Disclaimer: The information presented in this article has not undergone empirical testing. It is based on an overview of forums, documentations, and scanners. Readers are advised to verify and validate the content independently before relying on it for decision-making purposes.
A bit of context for those who don't know Lido yet
The Lido protocol aims to bring liquidity to staked assets on Ethereum. It allows users to stake their Ether (ETH) into the protocol, which then issues a token representation of the staked asset (e.g., stETH for staked Ether). This token can be used in DeFi applications, providing liquidity and yield opportunities while the underlying assets are staked and earning staking rewards.
The Lido ecosystem flows as follows: users stake their assets (e.g., Ether) into the protocol; the stake is run by validators on the underlying proof-of-stake (PoS) network, earning staking rewards that are passed on to stakers through the rebasing of their staked tokens (e.g., stETH). Governance and protocol decisions are made by the Lido DAO, while node operators maintain the necessary infrastructure and token holders participate in governance and potential rewards.
Blockful researched the on-chain activity and the economic theory of the Lido DAO in its current state and produced a simple overview of the protocol's inner mechanics, while also raising its concerns in order to understand the "why" behind the incoming changes to the protocol. We look forward to engaging in the debates regarding Dual Governance (DG), which is planned for implementation in Q3/Q4 of 2024.
How the governance is structured
Understanding how the DAO operates starts at its discussion forum, where any idea, proposal, or grant request is published and discussed to gather community feedback. The next step is a Snapshot vote; creating one requires holding at least 1k LDO tokens. The proposal needs to reach a minimum quorum of 5% of the total token supply. The Snapshot vote is not integrated into the Lido contracts on-chain and holds no power to enact changes in the ecosystem. We can see the Snapshot vote as a measure of public opinion towards a proposal.
The real vote happens on-chain, and 5% of the total token supply is needed for the proposal to be enacted. Lido uses the Aragon framework for on-chain governance, and proposal creation is open to addresses holding any quantity of the LDO token, unlike Snapshot, which requires at least 1k LDO ($1,700).
Proposals that change protocol rules or manage the treasury must be submitted with an execution script in raw bytes format. The script is executed by a low-level call once the proposal has cleared the timelock and met the validation criteria.
The Token Manager contract forwards the proposal and starts a new vote in the Voting contract. The first phase of the on-chain vote, which lasts 48h, is the conventional voting, where one can vote both for and against. The second phase lasts 24h; during it one can only vote against or change an existing vote from for to against.
Vote execution is also called on Aragon's Voting contract. The function succeeds only if four conditions are met: the voting period is over; the script has not yet been executed; the support threshold of 50% is reached; and the minimum quorum of 5% of the LDO supply is reached.
Scripts can change almost everything in the ecosystem, from configurations to treasury management, but the Kernel contract, which controls the implementation of proxy apps, cannot be modified by scripts.
Once the script is executed, the contracts will change into a new state with the new set of variables introduced according to the enacted proposal.
Another key component that works in parallel with the voting schema is Easy Track. It is a mechanism introduced by Lido to handle routine and uncontentious governance proposals more easily. Motions can only be proposed by multi-sig committees holding a designated role, and may only be enacted if objections do not reach the 0.5% threshold of the total token supply within 72 hours of the proposal.
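To make the two decision paths above concrete, here is an added Python model of the on-chain vote (48h main phase, 24h objection phase, four execution checks) and of an Easy Track motion (72h objection window, 0.5% veto threshold). It is an illustration written for this article, not Lido's or Aragon's contract code; the class names, the seconds-based clock, the sample supply used in the demo, and the exact strictness of the support and quorum comparisons (strictly more than 50% support, at least 5% quorum) are assumptions, since the article only gives the percentages.

```python
from dataclasses import dataclass, field

HOUR = 3600  # seconds


@dataclass
class AragonStyleVote:
    """Two-phase on-chain vote as the article describes it: a 48h main phase
    (for/against, votes may be changed) followed by a 24h objection phase
    (against only, or switching an earlier 'for' to 'against')."""
    start: int                    # timestamp the vote opened
    total_supply: int             # LDO total supply in whole tokens (constructed in the demo)
    main_phase: int = 48 * HOUR
    objection_phase: int = 24 * HOUR
    support_pct: int = 50         # support threshold from the article
    quorum_pct: int = 5           # minimum quorum from the article
    executed: bool = False
    # voter -> (weight, supports); keyed by address so a changed vote overwrites the old one
    ballots: dict = field(default_factory=dict)

    def phase(self, now: int) -> str:
        elapsed = now - self.start
        if elapsed < 0:
            return "not_started"
        if elapsed < self.main_phase:
            return "main"
        if elapsed < self.main_phase + self.objection_phase:
            return "objection"
        return "closed"

    def cast(self, voter: str, weight: int, supports: bool, now: int) -> None:
        phase = self.phase(now)
        if phase == "main":
            self.ballots[voter] = (weight, supports)
        elif phase == "objection" and not supports:
            self.ballots[voter] = (weight, False)   # 'against' only in the second phase
        else:
            raise ValueError(f"ballot rejected in phase '{phase}'")

    def tally(self) -> tuple:
        yes = sum(w for w, s in self.ballots.values() if s)
        no = sum(w for w, s in self.ballots.values() if not s)
        return yes, no

    def blocking_conditions(self, now: int) -> list:
        """The four execution checks from the article; returns the ones NOT met."""
        yes, no = self.tally()
        failed = []
        if self.phase(now) != "closed":
            failed.append("voting period not over")
        if self.executed:
            failed.append("script already executed")
        # support: 'for' must be strictly more than 50% of all votes cast (assumption)
        if yes * 100 <= (yes + no) * self.support_pct:
            failed.append("support threshold not reached")
        # quorum: 'for' must be at least 5% of total supply (assumption)
        if yes * 100 < self.total_supply * self.quorum_pct:
            failed.append("minimum quorum not reached")
        return failed

    def execute(self, now: int) -> bool:
        """Stand-in for the low-level script call: only runs when every check passes."""
        if self.blocking_conditions(now):
            return False
        self.executed = True
        return True


@dataclass
class EasyTrackMotion:
    """Easy Track motion: enactable after 72h unless objections reach 0.5% of supply."""
    created: int
    total_supply: int
    objection_window: int = 72 * HOUR
    objection_bp: int = 50        # 0.5% expressed in basis points
    objections: dict = field(default_factory=dict)

    def objection_total(self) -> int:
        return sum(self.objections.values())

    def is_vetoed(self) -> bool:
        return self.objection_total() * 10_000 >= self.total_supply * self.objection_bp

    def object(self, voter: str, weight: int, now: int) -> bool:
        """Record an objection inside the window; returns True once the veto threshold is hit."""
        if not (self.created <= now < self.created + self.objection_window):
            raise ValueError("objection window closed")
        self.objections[voter] = weight
        return self.is_vetoed()

    def can_enact(self, now: int) -> bool:
        return now >= self.created + self.objection_window and not self.is_vetoed()


if __name__ == "__main__":
    # Constructed demo: 1B LDO supply, one 'for' voter switching sides in the objection phase.
    vote = AragonStyleVote(start=0, total_supply=1_000_000_000)
    vote.cast("alice", 60_000_000, True, 1 * HOUR)
    vote.cast("alice", 60_000_000, False, 60 * HOUR)   # for -> against is allowed late
    print(vote.tally(), vote.blocking_conditions(73 * HOUR))
    motion = EasyTrackMotion(created=0, total_supply=1_000_000_000)
    print(motion.object("bob", 5_000_000, 10 * HOUR), motion.can_enact(73 * HOUR))
```

The model makes the asymmetry of the two paths visible: a Voting proposal needs positive support and quorum to pass, whereas an Easy Track motion passes by default and only a 0.5% objection stops it, which is why the veto threshold, not the quorum, is the number to watch on that path.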
Security concerns
Unlike most protocols, the Aragon contracts used by Lido have no native vote delegation, a subject that has been, and still is, constantly under debate in the forum. Even in the new DG proposal, token delegation and other forms of vote delegation were left unmentioned by the post authors, a point the community reinforced in the comment section.
Although touched on briefly, delegation was not included in the proposal. It looks like a topic that Lido wants to avoid for now, especially since none of it appears in the DG flowcharts. Delegation matters because it empowers user participation without compromising the token balance of the sponsor. It is the most common practice in the governance space, and Lido should lean towards this approach.
The Kernel contract, among other proxy implementations, seems to be under the centralized control of a few addresses, allowing them to set up new apps outside the voting schema. However, this claim still needs to be verified in depth. One of the addresses mentioned is not even a multi-sig but perhaps an HSM.
The Lido Deployer address is involved in multiple activities around the deployment and initialization of the Lido contracts. Of the current owners of the multi-sig, 2/3 seem to be personal wallets of developers with recent interactions with other protocols in the ecosystem, a reminder that personal wallets should not be used for protocol management.
A griefing attack on Lido through governance vetoes could significantly disrupt the protocol. The griefing could happen on the Easy Track contract, where 0.5% of the total supply is enough for a veto, while an indeterminate amount would be needed on the Aragon Voting contract. In such an attack, LDO holders could veto any governance proposal, effectively freezing the protocol, or use their veto power to push the protocol towards a desired outcome by selectively allowing censoring node operators (NOs) to join. In the short term, this would lock up DAO governance and require coordination to exit the vetoed state. Market sentiment could cause the price of LDO or stETH to fluctuate, potentially allowing attackers to profit from short positions.
Lido's governance contracts lack measures to prevent proposal spamming: anyone with a minimal token balance can submit proposals while paying only the Ethereum gas fees. This weakness could clutter the front-end interface and make it difficult for users to identify legitimate proposals. It would also place a heavy burden on the governance process, requiring significant manual effort to review and manage these proposals, potentially slowing down decision-making and generating costs attached to rejecting them.
Dual Governance: Lido's next stage
Lido's new Dual Governance (DG) mechanism represents a significant evolution in protocol governance. This iteration introduces changes to minimize governance through ossification and resolve principal-agent issues with a dispute and resolution mechanism for misaligned incentives between stakers and LDO holders.
The core problem the protocol faces is the principal-agent problem (PAP), because its code and parameters are controlled by the Lido DAO through LDO token voting. The DAO collects a 5% fee from staking rewards for its treasury, which could lead to conflicts of interest. While LDO holders are incentivized to maintain the protocol's success, their interests do not always align with those of the protocol's users. Governance minimization and eventual ossification of the protocol code and parameters is the ultimate solution, but it is not yet feasible in the current state of Ethereum.
The DG includes a dynamic, user-extensible timelock on DAO decisions. This allows stakers to have a direct influence on the timing of changes, enabling a more flexible and responsive governance structure that can adapt to the needs and preferences of its users.
The DG mechanism also incorporates a "rage quit" feature. This is tailored to the specifics of Ethereum withdrawals, providing stakers with an option to exit the protocol under certain conditions if they disagree with upcoming governance decisions. This ensures that stakers have a safeguard to protect their assets and interests, adding an extra layer of security and autonomy.
Conclusion
Lido holds the most liquid single asset in the market, and its governance is robust with many defensive layers. Decentralizing the protocol is an enormous challenge because of the damage that mismanaging it could cause to the ecosystem. The flaws in the system were identified over the last three years and are being addressed by a new update that has been the major topic of discussion recently, although it has been debated for the past two years. Most of the concerns raised regarding the security of Lido holders, stakers, and Ethereum users are covered by DG's approach, and the only thing left for the public to understand is why the tokens cannot be delegated.
Know Your Entity
Stakers: These are users who stake their assets into the Lido protocol to earn staking rewards. In return, they receive staked tokens (e.g., stETH) representing their stake in the protocol.
Validators: Validators are responsible for validating transactions and creating new blocks on the blockchain. In the context of Lido, validators are often part of the underlying proof-of-stake (PoS) blockchain network (e.g., Ethereum 2.0) where the assets are staked.
Lido DAO: The Lido Decentralized Autonomous Organization (DAO) governs the protocol. It allows Lido token holders to participate in governance decisions, such as protocol upgrades and parameter changes.
Node Operators: Node operators run the infrastructure required for the Lido protocol to function, including running Ethereum nodes and validators.
Liquid Staking Providers: These are entities that provide the infrastructure and technology to enable liquid staking, allowing users to stake their assets and receive liquid tokens in return.
Token Holders: Token holders are individuals or entities that hold Lido's governance token (LDO). They can participate in governance decisions and potentially receive rewards from the protocol's revenue streams.