Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Triggerable Withdrawals

EIP-7002 fixes the principal-agent problem in delegated staking—where stakers must trust validator node operators to pre-sign exit messages, or honor future exit requests—by introducing a new voluntary exit operation that can be triggered with a validator’s withdrawal credential. This empowers stakers to withdraw staked ETH without relying on the entity holding the validator’s signing key (i.e., the staking service in a delegated staking setup) to process withdrawals.

Table of Content

Triggerable Withdrawals
- Table of Content
General
🧰 Technical part
Useful links

General

Motivation

There are four main reasons Lido protocol should support Triggerable Withdrawals (TW):

Minimize trusted entities (Node Operators voluntary validator exits);
Unlock "truly" permissionless Staking Modules. A malicious node operator can't take the ETH hostage;
Fallback safety option for all node operator that lost their validator's secret key;
Unlock DualGov by allowing stETH holders to withdraw their funds permissionlessly;

Abstractly about eip-7002 and eip-7685

EIP-7685 describes general framework for storing contract-triggered requests. When developing a Withdrawal Credentials contract, it is important to consider that other types of requests may appear in the future (like consolidation in EIP-7251).

EIP-7002 key feature is the introduction of a stateful validator exit precompile that maintains a queue of validator exit messages originating from the execution layer.

Exit messages are regular Ethereum transactions with the validator precompile address as the target and indicate intent to exit a validator (identified by its public key). A validator exit message is valid if (a) it is signed by the Ethereum address referenced in the validator’s execution-layer (0x01) withdrawal credential (b) the validator to be exited is active on the Beacon Chain. These checks are executed by the consensus layer after the exit message makes its way to the Beacon Chain; the validator exit precompile only confirms if an exit transaction pays enough fee at the time the exit precompile is called by a withdrawal credential address.

Lido specific requirements

⚖ DualGov

Dual Governance allows stETH holders, in the worst case, to delay any proposed changes to the Lido protocol until they have fully exited (withdrawn their ETH from the protocol). Currently, the withdrawal process depends on the AO report (finalizing withdrawal requests), VEBO (requesting to exit a sufficient number of validators), and NOs (sending the exit message). By making the triggerable flow permissionless, we can eliminate the influence of VEBO and NOs, making withdrawals more secure and trustless.

Summary

Reduce trust assumptions on Oracles and NOs;
The protocol should allow Dual Governance to generate exit events in VEBO, enabling permissionless ejection from the EL side;

DualGov overview.

🌍 CSM (and other permissionless Staking Modules)

CSM is a permissionless module that compensates for reduced trust assumptions in delegated staking via bonds. There are several cases when CSM might require usage of the EL triggerable exits:

To trigger exits for validators that were requested to exit by VEBO but were not exited in time;
To trigger exits for validators demonstrating unacceptable performance for a long period of time;
To allow CSM Node Operators to trigger exits for their own validators in a case when validators' private keys were lost;

Summary

The protocol should allow CSM to request exits for any validator in the staking module;
The protocol should manage exit triggering for validators that were not exited voluntarily after the request.
The protocol component responsible for exit triggering should inform CSM about triggered exits.

CSM V2 EIP-7002 expectations

👔 DAO Gov

Lido governance should be able to do anything, unless it doesn't break DualGov assumptions.

Summury

The protocol should allow the Lido DAO Governance to eject any validators from the protocol, considering rational limits;

🧰 Technical part

To understand the following section, it is recommended to familiarize yourself with the operation of VEBO Oracles, particularly the process of submitting and unpacking hashes (Oracle phases).

Globally, the scope of changes will be as follows:

New trusted entities will be able to submit reports to VEB and thereby emit exit events.
Reports from these entities will be processed within the VEBO Oracle frame and will be limited by current sanity checks. Oracles reporting at the end of the frame will only be able to use the remaining frame's exit quota (exit limits).
TW in the protocol will allow anyone to provide proof of a validator's exit request and trigger the exit through the EL using the TW precompiled contract.
Anyone can prepare proof and deliver validator's state from CL to the VEB to notify Staking Modules about exit status.
The Accounting Oracle will no longer be responsible for reporting stuck keys (Accounting extra data details). This responsibility will now be handled by a dedicated bot that uses permissionless methods in VEB to deliver proofs that the validator was delinquent.
Update Staking Module interface and implement bonds in Curated Modules to correctly TW actions.

