM committee can be formed to monitor for possible MEV stealing by CSM Node Operators. This committee will use this data to lock the bond part in case of MEV stealing detection initially. At the same time, actual penalty application should be the responsibility of on-chain governance. A dedicated EasyTrack motion type is proposed to settle the penalty application. It is crucial to separate bond locking and actual penalty application to allow Node Operators to appeal potentially incorrect MEV stealing penalties and to protect them from the possible inaccuracies by the Lido DAO CSM committee in the absence of the ability to detect MEV stealing in a full trustless way.
Since the proposed option with a dedicated committee might be considered sub-optimal, we seek community feedback and alternative proposals on the possible approaches to MEV stealing mitigation.
Once EIP-7002 brings smart contract triggerable exits to Ethereum, the Lido protocol will be able to trigger exits for validators in case of significant rule violations, lack of bond coverage after penalty application, or significant drop in a validator’s CL balance. Once the current validator CL balance is lower than the 32 ETH - threshold
and the validator is not slashed, one can confidently state that something is wrong with the validator. The validator’s key might be lost, or the validator stopped maintaining its duties for another reason. Hence, the validator should be ejected to avoid additional loss of funds. The same goes for when, after penalty application, the Node Operator’s bond is no longer sufficient to cover all active validators. In this case, “unbonded” validators should be ejected to maintain the economic security of the Lido on Ethereum protocol. Design and implementation details for EIP-7002 support in both Lido on Ethereum core protocol and CSM are to be figured out in the future.
Lido DAO contributors believe implementing a successful permissionless staking module is only possible with partnerships and collaboration with the Ethereum ecosystem projects and teams. The module itself and vital off-chain tooling (Performance Oracle, new Key Validation tool, etc.) are proposed to be developed by Lido DAO contributors. At the same time, many other tools and applications can be developed or enhanced to facilitate community stakers utilization of CSM.
One of the greatest ways to get more people to stake from home is tooling that helps to install, configure, and operate the various software necessary for a full validator setup. Many such tools already exist and help community stakers to operate as solo-stakers and with staking pools. Some of the more well-known examples are DappNode, Avado, Stereum, Sedge, eth-docker, and many others. Lido DAO contributors suggest that LEGO help support the continued improvement of some of these tools and explore direct integrations with the Lido protocol to enable operators to participate in CSM more easily.
To deeply integrate tools for validator maintenance with CSM, regular updates and support will be required. To support this maintenance and to establish alignment between Lido DAO and validator maintenance tools developers, it is proposed to introduce a referral program similar to the existing reward share program. While the exact program description will be proposed separately, the basic idea of the CSM referral program is to allocate part of the staking rewards to the referrals instead of DAO treasury for the validators operated using such tooling.
We seek proposals from the developers of the validator setup preparation and maintenance software as well as other software that can improve community stakers experience in the comments to the original forum post.
The proposed design of CSM (Community Staking Module) arises from the goals and constraints outlined. It is aimed to address the desire to introduce meaningful permissionless entry to the Lido validator set. In the case of Lido DAO and community approval, the approach outlined in the document can be used as a basis for the actual development of CSM as a part of the general Lido Community Staking initiative.
Imagining that Lido DAO may approve this proposal within Q4 2023, Lido DAO contributors estimate that the proposed module can be implemented and deployed to the Holesky testnet in Q3 2024, and, in case of no significant blockers or implementation issues proposed for the mainnet release in Q4 2024.
As mentioned, Lido contributors believe implementing a successful permissionless staking module is only possible with partnerships and collaboration with the Ethereum ecosystem projects and teams. Hence, feedback and partnership proposals are welcome.
Let’s build the best permissionless staking module together!
Community feedback about the proposed design and decision drivers is highly appreciated.