Taking Lido as an example, what risks are associated with the LSD protocol?

ChainCatcher Selection
2023-08-25 17:56:23
This article is a response to some views of Danny Ryan regarding the LSD protocol.

Original Title: On the risks of LSD
Original Author: sacha
Translated by: Qianwen, ChainCatcher


Preface

This article is a response to some views from Danny Ryan (which will be presented in detail later).

The opposite of a fact is a falsehood, but the opposite of a profound truth is often another profound truth.
-- Niels Bohr

Overall, I believe Danny's position is great. However, I also think that his approach carries significant risks that have not been adequately discussed in public.

I do not think Danny's views are wrong in themselves, but I do believe that there is another side to his perspective that has not been clearly communicated enough. That is the purpose of this article.

Introduction to Dual Governance

Dual governance is an important step in reducing governance risks for the Lido protocol. It represents a shift from shareholder capitalism to stakeholder capitalism. It also provides a practical way for Ethereum holders to have a say in changes to the Lido protocol.

Its main goal is to prevent LDO holders from changing the social contract between the protocol and stETH holders without the consent of the latter. Currently, LDO holders have significant power over the protocol, which can lead to substantial changes in this social contract. These powers include:

  • Upgrading the Ethereum liquid staking protocol code
  • Managing the list of members of the Ethereum consensus layer oracle committee
  • Changing the stake distribution among node operators in potentially harmful or unexpected ways (e.g., adding or removing whitelisted Ethereum node operators)
  • Altering the governance structure in unexpected or potentially harmful ways (e.g., minting or burning LDO, changing voting system parameters)
  • Changing the total fee ratio of the Ethereum liquid staking protocol beyond the agreed range (and defining those ranges)
  • Deciding how to use the treasury

All of these powers, except for treasury expenditures, directly affect stETH holders. Dual governance fundamentally allows stETH holders to veto any of the aforementioned modifications to the Lido protocol without introducing new attack vectors or placing an excessive political burden on stETH holders.

Node Operator Governance

Danny believes:

"Deciding who the node operators (referred to as NO hereafter) are involves two questions—who gets added to the set and who gets removed from it. In the long run, this can be designed in one of two ways: either through governance (token voting or similar mechanisms) or through automated mechanisms based on reputation and profitability.

In the former model, where governance decides on NO, governance tokens (like LDO) become the primary risk for Ethereum. If tokens can decide who can become this theoretical majority—NO in LSD—then token holders can enforce censorship, multi-block MEV, and other cartel activities, or else NO will be removed from the set.

There is also a clear risk in governance deciding on NO, which is regulatory scrutiny and control. If a set under an LSD protocol stakes more than 50%, that set will gain the ability to censor blocks (worse, since they can finalize those blocks, that number can reach 2/3). In a regulatory scrutiny attack, we now have a unique entity—the governance token holders—whom regulators can target for scrutiny. Depending on the distribution of tokens, this could be a much simpler regulatory target than the entire Ethereum network. In fact, the token distribution in DAOs is generally poor, with only a few entities deciding most of the votes."

Dual governance largely addresses the above issues. Specifically, if LDO holders attempt to unfairly remove NO from the set, the following scenarios can occur:

  • A quorum of stETH holders (for example, 5% of the total) can extend the governance voting period so that a larger quorum (for example, 15%) can veto this erroneous decision.
  • If the veto passes, all subsequent LidoDAO proposals will be automatically vetoed (veto status)—to avoid placing additional voting burdens on stETH holders.
  • Importantly, the governance body can only return to normal status if both the LDO governance body and the participating stETH holders agree to resolve the conflict.

In summary, by granting stETH holders the power to veto changes to NO settings, LDO holders cannot unilaterally enforce censorship, multi-block MEV, and other cartel activities, as LDO holders themselves cannot remove dissenting NO.
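The veto flow described above, modelled as a small state machine. This is an added example, not Lido's contract code or the author's; the class, method and state names are hypothetical, and the 5% and 15% thresholds are the article's illustrative figures. It does not model what happens if the extended period expires without the larger quorum forming.

```python
from dataclasses import dataclass, field
from enum import Enum
from fractions import Fraction

class State(Enum):
    NORMAL = "normal"      # LDO-approved proposals may execute
    EXTENDED = "extended"  # voting period extended so a larger quorum can form
    VETO = "veto"          # every LidoDAO proposal is vetoed automatically

EXTEND_QUORUM = Fraction(5, 100)   # the article's "for example, 5%"
VETO_QUORUM = Fraction(15, 100)    # the article's "for example, 15%"

@dataclass
class DualGovernance:
    total_steth: int                                # total stETH supply (model units)
    state: State = State.NORMAL
    objections: dict = field(default_factory=dict)  # holder -> stETH committed against

    def objecting_share(self) -> Fraction:
        # Exact fraction, so a share of exactly 5% or 15% trips the threshold.
        return Fraction(sum(self.objections.values()), self.total_steth)

    def lock_objection(self, holder: str, amount: int) -> State:
        """A stETH holder commits `amount` against the pending LDO decision."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        if sum(self.objections.values()) + amount > self.total_steth:
            raise ValueError("objections exceed total stETH supply")
        self.objections[holder] = self.objections.get(holder, 0) + amount
        share = self.objecting_share()
        if share >= VETO_QUORUM:
            self.state = State.VETO
        elif share >= EXTEND_QUORUM and self.state is State.NORMAL:
            self.state = State.EXTENDED
        return self.state

    def can_execute(self, ldo_vote_passed: bool) -> bool:
        """Delayed while EXTENDED, rejected while VETO, allowed only in NORMAL."""
        return ldo_vote_passed and self.state is State.NORMAL

    def resolve(self, ldo_agrees: bool, steth_objectors_agree: bool) -> State:
        """Leaving the veto state requires consent from both sides."""
        if self.state is State.VETO and ldo_agrees and steth_objectors_agree:
            self.objections.clear()
            self.state = State.NORMAL
        return self.state
```

The property to notice is in `resolve`: once the veto state is reached, an LDO majority alone cannot restore normal operation.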

Regarding Danny's second concern (regulatory scrutiny and control), the distribution of stETH tokens is markedly different from that of LDO and is more diversified. Therefore, the combination of LDO and stETH is better able to withstand such scrutiny. It is indeed not as broadly distributed as ETH and lacks the diversity of Ethereum user distribution, but this will only improve over time.

Selecting NO Based on Economic Factors

Danny believes:

"In the scheme of selecting NO based on economics and reputation, we will ultimately still fall into a similar cartelization, albeit automated cartelization.

Determining the NO list based on profitability may be the only trustless (non-governance) method to ensure that NO benefits the pool.

The definition of profitability is problematic… Due to the significant changes in the economic activities of the system over time, the design of the system cannot rely solely on some absolute metric, such as needing to earn X in transaction fees.

When all operators use 'honest' technology, this profitability comparison metric can work well, but if a certain number of bad operators turn to destructive technologies, such as multi-block MEV or adjusting block release times to capture more MEV, they will distort the profitability targets, causing honest NOs that do not use destructive technologies to be automatically eliminated.

This means that regardless of the method used—NO governance or economic selection/exclusion—this pool that exceeds the consensus threshold will become a cartel layer. Either a cartel is formed directly through governance, or a destructive profit cartel is formed through smart contract design."

This analysis feels overly binary. For Lido (or Ethereum), neither extreme (LDO governance of NOs or purely algorithmic/economic selection/exclusion) is possible or desirable.

Dual governance is crucial for minimizing the risk of cartel abuse. Moreover, as Danny rightly points out, profitability is too simplistic a metric to rely on entirely.

There are many important factors that are difficult to verify on-chain, such as geographical distribution or jurisdictional diversity, which means that people may always need to play a role in some loop—though perhaps this can ultimately be simplified to voting on rebalancing stake among node operators (new and old) annually.

Staking ETH Governance Scheme

Danny believes:

"Some people think that LSD ETH holders can have a say in the governance of their underlying LSD protocol, potentially supporting unfair distributions and oligarchization of tokens.

It is important to note that ETH holders are not Ethereum users by definition, and in the long run, we expect the number of Ethereum users to far exceed the number of ETH holders (those holding more ETH than is necessary to facilitate transactions). This is a key and significant fact that affects Ethereum governance—ETH holders or custodians do not enjoy on-chain governance rights. Ethereum is a protocol that users choose to run.

In the long run, ETH holders are merely a subset of users, and thus, ETH holders are even just a subset of that subset. In an extreme case where all ETH becomes staked ETH under an LSD, the voting weight or suspension of governance for staked ETH does not protect the users of the Ethereum platform.

Therefore, even if the LSD protocol and LSD holders align on minor attacks and capture, users will not and cannot/will not respond."

Hasu's response largely addresses these issues.

The Evil Nature of Governance

Danny believes:

"Even if there are time delays in LSD governance, allowing pooled capital to exit the system before changes occur, LSD protocols will still be subject to a 'boiling frog' style governance attack. Small, gradual changes are unlikely to lead to capital exiting the system, but the system will still undergo drastic changes over time. Nevertheless, any governance mechanism is subject to this, whether it is primarily informal (soft) or formal (hard)."

Looking back at Danny's argument, small, gradual protocol changes driven by EF are unlikely to cause DAOs/users to exit Ethereum, but the Ethereum protocol (and its spirit) may still undergo significant changes over time.

In particular, it can change the way the protocol operates, thereby breaking the social contract of early contributors.

While I am far from being an immutability maximalist, I do believe that governance minimization as a philosophy exists upstream of soft and hard governance.

The drawbacks of hard governance have been extensively discussed, while soft governance has its own issues (more subtle and often obscured), involving unrecognized/unaccountable power, how to exercise power without sacrificing credible neutrality, and how to deal with power vacuums (in cases of death or tragic accidents). This is certainly not a panacea for eliminating all tail risks.

In other words, under soft governance, there is often a significant amount of unrecognized power. Unrecognized power is unaccountable power. And unaccountable power will almost inevitably lead to undesirable situations over a sufficiently long time span.

Gwart once tweeted that "social punishment is Justin Drake coming to your door with a big knife, cutting your computer's internet cable, and pointing at you saying, 'You're a bad guy.'"

While this is a humorous expression, it indeed reveals a deeper potential contradiction between the need to maintain the protocol and the centralization of soft power among key actors.

In Dankrad's slightly more serious words: "Yes, we might have opinions about what you do at the staking layer, which could include disrupting your protocol and destroying it."

User Representation

Danny believes:

"As mentioned above, LSD holders are not equivalent to Ethereum users. LSD holders may accept some governance voting predicated on censorship, but this still constitutes an attack on the Ethereum protocol, and users and developers will mitigate this attack through the means at their disposal—social intervention."

We can also view this issue from the opposite perspective.

Almost everywhere, we can see that user-driven decisions often encourage market centralization in various important aspects.

99.9% of users may not care about forms of temporal censorship that do not directly concern them, while most contributors to liquidity protocols tied to Ethereum may care about this.

For example, most users do not care about, nor should they care about, issues like the geographical distribution of Ethereum nodes or jurisdictional diversity, but contributors to Ethereum-tied liquidity protocols certainly will care and can take concrete actions to maintain Ethereum's resilience in these areas.

Capital Risk and Protocol Risk

Danny believes:

"The above discussion largely focuses on the risks that LSD pools (like Lido) pose to the Ethereum protocol, rather than the risks faced by those holding capital in the pools. Therefore, this could be a tragedy of the commons—everyone rationally decides to use the LSD protocol for staking, which is a good decision for users but a worsening decision for the protocol. However, in fact, when the consensus threshold is exceeded, the risks faced by the Ethereum protocol and the risks faced by the capital allocated to the LSD protocol are interconnected.

Cartelization, MEV extraction abuse, censorship, etc., are all threats to the Ethereum protocol, and users and developers will respond to these threats in the same way they would respond to traditional centralized attacks—through social intervention to leak or burn. Therefore, pooling capital into this layer for cartelization not only jeopardizes the Ethereum protocol but also endangers the pooled capital in return.

This may seem like a 'tail risk' that is difficult to take seriously or may never happen, but if we have learned anything from the cryptocurrency space, it is that—if this risk can be exploited or has some unlikely 'critical edge cases,' it will be exploited or collapse faster than you can imagine. In this open and dynamic environment, fragile systems collapse time and again, and vulnerable systems are exploited time and again."

In the words of Nikolai Mushegian, in an open system, the entire world can interact with it, and incentives are not merely suggestions. They are more akin to physical laws, such as gravity or the laws of entropy. As long as even one part of the system is incompatible with the incentive mechanism, it is only a matter of time before it is exploited. Any naive notion cannot reduce this risk.

Relying on commitments to deter bad actors opens the door to tail risks, which can be said to be as severe as the risks Danny emphasizes, if not more so.

Self-Restriction

Danny believes:

"The Ethereum protocol and users can recover from the centralization and governance attacks of LSD, but it is not pretty. I suggest that Lido and similar LSD products self-restrict for their own benefit and advise capital allocators to acknowledge the inherent collective risks in LSD protocol design. Due to the inherent extreme risks, capital allocators should not allocate more than 25% of the total staked Ether to LSD protocols. Artificially imposing restrictions does not guarantee good outcomes."

In fact, artificially limiting liquid staking products is unlikely to yield good results, because the period during which commitments can be maintained is limited.

The likely outcome is that parties unable to exert influence within the community will win: liquid staking on exchanges, institutional (and licensed) staking products, or more immutable (and less resilient) protocols.

These idealistic ideas start from a good place but are disconnected from the practical situation, which is a common blind spot for EF. It is precisely these kinds of errors that allowed exchanges to dominate before Lido's plans were launched.

Supplement: Public Goods Are Very Beneficial

So, what does a world where Lido wins mean for the future of Ethereum public goods (especially the role of Lido DAO in promoting this future)?

In the words of Kelvin Fichter, EF is an independent nonprofit organization with a closed governance structure that cannot (and should not) become the primary coordinator of public goods for the Ethereum community.

Therefore, I believe that good validators are a public good that requires funding support, and EF should not rely on it to provide funding (partly because its closed governance structure and overwhelming soft power are poorly suited to establishing credibly neutral rules). Only a successful liquid staking protocol (>50% market share) can afford the financial inefficiencies required to do so: maintaining a good validator market, sponsoring expensive validators, providing ecosystem support, while still being profitable in the long run (over the next 100 years).