Affected protocol parts

The following parts will be affected:

Onchain
Off-chain
- Oracles
- Ejector
- (New) Trigger Withdrawals tool
- (New) Delayed keys report tool
Specs
- Penalties spec

New concepts

VEB - Validator Exit Bus Contract. Contains the following logic:

Submitting and storing report hashes;
Emitting validator exit events;
Triggering validator exits on the EL through the WC contract;
Reporting delinquent keys;

VEBO - Validator Exit Bus Oracle Contract. Contains next logic:

Storing frame's report hash.
Contains Oracles specific submit and unpack report hashes.

Delinqued key/validator - a key/validator that was unable to exit on time. Delinquent keys do not lose their status even if they are eventually exited afterward.

VEB specification

Emiting exit events

Events emiting in VEBO takes two steps:

First phase - Submit Report Hash
Trusted entities build a report, calculate the report hash, and send it (e.g., Lido Oracles, Dual Governance, Governance, Staking Modules). Report hashes are saved to the VEB.
Second phase - Deliver Report Data
Submit report data and emit exit events, taking exit limits into account.

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

First Phase - Submit report hash

The first phase involves submitting and saving the hash in the contract.

Lido Oracles

The first phase of the Oracle process won't change. Oracles deliver report hashes to the Hash Consensus contract. When a quorum is reached, the report hash is delivered to VEBO via submitReport method. The report hash from Oracles can only be used to emit events by the Oracles themselves.


function submitReport(uint256 slot, bytes32 report, uint256 consensusVersion) external;

Trusted entities

Trusted entities submit a report hash to the VEB contract via the submitReportHash method. This hash is instantly saved to the VEB (in the reportHashes mapping) and can be used by anyone to deliver report data during the second phase.


function submitReportHash(bytes32 reportHash) external;

reportHashes mapping will have next signature:



















struct DeliverHistory {
    // Block number of deliver transaction
    uint32 blockNumber;
    // Last index of the key for which the exit event was emitted
    uint32 lastDeliveredKeyIndex;
};

struct ReportStatus {
    // Total items count in report (on creation 0)
    uint32 totalItemsCount;
    // Total processed items in report (by default 0)
    uint32 deliveredItemsCount;
    // Contract version on the moment of creation
    uint32 contractVersion;
    // Data delivery history
    DeliveryHistory[] deliverHistory;
};

mapping (bytes32 => ReportStatus) public reportHashes;

Invalidating report hashes

The ReportStatus structure includes a contractVersion field, indicating the contract version at the time the hash was submitted. This field is required to prevent the delivery of report data if the report hash was submitted under a previous contract version, thereby avoiding unpredictable behavior in the VEB.

Schema

Triggerable Withdrawals (2)

Second Phase - Deliver report data and Emit exit events

Oracles flow


// contract VEBO
function submitReportData(ReportData calldata data, uint256 contractVersion)

The Oracle unpacks the full report and emits events for all items in the report. Oracle exit limits are calculated dynamically and depend on the number of events emitted in the reference frame (details). During this phase, the ReportStatus record is added to the reportHashes mapping.

Triggerable Withdrawals (3)

Trustless flow


function emitExitEvents(ReportData calldata data, uint256 contractVersion)

Anyone can emit exit events by providing report data, the hash of which is stored in the VEB. If reportsHashes.totalItemsCount is 0 update and save the report length. Starting from deliveredItemsCount index, emit events for keys from the report. Once all keys are processed or the number of exits in the current frame reaches the exit limits from the OracleSanityCheck contract, stop emitting events and save last proceed key index + 1 into deliveredItemsCount.

Assumptions:

An actor cannot deliver specific keys; all events are emitted for keys one by one in the order specified in the report data;
An actor cannot choose how many keys to emit events for; exit events are emitted up to the exit limit or until the key list ends;
An actor cannot emit events for a report hash that was submitted with an outdated contractVersion;

Exit limits

For security reasons, the Lido protocol cannot create more exit requests in a single frame than specified in the OracleReportSanityChecker contract. This means that keys presented in the report but lacking an exit event should not be used as indicators to exit a validator and cannot be used to exit it via a TW.

Each frame has an exit quota that cannot be exceeded. Therefore, the sum of emitted exit events in a frame and the Oracle's report for that frame must not exceed this quota.

The Offchain Oracle's report is considered the final report for the frame it is based on, even if the transaction is included in the next frame.

Examples

For next examples assume that:

A report frame consists of 4 epochs;
The exit limit for one frame is 10 validators;

In the next example, Frame 2 contains two deliver report transactions:

5 exit events were emitted for the report #1, so #1 was fully delivered (5 exit quota left);
5 exit events were emitted for the report #2, it were partially delivered, because was limited by exit quota (0 exit quota left);
The Oracle report will contain no validators, as the entire exit quota was used;

Triggerable Withdrawals (18)

In Frame 3, exit events were emitted for all remaining keys from report #2. The Oracle can report up to 5 keys for exit.

