A Governance Assessment by BlockScience
Context of this research
Based on our DAO Vulnerabilities research piece, we were contacted by Lido to undertake a resilience assessment of LIDO liquid staking protocol governance by conducting a Lido DAO governance vulnerability mapping exercise. In this blog, we share our findings from a DAO Vulnerabilities Assessment of Lido, including:
- Our research method & approach
- What is Lido, its significance in the Proof of Stake (PoS) landscape & stakeholder mapping
- Governance Intuition: Insights on governance minimization & “right-sizing”
- Lido’s vulnerabilities, in terms of the social, technical, and economic dynamics of the system
- Conclusion and next steps
The goal of this research is to map the current state of governance in Lido to understand its goals, dynamics, and risks. This can help guide Lido’s development of governance processes to ensure both social and technical resilience, and risk management to support Lido’s goals to drive industry leadership in liquid staking.
In this piece, we refer to vulnerabilities as a relational concept to threats. Vulnerabilities typically emerge internally to a system rather than externally and thus can be managed in many cases once identified. Identifying vulnerabilities can produce opportunities to improve adaptive capacity, resilience, and growth. This is essential for DAOs that aim to be decentralized and autonomous (meaning independent from external direction).
Research Methods & Approach
We employed qualitative methods, including stakeholder interviews and reviewed documentation, code repositories, block explorers, analytics dashboards, contract interfaces, public communications channels and more. The scope of this analysis was largely focused on Lido on Ethereum (note: we did not run a full node to inspect and verify the Lido contracts and we did not have access to any of the web servers we interacted with). This information was accurate at the time of our research from December 2021 to March 2022, noting Lido is a complex adaptive system and some things may have changed.
What is Lido Liquid Staking?
Lido is a financial platform offering ETH staking derivatives in exchange for a management fee. Lido allows users to earn liquid token staking rewards without locking up assets or maintaining their own staking infrastructure by depositing ETH into a Lido smart contract to receive transferable stETH (Lido’s liquid variant of stake ETH). In exchange, ten percent of all ETH staking derivatives (subject to change via LDO voting) flow to the Lido DAO, which is controlled by LDO token holders.
LDO token holders are the owners/managers of the platform. LDO token holders manage the structure of the Lido DAO and an extended suite of contracts, the Lido DAO treasury, and LDO tokens themselves. Anything beyond Ethereum (multi-chain) or IRL (people) is not directly owned or managed by LDO token holders. Although this may change in the future, Lido governance responsibilities are currently split between on-chain LDO token voting as well as end-users and operators who “vote with their feet.”
Liquid staking is a highly technical, capital intensive, and competitive market. It is in the interest of LDO token holders to grow Assets Under Management (AUM) as much and fast as possible to raise the amount of management fees accrued to Lido, which can then be reinvested into more growth and security.
Why Lido Matters in the Proof-of-Stake Landscape
Block space production is a competitive market. Proof of Stake (PoS) inflationary rewards are naturally centralizing and a few large players will likely dominate the market. Lido needs to gain enough market share to become the dominant “decentralized” ETH staking derivatives provider and already has a first-mover advantage.
If Lido succeeds, it will fill a significant gap between centralized exchange staking services and DIY hobbyist staking in the public blockchain landscape. This way individuals, institutions, decentralized applications (dApps), DAOs, and Decentralized Finance (DeFi) protocols can all benefit from simple, secure, liquid-staked ETH. If Lido (or a similarly decentralized liquid staking solution) cannot do this, however, then it is likely that centralized exchanges — that are subject to the laws of their jurisdictions and regulators — will control the majority of staking on major blockchains like Ethereum — and by extension own the production of block space on all major public blockchains. Whoever produces block space can re-order or censor transactions. Thus, block space is a critical and valuable resource in public blockchains.
If Lido, a more “decentralized” system, secures a large portion of the current and future PoS blockchains, then block space is more likely to remain credibly neutral (meaning less likely to be captured by a single party or “cartel”). This would make LDO increasingly valuable as a governance token that controls block space production, as well as the value that flows from that block space production. This means that Lido needs to identify and address internal social, technical, and economic vulnerabilities so that it can adapt to stay competitive, while also remaining resilient against external threats and changes in the environment to resist centralization or failure.
