Using Lido as an example, we delve into the potential risks of the LSD protocol.

Original Author: sacha. Translation: Qianwen, ChainCatcher


This article is a response to some of Danny Ryan’s viewpoints (which will be presented specifically later).

The opposite of a fact is falsehood, but the opposite of a profound truth may well be another profound truth. – Niels Bohr

Overall, I think Danny’s position is great. However, I also believe that his approach carries equally significant risks, which have not been properly discussed in public.

I do not think Danny’s viewpoints themselves are wrong, but I do think that there is another side to his viewpoints that has not been conveyed clearly enough. That is the purpose of this article.

An Introduction to Dual Governance

Dual governance is an important step in reducing the governance risks of the Lido protocol. It represents a shift from shareholder capitalism to stakeholder capitalism. It also provides a practical way for Ethereum holders to have a say in changes to the Lido protocol.

Its main purpose is to prevent LDO holders from changing the social contract between the protocol and stETH holders without the consent of the protocol and stETH holders. Currently, LDO holders have significant power over the protocol, which can lead to significant changes in this social contract. These powers include:

  • Upgrading the Ethereum liquid staking protocol code

  • Managing the list of Ethereum consensus layer oracle committee members

  • Changing the stake distribution among node operators in potentially harmful or unexpected ways (e.g., adding or removing whitelisted Ethereum node operators)

  • Changing governance structure in unexpected or potentially harmful ways (e.g., minting or burning LDO, changing voting system parameters)

  • Changing the total fee ratio of the Ethereum liquid staking protocol beyond agreed-upon ranges (and defining these ranges)

  • Deciding how to use the treasury

Except for treasury spending, all of these powers directly affect stETH holders. Dual governance fundamentally allows stETH holders to veto any of the above modifications to the Lido protocol without introducing new attack vectors or placing an undue political burden on stETH holders.

Node Operator Governance

Danny believes:

“Deciding who becomes a node operator (NO) involves two questions – who gets added to the set and who gets removed from the set. In the long run, this can be designed in one of two ways: either through governance (token voting or similar mechanisms) or through automatic mechanisms based on reputation and profitability.

In the former mode, where governance decides NO, governance tokens (such as LDO) become the main risk for Ethereum. If tokens can determine who can become the theoretical majority – NO in LSD, then token holders can force reviews, multi-block MEV, and other cartel activities, otherwise NO will be removed from the set.”

“The governance of determining NO also has an obvious risk, which is regulatory scrutiny and control. If the collective pledge under an LSD protocol exceeds 50%, the collective pledge will gain the ability to review blocks (worse still, because it can ultimately determine these blocks, the number will reach 2/3). In regulatory review attacks, we now have a unique entity – governance token holders, whom regulatory agencies can request for review. Depending on the distribution of tokens, this may be a much simpler regulatory target than the entire Ethereum network. In fact, the token distribution of DAOs is generally poor, with only a few entities determining most of the votes.”

Dual governance largely solves the above problems. Specifically, if LDO holders try to unfairly remove NO from the collective, the following situations will occur:

  • A smaller share of stETH holders (e.g. 5% of the total) can extend the governance voting time, so that a larger share (e.g. 15%) has time to veto this wrong decision.

  • If vetoed, all subsequent LidoDAO proposals will be automatically vetoed (in vetoed state) – to avoid placing more voting burdens on stETH holders.

  • Importantly, the governance can only return to normal if both the LDO governance and participating stETH holders agree to resolve the conflict.

In summary, because stETH holders are granted the power to veto changes to the NO set, LDO holders cannot unilaterally carry out reviews, multi-block MEV, and other cartel activities: LDO holders cannot remove dissenting NOs on their own.
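The escalation path in the list above, modelled as a small state machine. This is an added example, not Lido's contract code: the class, method and state names are hypothetical, the 5% and 15% thresholds are the article's illustrative figures, and stETH agreement to resolve a conflict is reduced to a single boolean.

```python
from dataclasses import dataclass, field
from enum import Enum

EXTEND_BPS = 500   # 5% of total stETH: the article's "e.g." figure, in basis points
VETO_BPS = 1500    # 15% of total stETH: the article's "e.g." figure

class State(Enum):
    NORMAL = "normal"
    EXTENDED = "extended"  # voting time extended by the smaller group
    VETOED = "vetoed"      # every LidoDAO proposal is automatically vetoed

@dataclass
class DualGovernance:  # hypothetical model, not a Lido contract
    total_steth: int
    state: State = State.NORMAL
    objections: dict = field(default_factory=dict)  # holder -> stETH signalled

    def signal_objection(self, holder: str, amount: int) -> State:
        """Record stETH signalled against LDO governance and update the state."""
        self.objections[holder] = self.objections.get(holder, 0) + amount
        share_bps = sum(self.objections.values()) * 10_000 // self.total_steth
        if share_bps >= VETO_BPS:
            self.state = State.VETOED
        elif share_bps >= EXTEND_BPS and self.state is State.NORMAL:
            self.state = State.EXTENDED
        return self.state

    def decide(self, ldo_vote_passed: bool) -> str:
        """Outcome of one LDO proposal under the current state."""
        if self.state is State.VETOED:
            return "vetoed"  # applies even to unrelated later proposals
        if not ldo_vote_passed:
            return "rejected"
        return "delayed" if self.state is State.EXTENDED else "executed"

    def resolve(self, ldo_agrees: bool, steth_agrees: bool) -> State:
        """Leave the veto state only when both sides agree."""
        if self.state is State.VETOED and ldo_agrees and steth_agrees:
            self.objections.clear()
            self.state = State.NORMAL
        return self.state

def scenario() -> list:
    """Constructed run: 1000 stETH in total, two objecting holders."""
    g = DualGovernance(total_steth=1000)
    return [g.decide(True), g.signal_objection("alice", 50), g.decide(True),
            g.signal_objection("bob", 100), g.decide(True),
            g.resolve(True, False), g.resolve(True, True), g.decide(True)]
```

In the constructed run, an LDO-approved proposal executes in the normal state, is delayed once 5% of stETH objects, and is vetoed along with every later proposal once 15% objects, until both sides agree to resolve.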

Regarding Danny’s second concern (regulatory scrutiny and control), the token distribution of stETH is distinctly different from that of LDO and is more diverse. Therefore, the combination of LDO and stETH is more resistant to such scrutiny. It is indeed not as widely distributed as ETH and lacks the diversity of Ethereum user distribution, but this will only improve over time.

Selecting NO based on economic factors

Danny believes:

“In schemes based on economic and reputational selection of NO, we will eventually fall into a similar cartelization, albeit automated cartelization.

Profit-based determination of the NO list may be the only trustless (non-governance) method to ensure that NO is beneficial to the pool.

The definition of profitability is problematic…since the economic activity of the system varies greatly over time, the system’s design cannot rely on a single absolute metric, i.e. it must earn X in transaction fees.

When all operators use “honest” techniques, this profitability metric can work well, but if a certain number of bad operators turn to use destructive techniques such as multi-block MEV or adjusting block release times to gain more MEV, they will distort the profitability goal, ultimately leading to the automatic elimination of honest NO if they do not use destructive techniques.”

“This means that no matter which method is used – NO governance or economic selection/exclusion – this pool that exceeds the consensus threshold will become a cartel layer. Either a cartel is formed directly through governance, or a disruptive profit cartel is formed through smart contract design.”

This analysis feels too binary. For Lido (or Ethereum), neither extreme (LDO governance of NOs, or purely algorithmic/economic selection and exclusion) is possible or desirable.

Dual governance is crucial to minimize the risk of cartel abuse. And as Danny correctly pointed out, profitability is too simple an indicator and cannot be relied upon entirely.

There are many important factors that are difficult to verify on-chain, such as geographical distribution or diversity of jurisdiction, which means that people may always need to remain in the loop in some form. Perhaps this can ultimately be simplified to a yearly vote on rebalancing stake between node operators (new and old).

Staking ETH Governance Scheme

Danny believes:

“Some people believe that LSD ETH holders can have a voice in the management of the underlying LSD protocol, which may lead to unfair distribution of tokens and the formation of oligarchy.

It is important to note here that ETH holders, as the name suggests, are not Ethereum users, and in the long run, we expect the number of Ethereum users to far exceed the number of ETH holders (holding ETH exceeds the amount needed for facilitating transactions). This is a key and important fact that affects Ethereum governance – ETH holders or depositors do not have on-chain governance rights. Ethereum is a protocol that users choose to run.

In the long run, ETH holders are just a subset of users, and even just a subset of a subset. In the extreme case where all ETH becomes staked ETH under an LSD, the voting weight or suspension of governance for staked ETH cannot protect the users of the Ethereum platform.

Therefore, even if the LSD protocol and LSD holders are consistent in terms of minor attacks and capture, users will not and cannot/will not react.”

Hasu’s response largely addresses these issues.

The Evil Nature of Governance

Danny believes:

“Even with time delays in LSD governance, allowing pooled capital to exit the system before changes happen, the LSD protocol is still susceptible to a governance attack that boils the frog slowly. Minor, slow changes are unlikely to cause invested capital to exit the system, but the system will still undergo drastic changes over time. However, this is true for any governance mechanism, whether it is primarily informal (soft) or formal (hard).”

Looking at Danny’s argument in reverse, minor, slow protocol changes driven by EF are unlikely to cause DAO/users to exit Ethereum, but the Ethereum protocol (and spirit) may still undergo significant changes over time.

In particular, it can change the way protocols work, thereby breaking the social contract of early contributors.

While I am not a maximalist when it comes to immutability, I do believe that governance minimalism, as a philosophy, exists upstream of both soft and hard governance.

There have been many discussions about the downsides of hard governance, and soft governance also has its own problems (more subtle and often obscured), involving unrecognized/unaccountable power, how to exercise power without sacrificing trusted neutrality, and how to handle power vacuums (in the event of death or tragedy). This is certainly not a panacea for eliminating all tail risks.

In other words, under soft governance, there is often a significant amount of power that is unknown to the public. Unrecognized power is unaccountable power. And unaccountable power almost inevitably leads to suboptimal outcomes over a long enough time span.

Gwart once tweeted, “Social punishment is like Justin Drake coming to your doorstep with a big knife, cutting your computer’s network cable, and pointing at you saying, ‘You’re a bad person.'”

While this is a humorous expression, it does reveal a deeper underlying contradiction, namely the contradiction between the need to maintain the protocol and the centralization of soft power among key actors.

To put it in Dankrad’s slightly more serious words, “Yes, we might have reservations about what you do at the staking layer, which might include disrupting your protocol and breaking it.”

User Representatives

Danny believes:

“As mentioned above, LSD holders are not equivalent to Ethereum users. LSD holders may accept governance voting based on some form of review, but this is still an attack on the Ethereum protocol, and users and developers will mitigate this attack through the means they have at their disposal – social intervention.”

We can also look at this issue from the opposite perspective.

Almost everywhere, we can see that user-driven decision-making often encourages market centralization in various important aspects.

99.9% of users may not care or should not care about issues such as the geographic distribution of Ethereum nodes or jurisdictional diversity, but contributors to liquidity protocols tied to Ethereum will definitely care and can take concrete measures to maintain Ethereum’s resilience in these areas.

Capital Risk and Protocol Risk

Danny believes:

“The above discussion mostly focuses on the risks that LSD pools (such as Lido) pose to the Ethereum protocol, rather than the risks faced by those who hold capital in the pools. Therefore, this could be a tragedy of the commons – everyone rationally decides to use the LSD protocol for staking, which is a good decision for users but a progressively worse decision for the protocol. However, in fact, the risks faced by the Ethereum protocol when it exceeds the consensus threshold are linked to the risks faced by the capital allocated to the LSD protocol.”

“Cartelization, MEV extraction abuse, censorship systems, and so on are all threats to the Ethereum protocol. Users and developers will respond to these threats by adopting the same methods as traditional centralized attacks—leaking or burning through social intervention. Therefore, consolidating capital into this class for cartelization not only endangers the Ethereum protocol but also endangers the consolidated capital.

This may seem like a tail risk that is difficult to take seriously or may never happen, but if we have learned anything in the cryptocurrency field, it is that if this risk can be exploited or has some unlikely “critical edge case”, it will be exploited or collapse faster than you can imagine. In this open and dynamic environment, fragile systems collapse time and time again, and vulnerable systems are exploited time and time again.”

As Nikolai Mushegian put it, in an open system, the whole world can interact with it, and incentives are not just suggestions. They are more like physical laws, such as gravity or entropy. As long as a part of the system is incompatible with the incentive mechanism, it is only a matter of time before it is exploited. No naive idea can reduce this risk.

Relying on commitments to deter bad actors opens the door to tail risks, which can be said to be just as serious as the risks emphasized by Danny, if not more so.


Danny believes:

“The Ethereum protocol and users can recover from centralized and governance attacks of LSD, but this is not ideal. I suggest that Lido and similar LSD products impose self-restraint for their own benefit and that capital allocators recognize the inherent aggregation risk in LSD protocol design. Due to the inherent extreme risk, the funds allocated to the LSD protocol by capital allocators should not exceed 25% of the total Ether staked. Imposing restrictions artificially cannot guarantee good results.”

In fact, artificially limiting liquidity staking products is unlikely to yield good results, because the period during which commitments can be maintained is limited.

The ultimate outcome is likely to be a victory for parties that the community cannot influence: liquidity staking on exchanges, institutions (and licensed) staking products, or the adoption of more immutable (and less flexible) protocols.

These idealistic ideas are well-intentioned but divorced from reality, just like the blind spots that EF often encounters. It is these kinds of mistakes that led to exchanges dominating before the launch of the Lido plan.

Supplement: Public goods are very beneficial

So, what does a world where Lido wins mean for the future of Ethereum public goods (especially the role of Lido DAO in promoting this future)?

As Kelvin Fichter puts it, EF is an independent non-profit organization with a closed governance structure and should not (and cannot) be the primary coordinator of public goods in the Ethereum community.

Therefore, I believe that good validators are a public good that requires financial support. EF should not rely on them to provide funds (partly due to its closed governance structure and strong soft power, which cannot effectively establish trustworthy neutral rules). Only a successful liquidity staking protocol (>50% market share) can afford the financial inefficiency required to maintain a healthy validation market, sponsor expensive validators, and provide ecosystem support, while still being profitable in the long term (over the next 100 years).

