# On the risks of LSD *A section by section response to an essay authored by Danny Ryan. Originally posted May 30, 2022 on [notes.ethereum.org](https://notes.ethereum.org/@djrtwo/risks-of-lsd) and later copied over to [github](https://github.com/djrtwo/writing/blob/main/docs/2022-05-30_the-risks-of-lsd.md).* *Thanks to Hasu, Jon, Barnabé, Sam, Victor, Vasiliy, and Izzy for reading drafts of this* ## Preamble > The opposite of a fact is falsehood, but the opposite of one profound truth may very well be another profound truth. > -- Niels Bohr Viewed holistically, I think it's great Danny is taking [the stance](https://twitter.com/dannyryan/status/1688644951230267392) he's taking. But I also think there are equally important risks to his approach which have not properly been debated in public. I don't think Danny's wrong per se, but I do think there's [another side](https://research.lido.fi/t/should-lido-on-ethereum-be-limited-to-some-fixed-of-stake/2225/6) which hasn't been communicated clearly enough. Doing so is the goal of this document. ## Introduction to Dual Governance [Dual governance](https://www.youtube.com/watch?app=desktop&v=JKvJw2DT2YQ) is an important step towards mitigating Lido protocol governance risk. It represents a move away from shareholder capitalism to stakeholder capitalism. And provides a practical way for Ethereum stakers to have a say in Lido protocol changes. The main goal is to prevent LDO holders from changing the social contract between the protocol and stETH holders without their consent. Today LDO holders have important powers over the protocol that can result in important changes to this social contract. These include: - Upgrading the Ethereum liquid staking protocol code. - Managing the list of the Ethereum consensus layer oracle committee members. - Changing how the stake is distributed between node operators in a potentially harmful or unexpected way (e.g. adding or removing whitelisted Ethereum node operators). - Changing the governance structure in an unexpected or potentially harmful way (e.g. minting or burning LDO, changing the parameters of voting systems). - Changing the total fee percentage of the Ethereum liquid staking protocol outside of the agreed boundaries (as well as defining these boundaries). - Deciding on how to spend the treasury All of these powers, apart from treasury spends, directly affect stakers. Dual governance essentially allows stETH holders to veto any of the above changes to the Lido protocol, in a way which does not introduce new attack vectors, or overburden stETH holders with politics. ## Governance of node operators Danny writes: > Deciding “who” gets to be a NO is a matter of two questions – who is added to the set and who is removed the set. This can be designed in one of two ways in the long run – either via governance (a coin vote or other similar mechanism) or via an automated mechanism around reputation and profitability. > > In the former -- governance deciding NOs -- the governance token (e.g. LDO) becomes a major risk to Ethereum. If the token can decide who can be a node operator in this theoretical majority-LSD, then the token holders can force cartel activities of censorship, multi-block MEV, etc, or else the NO is removed from the set. > > .. > > Governance deciding NOs has another distinct risk which is regulatory censorship and control. If pooled stake under one LSD protocol exceeds 50%, this pooled staked gains the ability to censor blocks (and worse-so at 2/3 due to being able to finalize such blocks). In a regulatory censorship attack, we now have a distinct entity -- the governance token holders -- that a regulator can make requests of censorship. Depending on the token distribution, this is likely a much simpler regulatory target than the Ethereum network as a whole. And, in fact, DAO token distributions are generally pretty terrible with just a few entities deciding most votes. [Dual governance](https://www.youtube.com/watch?app=desktop&v=JKvJw2DT2YQ) goes a long way towards addressing the above concerns. Concretely, if LDO holders tried to remove a node operator from the set unfairly, it would work as follows: - A small quorum of stETH holders (say 5% of total) could extend the governance vote long enough for a larger quorum (say 15%) to veto this bad decision. - If the veto passes, all subsequent Lido DAO proposals are vetoed by default (veto state) -- so as to avoid burdening stETH holders with further votes. - Importantly, governance can only be brought back to normal state if both LDO governance and participating stETH holders agree to resolve the conflict. In sum, by giving stETH holders the power to veto changes to the node operator set, it becomes impossible for LDO holders to unilaterally force cartel activities of censorship, multi-block MEV, etc, since LDO holders cannot, by themselves, remove dissenting node operators. Regarding Danny's second concern (regulatory censorship and control), stETH's token distribution is very different and much more diverse than LDO's distribution. So the combination of LDO and stETH is much more resistant to this sort of censorship. It’s still not as diverse as ETH's distribution, or the distribution of Ethereum users, but this is only going to improve with time. ## Economic selection of node operators > In the alternative design -- economic and reputation based NOs -- we actually end up in a similar, albeit automated cartelization. > > ... > > Kicking from the NO set on profitability is likely the only trustless (non-governance) method to ensure that NOs are good for the pool. > > Defining profitability is problematic... the system cannot be designed to just have some absolute metric -- must make X in TX fees -- due to the high variance in economic activity of the system over time. > > This profitability comparison metric works well when all operators are using "honest" techniques, but if any amount of the NOs defect to utilizing destructive techniques such as multi-block MEV or adjusting block release times to capture more MEV, then they skew the profitability target such that honest NOs will eventually be automatically ejected if they do not join in on the destructive techniques. > > This means that in either method -- governance of NOs or economic selection/ejection -- such a pool exceeding consensus thresholds becomes a stratum for cartelization. It's either a direct cartel by governance or it's a destructive, profitability cartel through smart contract design. This analysis feels too binary. Neither extreme (LDO governance of NOs or pure algorithmic/economic selection/ejection) is likely or desirable for Lido (or Ethereum). Dual governance is crucial to minimising the risk of cartel abuse. And, as Danny correctly points out, profitability is too simple a metric to soley rely on. There are a host of important factors, which are difficult to verify on chain -- think geographic distribution or jurisdictional diversity -- which means that humans will probably always need to be in the loop somewhere -- though perhaps this can eventually be reduced to a yearly vote on rebalancing stake between node operators (old and new). ## Staked ETH governance fallback > Some suggest that LSD ETH holders could have a say in governance of their underlying LSD protocol, and thus become a safety backstop on what might be a poorly distributed, plutocratic token. > > It is important to note here that ETH holders are not by definition Ethereum users, and in the long run, we expect that there are massively more Ethereum *users* than ETH *holders* (people with ETH held beyond the amount needed to facilitate TXs). This is a critical and important fact that informs Ethereum governance -- there is no on-chain governance granted to ETH holders or stakers. Ethereum is the protocol that *users* choose to run. > > ETH holders in the long run are just a subset of users, so staked ETH holders are even a subset from there. In the extreme of all ETH becoming staked ETH under one LSD, governance vote weights or aborts by staked ETH do not protect the Ethereum platform for *users*. > > Thus even if the LSD protocol and the LSD holders are aligned on subtle attacks and capture, users are not and can/will react. Hasu's [response](https://tinted-soup-c75.notion.site/Do-stakers-represent-users-52e6171970b84d9da2e132c37c7ff90e?pvs=4) largely addresses these concerns. ## Insidious nature of governance > Even with time-delays in LSD governance such that pooled capital can exit the system before a change occurs, LSD protocols suffer from frog-boil governance attacks. Small, slow changes are unlikely to get staked capital to exit the system, but the system can still drastically change over time. While true, this is true of any governance mechanism, whether predominantly informal (soft) or formal (hard). To turn Danny's argument on its head, EF-driven small, slow protocol changes are unlikely to get DAOs / users to exit Ethereum, but the Ethereum protocol (and ethos) can still [drastically change over time](https://twitter.com/_prestwich/status/1666535056553447425). ![](https://hackmd.io/_uploads/SJ3Ryuc23.png) In particular, it can change the protocol in ways which can break the [perceived social contract](https://twitter.com/ercwl/status/1689769992672182274) for [early contributors](https://twitter.com/MicahZoltu/status/1640998604369465344) / OGs. In Eric's words: ![](https://hackmd.io/_uploads/By-2CIqhh.png) ![](https://hackmd.io/_uploads/rydBCU92n.png) In Micah's words: ![](https://hackmd.io/_uploads/SydM5w533.png) While I'm far from an immutability maximalist, I do hold the belief that [governance](https://www.paradigm.xyz/2020/10/870) [minimisation](https://docs.reflexer.finance/ungovernance/governance-minimization-guide), as a philosophy, exists upstream of soft vs hard governance. While much has been written on the shortcomings of hard governance, soft governance has its own -- more subtle, and often glossed over -- problems that touch on unacknowledged / unaccountable power, how to exercise that power without sacrificing credible neutrality, and how to handle power vacuums (in the event of a death or tragic accident). It's certainly not a panacea for removing all tail-risks. Put another way, there is usually a great deal of [unacknowledged power](https://twitter.com/GwartyGwart/status/1642921139474411523) under soft governance. Unacknowledged power is unaccountable power. And unaccountable power almost inevitably leads to situations which are far from ideal over a long enough time horizon. ![](https://hackmd.io/_uploads/S1sf7d92n.png) While Gwart's take here is humourous :), it does reveal a deeper underlying tension between the need to safeguard the protocol and the centralization of soft power amongst key actors. In Dankrad's slightly more serious [words](https://www.youtube.com/watch?v=aP9f_1v9Ulc&t=3686s): > Yes we might be opinionated on what you do on the staking layer, and that might include messing with your protocol and destroying it. ## User representation > Additionally, as mentioned above, LSD holders are not the same as Ethereum users. LSD holders might be fine with some sort of censorship-requisite governance vote, but this is still an attack on the Ethereum protocol and one that users and developers will mitigate through the means at their disposal -- social intervention. One can also look at this from the opposite perspective. Almost everywhere we look, we see that user guided decisions have tended to encourage market centralization across important dimensions. 