Lido has several key stakeholder groups that contribute to making simple, secure, liquid-staked ETH possible. They can be addressed according to the following categories:
- Primary: owners, operators, and users such as LDO token holders, governance sub-committees, multi-sig signers, Lido employees, and stETH end users.
- Secondary: external collaborators such as DApps that integrate stETH, validator operators, oracle operators, interface operators, and more.
- Outer: groups or systems that have an indirect relationship with Lido such as Layer 1 blockchains, competing staking-as-a-service providers, and more.
These stakeholders contribute to making simple, secure, liquid-staked ETH possible. Some categories of stakeholders also often overlap or move between roles in different contexts. As Lido evolves, its stakeholder groups are likely to evolve as well (especially across multiple chains, which is out of scope for this initial analysis which primarily focuses on the Ethereum ecosystem).
Insights on Governance Minimization & Governance Sizing
Lido has set forth a roadmap to “trustless staking on Ethereum” that emphasizes governance minimization via smart contract custodianship and automation of node operator participation. The term “governance minimization” tends to elicit various assumptions among stakeholders. Clarifying what this means can help align stakeholder expectations for future governance discussions and decisions.
In this context, governance minimization, means “reducing the power and reliance on governance wherever possible.” As Paradigm says: “the most widely used protocols will trend towards governance minimization”. The idea is that people are more likely to use and trust a system that can’t change against their interests versus one where the current owners or operators say that they won’t.
One approach to governance minimization that is becoming increasingly common, especially in DeFi protocols, is governance automation. Governance automation refers to deferring governance to algorithmic processes through automation at the technical layer. For example, the Lido roadmap emphasizes the automation of functions such as validator node selection. We note here that this is governance process automation, as governance itself cannot be automated. If an algorithm makes governance decisions, it is because it is designed to govern in specific ways. Thus, process automation moves governance from the operational layer of a system to the design layer.
However, governance is still required to ratify that design, and introducing algorithmic governance introduces new governance surfaces (fields of action that need to be determined to shape behaviors). Automation shifts how governance occurs in a system, and to who it is transparent and legible, rather than necessarily adding simplicity or efficiency. Governance is more a question of what function should be automated, and what requires human oversight.
In practice, this often looks like reducing human governance processes over most things by introducing automation, while intentionally applying human governance to others. Yet, if governance processes become so reduced or limited that the system can no longer be “steered” or governed, the ability to react to unanticipated threats and events is reduced. For example, Lido might want to put constraints on the power of teams at the local level, while giving them the freedom to act within those constraints for operational efficiency (see below on ‘subsidiarity for operational efficiency). This way operations can remain efficient while reducing systemic risk. As Lido evolves, balancing adaptivity and resilience, and adjusting that balance over time, is going to be critical for ongoing success.
The question for Lido DAO is: How does the DAO achieve operational efficiency through automation and trust in code, whilst enabling sufficient awareness, engagement, and participation for strategic accountability by DAO governors? This requires a practice of sizing governance (known as “requisite variety”), in terms of what can be removed and what is required to steer a system.
One way to think through governance sizing is to ask ‘what is operational?’ (and could be automated), and ‘what is strategic?’ (and likely requires human input); what can be observed (to use the control theory terms via sensors and feedback), and what can be controlled (via actuators). Then these dynamics can be tuned to provide the accountability and operational efficiency required to achieve the system’s goals.
Said another way, “decentralization” for the sake of “decentralization” is not productive. What is likely to be more effective is to reduce single points of failure, put constraints on operator permissions, and create options for users to “voice” or “exit” the system. From this perspective, it is a good thing if LDO token holders have less power over most things while retaining power over core functions that require human input — which may or may not go against popular notions of what is a “DAO”.
