The Next Chapter for Lido
With the Ethereum Merge approaching, staking on the Beacon Chain is booming as expected. The blockchain is now secured by over US$35B equivalent (at today’s prices) in staked assets, and 75% of new stakers who joined in the last 30 days have done so via Lido.
While this validates our mission to democratize staking in Ethereum, some people have expressed concern that this level of success can make Lido a centralizing force. We hear you, and your concerns are both important to us and valuable to Ethereum as a whole.
Lido is already non-custodial and permissionless for stakers and, pending an upcoming Ethereum upgrade, will give them an escape hatch to unstake their ETH at any time.
This post will address how we currently think about the largest remaining issue - the management of Lido’s node operator (NO) set. We cover:
- What goes into creating a good validator set.
- Why a good validator set is a public good that needs active attention and funding.
- How we plan on allowing permissionless validation in Lido and reducing the power of governance to an absolute minimum.
How to build a good liquid staking pool
Any liquid staking pool faces two hard problems:
- Providing a useful and deeply liquid staking token to its users (in our case stETH).
- Providing a good validator set, both to users (to maximize their APR) and to the underlying blockchain (to minimize the risk of misbehavior or poor performance).
Given the network effects at play, it is likely that the market for liquid staking will trend towards a ‘winner-takes-most’ outcome. As a result, it is important to the underlying blockchain ecosystem that the winning liquid staking provider is values-aligned and has a robust validator set.
The core reason we started Lido was to prevent a centralized exchange or group of exchanges from winning the staking market.
What makes a good validator set?
A good validator set allows users to use dapps on Ethereum L1 and L2s with the lowest risk of downtime or censorship, and the highest expected throughput. For that to happen, the validator set needs to deliver censorship resistance and performance, both in fair weather and throughout all forms of adverse conditions.
In short, the chain must flow and be a credibly neutral home for applications and their users. It's easy to evaluate performance in fair weather, but dealing with tail risks and their correlation is complicated.
A good validator set is opinionated
Lido currently selects its validator set on Ethereum by curating a periodically expanded list of peer-reviewed node operators.
Our model for curating the list is to minimize the following risks as much as possible:
- operator compromise.
- network connectivity issues.
- operator misconfiguration.
- regulatory capture.
- client bug.
While we can't fully get rid of these risks, we aim to decorrelate them by creating a robust and diverse validator set with the following properties:
- no operators with >1% of the total stake.
- an emphasis on improving client diversity in Ethereum.
- legally and physically unrelated.
- operators run their own nodes (no white-label or paid APIs in the infra).
- operations are distributed geographically and jurisdictionally.
- distributed variation of on-premise infra and different cloud providers.
- good performance.
- best practices in security and key management.
- operators earn well enough to build a profitable, dependable business on staking.
- long-term alignment with the success of Ethereum and decentralized economies.
A good validator set is a public good
A validator set with these properties is a public good. Why? Most stakers select their liquid staking provider based on two things: the liquidity of the staking token, and their staking APR.
They can’t all be expected to care about the complex requirements of what makes a good validator set. This leads to a tragedy of the commons where users are incentivized to stake with the largest or most profitable provider, while the negative externalities of their choice accrue to Ethereum itself. Therefore, unopinionated staking always leads to centralization over time.
An opinionated validator set is more expensive to operate and requires both funding and attention. In essence, a good validator set requires a long-term sustainable business model. This is a strong argument against imposing artificial constraints on any one staking provider.
There are two reasons why imposing hard limits on liquid staking products will not lead to a good outcome:
- An artificial ceiling on adoption (and hence liquidity) will shift competition to a single parameter: APR. But competition on APR is a race to the bottom that will compress any ability for the liquid staking provider to fund the provision of the public good - the robust validator set.
- Only a liquid staking protocol that has reached a significant scale can generate the fees necessary to maintain a good validator market, support the ecosystem, and ultimately protect the blockchain itself from centralizing forces.
Stakers will always have alternatives and a diversity of views, and will therefore not allow the winning protocol to over-capture. There is only so much premium a protocol can ask for to provide the most liquid and integrated solution.
Towards permissionless validation in Lido
Previously, we have established that Lido has to ensure that the validator set is good and stays good. At the moment, we use the simple approach of selecting operators from those that apply directly for participation in Lido.
However, there are problems with this approach:
- Not many professional node operators run their own infra and are not a one-person shop; we will run out of a candidate pool soon.
- There is little incentive for an operator to improve once they are in the set.
- There is no way to start small and build up for new operators inside Lido right now.
- Most importantly, curation by peer-review-only will lead to a full-blown cartel in the long-term; a dystopian outcome for Ethereum that we absolutely must prevent.
