Lido on Ethereum Scorecard

Keep track of the latest updates on how Lido is performing against its goal of being decentralized, trustless, governance-minimized and ethos-aligned with the Ethereum community.

Lido DAO’s purpose is to keep Ethereum decentralized, accessible to all, and resistant to censorship.

Lido DAO’s mission is to make staking simple, secure, and decentralized.

And the endgame is a world in which Ethereum is the co-ordination and value layer of the internet.

As the protocol specification and related technologies evolve, Lido continues to drive towards its vision of a trustless, governance-minimized, and ethos-aligned liquid staking protocol.

The scorecard below shows how we are doing. We invite anyone who cares to provide feedback on our research forum.

Where we’re already succeeding

| Scorecard Attribute | Category | Self-Assessment | Comments |
| --- | --- | --- | --- |
| Operators run their own nodes (no white-labeling) | Validator set | Good | |
| Good performance | Validator set | Good | |
| Operators should earn enough to build a profitable, dependable staking business | Validator set | Good | |
| Lido is easy to fork | Security | Good | All it takes is to switch a few bits in the governance contract to revoke Lido DAO’s current permissions and transfer them to a community-owned contract. |
| Withdrawal requests are automatically fulfilled | Validator set | Good | The Lido protocol has a subsystem which can execute withdrawals with no human participation (apart from requiring Node Operators to top up pre-signed exit messages). This subsystem ensures withdrawal requests can’t be cancelled (within a bounded period of time) and is designed to work even during chaotic tail-risk scenarios. |
| Withdrawal credentials are non-custodial and trustless | Security | Good | All Lido on Ethereum validators are now using 0x01 (smart contract) withdrawal credentials. |
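
The 0x01 withdrawal-credentials claim above can be checked per validator. The following is an added example, not code from Lido or from the original page: it parses the 32-byte credential (prefix byte, 11 zero padding bytes, 20-byte execution address) and flags validators that are not 0x01 or that point at an unexpected address. The expected address and the sample validators are constructed placeholders.

```python
# Added example: audit validator withdrawal credentials.
# Layout: 1 prefix byte, then for 0x01: 11 zero bytes + 20-byte execution address.
BLS_PREFIX, ETH1_PREFIX = 0x00, 0x01

def classify_withdrawal_credentials(hex_creds):
    """Return (type, address) for a 32-byte withdrawal credential given as hex."""
    digits = hex_creds[2:] if hex_creds.startswith("0x") else hex_creds
    raw = bytes.fromhex(digits)  # raises ValueError on invalid hex
    if len(raw) != 32:
        raise ValueError("withdrawal credentials must be 32 bytes")
    if raw[0] == BLS_PREFIX:
        return ("0x00", None)  # BLS-key credentials, no execution address
    if raw[0] == ETH1_PREFIX:
        if raw[1:12] != bytes(11):
            raise ValueError("0x01 credentials need 11 zero padding bytes")
        return ("0x01", "0x" + raw[12:].hex())
    return ("unknown", None)

def audit(validators, expected_address):
    """Return (name, reason) for every validator that fails the 0x01 check."""
    findings = []
    for name, creds in validators:
        try:
            kind, address = classify_withdrawal_credentials(creds)
        except ValueError as exc:
            findings.append((name, f"malformed: {exc}"))
            continue
        if kind != "0x01":
            findings.append((name, f"{kind} credentials"))
        elif address != expected_address.lower():
            findings.append((name, "0x01 credentials for an unexpected address"))
    return findings

# Constructed placeholder, not the real withdrawal contract address.
EXPECTED = "0x" + "ab" * 20
# Constructed sample records: (label, withdrawal_credentials).
SAMPLE = [
    ("validator-a", "0x01" + "00" * 11 + "ab" * 20),  # passes
    ("validator-b", "0x00" + "cd" * 31),              # BLS credentials
    ("validator-c", "0x01" + "00" * 11 + "ef" * 20),  # wrong address
    ("validator-d", "0x01" + "00" * 10 + "ab" * 20),  # truncated to 31 bytes
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE, EXPECTED):
        print(f"{name}: {reason}")
```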

Where we’re doing well, but can improve

| Scorecard Attribute | Category | Self-Assessment | Comments |
| --- | --- | --- | --- |
| No operator has more than 1% of total stake | Validator set | Okay | Most operators have slightly more than 1% of total ETH staked. No operator has more than 1.2% of total ETH staked. |
| Distributed geographically and jurisdictionally | Validator set | Okay | 25% of validators are currently with US-based Node Operators, and there remains an over-reliance on European-based entities. The DAO needs to be better at selecting Node Operators that are geopolitically diverse as it continues to expand the curated set. The latest stats can be found here. |
| Distributed variation of on-premise infra and cloud providers | Validator set | Okay | Lido has made important strides here, but there are still too many operators relying on public cloud servers (40-45% of stake). |
| Best practices in security and key management | Validator set | Okay | Keys are managed by professional node operators, but distributed validator technology has not yet been introduced to Lido. Threshold-based validation would be more robust, but remains a work in progress and an active research focus. |
| Client Diversity | Validator set | Okay | There is no dominant Consensus layer client. However, the share of smaller clients can and should be higher. Additionally, more work needs to be done to diversify clients at the Execution Layer. |
| Lido’s smart contracts have the best security possible | Security | Okay | Thorough and multiple audits are undertaken on all smart contract upgrades, but no formal verification or symbolic execution based tests. |
| Node operators are disincentivized from acting maliciously | Validator set | Okay | Currently, if Node Operators don’t process exits on time (in other words, try to block users from obtaining their withdrawn ETH), they suffer penalties (automatically enforced by the protocol, as well as reputational). Triggerable execution layer exits, expected in Q2 2024, will keep Node Operators even more accountable to the Lido DAO (since exiting validators will be possible via a DAO vote). |
| Lido DAO can’t suddenly change the validator set | Validator set | Okay | As it stands, LDO holders cannot force Node Operators to exit. Even if triggerable exits were live today, it would still take the DAO half a year, at a minimum, to rotate all validators (due to the mechanics of how the staking queue works). Additionally, in order to create additional checks and balances on Lido governance, a dual governance system, which gives stETH holders veto powers over any decision that would change the validator set, is expected to go live by end of Q3 2024. |

Needs Improvement

These attributes clearly need work, and Lido is actively working on solutions and improvements. We welcome input from the DAO, our partners and the wider community as we seek solutions.

| Scorecard Attribute | Category | Self-Assessment | Comments |
| --- | --- | --- | --- |
| Lido governance has significant safeguards | Governance | Needs improvement | Currently, the Aragon votes are two-phased. The first phase is a regular vote, and the second one is a time-lock with objections, during which LDO holders can only vote ‘against’ or change their vote from ‘for’ to ‘against’. Currently, operators do act as a check on LDO power since they cannot be force exited. Dual governance will add an additional check on power. |
| There’s a robust set of Lido governance delegates | Governance | Needs improvement | Lido DAO currently has vote delegation for Snapshot votes; however, the delegate set is limited and a significant amount of voting power is undelegated and dormant. Lido contributors are currently conducting research on what a good delegate framework looks like. This will likely launch sometime in 2024. |
| Delegation is enabled in onchain Lido governance | Governance | Needs improvement | Currently, delegation is only enabled for Snapshot votes. Lido is actively researching possible mechanics for onchain delegation. |
| There is a way for stakers to resist malicious governance capture | Governance | Needs improvement | Lido on Ethereum is controlled by LDO token voting. This includes the Lido treasury, staking withdrawal keys, node operator and oracle lists, and more. As such, the voting app effectively has root access to Lido. Research is underway to enable stakers to block the execution of harmful governance decisions and exit the protocol if an agreement cannot be reached. |
| There’s a way for operators to permissionlessly enter the set and prove themselves | Validator set | Needs improvement | Lido V2’s Staking Router is a controller contract which paves the way for permissionless operators to join Lido’s validator set. Currently at the policy discussion stage, the first modules are expected to go live by end of year. |

Contribute to the discussion

Want to contribute to the discussion or workgroups related to the above priorities? Join in