Take Lido as an example to delve into the potential risks of the LSD protocol
Original title:On the risks of LSD
Original Author: sacha
Original compilation: Qianwen, ChainCatcher
preamble
This article is rightDanny Ryan some perspective(will be presented in detail later).
The opposite of a fact is a fallacy, but the opposite of a profound truth is likely to be another profound truth.
— Niels Bohr
Overall, I think Dannys stance is great. But I also think there are equally significant risks to his approach that arent properly discussed in the public eye.
I dont think Dannys point is wrong per se, but I do think theres another side to it thats not communicated clearly enough. Thats exactly what this article is about.
Introduction to Dual Governance
Dual governance is an important step to reduce Lido protocol governance risks. It represents a shift from shareholder capitalism to stakeholder capitalism. It also provides a practical way for Ethereum holders to have a say in changes to the Lido protocol.
Its main purpose is to prevent LDO holders from changing the social contract between the protocol and stETH holders without the consent of the protocol and stETH holders. Currently, LDO holders have significant power over the protocol that can lead to significant changes to this social contract. These powers include:
Upgrade Ethereum Liquidity Calibration Protocol Code
List of members of the oracle committee that manages the Ethereum consensus layer
Change the way stake is distributed among node operators in potentially harmful or unexpected ways (e.g., adding or removing whitelisted Ethereum node operators)
Altering the governance structure in unexpected or potentially harmful ways (e.g. minting or burning LDOs, changing voting system parameters)
Change the total fee ratio of the Ethereum Liquidity Fixed Investment Agreement outside of the agreed ranges (and define those ranges).
decide how to use the treasury
With the exception of treasury spending, all of these powers directly affect stETH holders. Dual governance fundamentally allows STETH holders to veto any of the aforementioned modifications to the Lido protocol without introducing new attack vectors or placing undue political burden on STETH holders.
Node Operator Governance
Danny thinks:
Deciding who is the node operator (hereinafter referred to as NO), behind the two questions - who is added to the set, who is removed from the set. In the long term, this can be designed in one of two ways , one is through governance (token voting or other similar mechanisms), and the other is through automated mechanisms around reputation and profitability.
In the former model, which relies on governance to determine NO, governance tokens (such as LDO) become the main risk of Ethereum. If the token could determine who could become this theoretical majority - NO in LSD - then token holders could force cartel activities such as censorship, multi-block MEV, etc. otherwise NO would be removed from the set .
There is also an obvious risk in determining the governance of NO, and that is regulatory scrutiny and control. If a collective stake under the LSD protocol exceeds 50%, this collective stake gains the ability to censor blocks (worse, this number goes up to 2/3 due to being able to finalize these blocks). In a regulatory censorship attack, we now have a unique entity — the governance token holder — against whom regulators can place censorship demands. Depending on how tokens are distributed, this could be a much simpler regulatory goal than the entire Ethereum network. In fact, DAO token distribution is generally poor, with only a few entities determining the majority of votes.
Dual governance solves the above problems to a large extent. Specifically, if the LDO holder attempts to remove NO from the set unfairly, the following situations will occur:
StETH holders with a smaller quorum (say 5% of the total) can extend the governance vote so that those with a larger quorum (say 15%) can veto this wrong decision.
If the veto is passed, all subsequent LidoDAO proposals will be vetoed by default (vetoed status) - to avoid placing more voting burden on stETH holders.
Importantly, governance can only return to normalcy if both the LDO governance body and participating stETH holders agree to resolve the conflict.
In short, by giving stETH holders the power to veto NO setting changes, it is impossible for LDO holders to unilaterally enforce cartel activities such as review and multi-block MEV, because LDO holders themselves cannot clear dissenting NO.
Regarding Dannys second concern (regulatory scrutiny and controls), st ETHs token distribution is very different and more diverse than LDOs distribution. Therefore, the combination of LDO and st ETH is more resistant to this kind of scrutiny. Its true that its not as widely distributed as ETH, nor as diverse as the distribution of Ethereum users, but this will only improve over time.
