# Dual governance FAQ for LDO holders ### Does dual governance contradict Lido's philosophy of governance minimization? While governance minimisation is a useful North Star, it shouldn't come at the expense of increasing redemption risk to users. Sometimes that's not possible today but improvements to technology make it possible tomorrow. For example, although dual governance increases Lido's governance surface, it still makes sense in part because it reduces redemption risk to users. ### Why do we need two thresholds? Well-designed onchain DeFi protocols are able to put users ahead of tokenholders. In the sense that even if the protocol is failing, users can still permissionlessly exit with their funds intact, and there's nothing tokenholders can do about it. This is something that is truly new to financial markets and infrastructure. Something that is only made possible by the non-custodial nature of onchain DeFi. This power of exit, is an extremely underrated differentiator between onchain Defi and offchain Defi/Tradfi. If we want to preserve the right to exit under the most extreme scenarios, a naive Moloch style rage quit mechanism isn't quit good enough. This is because of how Ethereum's validator exit queue works – all Ethereum validator exits are processed through a single queue with limited throughput. This rate-limited exit queue means that in the worst case it could take more than a year to exit the protocol. During this time, the DAO could, in theory, pass proposals that could harm these users. Placing a naive timelock on DAO decisions (a temporary freeze, so to speak) doesn't work either because the dynamic nature of the exit queue ensures there is no good way to place an upper limit on the length of this time. In addition to this, many users choose to re-deploy their staked capital to other forms of economic activity. And unwinding from these positions can take weeks. If we only had a single (higher) threshold, then these users would not be able exit under a worst case scenario. On the other hand, a single low threshold would open the DAO up to continual abuse by attackers. In sum, a dual threshold allows for a relatively small number of users to sound the alarm. In doing so, they can pause Lido governance proposals for long enough to either complete a negotiation and de-escalation process (happy path), or to allow for more users to join the rage quit and eventually exit (unhappy path). So as to avoid burdening users with politics, giving them exit guarantees is preferable to giving them full governance rights. ### Why local over global settlement? Earlier discussions debated the benefits of what was termed [local vs global settlement](). While global settlement allows for better protection of passive stakers, it also enables an attacker to destroy the Lido protocol in the worst case. Since the worst case is existential, we don’t feel confident enough to even consider implementing this until we have the critical parts of the code (specifically stETH minting and transfers) ossified and/or verified ar the bytecode level. Having said that, [special care has been taken]() to design a version of local settlement that can best protect passive stakers. For example, stakers that miss joining the 2nd phase of the first veto, are able to keep the DAO in a frozen state (modulo treasury spends) by starting a subsequent veto. ### Will wstETH be supported? In several jurisdictions, there’s a substantial tax distinction between stETH and wstETH. So unwrapping wstETH to join the VetoSignaling Escrow might trigger an expensive, taxable event. Given that wstETH is an immutable in-protocol wrapper around stETH, both tokens will be natively supported by dual governance. There will be no need to unwrap anything. ### Does dual governance harm the value of LDO? There are both positive and negative aspects to governance power. The ability to control the DAO treasury and make the protocol safer and more useable is positive. The ability to destroy the protocol and tamper with its core promises is negative. Ideally, we want to maximize the positive aspect while minimizing the negative side. Viewed through this lens, dual governance doesn’t make LDO any less valuable. In fact, there's a good argument to be made that the opposite is true: by derisking the protocol for users it makes Lido more appealing, and by extension LDO more valuable. Yes, users now have the ability to coordinate to oppose the DAO and leave the protocol safely, but the right to exit exists today anyway; users can leave even without dual governance, they just suffer greater redemption risks under worst case scenarios. ### Is there more we can do to leverage node operators? The alignment between the protocol and node operatorss is a powerful feature that can bring a lot of value. The proposed v1 design doesn’t include operators because we've tried to keep the mechanism design as simple as possible. We have limited time before EIP-7002 (EL triggerable exits) is implemented, and we really want dual governance to be deployed before that. Though we view this as an important longer term research direction. ### Practically speaking, how will a non-technical stETH holder express their opinion? Since seamless UX is of the utmost importance here, the plan is to have a dedicated UI (open source and deployed on IPFS). It will explain the current state of Lido governance and allow users to easily join rage quit. ### Why not allow for stETH holders to delegate their rights? Delegation adds another layer of complexity from both game-theoretical and technical perspectives, so it is outside the scope of the proposed v1 design. That's not to say that it isn't a fruitful direction for v2. ### Could you provide more context on how contributors plan to arrive at specific threshold numbers for the stETH veto? Not yet. Contributors are in the process of modelling and conducting preliminary analyses. A proper analysis will be published once it's ready (definitely before dual goverance is put to an on-chain vote). ### What is the penalty for freezing the system? What specific mitigation measures prevent this? The indirect penalty for temporarily freezing the DAO for (crossing the 1st veto threshold) is the opportunity cost of locking stETH for the duration of the DAO lock (X days). Any longer than this requires passing the 2nd veto threshold, which means completing an stETH to ETH withdrawal (and therefore incurring a greater opportunity cost). ### What's the longest stETH holders can pause LDO governance for? The longest stETH holders can pause DAO governance without withdrawing stETH is ProposalExecutionMinTimelock + VetoSignallingMaxDuration + VetoSignallingDeactivation. If the DAO submits a new proposal during the VetoSignalling phase, the maximum duration of the VetoSignallingDeactivation phase can be prolonged up to the VetoSignallingMaxDuration. This is needed to give holders enough time to react to a malicious proposal submitted at the end of the VetoSignalling phase (see [here](https://hackmd.io/@skozin/rkD1eUzja#Veto-Signalling-state) for