Join TwitterLido on Ethereum Scorecard
Keep track of the latest updates on how Lido is performing against its goal of being decentralized, trustless, governance-minimized and ethos-aligned with the Ethereum community.
Lido on Ethereum Scorecard
Lido started with a mission to keep Ethereum decentralized and to democratize access to staking on the Beacon Chain.
While the protocol specification and related technologies evolve, Lido continues to drive towards its vision of a trustless, governance-minimized, and ethos aligned liquid staking protocol.
The scorecard below shows how we are doing. We invite input and feedback from the Ethereum community to keep track along the way on our research forum.
Where we’re already succeeding
While these attributes will remain under review, we assess Lido's performance to be 'Good'. We welcome community feedback on the attributes and how they are scored on our Research Forum.
Scorecard Attribute
Category
Self-Assessment
Comments
Operators run their own nodes (no white-labeling)
Validator set
Good
Good performance
Validator set
Good
Operators should earn enough to build a profitable, dependable staking business
Validator set
Good
Lido is easy to fork
Security
Good
All it takes is to switch a few bits in the governance contract to revoke Lido DAO’s current permissions and transfer them to a community-owned contract.
Withdrawal requests are automatically fulfilled
Validator set
Good
The Lido protocol has a subsystem which can execute withdrawals with no human participation (apart from requiring Node Operators to top up pre-signed exit messages). This subsystem ensures withdrawal requests can’t be cancelled (within a bounded period of time) and is designed to work even during chaotic tail-risk scenarios.
Withdrawal credentials are non-custodial and trustless
Security
Good
All Lido on Ethereum validators are now using 0x01 (smart contract) withdrawal credentials.
Where we’re doing well, but can improve
These attributes are more of a grey area with identified areas for improvement noted in the comments.
Scorecard Attribute
Category
Self-Assessment
Comments
No operator has more than 1% of total stake
Validator set
Okay
A few operators have between 1% and 2% of total ETH staked.
Distributed geographically and jurisdictionally
Validator set
Okay
While ~10% of validators are currently with US-based Node Operators, there remains an over-reliance on European based entities. Lido will continue to select Node Operators in the interest of jurisdictional and geographic diversity as it expands the set and will publish this information transparently going forward
Distributed variation of on-premise infra and different cloud providers
Validator set
Okay
Not enough on-premise infra setups
Best practices in security and key management
Validator set
Okay
Keys are managed by professional node operators but distributed validator technology has not yet been introduced to Lido. Threshold based validation would be more robust, but remains work in progress and an active research focus.
Client Diversity
Validator set
Okay
There is no dominant Consensus layer client. However the share of smaller clients can and should be higher.
Additionally, more work needs to be done to diversify clients at the Execution Layer.
Lido’s smart contracts have the best security possible
Security
Okay
Thorough and multiple audits are undertaken on all smart contract upgrades, but no formal verification or symbolic execution based tests
Node operators are disincentivized from acting maliciously
Validator set
Okay
Currently, if Node Operators don’t process exits on time (in other words, try to block users from obtaining their withdrawn ETH), they suffer penalties (automatically enforced by the protocol, as well as reputational).
Triggerable smart contract exits, expected sometime in 2024, will keep Node Operators even more accountable to the Lido DAO (since exiting validators will be possible via a DAO vote).
Lido DAO can’t suddenly change the validator set
Validator set
Okay
As it stands, Lido governance cannot force Node operators to exit.
Even if triggerable exits were live today, it would still take the DAO half a year, at a minimum, to rotate all validators (due to the mechanics of how the staking queue works).
Additionally, in order to create additional checks and balances on Lido governance, contributors are exploring ways to empower stETH holders to veto any decision that would change the validator set.
Needs Improvement
These attributes clearly need work and Lido is actively working on solutions and improvements. We welcome input from the DAO, our partners and the wider community as we seek solutions
Scorecard Attribute
Category
Self-Assessment
Comments
Lido governance has significant safeguards
Governance
Needs improvement
Currently, the Aragon votes are two-phased. The first phase is regular vote, and the second one is time-lock with objections, during which LDO holders can only vote 'against' or change their vote from 'for' to 'against'.
There’s a robust set of Lido governance delegates
Governance
Needs improvement
Lido DAO currently has vote delegation for Snapshot votes; however, the delegate set is limited and significant amount of voting power is undelegated and dormant.
Lido is working on improving the delegate set and educating DAO members about vote delegation.
Lido is working on improving the delegate set and educating DAO members about vote delegation.
Delegation is enabled in onchain Lido governance
Governance
Needs improvement
Currently, delegation is only enabled for Snapshot votes. Lido is actively researching possible mechanics for onchain delegation.
There is a way for stakers to resist malicious governance capture
Governance
Needs improvement
Presently, Lido on Ethereum is controlled by LDO token voting via an Aragon DAO. This includes the Lido treasury, staking withdrawal keys, node and oracle operator lists, DAO Access Control List (ACL) permissions, the execution of EVM scripts, and more. As such, the voting app is effectively root access to Lido.
In order to reduce the power LDO holders have over the protocol, when faced with a critical governance decision that could negatively impact stakers, stakers should be able to block Lido governance from executing the decision, and exit the protocol if an agreement cannot be reached. To this end there are research paths currently being pursued.
There’s a way for operators to permissionlessly enter the set and prove themselves
Validator set
Needs improvement
Lido V2’s Staking Router is a controller contract which paves the way for permissionless operators to join Lido’s validator set.
Currently at the policy discussion stage, the first modules are expected to go live by end of year.