Choose NO based on economic factors
Danny thinks:
“In choosing NO based on economics and reputation, we will still end up in a similar cartelization, albeit an automated one.
Determining the NO list based on profitability is probably the only trustless (non-governance) way to ensure that NO is beneficial to the pool.
The definition of profitability is very problematic... Since the economic activity of the system varies greatly over time, the system cannot be designed with only some absolute indicator that X number of transaction fees must be earned.
This profitability comparison metric works well when all operators use honest technology, but if a certain number of bad operators switch to disruptive technology such as multi-block MEV or adjustment zones block release time to gain more MEV, then they will skew profitability goals so that honest NO will eventually be automatically eliminated if they do not similarly use disruptive technology.
This means that no matter which method is used - NO governance or economic selection/culling - such pools that exceed the consensus threshold become a cartel layer. Either a cartel is formed directly through governance, or a destructive profit-making cartel is formed through smart contract design.
This analysis feels too binary. Both extremes (LDO governance NO or pure algorithmic/economic selection/culling) are neither possible nor desirable for Lido (or Ethereum).
Dual governance is critical to minimizing the risk of cartel abuse. And, as Danny rightly points out, profitability is too simplistic a metric to rely on entirely.
There are a number of important factors that are difficult to verify on-chain, such as geographic distribution or diversity of jurisdictions, meaning one may always need to be in a ring somewhere - though, perhaps this can ultimately be simplified to a node operator running a network on a year-to-year basis Vote on rebalancing equity between (old and new).
Staking ETH governance plan
Danny thinks:
“Some believe that LSD ETH holders could have a say in the management of its underlying LSD protocol, potentially supporting unfair distribution and plutocraticization of the token.
The caveat here is that ETH holders are by definition not Ethereum users, and in the long run we expect Ethereum users to far outnumber ETH holders (holding more ETH than is needed to facilitate transactions) quantity). This is a key and important fact affecting Ethereum governance - ETH holders or depositors have no on-chain governance rights. Ethereum is the protocol that users choose to run on.
In the long run, ETH holders are only a subset of users, therefore, ETH holders are even a subset of them. In the extreme case where all ETH becomes staked ETH under one LSD, voting weight or suspension of staked ETH governance does not protect users of the Ethereum platform.
Therefore, even if the LSD protocol and LSD holders are aligned on micro-attacks and captures, users will not and cannot/will react.
Hasus response largely addresses these concerns.
The evil nature of governance
Danny thinks:
“Even if there is a time delay in LSD governance such that pooled capital can exit the system before the change occurs, the LSD protocol is still vulnerable to boil-and-frog governance attacks. Small, slow changes are unlikely to cause invested capital to exit the system, but the system will still change drastically over time. That said, this is true of any governance mechanism, whether predominantly informal (soft) or formal (hard).”
Looking at Dannys argument in reverse, small, slow protocol changes driven by EF are unlikely to drive DAOs/users out of Ethereum, but the Ethereum protocol (and ethos) could still change dramatically over time.
In particular, it can change the way the protocol works, thereby breaking the social contract of early contributors.
While I am far from an immutability maximalist, I do believe that governance minimization as a philosophy exists upstream of soft and hard governance.
The downsides of hard governance have been written a lot, while soft governance has its own (more subtle and often glossed over) problems with unacknowledged/irresponsible power, how it can be exercised without sacrificing credible neutrality Power, and how to deal with a power vacuum (in the event of a death or tragic accident). This is certainly not a panacea for eliminating all tail risks.
In other words, under soft governance, there is usually a lot of power that is not known. Unrecognized power is irresponsible power. Irresponsible power almost inevitably leads to undesirable situations over a long enough time horizon.
Gwart once tweeted that “Social punishment is Justin Drake driving up to your door with a machete, cutting your computer network cable, pointing at you and saying ‘You are a badass.
While this is a humorous expression, it does reveal a deeper underlying tension between the need to preserve agreements and the centralization of soft power among key actors.
