It's an evolving (Work-In-Progress) draft of the Lido stVaults tech design document, which covers a high-level technical description of stVaults' design principles, architecture, and mechanics.
It's not a product or goals doc, although they are briefly mentioned to give context. More detailed tech reference follow-up docs and materials will be presented later.
Lido Staking Vaults (stVaults) are modular primitives that seamlessly connect stakers, node operators, and protocols, settle fee structure, validation setup, and optimize risk/reward. All this is done while preserving decentralization, security, and access to stETH liquidity.
The stVaults aim to:
stETH
token stability and fungibility.It reflects the goals stated in the Hasu's 2nd GOOSE voted-in proposal and provides the backbone for creating the various product lines for the staking.
There are significant changes in the current Lido protocol contracts (named Lido Core from now on for simplicity) and logic related to stVaults introduction, so it's important to outline the primary constraints that remain in place:
So, it remains the key priority to maintain the stability and security of the Lido Core and the whole Lido staking infrastructure.
The secondary goal is to maintain the balance between the security and agility of the setup. To achieve this, there are two different layers:
A stVault is an essential smart contract that implements non-custodial delegated liquid staking with a single node operator (or DVT NO cluster) and is connected to the Lido infrastructure, which provides the ability to mint stETH on behalf of this vault.
Using stVault, one can:
stETH
against the stVault's staked and unstaked ether.To cover the risks of maintaining the custom staking setup for stETH holders, stETH
is minted not in a 1:1 ratio like the Lido Core allows, but with some reserve margin (named Reserve Ratio or RR), determined by the risk parameters and limits. When stETH is minted, the respective amount is locked for withdrawal from the vault. The locked amount is nominated in stETH shares whilst shares balance increases daily along with the stETH rebase (with the same rate plus fees). To unlock ether for withdrawal, the vault must burn the necessary amount of stETH.
Oracle integration: Lido AccountingOracle provides balances of vaults' validators as part of the daily report, as well as some historical data required for vault accounting.
Each StakingVault
has two important parameters that define its state and determine its lifecycle: valuation
and locked
.
If locked > valuation, the StakingVault cannot mint stETH, withdraw ETH, or deposit new validators.
Additionally, to control stETH minting, VaultHub
tracks these parameters for each stVault:
reserveRatio
is 30%, 100 ETH in the vault can only mint 70 stETH).reserveRatioThreshold < reserveRatio
.Diagram. Vault valuation breakdown
Funding
fund()
to send ETH to the stVault.valuation
.Depositing Validators
depositToBeaconChain()
using predeposit guarantee to create or top up a validator.0x02
withdrawal credentials pointing to the vault's address.valuation
.locked > valuation
.Collecting Rewards and Withdrawals
valuation
until reported by the Oracle.Exiting Validators
askValidatorsForExit()
to ask for a voluntary exit.VaultHub
(under extreme conditions) can call requestValidatorWithdrawal()
to request EIP-7002 "triggerable withdrawal".Withdrawing
withdraw()
to take out any amount of unlocked ETH (i.e., valuation - locked
) from the vault's balance.Minting
mint()
on the VaultHub
to mint stETH on behalf of the vault.sharesMinted
.valuation
, sharesMinted
, shareLimit
, and reserveRatio
Burning
burn()
on the VaultHub
to burn stETH on behalf of the vault.sharesMinted
.locked
amount gets reduced with the next Oracle report.Rebalancing
sharesMinted
and valuation
simultaneously by taking ETH from the vault, submitting it 1:1 for stETH via Lido Core, and then burning it on behalf of the vault.reserveRatioThreshold
is breached.The accounting flow of stVaults is performed by the Lido AccountingOracle
and does the following:
valuation
NOTE: The precise and immediate valuation
of the vault on the given block can be presented as: where is the sum of all validator's balances that have withdrawal credentials set to the vault, and is the balance of the vault contract itself. However, validators' balances are not immediately available on the execution layer, which makes the Oracle valuation inherently out of sync, although one can estimate it:
where:
is vault's valuation brought in the i the Oracle report is the difference between cumulative deposits to and cumulative withdrawals from the vault stored in the contract is the historical value of this difference that was actual on the slot of the i Oracle report is the unknown difference of the vault's CL balance accumulated since the I the Oracle report. In this model, we assume that the reserveRatio is chosen so that reserve covers if it's negative and prevents minted stETH insolvency. Therefore, the valuation
of the vault can be calculated as:given that reserveRatio
is chosen accordingly to prevent negative discrepancies from influencing stETH holders' risk profile.