As a result, our current approach is merely a stopgap. It allows Lido to have a good operator set now, but will be replaced with a system where anyone can be a node operator, all NOs are incentivized to do their best, and the risk from governance is absolutely minimized.
To get there, we will make two fundamental improvements to Lido.
The first improvement is the gradual adoption of Distributed Validator Technology (DVT) in Lido. DVT groups validators into independent committees that propose and attest to blocks together, greatly reducing the risk of an individual validator underperforming or misbehaving.
Once implemented, this would allow us to onboard untrusted NOs by pairing them with a majority of trusted NOs. This way, untrusted NOs would directly contribute to the decentralization of the group without being a risk for Lido stakers or Ethereum. The implementation of DVT is the largest focus on our immediate roadmap and we are actively supporting its research and development.
The second improvement is to create a Node Operator Score (NOS) compiled from different metrics and allocate stake based on that. This continuous score would replace the existing binary notion of trusted/untrusted NOs and have several advantages:
- Performance and other metrics directly affect an NO's stake allocation, giving them an incentive to maintain strong performance to increase their stake.
- Anyone can join Lido as a NO and build up stake over time by improving their NOS. This can be done by putting one’s own skin in the game (e.g. by bonding collateral), joining committees with other NOs, showing good performance over time, and more.
To limit risk for our stakers and Ethereum, we expect our first steps on the scoring system to start once Distributed Validation Technology is integrated into Lido.
Designing this system is a monumental achievement to deliver. It is even more difficult while unstaking from a sub-par node operator is not yet technically possible.
Towards resilient Lido governance
In the meantime, there are several layers of defense against Lido governance capture, with more being introduced soon. This work will happen in parallel to our work on permissionless staking and the first step has already been taken with the publication of a report we recently initiated into potential governance risks affecting the DAO.
The main risk Lido poses for Ethereum is selecting a bad validator set. This can happen in two ways - suddenly, or gradually.
To understand why a sudden coup in Lido is impossible, one has to understand the constraints imposed by the Beacon Chain. Lido cannot yet un-select an operator after delegating to it. That means that any stake Lido has delegated thus far will not be able to change until withdrawals become available.
As a result, Lido has no significant leverage to coerce operators that are already participating to do something they don't want to do: we can't even unstake them. Even when Lido is able to rotate operators (explained in greater detail in our last decentralization update), the mechanics of the staking queue ensure that it will take months to do so.
The second and bigger risk is for Lido to gradually worsen the validator set, especially once forced exits and withdrawals are possible. If this happens, it will likely be the result of governance capture. To prevent that, we want to rely on three measures of defense:
- Introducing new mechanics that prevent untelegraphed changes to Lido, such as time-locks and giving veto rights to a quorum of stETH holders.
- Since Lido is non-custodial and permissionless for stETH holders, they can always voluntarily unstake and move to a competitor.
- We make it easy for Ethereum core developers to fork Lido as a last resort. All it takes is to switch a few bits in our governance contract to revoke Lido’s current permissions and transfer them to a community-owned contract.
Lido is just 14 months old but in that short time has already delivered tremendous value to our stakers - giving them the simplest way to participate in securing the Beacon Chain using any amount of capital.
Meanwhile, Lido also contributes to the decentralization and security of Ethereum itself:
- Instead of large exchanges dominating the staking market, Lido actively shapes a good validator set. We currently have 21 providers who adhere to the highest community standards and have less than 2% of the total staked Ether each (the goal is to reduce this further and we have recently announced the latest onboarding wave for new operators).
- Instead of large amounts of stake sitting in custodial solutions, stakers control their own ETH.
- Instead of complexity and opportunity cost keeping many stakers out, far more capital is securing the Beacon Chain today than otherwise would.
- Instead of staking tokens confined to a walled garden, stETH is a fundamental building block powering the future of Defi.
While these are great achievements in the short term, we are aware that the current method of managing this validator set is not sustainable and must improve. Our vision is to build a staking solution that is fully permissionless for the blockchain itself, and it has been our vision from the start.
We previously made promises to the community about this roadmap and are pleased to be updating you on the parallel tracks that we are actively pursuing:
- We will gradually adopt Distributed Validator Technology in Lido and start researching a scoring system that allows anyone to become a validator in Lido without permission.
- We will create additional checks and balances on Lido governance, including directly empowering stETH holders to veto any decision that will be made.
We are deeply committed to creating and maintaining the best validator set possible, and being excellent stewards of the Ethereum ecosystem. In the next year, we hope to make meaningful progress toward the mission laid out today. Ethereum deserves nothing less, and we want to thank the entire community for continuously holding us accountable to the values of decentralization.