the details). When rage quit is activated, LDO governance will be blocked until all funds locked in the Escrow become available for withdrawal (in other words, until all stETH holders have taken issue with the proposal are able to exit). The precise time period depends on the total number of ETH that needs to be withdrawn, and the state of the beacon chain exit queue -- in the worst cases this can be anywhere from a coupe of months up to a couple of years (in the catastrophic scenario in which all stETH is subject to withdrawal and the Beacon Chain's Exit Queue is already clogged). Note that LDO holders can still pass treasury spends during this time. They can also vote to unfreeze things by cancelling all pending proposals. ### What will the voting cadence look like in a post DG world? No reasonable person expects the majority of stETH holders to pay consistent (if any) attention to LDO governance, regardless of the cadence in place. Dual governance is being proposed in part to address this problem -- by allowing a minority of stETH holders who are actively monitoring the DAO to trigger an extended timelock on pending decisions, the gives enough time for the majority of stakers to unwind their positions and join. Having said that, slowing down the governance cadence for major changes is a good idea since it improves the overall predictability of the protocol. The DAO ops team has already taken [important steps in this direction](). One thing to note here is that some Ethereum consensus changes, especially around staking mechanics, might require some level of support from Lido contracts, and this support almost certainly will require upgrades of core contracts. Since Ethereum forks are not bound to any pre-defined schedule, just pinning major Lido upgrades to a pre-defined schedule won’t work. ### Why do we need a tiebreaker committee? The Tiebreaker committee is a more complex multisig that has the ability, under very specific conditions, to execute decisions that were proposed and approved by LDO holders but subsequently blocked by stETH holders. Note that it only obtains this right under two potentially catastrophic edge case scenarios (one in which the Gate Seal committee has paused withdrawals post veto, and another in which there's an infinite exit loop type bug). If this power didn't exist, then stETH holders who are in the middle of rage quitting could be prevented from withdrawing indefinitely. While the GateSeal committee is optimized for speed of reaction, the Tiebreaker committee is designed for maximum security and wider ecosystem alignment: It is expected to composed of 3 or 4 sub-committees (some of which are expected to be fully-fledged DAOs). Each of these subcommittees represents a distinct interest group within the ecosystem. Any decision it makes needs to be approved by a majority (2/3 or 3/4) of sub-committees. And for each individual sub-committee to approve a decision, the latter should be supported by the supermajority of the sub-committee members. Note that no sub-committee may share members with the Gate Seal committee. ### How will the tiebreaker committee be structured? There are many ways the committee can be structured. For example, we could have 3 subcommittees as follows: - Social layer subcommittee: with representatives from the EF and client teams. - Validators subcommittee: all active Ethereum validators with voting power weighted by the time since activation. - DAOs subcommittee: governance contracts of the largest DAOs by TVL. Each subcommittee should require a majority support, and for the Tiebreaker committee to execute a DAO decision, approval from all subcommittees is required. ### Why do we need a GateSeal committee? The Gate Seal committee is a 3/6 multisig that has the power to pause stETH to ETH withdrawals for a predetermined amount of days (currently set to 6). You can think of it as a safeguard against a withdrawal vulnerability being exploited by an attacker. The pause lasts for x days or, in the case that DAO decisions are blocked by stETH holders, until the execution of DAO decisions is unblocked. Importantly, the Gate Seal committee can only enact a pause once before losing its power (it has to be re-elected by the DAO after that). In case of non-use, the multisig automatically expires on a fixed date in the future -- currently set to May 1st 2024. At any time, the DAO can vote to appoint a new Gate Seal committee with a new expiration date. ### Why do we need a margin of safety committee? In case of critical bugs there needs to be a way to revert Lido DAO governance back to a pre dual-governance state. The margin of safety committee is a temporary multisig which effectively has the power to revert Lido governance back to it's current state (i.e pre dual governance). It exists primarily to protect from zero-day vulnerabilities in dual governance. The plan is to have a generous bug bounty to encourage responsible disclosure. ### When will the committees be phased out? The margin of safety committee is expected to be phased out within a year of launch (once the bug bounty program has completed). In the future, the Gate Seal committee should be replaced by an autonomous and trustless mechanism, e.g. an invariant-based circuit breaker contract. This will make it impossible to transition the protocol into a paused state without some critical code invariant being broken. If we can do this, then we might also be able to phase out the tiebreaker committee (note this case is more complicated because the committee also has to reach consensus on which proposal submitted by the DAO should be executed). ### What are the future research directions? While dual governance is an important step in reducing governance risks of the protocol, it’s in no way the final step. Some ideas for v2 include: - Allow vanilla ETH holders to trigger an extended timelock / veto - Give some sort of veto / tiebreaker power to node operators - Allow for delegation of stETH veto / exit power - Allow for seamless DAO forks - Voter bonds - Prediction markets A particularly promising future research direction involves looking for ways to also improve the efficiency of foot voting by node operators. For example, by allowing a subset of stakers and node operators to coordinate a protocol and DAO fork by re-pointing validator withdrawal credentials to a new contract (assuming consensus layer support). The ultimate solution to the user redemption-risk problem is governance minimization and eventual ossification of the protocol code and parameters. There’s no governance risk if nothing is being governed. Gradually minimizing the governance scope is something that Lido contributors see as a necessity in the coming years. However, until the Ethereum specification ossifies, there is only so much that can be done on this front. In addition, any immutable code has to be formally verified on the bytecode level to minimize the risk of exploitable compiler bugs. Doing this effectively will require significant changes to the architecture of Lido's code.