Triggerable Withdrawals (14)

Validator's exit flow

The main operations involving validators are as follows:

Once a validator is marked for exit in the VEB, the Node Operator (NO) should send an exit message on the CL. Simultaneously, anyone can trigger the withdrawal on the EL.

Anyone can provide proof that a validator did not exit on time, and this information will be relayed to the Staking Module. All further decisions regarding penalties are made by the Staking Module.

Classic CL exit

Exits using voluntary messages on the CL remain our primary method for withdrawing validators. NO hosts validator ejector that sending exit message as soon as it sees event in VEB contract.

Triggerable exits in VEB

The following function verifies that the hash of the provided report data exists in the mapping and that events for the keys have been emitted. It then triggers exits on the EL via the Withdrawal Vault contract.


function triggerExits(ReportData calldata data, uint32[] keyIndexes,)

This function contains next steps:

Verifies that the provided data hash exists in the reportHash mapping;
Confirms that events were emitted for the provided key indexes beforehand;
Sends a request to the Withdrawal Vault contract to trigger exits for the provided keys;
Sends notification to Staking Router contract with keys data that were triggered to exit.

Triggerable Withdrawals (5)

Delinquent keys report

Delinquent keys are keys for which validators did not start exiting before the end of the voluntary exit period. Delinquent keys can be permissionlessly reported to the VEB contract with corresponding proof that the required time has passed.

Those keys should be penalized by Staking Modules. Our current penalties concept is specific for permissionfull staking modules.

Anyone can deliver proof that validator was delayed:


function submitProofOfDelinquent(ReportData calldata data, Witness[] witness, BeaconBlock beconBlock) external;

This method will support batch proof delivery to optimize gas costs.

Triggerable Withdrawals (6)

Delinquent hook to module

After receiving and verifying the proof, the VEB notifies the Staking Router about the delinquent validators. This data is then provided to the Staking Modules.

Essentially, the module notification consists of the validator's identifier within the Lido protocol, the time when its exit was requested, and the time it remained active. Staking modules use the time difference between the exit event and the timestamp when the validator was not in an exiting status to determine whether the node operator should be penalized.

Staking Modules should take into account that some validators could be not able to exit because of CL restrictions.












struct DelinquentStatus {
    // Validators indetification
    uint32 stakingModuleId;
    uint32 nodeOperatorId;
    uint32 keyIndex;
    // Timestamp when validator was activated
    uint32 activatedTs;
    // Timestamp when exit event was emited
    uint32 exitedTs;
    // Timestamp of block on which validator were still active
    uint32 activeTs;
}

Direct Triggerable Exit

Trusted entities will be able to directly emit exit events and request validators through the TW to exit them without delivering hashes and any proving.

This type of TW should also comply with the sanity report limits.


function triggerExitsDirectly(ValidatorsData calldata data) external;

The flow is as follows:

Verify that the provided validator count fits within the limits;
Provide the validator list to the Withdrawal Vault TW method;

Triggerable Withdrawals (7)

Offchain tooling

Lido Oracles

AO

Since stuck keys are deprecated, all functionality related to this feature should be removed from AO.

VEBO

Remove the delayed predicate;
Remove the weight predicate;
Restructure VEBO limits so that all entities share common limits for a frame;
Remove the last NO exited index;

Oralce will fetch exit events only for the last 28 days to track which validators have already been requested for exit. If this period has already passed, it is possible that the same validator might be requested to exit again. However, this scenario is unlikely because in case of stuck validators they will be exited using TW.

Delinquent Deliver bot / CLI

A bot that will generate proof that a validator was delinquent and deliver it to the protocol.

An analog of the CSM Prover tool.

Exit Trigger bot

The Exit Trigger bot should be accessible for anyone to use to exit validators. It should feature a straightforward interface that allows for flexible exiting of any validators.

Goals:

Develop a trigger exit policy;
Create a bot capable of delivering WE proofs with various fee strategies;
Make this an open-source project and include a CLI within the bot to facilitate the creation of selected Triggerable Withdrawal requests;

Ejector allowlist

Purpose of protection

Generally, what is this protection for:
If a Node Operator (NO) relies on third-party providers for the ejector, these providers could potentially return falsified data, such as fake events. To address this security risk, the ejector verifies that the signatures associated with these events were created using Oracle accounts.