The risk of minimizing governance too much is eliminating adaptivity. If the purpose of governance is to enable a system to adapt to fulfill its function then the governance surface should be as small as possible to do so but no smaller. The aim of defining a governance surface is for it to be sized to be as small as possible but still controllable. If the governance surface is too large, it is impossible to control and observe, thus undermining governance. If the governance surface is too small, not enough control levers are available to influence and steer the system. The appropriate governance surface size is just enough levers to steer a system toward its objectives but no more. Many of the vulnerabilities explored in this piece are about minimizing governance risks and delineating between governance and operations.
In the context of token system security, one of the main purposes of “decentralization” is to prevent any party (internal or external) from imposing its will on the direction of the system and its stakeholders. If a system is “decentralized”, you can trust the system even if you don’t trust the participants. This section aims to explore all the areas where Lido might have single points of failure (centralization) that could reduce its resiliency, and thus its ability to fulfill its function (which is simple, secure, liquid staked tokens).
One way to think about this is via the control theory concepts of controllability and observability. In this context “controllability” refers to the levers of control in the system, and “observability” refers to how the behavior of the system can be observed and measured.
- Is the system controllable (able to be influenced by signals to reach a given state in a finite amount of time) and is it observable (able to know critical changes in state from system outputs), and if so, how controllable and how observable?
- Where are the most effective places to add sensors (that measure states and product output to generate feedback loops) and actuators (exert forces or levers of control)?
- Which states in the system should be measured, and what can be estimated?
With this in mind, we’ll start by exploring vulnerabilities in the governance surface of Lido: the set of things that can be controlled and observed, concerning the objective of the system and the ability to optimize against that objective. We do so under the categories of social, technical, and economic.
Adaptivity with regards to Purpose
Adaptivity and governance minimization are inextricably linked. Some may presume that adaptivity (change) is in opposition to governance minimization (no change) but this is not the case.
Adaptivity is the ability to change. Conversely, governance minimization constrains what can be changed, and within that set, how changes are made. Adaptivity makes it possible to minimize governance over time by adding constraints on decision making, without removing the ability to govern the system entirely where unanticipated events occur. That way, a system can evolve to become more resilient in a changing environment.
Form Follows Function
The organizational form of an institution needs to follow the function it intends to optimize for. Broadly, Lido is a “DAO”, but what organizational form it takes depends on the function it aims to fulfill and the context in which it operates. At a high level, DAO concepts of “decentralization” and “autonomy” mean that no single party controls the system. Yet, what this looks like for staking as a service is going to be different than what it looks like for consensus on Layer 1 protocols. Lido governance needs to allow the system to be as simple as possible while still allowing the system to adapt to provide simple, secure, liquid staking. The appropriate size for Lido’s governance surface is determined by the purpose of the system and what is possible (or “reachability”). Lido needs to be able to adapt to changing L1 protocols (e.g. ETH2.0) and multiple blockchain ecosystems, whilst efficiently pursuing its purpose.
Lido governance processes have adapted and evolved, both to enable new functions as well as to put constraints on existing functions, to optimize for its objectives. An example of Lido’s evolution is Easy Track Governance. This is a Lido sub-system that provides freedom for operators to act quickly with minimal support (adaptivity), but what can be acted on is constrained (governance minimization). This reduces governance risk, while also separating high-level goal-setting decisions (Aragon Voting) from low-level execution decisions (Easy Track voting).
Looking forward, Lido is exploring increasing the DAO voting time and difficulty as well as putting more constraints on Easy Track Governance. By creating sub-systems for operational functions that are separate from strategic, whole-of-DAO decision making, Lido can minimize governance (less root level activity) and move towards trustless Ethereum staking (more user-level activity).
Communication & Coordination
Communications and crisis planning are critical to DAO operations and governance. The DAO must avoid overly burdensome coordination overheads concerning communications, but have clear plans and processes to know how to adapt and respond in a crisis. This is one area across organizational functions that Lido could professionalize as it scales its operations across multiple Layer 1 protocols, implementation teams, and validator nodes, as well as transitions the team into working groups that are directly employed by the DAO.
