# Magnitude and direction of Lido attack vectors

<img src=https://storage.googleapis.com/ethereum-hackmd/upload_9b65fbea54740a30aaca08a17567d847.png width=46%>

↑ for memetic reference material [see here](https://www.youtube.com/watch?v=A05n32Bl0aY).

$\cdot$

*by [mike](https://twitter.com/mikeneuder)*
*monday – october 9, 2023*

$\cdot$

***tl;dr;*** *We explore the space of attacks on Lido and Ethereum by presenting malicious strategies available to the Lido protocol participants:*

- ***`stETH` holders;*** *Ability to grief governance with their veto power.*
- ***Node operators;*** *Ability to destabilize the price of `stETH` & `LDO` through coordinated slashing. Ability to collude with builders to obfuscate MEV rewards.*
- ***`LDO` holders;*** *Ability to explicitly attack Lido by upgrading contracts. Ability to damage Ethereum consensus by coercing node operator behavior. Ability to implicitly attack due to positioning and soft power in the ecosystem.*

*For each attack, we discuss the strategy at play, the short and long-term impacts, the possible mitigations, and the overall severity (the most subjective part of the analysis).
To conclude, I share my perspective, present "Five shades of grey", and embark on an analogistic endeavor about Lido through a parable about a farm (YMMV).*

$\cdot$

### Related work

| Article | Description |
|---|---|
| [*The risks of LSD*](https://github.com/djrtwo/writing/blob/main/docs/2022-05-30_the-risks-of-lsd.md) | Danny's post |
| [*On "The risks of LSD"*](https://hackmd.io/@sacha/on-the-risks-of-lsd) | Sacha's response |
| [*Should Lido on Ethereum be limited to some fixed amount of stake?*](https://research.lido.fi/t/should-lido-on-ethereum-be-limited-to-some-fixed-of-stake/2225) | Forum discussion |
| [*Staking on Ethereum: an analysis of options, the current market, and protocol and network risks*](https://hackmd.io/@Izzy-/EthereumStakingCodex) | Izzy's analysis |
| [*Do stakers represent users?*](https://tinted-soup-c75.notion.site/Do-stakers-represent-users-52e6171970b84d9da2e132c37c7ff90e) | Hasu's answer |
| [*LDO + stETH dual governance*](https://research.lido.fi/t/ldo-steth-dual-governance/2382) | Sam et al.'s proposal |

$\cdot$

***Acronyms***

| source | expansion |
|---|---|
| `LDO` | the governance token for the Lido DAO |
| `stETH` | the liquid staking token issued by Lido |
| `NO` | node operator(s) |
| `LST` | liquid staking token |
| `DAO` | decentralized autonomous organization |

$\cdot$

***Acknowledgements***

*Special thanks to [Vitalik](https://twitter.com/vitalikbuterin), [Tim](https://twitter.com/TimBeiko), [Barnabé](https://twitter.com/barnabemonnot),
[Sam](https://twitter.com/_skozin), [Sacha](https://twitter.com/sachayve), [Izzy](https://twitter.com/isdrsp), [Jon](https://twitter.com/jon_charb), [Toni](https://twitter.com/nero_eth), [Justin](https://twitter.com/drakefjustin), [Thomas](https://twitter.com/soispoke), [stokes](https://twitter.com/ralexstokes), & [Danny](https://twitter.com/drjrayn) for discussions and comments.*

---

### Setting the stage
Before diving into various scenarios, let's clarify the different Lido participants and the roles they play.

*Cast of characters*

- **`stETH` holders (delegators).** *Any `ETH` holder can become a delegator by minting `stETH` 1:1 through https://stake.lido.fi. `stETH` is a rebasing and yield-bearing asset, so holding it is equivalent to delegation (alternatively `stETH` can be purchased on the secondary market). Abilities include...*
  - minting and redeeming `stETH`, and
  - (eventually) veto power over any governance vote (dubbed ["dual governance"](https://research.lido.fi/t/ldo-steth-dual-governance/2382)).
- **Node Operators (abbr. NOs) (delegates).** *The 31 organizations running the validators that receive delegated `ETH`. See the latest stats on [rated.network](https://www.rated.network/o/Lido?network=mainnet&timeWindow=1d&viewBy=operator&page=1&idType=pool). This [motion](https://vote.lido.fi/vote/165) aims to onboard 7 new parties – [onboarding round update](https://research.lido.fi/t/announcement-onboarding-for-ethereum-wave-5/4809/17) has more details. Abilities include...*
  - controlling the validator signing keys that receive delegated `ETH` from Lido,
  - selecting execution and consensus layer clients to run, and
  - deciding other validator configurations (geographic location, `mev-boost` utilization, etc.) within the Lido-specified policies (e.g., [proposer rewards policy](https://github.com/lidofinance/documents-and-policies/blob/main/Lido%20Ethereum%20Block%20Proposer%20Rewards%20Policy.md#lido-on-ethereum-block-proposer-rewards-policy)).
- **`LDO` holders (governance participants).** *The Lido DAO allows governance participation based on token-weighted votes cast with [`LDO`](https://coinmarketcap.com/currencies/lido-dao/). See current votes at https://votes.lido.fi. The DAO has "root" access to the protocol via contract upgrades.
  Abilities include...*
  - upgrading smart contracts (including the withdrawals & `stETH` minting contracts),
  - maintaining the Node Operator registry, and
  - allocating the treasury.

With this in mind, let's work through the attacks each party could launch against the Lido protocol and Ethereum. The presentation aims at laying out the attacks according to the malicious entity (in the order listed above). Of course, collusion between different entities is certainly possible (albeit with a higher coordination cost) and mentioned where relevant. For each scenario we analyze (i) the strategy undertaken, (ii) the short-term impact, (iii) the long-term impact, (iv) mitigation tools/techniques, and (v) the overall severity/risk. The severity assessment is the most subjective and only represents my views.

### `stETH` holder attacks

By design, the `stETH` holders do not have much power in the Lido protocol. By delegating their `ETH` to Lido, they give up a significant amount of control and take on protocol risk. In return, they get a fungible LST that is usable in DeFi and accrues rewards simply through being held. However, `stETH` holders do have a trump card if they choose to vote with their feet; Lido only works so long as the `ETH` remains delegated. `stETH` holders can always simply withdraw their `ETH` if the node operators or governance participants violate their trust.

In terms of attacks the `stETH` holders can launch, the only explicit power they have in the protocol will be the veto power granted to them under [dual governance](https://research.lido.fi/t/ldo-steth-dual-governance/2382) (note that dual governance is not yet implemented).

1. ***Governance griefing through vetoes.***

   ***(i) strategy.*** *`stETH` holders veto any governance proposal to effectively freeze the protocol. Alternatively, they use their veto power to steer the protocol towards a desired outcome (e.g., by only allowing censoring NOs to join).
   Sam discusses this in ["Protection from veto abuse"](https://research.lido.fi/t/ldo-steth-dual-governance/2382#protection-from-veto-abuse-13).*

   ***(ii) short-term.*** *The DAO governance locks up and coordination is required to exit the vetoed state. The price of `LDO` or `stETH` could change due to market sentiment, allowing an attacker to attempt to open a short position.*

   ***(iii) long-term.*** *In the best case, the DAO resumes operation and the malicious `stETH` holders are removed from the system or punished. In the worst case, the governance of the protocol ceases to function. Existing NOs are entrenched, but the protocol can no longer be updated. While endgame Lido does aim to ossify, prematurely freezing governance in this way would severely cripple the system.*

   ***(iv) mitigation.*** *As outlined in ["Protection from veto abuse"](https://research.lido.fi/t/ldo-steth-dual-governance/2382#protection-from-veto-abuse-13), this attack would be \~extremely\~ costly. The FDV of `stETH` is around [15 billion USD](https://coinmarketcap.com/currencies/steth/) at the time of writing. If 1% of `stETH` is needed to veto, this price is 150mm USD. Other mitigation strategies such as extended timelocks and expropriation of `stETH` are actively being discussed.*

   ***(v) severity.*** *<span style="color:orange">low/medium: 3.5/10.</span> Given the cost and the fact that other mitigation techniques are actively being researched before dual governance is implemented, the severity doesn't seem too high.*

### Node Operator attacks

Node operators have significant power in the Lido ecosystem. As the sole owners of their validator signing keys, with autonomy over the hardware & software used to participate in the Ethereum protocol, each node operator is trusted to handle a large set of validators. Since the node operators are not required to put up collateral, they embody a principal-agent problem by having no "skin in the game".
Any misbehaving node operator is not punished through the Ethereum protocol, but they do sacrifice future discounted cash flows from participation in the network (they earn 5% of the staking rewards earned from their validators) and suffer the reputational damage of harming Ethereum (all node operators are known entities). This combination should be viewed as the "economic security" of a node operator.

> **Aside** – *A quick back-of-the-napkin calculation on Lido node operator rewards. Each operator controls about [10,000 validators](https://www.rated.network/o/DSRV%20-%20Lido?network=mainnet&timeWindow=1d&idType=poolShare) accounting for `320,000 ETH`. At a 4% APR and a 5% node operator reward, we get $320000 \cdot 0.04 \cdot 0.05 = 640 \; \text{ETH} / \text{year}$. At $1600 \; \text{USD}/\text{ETH}$, this corresponds to $1,024,000 \;\text{USD} / \text{year}$ for each node operator.*

Each node operator controls a portion of the `ETH` delegated to Lido; the largest node operators have around $\frac{1}{30}$ of Lido's `ETH` which corresponds to [1.18%](https://www.rated.network/o/Lido?network=mainnet&timeWindow=1d&viewBy=operator&page=1&idType=pool) of the total stake. While this is a massive amount, it remains well below what some centralized exchanges control (e.g., Coinbase alone controls between 10-15% (not clear [exactly how much](https://twitter.com/hildobby_/status/1710326919898579023)), around 10x of any single Lido node operator).

Of course, if the node operators behave collusively, they can do much more damage than any individual operator. This becomes especially potent when the total amount of stake controlled between all the operators surpasses key consensus layer thresholds of $1/3, 1/2, \text{ and } 2/3$. It's also worth pointing out that collusion is possible for non-Lido node operators as well.
Lido DAO doesn't uniquely enable any specific node operator collusion, beyond what can be enforced by governance (which we explore below in the [`LDO` holder attacks](https://notes.ethereum.org/@mikeneuder/magnitude-and-direction#LDO-holder-attacks) section).

> **Aside 2** – *One of the biggest changes of [Lido V2](https://blog.lido.fi/introducing-lido-v2/) is the addition of the "staking router", which allows different "modules" (e.g., a permissionless module that mirrors RocketPool) to qualify for delegated `ETH`. The Lido DAO will still be responsible for determining the allocation and managing the risk of the modules to ensure the fungibility of `stETH`. We focus on the current curated node operator set, but more could/should be written about the security model and attacks enabled through the staking router as its development continues.*

With their access to the validator keys, the node operators can execute the following strategies.

1. ***Coordinated slashing to under-collateralize `stETH` and devalue `LDO`.***

   ***(i) strategy.*** *By colluding and getting a significant fraction of the staked `ETH` slashed, node operators could seek to destroy the value of `stETH` and `LDO`. In the case of a mass-slashing event, the `ETH` that collateralizes the circulating `stETH` is massively reduced, essentially making Lido insolvent. There would be a "bank run" of sorts to try to withdraw any remaining `ETH` from the protocol and `stETH` would trade at a discount on the secondary markets. The withdrawals process is complex due to the underlying delayed withdrawals of the consensus layer, so the impact of such a bank run would be minimized through the activation of bunker mode – see ["Withdrawals Landscape"](https://hackmd.io/@lido/SyaJQsZoj) for more details.*

   ***(ii) short-term.*** *Informed actors could place shorts on both the `stETH` and `LDO` tokens.
   The protocol would quickly get drained of any remaining `ETH` and the consensus layer would suffer from a massive reduction in the validator set.*

   ***(iii) long-term.*** *The consensus layer would remove all slashed validators and `stETH` would no longer trade at 1:1 with `ETH`. Any remaining `ETH` in the consensus layer would get withdrawn and redeemed at the discounted rate.*

   ***(iv) mitigation.*** *Trust in the node operators is what backstops the Lido protocol. There is no way to prevent them from getting their delegated `ETH` slashed. The mitigation comes from the fact that the node operator set is composed of different entities based in different jurisdictions and with different team members. Collusion among a disparate set of protocol actors would be a coordination challenge and is not uniquely enabled by Lido. Additionally, with Lido v2, the DAO can change the amount of skin in the game required for different node operators. Further, by having deeper liquidity and lower volatility, larger LSTs are less vulnerable to this type of price manipulation attack. Lastly, there is a circuit-breaking mechanism in the Lido protocol called ["bunker mode"](https://hackmd.io/@lido/SyaJQsZoj), which handles withdrawals in the case of a mass slashing event. This prevents a bank run insofar as the withdrawals will not be processed until the rebase has occurred, accurately reducing the amount of `stETH` in all holding addresses. As a result, the loss will be evenly socialized among holders, and no insider or sophisticated actor will be able to prioritize their withdrawal.*

   ***(v) severity.*** *<span style="color:orange">medium: 4.2/10.</span> Given the severity of this attack and the massive downstream effects (especially in DeFi), it is certainly one of the largest risks to Lido itself. I rate it only as a medium because, in terms of the impact on the Ethereum protocol, the damage seems pretty well contained.
   There would be a large fallout in DeFi, significant churn in the validator set, and a lot of noise, but once the dust settled the consensus layer would keep chugging along. We also benefit from the fact that coordination of this type of attack would be difficult. Node operators have valuable reputations and earn non-trivial rewards from participating in the existing network – both of which would be destroyed by taking part in this attack. Additionally, it's not clear that there is enough liquidity available to make shorting the tokens sufficiently profitable to incentivize this extreme behavior. Any short position of this magnitude would be noticeable either on-chain or on centralized exchanges, which could tip the community off before the slashing begins.*

2. ***MEV stealing and obfuscation.***

   ***(i) strategy.*** *Node operators can collude with block builders to obfuscate the amount of MEV earned during their slot. By not making use of the public `mev-boost` auction, builders can pay the node operator directly rather than the execution layer rewards being redirected to Lido. This attack is not unique to Lido. It may be even worse in the collateralized, permissionless setting because single-block MEV could exceed the value of the bond – see ["Community Risk Analysis & Bonding"](https://www.youtube.com/watch?v=feVy1JmvB_w) for an in-depth look.*

   ***(ii) short-term.*** *Some node operators may earn disproportionate rewards by colluding with the builder. Immediate detection would be difficult due to the high variance in block rewards.*

   ***(iii) long-term.*** *The colluding node operator rewards would be significantly lower than those of other node operators.
   It may become detectable that, despite pretending to use `mev-boost`, the node operator is underperforming.*

   ***(iv) mitigation.*** *Lido has specified a [policy on block rewards](https://github.com/lidofinance/documents-and-policies/blob/main/Lido%20Ethereum%20Block%20Proposer%20Rewards%20Policy.md#lido-on-ethereum-block-proposer-rewards-policy) that outlines a set of metrics to detect deviations from expected rewards for a block proposer.*

   ***(v) severity.*** *<span style="color:green">low: 2/10.</span> Given the ease of detection and the relatively minor damage to both Lido and Ethereum, this attack seems low in severity. Additionally, it is not clear why a builder would choose to participate in this out-of-band agreement. If they are already a top builder, then they could just compete in the normal `mev-boost` auction and collect their margin by strategically bidding above what other builders are bidding. If they are not a top builder, then it is unlikely that the side-channel bids would exceed what is available to the node operator through `mev-boost`. If the builder is vertically integrated with a node operator, they may have a slight latency advantage on the public auction, so this could provide a small incentive to side-channel and obfuscate MEV.*

### `LDO` holder attacks

Now we get to the real beating heart of the protocol – the `LDO` holders. Governance has "root" access to Lido and can update the existing contracts with a token vote. Additionally, the `LDO` holders are the most centralized group in the protocol.
The fixed supply of 1 billion `LDO` tokens was initially [allocated as follows](https://blog.lido.fi/introducing-ldo/#:~:text=LDO%20Token%20Allocation):

- DAO treasury - 36.32%
- Investors - 22.18%
- Validators and signature holders - 6.5%
- Initial Lido developers - 20%
- Founders and future employees - 15%

Further, governance proposals need >5% of the total `LDO` supply to participate in the vote along with a simple majority of voting `LDO` to pass. Based on the initial allocation, it is safe to assume that some proposals could be passed by single individuals/entities. When looking at [historical votes](https://vote.lido.fi/), it is clear that most motions pass with a small plurality of 5-6% voter turnout and near unanimity of "yes" votes. The low voter turnout could be due to "voter fatigue" and in theory, contentious motions would elicit higher voter turnout than the regularly scheduled votes (e.g., the [vote on self-limiting](https://snapshot.org/#/lido-snapshot.eth/proposal/0x10abedcc563b66b1adee60825e78c387105110fa4a1e7354ab57bc9cc1e675c2) had an ~8% turnout as opposed to the more usual ~5%; the 8% voted 99.81% \*against\* self-limiting, so it's easy to also assume that a less lopsided outcome would further increase participation).

Currently, delegation is allowed in snapshot (off-chain) voting – see [Snapshot delegation](https://research.lido.fi/t/lido-governance-optimisation-snapshot-delegation/1707), but not in the official onchain voting mechanism (though research in this direction is being done). If this feature is added, it could also improve voter turnout, even if the number of entities voting remains small.

We partition the `LDO` holder attacks into "explicit" and "implicit". The explicit attacks are quite simple and boil down to the fact that the DAO controls all the smart contracts in the system \*and\* the node operator set.
By having the ability to arbitrarily mint `stETH`, spend the treasury, overwrite the withdrawal contract, and cycle the node operators, the DAO could effectively destroy the Lido protocol in a "rug-style" manner. It's worth explicitly stating that this risk exists, but these attacks are so overt that they are accompanied by massive reputational, legal, and financial risks. The implicit attacks are more subtle.

#### Explicit attacks

We outline two attacks. The first is to simply destroy Lido in an attempt to achieve short-term financial gain. The second directly attacks the Ethereum consensus layer by coercing the existing node operators into specific malicious behaviors or forcing them out in favor of compliant replacements.

1. ***Mint unlimited `stETH` and change the withdrawal contract.***

   ***(i) strategy.*** *By minting `stETH`, the `LDO` holders can dump the new `stETH` on the market for `ETH` and any other assets that have the liquidity to trade against. At the same time, the `LDO` holders can override the withdrawal contract to turn off redemptions, keeping all the `ETH` currently deposited in Lido for themselves.*

   ***(ii) short-term.*** *The price of `stETH` goes to zero as the newly minted `stETH` is dumped on the market. Any current withdrawals are redirected to the malicious party.*

   ***(iii) long-term.*** *Node operators need to figure out what to do with their delegated `ETH` that is still in the consensus layer. The withdrawal credentials are already set to the Lido contract (which was overwritten). They could collude with the `LDO` holders to split the `ETH` and perform an exit from the protocol, but this would require another layer of coordination under extreme legal risks. Note that if [EIP-7002](https://ethereum-magicians.org/t/eip-7002-execution-layer-triggerable-exits/14195) is included in the protocol, the withdrawal contract itself can trigger the exit.
   Alternatively, if they are opposed to the actions taken by the DAO, they can intentionally get all the consensus layer `ETH` slashed. Because they only control the validator signing keys, the node operators cannot update their withdrawal credentials, but they can change the fee recipient of their blocks to receive the execution layer rewards for any subsequently proposed blocks.*

   ***(iv) mitigation.*** *Dual governance is the clean fix for this. Such an attack would draw huge amounts of attention in the voting phase and `stETH` holders would be incentivized to vote against such a change to avoid the devaluation of their `stETH`.*

   ***(v) severity.*** *<span style="color:orange">medium: 5.1/10.</span> This is a doomsday level attack. I leave the rating as 5.1 because dual governance has not yet been implemented. As of today, `LDO` holders and node operators could collude to steal all the delegated `ETH` in Lido.*

2. ***Coerce malicious node operator behavior to censor or reorg Ethereum.***

   ***(i) strategy.*** *Suppose `LDO` holders were pressured by a government to censor some set of transactions. They could mandate that existing node operators begin censoring or cycle in compliant replacements. Alternatively, the `LDO` holders could steer node operators to perform reorging attacks or [randao manipulation](https://ethresear.ch/t/selfish-mixing-and-randao-manipulation/16081) to earn extra rewards for the DAO. It's worth noting that, if the existing node operators do not comply with the strategy requested from the DAO, this attack becomes \*extremely slow\* to execute. Cycling out a massive amount of stake is time-consuming due to the exit queue, leaving plenty of time for `stETH` redemption to take place.*

   ***(ii) short-term.*** *This attack would be a clear violation of a core tenet of Ethereum. The hope would be that `stETH` holders understood the risk this posed to the `ETH` they delegated to Lido and would withdraw (or veto once dual governance is live).
   In the case of "weak censorship", regulated transactions simply experience slower inclusion times and the chain does not split.*

   ***(iii) long-term.*** *Ideally, as the `ETH` flows out of Lido, the chain would retain its censorship resistance and Lido would control fewer blocks and attestations. In the absolute worst case, Lido node operators could cause a chain split, where censoring validators extended a separate fork in an attempt to launch a "strong censorship" attack. Attacks of this severity (similar to reorg attacks and randao manipulation) qualify for the discussion of social slashing (even the [credible threat](https://barnabe.substack.com/p/seeing-like-a-protocol) of social slashing would incentivize all `stETH` holders to redeem to avoid devaluation of their tokens).*

   ***(iv) mitigation.*** *Since this attack would involve the `LDO` holders either coercing existing node operators or replacing them, it would take time. The existing validator set already has the `ETH` delegated to them, thus there is no immediate way to force them out of the validator set ([EIP-7002](https://ethereum-magicians.org/t/eip-7002-execution-layer-triggerable-exits/14195) allows this, but the exits are still throttled heavily by the queueing mechanism). The hope is that `stETH` holders would understand the extent to which this attack put their `ETH` collateral at risk and would withdraw (or veto once dual governance is live).*

   ***(v) severity.*** *<span style="color:orange">medium: 4.7/10.</span> Given how concentrated the `LDO` token distribution is, this attack feels like at least a medium. We do have the benefit of the withdrawals and dual governance as a check on the governance power.*

#### Implicit attacks; *~most important and nuanced, but least understood~*

This is less of an attack and more of a "death by a thousand cuts" situation, which makes it difficult to both identify and mitigate; we saved the best for last.

1. ***Leveraging soft power and eroding social norms.***

   ***(i) strategy.*** *By governing the coordination layer to a massive portion of the staked `ETH`, `LDO` holders have "soft power" in the community. This could manifest in different ways such as having significant influence over protocol upgrades, controlling the income stream of core-dev teams, and shifting the social norm to being more comfortable with `LDO` holders acting as "pseudo-governance" over a large percentage of Ethereum stake.*

   ***(ii) short-term.*** *The consensus core-dev teams are already node operators in Lido. This income stream is valuable as a much more sustainable funding model for public goods infrastructure, but it also creates a conflict of interest for the core devs who are now more beholden to the `LDO` holders.*

   ***(iii) long-term.*** *This is probably the most uncertain and contentious part of the entire Lido debate. While Lido moves towards governance minimization and dual governance, it will always be the case that the `LDO` holders are needed to curate the node operator set to ensure the fungibility of `stETH` (amortize the risk). Additionally, `LDO` has a fixed supply and the initial distribution was concentrated among a small set of individuals and VCs. The downstream effects of this fact are up for debate.*

   ***(iv) mitigation.*** *Mitigation is difficult because it's hard to identify social layer creep. A real concern is a slow changing of social norms and increased `stETH` holder apathy. Since the debate is so top-of-mind lately, any `LDO` vote that was even remotely malicious would likely result in a massive outflow of `ETH`.
   However, if 5 years down the line, everyone is used to Lido controlling a majority of the stake and only then is more influence exerted by `LDO` holders, there may be too much apathy (or too high of switching costs) in the `stETH` holder set to take coordinated action against governance.*

   ***(v) severity.*** *<span style="color:#ff6600">medium+: 6.3/10.</span> This is super hard to rate, but I believe it is the core of most concerns around Lido. With governance minimization, dual governance, and commitment to growing the node operator set through the v2 upgrade, the Lido roadmap seems aimed at reducing the power of the `LDO` holders.*

### Zooming out

Until this point, we have explored only the mechanics of the attacks and their respective mitigations. Looking holistically at Lido and its relationship to Ethereum, I'd like to share my zoomed-out view based on the above analysis.

***Disclaimer – this is only my personal opinion and in no way represents the perspective of the EF, EF research, Lido, the reviewers of this article, or any other party. I currently own a total of `10 stETH` and `0 LDO` tokens.***

#### Personal takeaways

1. **Lido ecosystem participants can launch explicit attacks on Ethereum, but appear unable to permanently damage the system.** *If anything, the attacks listed above mostly harm other Lido ecosystem participants and expose the actors to massive legal, reputational, and financial risks. Minting unlimited `stETH` and maliciously upgrading the withdrawal contract result in Lido destroying itself; strong censorship or reorging attacks on Ethereum are clear candidates for social slashing.*
2. **Soft power is a legitimate concern, but the most difficult to assess in terms of risk and mitigation.** *This seems to be the root of the differing views on Lido; the debate often boils down to the distinction between the 30+ node operators and the `LDO` holders/governance participants.
   Other organizations in the space (obviously including the EF) exert soft power as well, and all parties should aim to be transparent and hold one another accountable (or else the "anon + conspiratorial [alignment dissenters](https://gist.github.com/michaelneuder/526306c405fc3a78755caf0170318a1d)" will come for you :-).*
3. **The Lido roadmap of dual governance, ossification, the staking router, and governance minimization indicates that the team deeply understands its position in the ecosystem.** *They are engaged, professional, and serious about improving across many dimensions (see their self-assessed [scorecard](https://lido.fi/scorecard)). Stating that they are acting purely "in bad faith" or are not legitimately trying to contribute to Ethereum's decentralization is untrue.*
4. **As with any ambitious roadmap, there remains plenty of work to do.** *The Lido protocol is more susceptible to the above attacks until the protocol is in its final form. We should continue to engage with Lido and hold them accountable for the vision that they put forward.*
5. **The `LDO` token distribution and voting behavior are important and under-studied.** *The `LDO` token holders have significant power in the protocol, especially as checks and balances are being built out. We should try to improve our understanding of who exactly controls the tokens, when those tokens vest, and the voting activity associated with various accounts, to ensure transparency and accountability of the DAO.*
6. **Large L1 changes to improve staking decentralization and LST competition should be strongly considered.** *Ideally, there would be a more balanced distribution of stake among pools and users would have many good options to choose from. Big-picture discussions around the supply of `ETH` staked (see [Anders' mega-thread](https://twitter.com/weboftrees/status/1710704461750944190)) and validator economics more broadly are also timely and vital.*
7. **In the meantime, the anti-Lido discourse, specifically claims like "the *`LDO` holders control Ethereum consensus*", "*Lido makes Ethereum a consortium chain*", and "*Lido is a $1/3$-stake attack*", are neither productive nor accurate.** *This rhetoric creates a false dichotomy of good vs. evil, where the situation is more nuanced. The claims seem more concerned with the \~vibe\~ or "optics" of Lido controlling $>1/3$ stake than the specifics of how Lido could permanently damage Ethereum.*

The figure below doubles down on this idea of exploring the "grey area" between the polar ends of many reductionist dichotomies.

<img src=https://storage.googleapis.com/ethereum-hackmd/upload_0d8e9310c13e1d3beb1568e72e398aaf.png width=100%>

#### Closing vignette – *"A Simple Farm Life"*

*Lou (a.k.a. `LDO` holders), Nancy (a.k.a. node operators), and Stephen (a.k.a. `stETH` holders) live in harmony on a farm. They collectively own a single cow (a.k.a. Lido). The cow is expected to live for many years (hopefully decades) and provides for the farm inhabitants in different ways. Nancy spends the most time with the cow and makes sure it's clean and happy, Lou decides when to take the cow to the veterinarian, and Stephen feeds and milks the cow daily. Each farm inhabitant benefits greatly from the cow's continued health, but they each wield a weapon with which they can kill the cow. In the short term, killing the cow could have an immediate payoff at the expense of the other farm inhabitants, but the irreversible action would destroy the long-lasting rewards of keeping the cow alive. **This, in itself, is a pretty strong incentive not to kill the cow.** Moving forward, we should aim to make each weapon less deadly (governance upgrades/checks-and-balances), to make the cow more resilient to attacks (ossification), and to allow more people to join the farm (Lido v2 staking router).
Additionally, we should do whatever we can to encourage neighboring farms to nurture and grow their cows, rather than (non-credibly) threatening to kill the existing cow that got too big.*

<img src=https://storage.googleapis.com/ethereum-hackmd/upload_eba5fd685608a05d15f8c22c00d21f08.jpg width=80%>

thanks for reading :-)
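The exit-queue throttling cited in the "Coerce malicious node operator behavior" scenario (strategy and mitigation) can be sized with a short simulation. This is an added example, not part of the original article or any Lido code: it follows the pre-Deneb `initiate_validator_exit` queueing rule from the consensus specs, assumes no competing exits or activations, and derives its validator counts from the article's own figures (about 10,000 validators per operator, about 1.18% of total stake, roughly 30 operators); the function names are illustrative.

```python
"""Exit-queue throttling under the pre-Deneb consensus rules (added example)."""

# Mainnet constants from the consensus specs (phase0 through Capella).
MIN_PER_EPOCH_CHURN_LIMIT = 4
CHURN_LIMIT_QUOTIENT = 65_536
MAX_SEED_LOOKAHEAD = 4
MAX_VOLUNTARY_EXITS = 16                    # voluntary exits per block
SLOTS_PER_EPOCH = 32
SECONDS_PER_SLOT = 12
MIN_VALIDATOR_WITHDRAWABILITY_DELAY = 256   # epochs from exit to withdrawable

# Assumptions derived from the article's figures, not measured chain data:
# ~10,000 validators per operator, which the article equates to ~1.18% of stake.
VALIDATORS_PER_OPERATOR = 10_000
TOTAL_ACTIVE = int(VALIDATORS_PER_OPERATOR / 0.0118)   # 847,457 validators


def churn_limit(active: int) -> int:
    """Validators allowed to leave the active set per epoch."""
    return max(MIN_PER_EPOCH_CHURN_LIMIT, active // CHURN_LIMIT_QUOTIENT)


def last_exit_epoch(active: int, exiting: int) -> int:
    """Epoch at which the last of `exiting` validators leaves the active set.

    Exits are submitted as fast as blocks can carry them, starting at epoch 0.
    Each one is assigned to the tail of the queue and spills into the next
    epoch once the current tail epoch already holds `churn_limit` exits.
    """
    if not 0 < exiting <= active:
        raise ValueError("exiting must be between 1 and active")
    exits_at = {}        # exit epoch -> validators assigned to it
    queue_epoch = 0      # tail of the exit queue
    epoch = 0            # current epoch
    gone = 0             # validators whose exit epoch has been reached
    pending = exiting    # exits not yet included in a block
    while pending:
        gone += exits_at.pop(epoch, 0)
        limit = churn_limit(active - gone)
        for _ in range(min(pending, MAX_VOLUNTARY_EXITS * SLOTS_PER_EPOCH)):
            queue_epoch = max(queue_epoch, epoch + 1 + MAX_SEED_LOOKAHEAD)
            if exits_at.get(queue_epoch, 0) >= limit:
                queue_epoch += 1
            exits_at[queue_epoch] = exits_at.get(queue_epoch, 0) + 1
            pending -= 1
        epoch += 1
    return queue_epoch


def epochs_to_days(epochs: int) -> float:
    return epochs * SLOTS_PER_EPOCH * SECONDS_PER_SLOT / 86_400


def rotation_table(operator_counts=(1, 10, 30)):
    """(operators, days until exited, days until withdrawable) per scenario."""
    rows = []
    for n in operator_counts:
        exit_epoch = last_exit_epoch(TOTAL_ACTIVE, n * VALIDATORS_PER_OPERATOR)
        rows.append((
            n,
            round(epochs_to_days(exit_epoch), 1),
            round(epochs_to_days(exit_epoch + MIN_VALIDATOR_WITHDRAWABILITY_DELAY), 1),
        ))
    return rows


if __name__ == "__main__":
    print(f"churn limit: {churn_limit(TOTAL_ACTIVE)} validators/epoch")
    for operators, exited, withdrawable in rotation_table():
        print(f"{operators:>2} operator(s): exited after {exited} days, "
              f"withdrawable after {withdrawable} days")
```

Under these assumptions one operator's validators clear the queue in under four days, while cycling out all thirty takes roughly 111 days before the additional withdrawability delay.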