Panoramic Analysis of Lido's Governance Status: The Vulnerability of DAO
星球君的朋友们
Odaily senior author
2022-09-05 03:30
Systems are dynamic and ever-changing, so the process of turning governance vulnerabilities into opportunities will also be continuous.

Original author: BlockScience

Original Compilation: Jeanne Jiang

This article is from The SeeDAO.

Research Background

Building on our earlier research into DAO vulnerability, Lido initiated the proposal "Lido DAO Governance Vulnerability Panoramic Research" and contacted us to evaluate the governance resilience of the Lido liquid staking protocol. In this article, we share the assessment report on Lido DAO governance vulnerability, which includes the following parts:

  • Research Methods and Approaches

  • What Lido is, its importance in the proof-of-stake (PoS) space, and a stakeholder analysis map.

  • Governance Intuition: Insights into governance minimization and "reasonable sizing".

  • A look at Lido's vulnerability at the level of the system's social, technological, and economic dynamics.

  • Conclusions and solutions.

The goal of this study is to map the current state of Lido's governance in order to understand its goals, dynamics, and risks. This can help guide the development of Lido's governance process, ensuring social and technical resilience while managing risk to support Lido's growth goals and drive its leadership in the liquidity staking industry.

In this article, we define "vulnerability" as a concept related to "threat". "Vulnerabilities" usually appear inside the system, not outside. Therefore, in many cases, once a vulnerability is identified, it can be intervened. The identification of vulnerabilities helps to improve the system's adaptability, resilience, and growth opportunities, which is crucial for DAOs that aim to achieve decentralization and autonomy (meaning independence from external directions).

 

Research Methods and Approaches

We used qualitative research methods, drawing on stakeholder interviews, literature, the code base, block explorers, data dashboards, contract interfaces, public communication channels, etc. The scope of this research is primarily Lido on Ethereum (note: we do not run a full node to check and validate Lido contracts, nor do we have access to any web servers with which we interact). Also, Lido is a complex adaptive system: this information was accurate during the study period (December 2021 to March 2022), and some of it may have changed by now.

What is Lido Liquidity Staking?

Lido is a financial platform that provides ETH staking derivative services and charges management fees. Lido allows users to earn liquid token rewards without locking up assets or maintaining their own staking infrastructure. Users deposit ETH into the Lido smart contract and receive transferable stETH (the liquid token representing ETH staked on the Lido platform). In return, 10% of all ETH staking proceeds (changeable by LDO voting) goes to Lido DAO, which is controlled by LDO token holders.

LDO token holders are the owners/managers of the platform. LDO token holders manage Lido DAO's organizational structure, a set of extension contracts, Lido DAO's treasury, and the LDO token itself. Anything outside the Ethereum chain (multi-chain) or IRL (people) is not directly owned or managed by LDO token holders. While this may change in the future, Lido governance responsibilities are currently shared between on-chain LDO token voters and end-users who vote with their feet, as well as the operator.

Liquidity staking is a high-tech, capital-intensive and competitive market. It is in the interest of LDO token holders to increase the amount of management fees Lido collects through rapid growth in Assets Under Management (AUM), and then continue to invest in further growth and security.

Why Lido Makes a Difference in Proof-of-Stake (PoS)

Block space production is a competitive market. Inflationary rewards for Proof of Stake (PoS) are naturally centralized, and a small number of big players may dominate the market. Lido needs to gain enough market share to become the leading provider of "decentralized" ETH staking services, and it already has a first-mover advantage.

If Lido succeeds, it will fill a significant gap between centralized exchange staking services and DIY staking in the public blockchain space. In this way, individuals, institutions, decentralized applications (dApps), DAOs, and decentralized finance (DeFi) protocols can all benefit from simple, secure, liquid staking of ETH. However, if Lido (or a similar decentralized liquid staking solution) fails to do this, centralized exchanges, subject to the laws of their jurisdictions and regulators, are likely to gain control of the majority of staking on major blockchains such as Ethereum, and in turn of block space production on all major public blockchains. Block space is a critical and valuable resource in public blockchains, and whoever produces block space can reorder or censor transactions.

If a "decentralized" system like Lido secures the majority of current and future Proof-of-Stake (PoS) blockchains, it is more likely that the blockspace will remain credibly neutral (meaning less likely monopolized by a single or joint group). This will allow LDO to serve as a governance token controlling the production of block space, as well as the value flowing out of this block space production. This means that Lido needs to identify and address internal social, technological, and economic vulnerabilities so that it can adapt itself to remain competitive and resilient to external threats and environmental changes, thereby avoiding centralization or failure.

Read Lido's whitepaper and 2022 OKRs to better understand the project


Figure 2: Diagram of Lido stakeholders on Ethereum. Some categories of stakeholders often overlap or switch roles in different contexts. As Lido develops, its stakeholder group may also change.


Lido has several key stakeholder groups who are instrumental in enabling simple, secure, and liquid ETH. They are:

  • Key Stakeholders: Owners, operators and users such as LDO token holders, governance subcommittees, multi-signatures, Lido employees and stETH end users.

  • Secondary Stakeholders: External partners, such as DApps integrating stETH, verifier operations, oracle operations, interface operations, etc.

  • External Stakeholders: Groups or systems that have an indirect relationship with Lido, such as Layer 1 underlying blockchains, competing staking-as-a-service providers, etc.

These stakeholders help enable easy and secure staking of ETH liquidity. Some categories of stakeholders also often overlap in different contexts or switch between different roles. As it continues to develop, Lido's stakeholder base may also change (especially across multiple chains, but this article focuses on the Ethereum ecosystem, so this is outside the scope of our initial analysis).

Governance Intuition

Perspectives on Governance Minimization and Governance Scale

Lido published a roadmap for Trustless Staking on Ethereum, emphasizing minimal governance through smart contract escrow and automated participation of node operators. “Governance minimization” tends to elicit various assumptions among stakeholders, and clarifying its definition can help unify stakeholder expectations for future governance discussions and decisions.

In this context, governance minimization means "reducing as much power and reliance on governance as possible". As Paradigm put it: "The most widely used protocols will tend to minimize governance." The point is that people are more willing to use and trust a system that will not violate their interests than one whose current owner or operator merely says they won't change it.

Automated governance is one approach to minimize governance that is gaining popularity, especially in DeFi protocols. Automated governance refers to the algorithmization of the governance process through the automation of the technical layer. For example, the Lido roadmap emphasizes the automation of features such as validator node selection. We believe this refers to the automation of the governance process, since governance itself cannot be automated. If an algorithm makes governance decisions, it is because it was designed to govern in a particular way. Thus, process automation moves governance from the system operations layer to the design layer.


Figure 3: From "Combining the concept of DAO with cybernetic precedent" (Zargham, Nabben, 2022)

In practice, this often means reducing human governance in some areas by introducing automation, while intentionally applying human governance to others. However, if the governance process becomes so simplified or limited that the system can no longer be "guided" or governed, then its ability to react to unexpected threats and events is reduced. For example, Lido may wish to place limits on the powers of local teams while giving them the freedom to act within those limits (see "Subsidiarity Principles of Operations Governance" below), in a way that maintains efficient operations while reducing systemic risk. As Lido develops, maintaining a balance between adaptability and resilience, and continually adjusting that balance over time, will be key to continued success.

Governance at scale

The question for Lido DAO is: How can a DAO guarantee operational efficiency through automation and trust in the code, while at the same time enabling DAO governance to have sufficient awareness, exposure, and engagement with strategic responsibilities? This requires an approach to scale governance (also known as "necessary diversity"), that is, what can be eliminated, and what is necessary to guide a system.

One way to think about governance at scale is to ask: What is operational (and can be automated)? What is strategic (and may require human input)? What can be monitored ("through sensors and feedback", in control theory terms)? What can be controlled (through "actuators")? These elements can be tuned to achieve the reliability and operational efficiency required to reach the system's goals.

In other words, "decentralization" for the sake of "decentralization" is inefficient. Perhaps more effective would be to reduce single points of failure, limit the permissions of operational staff, and provide users with the option to "engage" or "opt out" of the system. From this perspective, limiting the power of LDO token holders over most things, but retaining their power over core functions that require human input, is actually a good thing. This may go against the mainstream concept of "what is a DAO", but it may not.

The risk of oversimplifying governance is that it eliminates adaptability. If the purpose of governance is to enable a system to adapt and complete its functions, then the governance surface should be as small as possible within a certain range, but not too small. The purpose of defining the governance surface is to establish as small but manageable a scale as possible. If the governance surface is too large, it cannot be controlled and observed, which undermines governance. If the governance surface is too small, there are not enough levers to influence and guide the system. Proper governance surface size is about steering the system towards its goals through just enough, and not too much, manipulation. The vulnerabilities explored in this article concern minimizing governance risk and how to differentiate governance from operations.

Vulnerabilities of Lido

From the perspective of token system security, one of the main purposes of "decentralization" is to prevent any party (internal or external) from imposing its will on the development direction of the system and its stakeholders. If a system is "decentralized", you can trust the system even if you don't trust the participants. This section aims to explore areas where Lido may have a "single point of failure" (centralization) that could reduce its resilience and prevent it from being a simple, secure, and liquid token.

One way to think about this is through the cybernetic concepts of controllability and observability. Here, "controllability" refers to the joystick control in the system, while "observability" refers to how the behavior of the system can be observed and measured.

  • Is the system controllable (can be influenced by a signal to reach a given state in a finite amount of time)? Is it observable (critical changes in state can be learned from system output)? If yes, how controllable and observable?

  • Where is the most efficient place to add sensors (to measure state and product output to create a feedback loop) and actuators (to apply force or control a joystick)?

  • Which states in the system should be quantified and which can be estimated?

According to this approach, we will start to explore the fragility of Lido's governance, including:

 

Figure 4: Drivers of Change for Lido Vulnerabilities

Social Vulnerability

Target Adaptability

Adaptability and governance minimization are inextricably linked. Some might think that adaptability (change) is antithetical to governance minimization (constant), but this is not the case.

Adaptability is the ability to change. Conversely, minimal governance limits what can be changed and how it can be changed in the system. Adaptability enables governance to be minimized by increasing constraints on decision-making over time, without completely losing governance of the system in the event of an unexpected event. In this way, a system can evolve to be more resilient in a changing environment.

Function Determines Form

An institution's organizational form needs to follow the function it seeks to optimize. Broadly speaking, Lido is a "DAO", but the organizational form it takes depends on the function it wants to achieve and the environment it is in. On a macro level, the DAO concepts of "decentralization" and "autonomy" mean that no single party controls the system. However, applying this concept to staking as a service differs from applying it to the consensus of the underlying protocol. Lido's governance needs to keep the system as simple as possible, while also allowing the system to adapt in order to provide simple, secure, liquid staking. The correct scope of Lido's governance surface is determined by the purpose and possibility (or accessibility) of the system. Lido needs to be able to adapt to changing L1 protocols (such as ETH2.0) and multiple blockchain ecosystems, while also effectively pursuing its goals.

Lido's governance process has been adapted and evolved to enable new functionality while constraining existing functionality to optimize its goals. One example of this is Easy Track governance. This is a subsystem of Lido that gives operators the freedom to start quickly with minimal support (adaptability), but limits what can be implemented (minimal governance). This reduces governance risk, while also separating high-level goal-setting decisions (Aragon votes) from low-level implementation decisions (Easy Track votes).

Lido is exploring increasing the voting time and difficulty of the DAO, as well as imposing more restrictions on Easy Track governance. In the future, by creating subsystems of operational functions separate from strategic, DAO-wide decision-making, Lido can move toward minimal governance (reduced activity at the superuser level) and trustless Ethereum staking (more activity at the ordinary user level).

Communication & Coordination

Communication and contingency plans are critical to the operation and governance of a DAO. DAOs need to avoid excessive coordination costs due to communication, and at the same time have a clear crisis response plan and crisis adaptation process. This is an area that spans organizational functions and can only be specialized as Lido scales its operations to multiple underlying protocols, executive teams, and validator nodes, and transforms the team into multiple working groups directly attached to the DAO.

Currently, the Lido team and stakeholders communicate within the DAO through an informal model. If there is a breach, a contentious debate, or any scenario where trust breaks down, it can be difficult for users to get the information and take action to protect their interests. Some key communication functions depend on specific team members seeing information in semi-open channels and being aware of sharing it with the wider Lido community. If the information is not seen, people will leave the project. If the project continues to scale, key functions must be composed of programs rather than individuals. The potential for this communication breakdown is also a governance risk.

Governance design plays an important role in the communication improvement of DAO. To reduce dependence on individual team members, organizational functions can be formulated to increase adaptability and reduce redundancy. Organizational functions can be scoped in terms of roles, responsibilities, and processes so that they can be maintained even as personnel change. This way, even if contributors change over time, the organization can continue to operate stably.

Subsidiarity Principles of Operations Governance

Economist Elinor Ostrom's Governing the Commons offers one approach to bottom-up self-governance strategies. Ostrom referred to the principle of "nested enterprise", arguing that long-term, complex resource systems are usually organized into many levels of nested organizations that jointly carry out supply, monitoring, enforcement, conflict resolution, and governance activities. In other words, composite, scalable organizations can operate at multiple levels: across individuals, organizations, and broader systems. By nesting organizations within each other, users are able to leverage organizations of many different scopes, better govern their resources at each scope, manage complex systems, and achieve improvements in overall efficiency, ownership, accountability, and scope.

This form of governance is closely related to "resilience", which is "the ability to adapt and transform in response to disturbances in order to continue to perform its core functions".

An appropriate starting point for such governance design is the principle of subsidiarity: assigning decision-making power to the lowest competent echelon of the governance arrangement. The principle of subsidiarity is planned in terms of organizational functions rather than specific actors in the system. Clarifying an organizational function is like providing a container that is given the necessary powers and incentives to perform its function, rather than being dependent on someone. This allows for redundancy to be appropriately engineered within each organizational function and creates a basis for a common understanding of the interactions between each function. It also allows system owners to grant or revoke rights to activities within these "containers".

Lido has already started doing this, with different voting lanes and business budgets for some teams, requiring DAO votes only when changing amounts (e.g. LEGO grants). Understanding the principles of subsidiarity and nested governance can help Lido test and execute this approach in the appropriate domain.

Ownership and operation of non-crypto property

Non-crypto property here refers to anything related to Lido DAO that requires a legal entity and/or non-crypto payments in order to be owned and operated, that is, digital property rights or intellectual property rights. This includes the name "Lido", information stored under the "Privacy Policy", website domain names, communication infrastructure, software subscriptions, etc.

In the event of a contentious governance incident, the intellectual property (IP) of the "Lido" name is most likely to be at the center of a legal or political battle. Currently, it is not registered and no one explicitly owns it.

In order to avoid potential risks such as ecosystem partner exits, litigation (such as the Craig Wright Bitcoin lawsuit), or community forks, Lido may consider setting up an affiliate company reporting to the DAO to handle legal business or open source IP.


Figure 5: Incomplete overview of Lido's technical architecture

This section explores Lido's main governance mechanisms and the technical vulnerabilities associated with them.

Global node (Lido Aragon DAO, currently controlled by LDO token voting)

  • Node operator registration

  • Oracle Operator Registration

  • Financial Management

  • DAO permissions and ACLs

Subsystems

  • Easy Track Governance

  • Lido Node Operators Sub-Governance Group

  • Lido Ecosystem Grant Organization

  • Rewards Committee

  • Guardianship of Deposits Committee

Coordinating main channels

  • Telegram (informal chat)

  • Governance Forum (detailed discussion)

  • Snapshot (signature vote)

Aragon Early Voting

Lido on Ethereum is controlled through an Aragon DAO in which LDO token holders vote. This control covers the Lido treasury, ETH2 withdrawal keys, the node and oracle operator lists, DAO access control list (ACL) permissions, execution of EVM scripts, etc. The voting app is therefore effectively Lido's root access.

At the time of writing (March 2022), Lido DAO's permissions include:

  • Any address with vested or unvested LDO tokens can create a new vote

  • In order for the vote to pass, the number of voters needs to represent at least 5% of the LDO token supply (approval/quorum)

  • At the end of the voting window, a proposal must be approved by 50% of voting participants to pass (support/threshold).

  • If 50% of the total supply votes for or against a proposal, it qualifies for a supermajority rule and can be executed immediately.

The following measures may reduce the likelihood of governance capture or compromise.

  • Do not lower the voting threshold.

  • Consider increasing the difficulty (time, support and participation) and minimizing root access as much as possible (more use of subsystems) [in progress]

  • Consider creating more Lido subsystems (such as Easy Track) with restricted permissions, but that give the operator freedom to act within those restrictions so that the main (root-access) voting application doesn't have to be used as often.

  • Distribute LDO to a wide range of ecosystem participants, especially those who are long-term. In this way, the interests of more governance participants are aligned with Lido's long-term vision. In the future, it might even be possible to add a time-weighted voting system (vote escrow, vote of confidence, etc.), giving more governance power to long-term stakeholders.

  • Create automated monitoring tools that provide alerts for every vote, preferably with additional warnings when unusual EVM scripts occur (e.g., funds transfer >X%).

  • Assess where automation can be applied, how it can help the governance process, and what additional dynamics (governance planes) it introduces.
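
The voting rules and the monitoring recommendation above, combined in an added example (not code from Lido or from the original report): it evaluates a vote against the quorum, support and supermajority figures given here and warns about script calls not seen in earlier votes. It assumes the script uses Aragon's CallsScript encoding; all function names are hypothetical, and the addresses, selectors and tallies are constructed placeholders.

```python
from dataclasses import dataclass

# Governance parameters as the article reports them (March 2022), in percent.
QUORUM_PCT = 5          # voters must represent at least 5% of LDO supply
SUPPORT_PCT = 50        # share of cast votes required when the window closes
SUPERMAJORITY_PCT = 50  # share of total supply that permits immediate execution

CALLS_SCRIPT_ID = bytes.fromhex("00000001")  # spec id of Aragon's CallsScript


@dataclass
class Vote:
    vote_id: int
    yea: int
    nay: int
    total_supply: int
    window_closed: bool
    script: bytes


def vote_state(v: Vote) -> str:
    """Apply the quorum, support and supermajority rules listed above.
    Treating 50% as 'strictly more than' is an assumption; the article
    does not say how exact ties resolve."""
    if v.yea * 100 > SUPERMAJORITY_PCT * v.total_supply:
        return "executable-now"
    if v.nay * 100 > SUPERMAJORITY_PCT * v.total_supply:
        return "rejected-now"
    if not v.window_closed:
        return "open"
    cast = v.yea + v.nay
    if cast * 100 < QUORUM_PCT * v.total_supply:
        return "failed-quorum"
    return "passed" if v.yea * 100 > SUPPORT_PCT * cast else "rejected"


def parse_calls(script: bytes) -> list:
    """Split a CallsScript into (target, calldata) pairs.
    Layout: 4-byte spec id, then per call a 20-byte target address,
    a 4-byte big-endian calldata length, and the calldata itself."""
    if script[:4] != CALLS_SCRIPT_ID:
        raise ValueError("not a CallsScript")
    calls, pos = [], 4
    while pos < len(script):
        if pos + 24 > len(script):
            raise ValueError("truncated call header")
        target = script[pos:pos + 20]
        size = int.from_bytes(script[pos + 20:pos + 24], "big")
        pos += 24
        if pos + size > len(script):
            raise ValueError("calldata runs past end of script")
        calls.append((target, script[pos:pos + size]))
        pos += size
    return calls


def review(v: Vote, baseline: set) -> list:
    """Alerts for one vote. `baseline` holds (target, selector) hex pairs seen
    in earlier, already-reviewed votes; anything else is reported as unusual.
    Amount-based rules (e.g. transfer > X%) need per-app calldata decoders
    and are not modelled here."""
    state = vote_state(v)
    alerts = [f"vote {v.vote_id}: {state}"]
    if state == "executable-now":
        alerts.append(f"vote {v.vote_id}: WARNING supermajority reached, no waiting period")
    try:
        calls = parse_calls(v.script)
    except ValueError as err:
        alerts.append(f"vote {v.vote_id}: WARNING script not parseable ({err})")
        return alerts
    for target, data in calls:
        key = (target.hex(), data[:4].hex())
        if key not in baseline:
            alerts.append(f"vote {v.vote_id}: WARNING unusual call {key[0]}:{key[1]}")
    return alerts


def make_script(*calls) -> bytes:
    """Build a CallsScript from (target_hex, calldata_hex) pairs (sample-data helper)."""
    out = CALLS_SCRIPT_ID
    for target, data in calls:
        raw = bytes.fromhex(data)
        out += bytes.fromhex(target) + len(raw).to_bytes(4, "big") + raw
    return out


# Constructed sample data: placeholder addresses and selectors, not real Lido contracts.
KNOWN = ("11" * 20, "aabbccdd")
BASELINE = {KNOWN}
SUPPLY = 1_000_000_000
ROUTINE = Vote(1, 60_000_000, 5_000_000, SUPPLY, True,
               make_script((KNOWN[0], KNOWN[1] + "00" * 32)))
ODD = Vote(2, 510_000_000, 0, SUPPLY, False,
           make_script(("22" * 20, "deadbeef" + "00" * 64)))
BROKEN = Vote(3, 10_000_000, 0, SUPPLY, True, CALLS_SCRIPT_ID + b"\x33" * 10)

if __name__ == "__main__":
    for vote in (ROUTINE, ODD, BROKEN):
        print("\n".join(review(vote, BASELINE)))
```

The second sample vote shows why alerting only at the end of the voting window is not enough: once more than half of the supply has voted yes, the script can run immediately.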

Managed Interface

Interfaces are portals connecting users and services. More often than not, users trust what the interface shows them. Although seeing is believing, seeing does not mean understanding. When most users connect their Ethereum wallets or interact with DApps, they tend not to verify that what is displayed on their screen is actually on-chain. This creates a risk that the interface may be unusable or misleading, causing users to not take the best action to represent their interests. For Lido to respond to internal and external pressures, stakeholders need to be able to find and act on information. Anything that hinders or interferes with this can be a risk to governing the right to know and participate.

Potential threats include, but are not limited to:

  • Interfaces are censored, preventing stakeholders from using them.

  • The data displayed by the interface is modified, making coordination/communication difficult and/or inducing users to vote on the wrong proposals.

  • Hackers attack the interface to steal users' assets.

For example, the interface of Badger DAO was exploited recently, and the losses reached 120 million US dollars. This had nothing to do with their contracts or the Ethereum blockchain; the problem was in their website.

Another example is third-party contract verification. Security researcher @samczsun recently discovered a zero-day vulnerability in Etherscan's contract verification engine. Aside from discovering vulnerabilities yourself, the best way to guard against zero-day vulnerabilities is to minimize your reliance on trusted third parties.

In general, interfaces are usually more vulnerable to attacks than smart contracts, and they are more opaque, so it is difficult to guarantee security. Of course, there are also measures to make the interface more resilient:

  • Content addressing: The first approach is to use content-addressable interfaces whenever possible. This can help minimize interface governance if each version is immutable. The content-addressable interface can then be hosted on IPFS or Arweave. The TornadoCash interface is one such example.

  • Self-hosted interface: It is also important to make it easier for users to launch or host their own interfaces. This allows individuals to run their own interfaces without needing to trust third parties, while also allowing ecosystem partners (and scammers) to host their own Lido interfaces if the main interface is down. This establishes the basis for a competitive interface market without dependency on any particular service provider.

  • Multiple independent interfaces:

Validator Diversity

As mentioned on the Lido Research Forum, validator client diversity is important for reducing dependence on a single infrastructure provider. If Lido validators all use the same client software, a single error could affect all of Lido's AUM, but if Lido validators use diverse clients, then any single error will only affect a subset of Lido's AUM. This may be especially important after the Ethereum Merge, since validators will then be able to earn Maximum Extractable Value (MEV), but most ETH2 clients do not provide MEV-related functionality (which could lead to consolidation among Ethereum clients). The Lido Node Operators Group (LNOSG) is working on enabling "trustless Ethereum staking," and LDO token holders should be aware of these changes, especially with regard to approving new node operators and/or any changes to an automated system for ranking and rewarding node operators.

We note that this is a core competency of Lido's operations, and Lido seems to be aware of it and working on it.

Economic Vulnerability

Lido competes to produce block space in a proof-of-stake (PoS) system. In return, block subsidies, fees and future MEV can be obtained.

Investing in block production is prospective and probabilistic. This means that if you control 10% of the validating rights (staked tokens), then in the future you might get around 10% of block rewards. However, if other validators increase their stake, then you only get a lower percentage of the block production reward. To stay competitive, you have to buy more tokens. This creates an incentive to buy as many tokens as possible early so that you can earn rewards for staking early. The sooner you stake, the sooner you earn money, and the sooner you earn money, the sooner you can stake more. In short, PoS verification may be a winner-take-all market, and the benefits of the staking market are many. Lido's goal is to become the leader in consolidated staking with a decentralized, non-custodial staking pool model.

It is worth noting the competitive dynamics of the market Lido is in: a validator that dominates a PoS network can become very valuable, and therefore the governance of that validator can become valuable. But this could create competition for control of the system (think MEV's curve wars). If this happens, two forces may enable such a system to avoid centralization while continuing to provide neutral, competitive, decentralized block space production: competitive marketplaces and DAOs.

  • If block space were a competitive market, then users and validators would have a choice. They can choose which tokens to buy and sell, and which chains to use or validate. If a party becomes the producer of the majority of blocks in the network, they are less likely to "raise rent", and users and validators can easily sell their tokens and choose to leave. That said, professional PoS validators are highly technical and capital intensive. Those who are the best at this may get more capital (tokens, computers, and financing) to participate in all chains.

  • If a decentralized governance system controls the majority of block production, then the system can be directed by a diverse group of stakeholders while not being controlled by any of them. How this plays out in practice depends on the token distribution and governance of the staking system, but may involve minimizing the governance surface over time. With minimal governance of a resource, the ability of stakeholders to compete for and capture that resource is also minimized. Therefore, if a system is expected to be contested in advance, governance should be reduced as soon as possible and as much as possible, if and only if it reaches this point, while maintaining the adaptability it needs in order for it to function.

Conclusions and next steps

The goal in this post is to find vulnerabilities in Lido's governance in terms of the dynamics of the system at the social, technological and economic levels. Once vulnerabilities are identified, they can be "governed" to improve Lido's adaptability and resilience. Because systems are dynamic and ever-changing, the process of turning governance vulnerabilities into opportunities will also be continuous.

Governing the vulnerability of socio-technical systems requires an analysis of both human stakeholders and technological mechanisms. Governance is the use of joysticks within the boundaries of a system to guide that system. Lido's current structure allows it to provide a decentralized platform for Ethereum's liquidity staking, while also having enough control to accommodate the changing architecture of Ethereum's 1.0 to 2.0 transition. As Ethereum becomes more stable over time, the adaptability of Lido's governance structure can be continuously applied, making Lido more resilient. This is extremely important, as Lido grows to multiple blockchains and becomes more valuable, the governance of Lido's liquidity staking will also become valuable.

By minimizing single points of failure, increasing the difficulty of "root-level" governance, and creating more subsystem governance with the assistance of organizational functions and subsystem mechanisms (such as Easy Track) that can quickly execute decisions within constraints, Lido can increase its resilience. Lido's goal is to contribute to decentralized staking of ETH liquidity while mitigating systemic risk to any particular actor or operating process. Ideally, addressing the vulnerability reduces the likelihood of malicious attacks or underperformance, while rewarding productive contributions in a more permissionless and efficient manner. This needs immediate attention at a strategic level.

In the emerging, high-stakes space of DAOs and liquidity staking, this task is complex. We would like to commend the Lido team and community for their contributions to enabling decentralized liquidity staking on Ethereum.