At the moment, the Lido team and inter-DAO communications across stakeholders occur via patterns of informal communications. If there is a bug, a contentious debate, or any scenario where trust breaks down, users could have a difficult time acquiring information and acting to protect their interests. Some critical communication functions are reliant on specific team members seeing messages in semi-open channels and knowing whether or not to share them with the wider Lido community. If messages are not seen, people leave the project, or the project continues to scale, critical functions must be composed according to function, not individual people. This potential for breakdown of communications poses a governance risk.
Governance design is a critical consideration in improving DAO communications. To reduce reliance on individual team members, organizational functions can be enacted for greater adaptability and redundancy. Organizational functions can be scoped according to roles, responsibilities, and processes that can be sustained even if people change. That way, the organization can steadily continue operations even if contributors change over time.
Subsidiarity for Operational Governance
One approach toward bottom-up strategies for self-governance is economist Elinor Ostrom’s principles for “Governing the Commons”. Ostrom refers to “nested enterprises” as a principle that recognizes that long-enduring, complex resource systems are usually organized into many tiers of nested organizations that together perform provisioning, monitoring, enforcement, conflict resolution, and governance activities. In other words, complex, scalable organizations operate on multiple levels, across the individual, organizational, broader system, etc. By nesting organizations within one another, users can take advantage of many different scales of organizations to better govern their resources at each scale to manage complexity, for overall efficiency, ownership, accountability, and scale.
This form of governance is seen as synonymous with resilience, as an “ability to adapt and transform in response to disturbances to continue performing its core functions”.
An appropriate starting point for designing such governance is subsidiarity: the principle that decision-making rights each be assigned to the lowest level of a governance arrangement at which they can be exercised competently. Subsidiarity organizes according to organizational functions, rather than specific actors in a system. Specifying an organizational function provides a container that has the necessary authority and incentives to serve its function, rather than dependencies on certain people. This allows for redundancy to be designed appropriately into each organizational function and creates a foundation of shared understanding for how each function interacts with one another. It also allows system owners to grant or revoke rights to act within those containers.
Lido has already begun doing this with the different voting tracks and operational budgets for some teams that only require a DAO vote if the amount is altered (e.g. LEGO grants). Understanding the principles of subsidiarity and nested governance can aid Lido to identify and pursue this approach in the appropriate areas.
Ownership / Operation of Non-Crypto Property
Should there be a contentious governance event, the Lido intellectual property (IP) is the most likely to be the center of a legal or political fight. At the moment, it is not registered and no one explicitly owns it.
To avoid potential risks, like an ecosystem partner exiting, a lawsuit (e.g. Craig Wright Bitcoin lawsuits), or a community fork, Lido might consider forming a subsidiary entity that reports to the DAO to handle legal ops or open source IP.
This section explores Lido’s main mechanisms for governance and technical vulnerabilities related to them:
- Easy Track Governance
- Lido Node Operator Sub-governance Group (LNOSG)
- Lido Ecosystem Grants Organization (LEGO)
- reWards Committee
- Deposit Guardian Council
Main Channels for Coordination
- Telegram (informal chats)
- Governance Forum (detailed discussions)
- Snapshot (signaling votes)
- Social Media (announcements and updates)
Aragon Early Voting
Lido on Ethereum is controlled by LDO token voting via an Aragon DAO. This includes the Lido treasury, ETH2 withdrawal keys, node and oracle operator lists, DAO Access Control List (ACL) permissions, the execution of EVM scripts, and more. As such, the voting app is effectively root access to Lido.
At the time of writing (March 2022), the permissions on the Lido DAO are set such that:
- Any address with vested or unvested LDO tokens can create a new vote
- For a vote to pass at least 5% of all LDO tokens need to participate in the vote (approval/quorum)
- Of those who vote, 50% need to approve a proposal for it to pass (support/threshold) at the end of the voting window
- If 50% of the total supply votes in favor or against a proposal it will have a supermajority and execute immediately
A few things that might reduce the likelihood of governance capture or compromise:
- Do not decrease the voting support threshold.
- Consider increasing the difficulty (duration, support, and participation) so that root access is used as little as possible (and sub-systems are used more) — already in progress.
