A panoramic analysis of Lido's governance status: The vulnerabilities of DAO
Original Title: "DAO Vulnerabilities: A Map of Lido Governance Risks & Opportunities"
Original Author: BlockScience
Original Compilation: Jeanne Jiang, The SeeDAO
Research Background
Based on our research findings on DAO vulnerabilities, Lido initiated a proposal for a "Comprehensive Study on Lido DAO Governance Vulnerabilities" and reached out to us for a resilience assessment of the LIDO liquid staking protocol governance. In this article, we will share the assessment report on Lido DAO governance vulnerabilities, including the following sections:
Research methods and approaches
What is Lido, its significance in the Proof of Stake (PoS) space, and a stakeholder analysis diagram.
Governance Intuition: Insights on governance minimization and "reasonable scale."
An examination of Lido's vulnerabilities from the social, technical, and economic dynamics of the system.
Conclusions and solutions.
The goal of this research is to depict the current state of Lido's governance to understand its objectives, dynamics, and risks. This can help guide the development of Lido's governance process, ensuring social and technical resilience while managing risks to support Lido's development goals and maintain its leading position in the liquid staking industry.
In this article, we define "vulnerability" as a concept related to "threat." "Vulnerability" typically arises from within the system rather than externally. Therefore, in many cases, once a vulnerability is identified, intervention can occur. Identifying vulnerabilities helps improve the system's adaptability, resilience, and growth opportunities, which is crucial for DAOs aimed at achieving decentralization and autonomy (independence from external directions).
Research Methods and Approaches
We employed qualitative analysis methods, including stakeholder interviews and research on literature, code repositories, block explorers, data dashboards, contract interfaces, public communication channels, and more. The scope of this research primarily focuses on Lido on Ethereum (Note: We did not run a full node to check and verify Lido contracts, nor did we access any network servers interacting with us). Additionally, Lido is a complex adaptive system, and the information gathered during the research period (from December 2021 to March 2022) was accurate, though some information may have changed since then.
What is Lido Liquid Staking?
Lido is a financial platform that provides ETH staking derivatives services and charges management fees. Lido allows users to earn liquidity token rewards without locking assets or maintaining their own staking infrastructure; simply depositing ETH into Lido's smart contract yields transferable stETH (the liquidity token for ETH staked on the Lido platform). In return, 10% of all ETH staking rewards (which can be changed through LDO voting) goes to Lido DAO, controlled by LDO token holders.
LDO token holders are the owners/managers of the platform. They manage the organizational structure of Lido DAO, a set of extension contracts, the treasury of Lido DAO, and the LDO token itself. Anything outside the Ethereum chain (multi-chain) or IRL (individuals) is not directly owned or managed by LDO token holders. While this may change in the future, Lido's governance responsibilities currently lie with on-chain LDO token voters and end-users and operators who vote with their feet.
Liquid staking is a high-tech, capital-intensive, and competitive market. By rapidly growing assets under management (AUM), Lido can increase the amount of management fees collected and continue to invest in further growth and security, aligning with the interests of LDO token holders.
Why Lido is Crucial in the Proof of Stake (PoS) Space
Block space production is a competitive market. The inflation rewards of Proof of Stake (PoS) are inherently centralized, with a few large players potentially dominating the market. Lido needs to capture enough market share to become the leading "decentralized" ETH staking service provider, and it already has a first-mover advantage.
If Lido succeeds, it will fill a significant gap between centralized exchange staking services and DIY interest staking in the public blockchain space. This way, individuals, institutions, decentralized applications (dApps), DAOs, and decentralized finance (DeFi) protocols can all benefit from simple, secure, and liquid staking of ETH. However, if Lido (or similar decentralized liquid staking solutions) fails to do this, centralized exchanges, constrained by the laws of their jurisdictions and regulators, are likely to control most of the staking on major blockchains like Ethereum, thus owning the majority of block space production on all major public blockchains. Block space is a key and valuable resource in public blockchains; whoever produces block space can reorder or censor transactions.
If a "decentralized" system like Lido ensures the security of the majority of current and future Proof of Stake (PoS) blockchains, then block space is more likely to maintain credible neutrality (meaning it is less likely to be monopolized by a single or colluding group). This would elevate LDO as the governance token controlling block space production, as well as the value flowing from that block space production. This means Lido needs to identify and address internal social, technical, and economic vulnerabilities so that it can adjust itself to remain competitive and resilient to external threats and environmental changes, thus avoiding centralization or failure.
You can read Lido's white paper and 2022 OKRs for a better understanding of the project.
Lido Stakeholders
Figure 2: Stakeholder diagram of Lido on Ethereum. Some categories of stakeholders often overlap or interchange roles in different contexts. As Lido evolves, its stakeholder group may also change.
Lido has several key stakeholder groups that play an important role in achieving simple, secure, and liquid ETH. They are:
Primary Stakeholders: Owners, operators, and users, such as LDO token holders, governance committee members, multi-signers, Lido employees, and stETH end-users.