Adjusts locked
locked
ETH grows as minted shares appreciate from stETH positive rebasing.locked
ETH decreases if stETH
was burned on behalf of the vault prior to the current Oracle report and/or stETH negative rebasing.Collects Lido protocol treasury fees
sharesMinted
value for that vault.A cornerstone principle of stVaults design is:
stETH remains fungible and redeemable at a 1:1 ratio to ETH through Lido Core.
Thus, each vault must remain solvent, preventing any vault-specific losses from spilling over to stETH holders. The mechanism to enforce this is called forced rebalancing:
reserveRatioThreshold
(e.g., due to slashing or prolonged penalties).To prevent the deposit frontrunning exploit, the StakingVault does not allow the associated node operator to directly make deposits to the beacon chain using the vault ether. Instead, this responsibility is delegated to a specialized contract, PredepositGuarantee
, that discourages deposit frontrunning by having the node operator post an equivalent guarantee amount.
Diagram. Node operator deposit happy path
Through this contract, node operators make one ether predeposits to validators and lock an equivalent bonded amount. After that, the node operator must provide the proof of withdrawal credentials by utilizing the EIP-4788 beacon block root in the EVM, thereby unlocking their bonded amount. Once the validator is verified, the node operator is permitted to make full deposits of any amount to this validator. All predeposits and deposits by node operators are submitted through the PredepositGuarantee
.
Diagram. Proven validator deposit flow
The complete flow of the stVault's validator deposit is as follows:
1 ether
on the PredepositGuarantee
contract as a guarantee.1 ether
using the StakingVault funds through the same PredepositGuarantee
contract.PredepositGuarantee
, unlocking their bonded 1 ether
.PredepositGuarantee
contract.Important to know!
- Node operator guarantee can come from a dedicated guarantor account (which trusts the operator).
- The bonded ETH from the operator or guarantor stays in the
PredepositGuarantee
contract; only stVault ETH ever goes to the validator.- StakingVaults support Pectra's EIP-7251
MAX_EB
right away, so1 ETH
is enough to deploy a 2048-ETH validator.- The steps listed above are not separate transactions. All of them can be conducted in just two transactions.
- One can sequentially reuse the same posted 1 ETH guarantee to set up and prove multiple validators for the same operator.
- The contract supports batched operations.
The delegation subsystem is an optional extension for StakingVault and deals with:
StakingVault is a minimal staking primitive that manages only immediate staking operations and tracks its valuation and locked ether. It implements a simple single-owner model. The delegation system is optional and plugs into a StakingVault by taking over its ownership while the actual vault admin becomes the admin of the Delegation
contract.
Diagram. Delegation access control model
Key components (in order of inheritance):
AccessControl
that provides a basic RBAC system (using AccessControlEnumerable
as the implementation),AccessControlConfirmable
, an extension over AccessControl
that adds multi-role confirmation,Permissions
defines main permissions (AccessControl
role constants) for respective StakingVault operations,Dashboard
, user-facing contract wrapping StakingVault
and VaultHub
operations,Delegation
introduces the curator and node operator manager roles and their optional fees.With delegation plugged in, every operation in the StakingVault requires the respective role. For example, funding the StakingVault requires that the sender has the FUND_ROLE
. All of these roles have their role admin.
Diagram. Role-restricted operations
Important to know!
- The
Delegation
contract includes functions for batch-granting and batch-revoking roles;- Some operations (like rebalance) can be pre-funded if ether is > attached to the transaction and the sender has
FUND_ROLE
.
The multi-role confirmation mechanism restricts some administrative actions, thus preventing unilateral decisions. This means that a member of each of the required roles must send the transaction with the same parameters within a configurable duration (lifetime).
Diagram. Example of a multi-role confirmation process
The StakingVault intentionally does not include any accounting for extraneous fees (e.g., node operator, curator, reward share) to allow for flexibility in different setups. Instead, this logic was implemented in Delegation
with room for configuration. Curator and node operator are unique entities that do not have respective operations in the underlying StakingVault. Instead, they are each eligible for a fee taken as a portion of the StakingVault's rewards.
The performance fee calculation is as follows:
Calculate the total rewards
Multiply the total rewards by the fee percentage. If
Important to know!
- Before setting a new fee, the accumulated fee must be claimed. Otherwise, the transaction will revert;
- Fee percentages are represented in basis points, with 1 point equivalent to 0.01% and 10000 to 100%.
Stakers and ecosystem participants are advised to carefully consider these risks and conduct their own research before participating in stVaults.