- Consider creating more Lido sub-systems (like Easy Track) with constrained permissions, but that gives operators the freedom to act within those constraints so that the main (root access) voting app does not have to be used as much.
- Distribute LDO to a wide variety of ecosystem participants, especially those with a long-term perspective. That way, more stakeholders who engage in governance have interests aligned with Lido’s long-term success. In the future, this might even include a time-weighted voting system (vote escrow, conviction voting, etc.) that gives more governance power to stakeholders with a long-term stake in the system.
- Create automated monitoring tools that provide alerts for every vote, and ideally provide additional warnings in the event of unusual EVM scripts (for example treasury transfers > X%).
- Evaluate where and how automation can aid governance processes, and what additional dynamics (governance surfaces) it introduces.
Because Aragon Voting is equivalent to root access to the DAO, the severity of a compromise could be an existential threat to Lido.
An interface is a portal to connect a user and a service. Often users believe what the interface shows them. Seeing is believing, but believing is not knowing. When most users connect to their Ethereum wallets or interact with a dApp they often do not verify that what is displayed on their screen is what is on the blockchain. This creates a risk that an interface could be unavailable or misleading, causing users to not take the optimal actions to represent their interests. For Lido to be resilient to both internal and external pressures, stakeholders need to be able to find information and take action on it. Anything that blocks or interferes with that could be a risk to informed and participatory governance.
Potential threats include, but are not limited to:
- Censorship of interfaces to prevent stakeholder usage.
- Modification of data displayed by interfaces to make coordination/communication difficult and/or to trick users to vote on the wrong proposals.
- Hacking of interfaces to steal assets from users.
Another example is third-party contract verification. Security researcher @Samczun recently discovered a zero-day in Etherscan’s contract verification engine. Outside of discovering vulnerabilities yourself, the best way to prevent zero-days is to minimize reliance on trusted third parties.
Overall the attack surface for interfaces is often larger than smart contracts, but they’re also more opaque, which makes them difficult to secure. That being said, there are a few things that can be done to make interfaces more resilient.
- Content Addressing: An initial approach is to use content-addressed interfaces wherever possible. This can help minimize the governance of the interface if each version is immutable. Content addressed interfaces can then be hosted on IPFS or Arweave. As an example, see the TornadoCash Interface.
- Self-Hosted Interfaces: Making it easier for users to spin up or host their interfaces is important as well. This would allow individuals to run their own interfaces without needing to trust third parties, and it would also allow ecosystem partners (and scammers) to host their Lido interfaces if the main ones go down. This builds the foundation for a competitive market for interfaces without relying on any specific service provider.
- Multiple Independent Interfaces: Another strategy to mitigate interface vulnerabilities is a competitive market of providers. It’s more difficult, and thus unlikely, for an attacker to compromise multiple interfaces or data providers. With multiple options, users can compare results between providers.
As noted on the Lido Research Forum, validator client diversity is important to reduce slashing correlations as well as to reduce dependence on a single infrastructure provider. If Lido validators all use the same client software a bug could affect all of Lido’s AUM, but if Lido validators use a diversified set of clients then a bug in anyone would only affect a subset of the AUM. This could be especially important after the Ethereum merge because then validators will be able to earn Maximal Extractable Value (MEV), but most ETH2 clients don’t offer MEV-related features, which could result in consolidation around the Ethereum clients that do. As the Lido Node Operator Sub Group (LNOSG) works to move towards “Trustless Ethereum Staking”, LDO token holders should be aware of these dynamics, especially for approving new node operators and/or any automated system that ranks and rewards node operators.
We note that this is a core competency of Lido’s operations and something Lido seems to be already aware of and working on.
Lido competes to produce block space in Proof of Stake (PoS) systems. This is rewarded with block subsidies, fees, and in the future MEV.
