Withdrawal mechanism of permissionless liquid staking solutions

Introduction

I recently shared a Twitter thread about an issue with RocketPool's withdrawal mechanism and its potential to discourage large stakers from using the protocol. In this post, I'll go deeper into the key points from that thread. Note that while my focus is on RocketPool, the observations apply to any protocol in which permissionless node operators run the validators, such as Stader (coming soon) and Lido V2 (coming soon).

How do withdrawals work in this scenario?

Unlike with centralized solutions, the protocol cannot simply instruct an arbitrary node operator to stop staking and exit their validator. Instead, the withdrawal process relies on market dynamics. When users want to withdraw, they have two options: redeem through the deposit pool, if it holds enough unassigned ETH, or sell the LST on the secondary market, usually at a slight discount. Selling large amounts on the secondary market is inefficient, however, because liquidity is limited and the sale itself pushes the price down.

Now consider a scenario where the deposit pool is empty and another protocol attempts a vampire attack on ours. A user who wants to move from one LST (Liquid Staking Token) to another can then only exit through the secondary market, and as more people exit, the discount on the secondary market grows. The discount is unlikely to grow very far, though: once it reaches roughly 1-1.5%, market dynamics take over and node operators can capture the arbitrage by exiting their validators.

Here is a quick explanation of how this works. Suppose our LST trades at a 2% discount on the secondary market. A node operator exits their validator, which returns the 24 ETH the protocol had assigned to that validator to the deposit pool. The operator then takes a flash loan, buys 24 ETH worth of the discounted LST, immediately redeems it against the deposit pool for 24 ETH, and repays the loan, keeping the 2% on 24 ETH, roughly 0.48 ETH, before gas fees and the other costs of exiting a validator.

The RocketPool community has already built a tool called rocketarb that simplifies this process for node operators, and I assume other protocols will develop similar tooling.

The problem

The underlying issue is that node operators need a monetary incentive to justify the costs of an exit they would not otherwise perform: gas fees, time, and opportunity cost. We need to ask where the profit comes from when node operators arbitrage the peg. The answer is simple: it comes from you and everyone else who sells at a discount. Essentially, you pay an additional 1-3% for the privilege of retrieving your funds, on top of the commission you already pay the node operators. In my opinion, this mechanism is fundamentally unfair and should be a top priority for improvement.

Let's now examine an extreme scenario: a massive bank run on the protocol. As the discount grows, more operators may be willing to exit, but it is unrealistic to expect every operator to constantly monitor the peg and react to price moves. Consequently, your ETH stays locked in a validator that only its owner can unlock, which is a potentially serious problem.

Potential solutions

Finding a solution to this problem is undoubtedly challenging, and I trust that the development teams are actively exploring options. My initial idea was to use forced exits after EIP-7002 is implemented, randomly exiting validators and reclaiming the ETH the protocol had allocated to them. After input from @RP_Intern, however, I realized that this would be highly unfair to node operators. Given the effort and the money (gas fees) operators invest to set up a validator, seizing their validators arbitrarily would be unjust.

With that in mind, I've come up with an alternative that aims to be more equitable:

Compensating exiting validators

Here's a rough idea that came to mind when thinking about a fair exit mechanism for validators. A prerequisite is some method that lets the protocol itself exit a validator: either EIP-7002, which allows exits to be triggered from the execution layer by the validator's withdrawal credentials, or a similar arrangement such as exit messages presigned by the operator and held by the protocol.

The concept is a dedicated exit mechanism that first uses the exit pool. If no funds remain in the pool, the protocol starts something like a Dutch auction run in reverse: node operators specify in their configuration, when they set up their validator, the minimum compensation they would accept to exit it, so they participate in the bidding automatically without any human involvement. The auction gradually raises the reward offered to exiters until all available exit spots are filled. The maximum reward for an exiter is a protocol parameter.

If not all exit spots are filled, the protocol randomly selects the remaining exiters, prioritizing validators with lower bonded amounts. This unlocks more of the protocol's ETH per exit and incentivizes higher overall collateralization in the protocol. Node performance is another factor to consider, potentially prioritizing the exit of poorly performing nodes. Validators selected this way receive the maximum exit reward, because they did not exit voluntarily and had no say in whether they were exited. To prevent operators from farming the exit pool, for example by joining only to collect exit rewards, the protocol can impose limits based on time spent in the validator set, node performance, and bond size.

The critical question is where the funding for rewarding exiters comes from. The answer is a dedicated pool holding enough unstaked ETH to reward node operators when exits occur. There are two primary ways to fill this pool: deduct a portion of the node operators' rewards, or increase the fees charged to users. Once the pool reaches its target size, no further fees are collected.
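To make the auction and the forced-selection step concrete, here is a small model of the proposal above, written as an added example for this post; it is not code from RocketPool, Stader or Lido. It assumes a hypothetical per-operator configuration (bond, minimum exit reward, a performance score between 0 and 1, and epochs spent in the set), pays volunteers the offer at which they accepted (a uniform clearing price would be an equally valid design), weights the forced draw by 1/bond and by poor performance, and stops either phase when the exit reward pool cannot fund the next exit.

```python
# Illustrative model of the proposed exit mechanism: an ascending reverse auction
# (the offered reward rises until enough operators accept), then weighted random
# forced exits for unfilled spots, all paid from a finite exit reward pool.
# Added example for this post, not code from RocketPool, Stader or Lido.
from dataclasses import dataclass
import random


@dataclass
class Operator:
    node_id: str
    bond_eth: float          # ETH the operator bonded to the validator (8 or 16 in RocketPool terms)
    min_exit_reward: float   # compensation the operator configured; accepts any offer >= this
    performance: float       # hypothetical 0.0 (worst) .. 1.0 (best) effectiveness score
    epochs_in_set: int       # time spent in the validator set, used for the anti-farming limit


@dataclass
class ExitRewardPool:
    balance_eth: float       # unstaked ETH reserved for compensating exiters

    def pay(self, amount_eth):
        if amount_eth > self.balance_eth:
            raise RuntimeError("exit reward pool exhausted")
        self.balance_eth -= amount_eth


def select_exits(operators, spots, pool, max_reward, step=0.05, min_epochs=1, rng=None):
    """Return {node_id: reward_eth} for the validators the protocol will exit.

    Phase 1: the offer rises from `step` to `max_reward` in `step` increments; every
    eligible operator whose configured minimum is <= the offer exits at that offer
    (pay-as-accepted; a uniform clearing price would be an equally valid choice).
    Phase 2: spots still open are filled by a weighted random draw that favours
    small bonds and poor performance; those operators did not volunteer, so they
    receive `max_reward`.
    Both phases stop when the pool cannot fund the next exit. Operators with fewer
    than `min_epochs` in the set are ineligible, so a node cannot join just to farm
    exit rewards.
    """
    rng = rng or random.Random(0)
    eligible = [o for o in operators if o.epochs_in_set >= min_epochs]
    chosen = {}

    offer = step
    while len(chosen) < spots and offer <= max_reward and pool.balance_eth >= offer:
        # Among operators willing to exit at this offer, lowest bond and then lowest
        # performance go first, matching the priorities of the forced phase.
        takers = sorted((o for o in eligible
                         if o.node_id not in chosen and o.min_exit_reward <= offer),
                        key=lambda o: (o.bond_eth, o.performance))
        for o in takers:
            if len(chosen) >= spots or pool.balance_eth < offer:
                break
            pool.pay(offer)
            chosen[o.node_id] = offer
        offer = round(offer + step, 9)   # avoid float drift in the offer ladder

    remaining = [o for o in eligible if o.node_id not in chosen]
    while len(chosen) < spots and remaining and pool.balance_eth >= max_reward:
        # 1/bond prioritises less-collateralised validators; (2 - performance)
        # adds weight to poor performers. Both weightings are modelling assumptions.
        weights = [(1.0 / o.bond_eth) * (2.0 - o.performance) for o in remaining]
        pick = rng.choices(remaining, weights=weights, k=1)[0]
        remaining.remove(pick)
        pool.pay(max_reward)
        chosen[pick.node_id] = max_reward
    return chosen


# Constructed sample set (not real nodes).
SAMPLE_OPERATORS = [
    Operator("A", bond_eth=8,  min_exit_reward=0.10, performance=0.99, epochs_in_set=500),
    Operator("B", bond_eth=16, min_exit_reward=0.20, performance=0.95, epochs_in_set=500),
    Operator("C", bond_eth=8,  min_exit_reward=0.60, performance=0.70, epochs_in_set=500),
    Operator("D", bond_eth=8,  min_exit_reward=0.05, performance=0.90, epochs_in_set=0),
    Operator("E", bond_eth=16, min_exit_reward=0.30, performance=0.50, epochs_in_set=300),
]


if __name__ == "__main__":
    # Three spots: A, B and E accept at 0.10, 0.20 and 0.30 ETH; C's minimum exceeds
    # the 0.5 ETH cap and D is too new, so no forced exit is needed.
    print(select_exits(SAMPLE_OPERATORS, spots=3, pool=ExitRewardPool(5.0), max_reward=0.5))
    # Four spots: the auction fills three, then C is force-exited at the 0.5 ETH cap.
    print(select_exits(SAMPLE_OPERATORS, spots=4, pool=ExitRewardPool(5.0), max_reward=0.5))
    # A pool holding only 0.25 ETH funds A's exit and then stops: nobody is forced out
    # unless the maximum reward can actually be paid.
    print(select_exits(SAMPLE_OPERATORS, spots=3, pool=ExitRewardPool(0.25), max_reward=0.5))
```

The third call is the case the funding paragraph is about: when the exit reward pool runs dry, the mechanism degrades to "no further protocol-initiated exits" rather than to unpaid forced exits, which is the fairness property the proposal is trying to keep.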

One attack vector to consider is an entity that mints a large amount of LST and immediately requests to unstake it, purely to trigger exits and drain the exit reward pool. To mitigate this, the protocol could cap the amount that can be unstaked per day. With such a limit, the exit reward pool has time to replenish from the collected fees before it can be emptied. This is a safeguard against rapid depletion, but it is by no means a bulletproof solution.

Please note that this is an initial concept; further analysis and refinement would be needed to implement a fair and effective exit mechanism for validators. A solution that is 100% fair to both node operators and stakers is probably impossible.

Subscribe to Arixon