99.9% of Users probably don't care much about forms of time-sensitive censorship which do not directly concern them, whereas most contributors to an ethereum-aligned liquid staking protocol probably do. For example, most users do not, and should not be expected to, care about things like geographic distribution or jurisdictional diversity of ethereum nodes, but contributors to an ethereum-aligned liquid staking protocol certainly do, and can take [tangible steps](https://twitter.com/sachayve/status/1690053167138906129) to keep ethereum resilient across such dimensions. ![](https://hackmd.io/_uploads/BJZRLDc3h.png) ## Risks-on-capital vs risks-to-protocol > Much of the above discussion focuses on risks an LSD pool, such as Lido, pose to the Ethereum protocol and not actually the risk to those holding capital in the pooled system. Thus this appears to suffer from the tragedy of the commons -- each individual making a rational decision to stake with the LSD protocol is making a good decision for the user but an increasingly bad decision for the protocol. But, in fact, risk to the Ethereum protocol and risk to capital allocated to the LSD protocol when exceeding consensus thresholds are *tied together*. > > Cartelization, abusive MEV extraction, censorship, etc are all threats to the Ethereum protocol and ones that users and devs will respond to in the same methods available for traditional centralization attacks - leak or burn through social intervention. Thus pooling of capital into this stratum for cartelization puts not only the Ethereum protocol at risk, but, in turn, the pooled capital. > > These may seem like "tail risks" that are hard to take seriously or that might never happen, but if we've learned anything in crypto it's -- if it can be exploited or has some unlikely "critical edge case", then it will be exploited or collapse much sooner than you think. Time and time again in this open and dynamic setting brittle systems collapse and vulnerable systems are exploited for both fun and profit. To paraphrase [Nikolai Mushegian](https://bank.dev/principles), in a system that is open for the whole world to interact with, incentives are not just a suggestion. They are more akin to physical laws, like gravity or entropy. If there is even one part of the system that is not incentive-compatible, it is only a matter of time until it is exploited. No amount of wishful thinking can reduce this risk. Relying on promises to stop bad actors opens the door to tail-risks that are arguably just as serious, if not more so, than the ones Danny highlights. ## Self-limiting > The Ethereum protocol and users can recover from an LSD centralization and governance attack, but it won't be pretty. I recommend that Lido and similar LSD products self-limit for their own sake, and I recommend capital allocators to acknowledge the pooling risks inherent to LSD protocol designs. Capital allocators should not allocate to LSD protocols exceeding 25% of total staked Ether due to the inherent and extreme risks associated. There really is no guarantee that imposing artificial limits will end well. In fact, there's a [good chance](https://research.lido.fi/t/should-lido-on-ethereum-be-limited-to-some-fixed-of-stake/2225/6) that imposing artificial limits on liquid staking products will not lead to a good outcome. Promises can only last for so long. The endgame here is [likely a win](https://hackmd.io/@Izzy-/EthereumStakingCodex#Self-limiting-doesn%E2%80%99t-do-what-you-think-it-does) for parties that the community can’t exert influence over: liquid staking on exchanges, institutional (and permissioned) staking products, or [more immutable (and less resilient)](https://twitter.com/sachayve/status/1617663036986372096) protocols. ![](https://hackmd.io/_uploads/B1R-4vqnh.png) These sorts of idealistic takes, which come from a good place but are detached from pragmatic reality, feel like a recurring EF blindspot. It's the same category of mistake which led to [exchanges dominating before Lido launched](https://twitter.com/sachayve/status/1623251899053928448). ## Addendum: Public goods are good So what does a world in which Lido wins mean for the future of public goods on Ethereum (and in particular, Lido DAO's role in contributing to that future)? In the words of [Kelvin Fichter](https://twitter.com/kelvinfichter/status/1505622968445059084): ![](https://hackmd.io/_uploads/ByOgTP5h3.png) Along these lines, it is my belief that a good validator set is a public good that needs funding, that the EF should not be relied on to provide that funding (in part because its closed governance structure and outsized soft power does not lend itself well to credibly neutral rules here), and that only a winning liquid staking protocol (> 50% market share) can have enough leeway in fees to afford the the financial inefficiency required to do so: in the form of maintening a good validator market, sponsoring an expensive validator set, and providing ecosystem support, while still returning a profit over the long run (the next 100 years). /fin