Investments in block production are forward-looking and probabilistic. This means that if you control ten percent of the validation power (staked tokens), then you can expect about ten percent of the future block rewards. If, however, other validators increase their stake, then you might only be able to expect a lower percentage of the block production rewards. To stay competitive, you have to buy more tokens. This creates an incentive to buy as many tokens as possible, as soon as possible, so that you can earn more tokens as soon as possible, so you can stake them to earn more tokens. The sooner you stake the sooner you earn, and the sooner you earn the sooner you can stake more. In short, PoS validation is likely to be a winner take all market. The benefits of the staking market are large, and the aim of Lido is that the leader in pooled staking is a decentralized / non-custodial staking pool.
This emphasizes the competitive market dynamics Lido is operating in. The dominant validator on a PoS network is likely to become very valuable, and as a result, governance over that validator will become valuable. This could create competition over control of that system (think Curve Wars but for MEV). Should this occur, two forces might enable such a system to resist centralization while continuing to provide neutral competitive decentralized block space production: competitive markets and decentralized autonomous organization.
- If there is a competitive market for block space then users and validators would have options. They could choose which tokens to buy and sell, and which chains to use or validate. Then if a single party becomes the majority block producer on a network they might be less likely to “raise rents” if users and validators could easily sell their tokens and leave. That being said, professional PoS validation is highly technical and capital intensive. Those who are the best at it are likely to get more capital (tokens, computers, and financing) to do it for all the chains.
- If a decentralized governance system controls the majority of block production then that system could be steered by a diverse group of stakeholders, while not being controlled by any of them. What this looks like in practice is dependent on the token distribution and governance of that staking system, but it likely involves minimizing the governance surface over time. By minimizing the governance of a resource, the ability for stakeholders to battle over and capture that resource is minimized. Thus, if a system anticipates being fought over it should minimize governance as much as possible and as soon as possible, when and only when it can do so while maintaining the adaptivity it needs to fulfill its function.
Conclusion & Next Steps
Our goal in this piece is to identify Lido governance vulnerabilities according to the social, technical, and economic dynamics of the system. Once vulnerabilities are identified, they can be “governed” to improve the adaptive capacity and resilience of Lido. This process of governing vulnerabilities to transform them into opportunities is ongoing, as the system is dynamic, meaning it is constantly changing.
Governing vulnerabilities in socio-technical systems requires analysis of both human stakeholders and technical mechanisms. Governance is the use of levers of control to steer a system, within the boundaries of that system. Lido’s current structure enables it to provide a decentralized platform for liquid-staked Ethereum, while also having enough control to adapt to Ethereum’s changing architecture in the transition from Ethereum 1.0 to ETH2.0. Over time, as Ethereum becomes more stable, the adaptive capacity afforded by Lido’s governance structure can then be continually applied to make Lido more resilient. This will be especially important because as Lido grows and becomes more valuable across multiple blockchains, the governance over Lido liquid staking will also become valuable.
Lido could improve its resilience over time by minimizing single points of failure, increasing the difficulty of “root level” governance, and creating more sub-system governance via subsidiarity of organizational functions and sub-system mechanisms like Easy Track that allow operations to be executed quickly but within constraints. The goal is to enable contributions that support the provision of decentralized liquid-staked ETH while reducing the systemic risk of any particular actor or operational process. Ideally addressing vulnerabilities reduces the possibility of malicious attacks or poor performance, while enabling and rewarding productive contributions in a more permissionless and efficient manner. This requires immediate and strategic attention.
This task is incredibly complex in the nascent and high stakes domain of Decentralized Autonomous Organizations and liquid staking. We commend the work of the Lido team and community to enable decentralized liquid staking on Ethereum.
This report was authored by Kelsie Nabben, Burrrata, Michael Zargham, and Jessica Zartler. With special thanks and appreciation to the Lido team, its stakeholders who participated in the interviews, and the BlockScience team for all of their input and feedback — especially Jeff Emmett, Peter Hacker, and David Sisson.
Kelsie Nabben, Burrrata, Michael Zargham, and Jessica Zartler.
“DAO Vulnerabilities: A map of Lido governance risks and opportunities”. BlockScience Medium (blog). Available: https://medium.com/block-science/dao-vulnerabilities-a-map-of-lido-governance-risks-opportunities-92bc6384ff68