For example, if a malicious provider generates 10 fake events, they will be ignored by the ejector because they would be signed with a non-Oracle private key.

After TW implementation

After TE, emitting exit events can be performed by anyone since it is permissionless, and transaction signature verification cannot be done.

To mitigate this security issue, all Node Operators (NOs) should run their ejectors on their own local nodes.

Useful links

George Avsetsin

2024/08/19 08:51:20

NO wants to exit his own validator, but he can't do it publishing exit message on CL (Lost or can't access to the validator's SK);

In general, this is true for any module, not only for CSM

2024/08/19 08:56:12

The protocol SHOULD allow CSM to request exits for any validator in Staking Module. (Should protocol check that requested validators are from CSM?)

I think that the emergence of such a tool as TE should push Lido to write a common policy to exit low performing validators. And this policy should be applicable to all modules

2024/08/19 08:57:36

The protocol SHOULD manage exits triggering for the validators that were not exited voluntarily after the request;

I agree but it doesn't seem to be a conclusion from the description in this section

isidorosp

2024/08/19 12:04:30

Indeed, it's not mentioned above as a possible case. I think you can have general cases that apply to all modules, and then develop specific cases per-module as needed.

2024/08/19 12:00:38

withdrawal process depends on the AO report

Might be good to also mention exogenous to the protocol factors (i.e. the network having finality).

2024/08/19 12:43:23

especially if NO decide to exit validator voluntary, but lost his CL key.

Not sure I get this, can you expand?

2024/08/19 12:43:57

Penalty for stuck validators. Report expenses that were used to eject validator from EL side to module to refund expenses from bond.

Why CSM specific? IMO we should consider applying this to curated as well (maybe penalty should be even higher).

2024/08/19 12:45:35

It can be done by decreasing limits to 0 and create report with all validators keys

We mean in SR1.5? Right now, this is not possible.

2024/08/19 12:48:39

Currently if forced NO has delayed validator it has low priority and can be ignored for a while

Yes, essentially it should be the opposite once we have TE (i.e. delayed operator should have exits prioritized via TE and have to pay fine).

2024/08/19 13:21:57

Triggerable bot

Need to create some thinking and analysis around fee escalator, different scenarios for exits (eg including potential mass-exit scenarios, and willingness to pay, etc).

2024/08/19 14:43:06

The Exit Trigger bot should be available for anyone to use for exiting validators.

Permissionlessly?

2024/08/19 14:43:49

Now everyone can deliver reports

If everyone (anyone) can deliver a report, what's the point of a whitelist? Not sure I follow.

dgusakov

2024/11/27 06:34:49

Describe hook to staking module?

Make sure to pass pubkey and NO ID to the module within the hook call

2024/11/27 06:36:57

Also, if it is possible, it will be great to have key index also since it is hard to get it on-chain

Yuri Tkachenko

2025/01/08 13:29:51

three cases

Only two cases are outlined below.

pshenichnyy

2025/01/14 06:47:46

EIP-7002 https://eips.ethereum.org/EIPS/eip-7002 fixes the principal-agent problem in delegated staking

Not really

sabrychiaa

2025/02/03 19:28:52

penalized

is it still 5 days of half rewards until reset to normal?

sssngth

2025/03/06 10:05:41

If not, we need to adjust the sections on the cooldown period here: https://lido.mypinata.cloud/ipfs/QmZTMfmJZsYHz61f2FjhYdh5VNu6ifjYQJzYUGkysHs8Uu#D3---Validator-Exits-Performance

Sven

2025/02/11 08:22:53

2025/03/06 09:54:37

What does this stand for? The Withdrawal Vault contract?

2025/03/10 08:57:27

yes that's correct, the Withdrawal Vault contract is on the address that corresponds with the 0x01 Lido WithdrawalCredentials (WC)/

2025/03/06 10:08:49

Our current penalties concept https://docs.lido.fi/guides/oracle-spec/penalties/

The descriptions on the website are not in line with the most recent validator exits SNOP - at the latest with the release of the next version, this should be fixed. https://lido.mypinata.cloud/ipfs/QmZTMfmJZsYHz61f2FjhYdh5VNu6ifjYQJzYUGkysHs8Uu#D3---Validator-Exits-Performance (Edited)

2025/03/06 10:19:59

Update Staking Module interface and implement bonds in Curated Modules to correctly TW actions.

This has been loosely discussed for some time, but to my knowledge never been concretised, let alone proposed to the community. Without ratification and the provision of more information on how exactly this should look like, it should not be part of the scope/actively been worked on.