--- tags: governance, research, risks --- # Lido DAO Governance Risk FAQ Lido DAO governs the Lido liquid staking protocol. What does it mean and what Lido DAO can or can not do in the worst-case scenario? ## Lido DAO levers of control From on-chain PoV, Lido DAO can execute transactions on behalf of the Lido DAO Agent contract. This contract: 1. Can upgrade the upgradable parts of the protocol. 2. Holds DAO Treasury. 3. Has exclusive admin rights on most of the Lido DAO contracts, either through role model or by being admin/owner of the deployed smart contracts. What could be done with this power? Let's review the potential "threat vectors" for different actors. ## Stakers (stETH holders) #### What can governance do: Mint stETH: yes Burn stETH: yes Lock stETH: yes Change the staking fee: yes Forcefully transfer stETH: yes Withdraw ETH from beacon chain: maybe in the future, hard no at this point* \* withdrawals are not possible now; for quite some time will only be triggerable by node operators; this will likely change after a third Ethereum upgrade from now (1.5-2 more years) Lido DAO has the control over permissions of the Lido contract as it is (can take some actions without changing the code) and can upgrade the protocol & protocol components' implementations. Lido DAO can change **stETH balances** in any way, **burning** or **minting** tokens on arbitrary addresses — though any such change would require Lido DAO Aragon vote to pass, and **minting** to arbitrary address would require Lido contract implementation change first. What Lido DAO can't do is **withdraw** user funds. While the Lido DAO controls **stETH balances** — in the worst case of malicious vote performing malicious protocol upgrade — the **staked user-supplied ether** itself is outside of Lido DAO's reach until withdrawals are enabled. Once withdrawals are enabled, Lido DAO would upgrade the protocol to support withdrawals and would be looking to ossify the contract used as protocol withdrawals recipient as fast as possible. ## Ethereum Network #### What can governance do: Turn off validators: no Make a double-spend: no Make a reorg: no Suddenly change the validator set: no Slowly change the validator set: yes* \* at this time — only by adding new validators, which is contingent on getting the new stake Lido itself does not run any validators, all of them are run by well-established node operators. It's extremely unlikely they can be made to harm the Ethereum network, and Lido does not have the power to shift the stake to the less secure operators. After withdrawals are enabled, it will be possible to shift the stake between operators. ## Node Operators #### What can governance do: Whitelist an operator: yes Withdraw the stake from an operator: no Stop adding a new stake to an operator: yes Stop fee payments to an operator: yes Remove Lido stake from an operator on another chain: yes Coordinate operators into running a particular MEV software: maybe* Coordinate operators to harm the Ethereum blockchain: no* Lido DAO has no direct control over Node Operators' operation and the stake dedicated to them. The current situation of Lido with Node Operators is essentially a stand-off. Operators can hold the stake hostage (withdrawals currently can only be operator-initiated). That's why the only things we can change in the operator's behavior are consensual, well-discussed improvements. There's no realistic way to do anything that can be even remotely seen as an attack on Ethereum. ## Protocols integrating Lido staking assets #### What can governance do: Mint stETH on integration addresses: yes Burn stETH on integration addresses: yes Use Treasury funds against the integration: yes Tweak the integration params: no for most integrations Change the integration code: no for most integrations For the major integrations stETH currently has — Curve, Balancer, Maker, AAVE — Lido DAO **doesn't have control** over params or integration implementation, and any changes require integration protocol's governance decision. There is direct governance control over Anchor integration, but at this moment it's minor relative to the biggest stETH integrations. ## Way forward We want to have most of these lines filled with "no", and the rest gated behind timelocks, veto systems, and rate limiters so that any significant change would come telegraphed and could be acted upon with a comfortable deadline. ## Summary Lido DAO **controls the code** behind the Lido protocol stETH token. While the malicious vote can affect stETH balances & holders, Lido DAO doesn't have any direct control over the funds already in staking on the Beacon chain or Node Operators' operations.