In Dankrad’s slightly more serious words: “Yes, we may have a problem with what you do at the staking layer, and that may include disrupting your agreement and breaking it.”
user representative
Danny thinks:
“As mentioned above, LSD holders are not equivalent to Ethereum users. LSD holders may accept some kind of governance vote premised on censorship, but this is still an attack on the Ethereum protocol, users and developers will Mitigate this attack with the means at their disposal - social intervention.
We can also look at this problem from the opposite angle.
Almost everywhere, we see that user-led decisions tend to encourage market concentration in all important respects.
99.9% of users probably care less about forms of timeliness review not directly relevant to them, whereas most contributors to a liquidity protocol tied to Ethereum probably care about that.
For example, most users dont and shouldnt care about issues such as the geographic distribution of Ethereum nodes or judicial diversity, but contributors to the Ethereum-bound liquidity protocol certainly do, and can take practical steps to address these issues. Keep Ethereum resilient.
Capital risk and agreement risk
Danny thinks:
“Most of the above discussion has focused on the risks that LSD pools (like Lido) pose to the Ethereum protocol, rather than the risks faced by those who hold capital in the pools. So, this may be a tragedy of the commons - everyone rational It is a good decision for users, but it is an increasingly bad decision for the protocol. But in fact, when the consensus threshold is exceeded, the risks faced by the Ethereum protocol and the allocation of The risks faced by the capital of the LSD protocol are linked.
Cartelization, abusive MEV extraction, censorship, etc. are all threats to the Ethereum protocol that users and developers will respond to in the same way as traditional centralized attacks — leaks or burns through social intervention. Therefore, funneling capital into this class to cartelize would not only jeopardize the Ethereum protocol, but would in turn jeopardize the pooled capital.
This may seem like a tail risk that is difficult to take seriously or may never happen, but if we have learned anything in the field of cryptocurrency, it is that if this risk will be exploited or has some unlikely critical edge case, then it can be exploited or broken sooner than you think. In this open and dynamic environment, brittle systems break down again and again, and fragile systems are exploited again and again.
In the words of Nikolai Mushegian, in an open system with which the whole world can interact, incentives are more than a suggestion. They are more similar to the laws of physics, such as the laws of gravity or entropy. As long as there is even one part of the system that is incompatible with incentives, it is only a matter of time before it is exploited. No amount of naive thinking can reduce this risk.
Relying on promises to deter bad actors opens the door to tail risks that are arguably as serious, if not more serious, than those highlighted by Danny.
self-limitation
Danny thinks:
“The Ethereum protocol and users can recover from LSD’s centralization and governance attacks, but it’s not rosy. I recommend that Lido and similar LSD products self-limit for their own benefit, and that allocators of capital acknowledge the inherent Due to the inherent extreme risk, capital allocators should not allocate more than 25% of the total Ether staked to the LSD protocol. Artificially imposing limits does not guarantee good outcomes.”
In fact, artificially restricting the liquidity of staking products will probably not lead to good results.
Because the commitment can be maintained for a limited period of time.
The end result is likely to be one that the community cant influence wins: liquid staking on exchanges, institutional (and permissioned) staking products, or more immutable (and less resilient) protocols.
These idealistic ideas have good intentions, but they are divorced from the actual situation, which is like a blind spot that often occurs in EF. It was mistakes like these that allowed the exchange to dominate even before Lido was launched.
Supplement: Public goods are very beneficial
So, what does a Lido-winning world mean for the future of public goods on Ethereum (and specifically the Lido DAO’s role in facilitating that future)?
In the words of Kelvin Fichter, EF is an independent non-profit organization with a closed governance structure and cannot (and should not) be the main coordinator of public goods in the Ethereum community.
Therefore, I think good validators are a public good that needs to be funded, and EF should not rely on them to provide funding (partly because its closed governance structure and super soft power are not very good at enacting credible neutrality. rules), only a successful liquid staking protocol (>50% market share) will have enough leeway in fees to afford the financial inefficiencies required to do so: maintaining a good validation market, expensive sponsorship validators, provide ecosystem support, while still being profitable in the long run (next 100 years).
