## Transition to ETH1 withdrawal credentials ### Summary Change [ether withdrawal credentials](https://github.com/lidofinance/lido-dao/blob/master/docs/protocol-levers.md#eth-20-withdrawal-credentials) to Eth1 address corresponding to the LidoDAO controlled smart contract. This change will affect only new deposits and would be a first step to build a trust-minimized withdrawal mechanic for Lido ethereum pool. All current deposits are still held by distributedly manages account backed by BLS multi-sig. ### Motivation Currently, all current deposits are still held by a distributed manager account backed by BLS multi-sig. This design decision was forced by the minimalistic nature of Phase 0 spec and was the most decentralized option available to Lido at that time. Beacon chain spec v1.0.1 enables a new [withdrawal credential type](https://github.com/ethereum/eth2.0-specs/blob/v1.0.1/specs/phase0/validator.md#eth1_address_withdrawal_prefix) that corresponds to eth1 address. It means that withdrawals can go into eth1 smart contracts. We propose to change [withdrawal credentials](https://github.com/lidofinance/lido-dao/blob/master/docs/protocol-levers.md#eth-20-withdrawal-credentials) to Lido controlled smart contract which will allow building more transparent protocol operations without relying on distributed custody. This improvement is very important. The transition to eth1 withdrawal credentials will increase Lido decentralization. This can positively impact obtaining new users and increasing TVL, because this transition puts Lido on the same decentralization level as other ethereum liquid staking protocols that is decentralized from the zero-day. ### Withdrawal Vault contract As mentioned above, we propose a transition to eth1 withdrawal credentials pointed to `Withdrawal Vault`. `Withdrawal Vault` is Lido controlled smart contract. The current specification of eth1 withdrawal credentials does not impose any special restrictions on the contract internal structure. In the future, it is reasonable to use this contract as a component of the stETH to ETH Lido withdrawal system. However, at the moment there is no final spec for this and we cannot now implement `Withdrawal Vault` in the right way. Therefore, we propose to deploy a placeholder contract, which is ownable and upgradable by the DAO agent only. Thus, the upgrade will be possible only through the DAO voting. We suggest using a standard upgradeable proxy contract [EIP-1822: Universal Upgradeable Proxy Standard (UUPS)](https://eips.ethereum.org/EIPS/eip-1822) instead of Aragon proxy implementation. There are two reasons for that: Aragon proxy consumes additional gas on each call and uses an outdated version of solidity 0.4.24. ### Execution ETH1 withdrawal credentials transition will require several steps: 1. Deploy Withdrawal Vault smart contract with the owner set to Lido [agent address](https://etherscan.io/address/0x3e40D73EB977Dc6a537aF587D48316feE66E9C8c) 2. Generate Eth1 withdrawal credentials which correspond to Withdrawal Vault address. 3. Remove all unused validators key for all Node Operators. 4. Change [withdrawal credentials](https://github.com/lidofinance/lido-dao/blob/master/docs/protocol-levers.md#eth-20-withdrawal-credentials) to the new one 5. Ask Node Operators to generate new chunks of keys and submit them to `NodeOperatorRegistry` ### Further Steps After the transition to eth1 withdrawal credentials, all new ether deposits will be withdrawable to `Withdrawal Vault` address. But the previously deposited ether are still holds by BLS multisig key. We can nothing to do with this until withdrawals will be activated in Phase 2. Although there is a chance that proposal (https://ethresear.ch/t/withdrawal-credential-rotation-from-bls-to-eth1/8722) about key rotation will be included in the further hard forks. ### Todo What is missed here? What other information is good to have in this proposal? Is this a good place to ask help to push withdrawal credentials rotation in Ethereum community? What kind of discussion we can facilitate in the end this proposal?