Secondary Stakeholders: External collaborators, such as DApps integrating stETH, validator operators, oracle operators, interface operators, etc.
External Stakeholders: Groups or systems indirectly related to Lido, such as Layer 1 underlying blockchains, competitive staking-as-a-service providers, etc.
These stakeholders help achieve simple and secure ETH liquid staking. Some categories of stakeholders also frequently overlap in different contexts or switch between different roles. As development continues, Lido's stakeholder group may also change (especially across multiple chains, but this article primarily focuses on the Ethereum ecosystem, so this is not within the scope of our preliminary analysis).
Governance Intuition
Insights on Governance Minimization and Governance Scale
Lido has published a roadmap for "Trustless Staking on Ethereum," emphasizing governance minimization through smart contract custody and automated participation of node operators. "Governance minimization" often raises various assumptions among stakeholders, and clarifying its definition helps unify stakeholders' expectations for future governance discussions and decisions.
In this context, governance minimization means "reducing power and reliance on governance as much as possible." As Paradigm states, "The most widely used protocols will tend toward governance minimization." This viewpoint expresses that people prefer to use and trust a system that does not contradict their interests rather than one that the current owners or operators claim will not change.
Automated governance is one way to achieve governance minimization and is becoming increasingly popular, especially in DeFi protocols. Automated governance refers to algorithmizing the governance process through technological automation. For example, Lido's roadmap emphasizes the automation of functions such as validator node selection. We believe this refers to the automation of the governance process, as governance itself cannot be automated. If an algorithm makes a governance decision, it is because it was designed to govern in a specific way. Therefore, process automation shifts governance from the operational layer of the system to the design layer.
However, approving that design also requires governance, and introducing algorithmic governance brings in new governance dimensions (areas of action that need to shape behavior). Automation changes how governance operates within the system and who it is transparent and recognizable to, rather than merely simplifying processes or improving efficiency. Governance is more about which functions should be automated and which require human oversight.
Figure 3: From "Combining the Concepts of DAO and Cybernetics" (Zargham, Nabben, 2022)
In practice, this often appears as a reduction of human governance processes through the introduction of automation while intentionally applying human governance to other areas. However, if the governance process becomes so simplified or limited that the system can no longer be "guided" or governed, the ability to respond to unexpected threats and events will diminish. For instance, Lido may wish to limit the power of local teams while granting them the freedom to act within those limits to enhance operational efficiency (see below "Auxiliary Principles of Operational Governance"), which can maintain efficient operations while reducing systemic risks. As Lido evolves, balancing adaptability and resilience (robustness) and continuously adjusting this balance over time will be key to sustained success.
Governance Scaling
The challenge for Lido DAO is: How can the DAO ensure operational efficiency through automation and trust in code while providing enough awareness, access, and involvement for DAO governors regarding strategic responsibilities? This requires a governance scaling approach (what we know as "necessary diversity"), determining what can be eliminated and what is essential for guiding a system.
One way to think about governance scaling is to clarify the following points: What is actionable (and can be automated)? What strategies are adopted (which may require human input)? What can be monitored (in control theory terms, through "sensors and feedback")? What can be controlled (through "actuators")? These elements can be adjusted to achieve the reliability and operational efficiency needed to meet system goals.
In other words, "decentralizing" for the sake of "decentralization" is inefficient. Perhaps it is more effective to reduce single points of failure, limit the authority of operators, and provide users with the option to "participate" or "exit" the system. From this perspective, limiting LDO token holders' power over most matters while retaining their authority over core functions requiring human input is actually a good thing. This may contradict the mainstream concept of "what is a DAO," but it may not.
The risk of overly simplifying governance is that it eliminates adaptability. If the purpose of governance is to enable a system to adapt and fulfill its functions, then the governance dimension should be as small as possible within a certain range, but not too small. The purpose of defining the governance dimension is to establish a scale that is as small as possible but controllable. If the governance dimension is too large, it becomes unmanageable and unobservable, thus undermining governance. If the governance dimension is too small, there is not enough manipulation to influence and guide the system. The appropriate size of the governance dimension is to guide the system toward its goals through just the right amount of manipulation rather than excessive manipulation. The various vulnerabilities discussed in this article are about minimizing governance risks and how to distinguish governance from operations.
Lido's Vulnerabilities
From the perspective of token system security, one of the main purposes of "decentralization" is to prevent any party (internal or external) from imposing its will on the direction of system development and its stakeholders. If a system is "decentralized," even if you do not trust the participants, you can trust the system. This section aims to explore areas where Lido may have "single points of failure" (centralization) that could reduce its resilience and hinder its ability to become a simple, secure, and liquid token.
One way to think about this issue is through the concepts of controllability and observability in cybernetics. Here, "controllability" refers to the lever controls within the system, while "observability" refers to how to observe and measure the system's behavior.
Is the system controllable (able to be influenced by signals to reach a given state within a limited time)? Is it observable (can key changes in state be understood from the system's output)? If so, how is it controllable, and how is it observable?
Where is the most effective place to add sensors (to measure state and product output to create feedback loops) and actuators (to exert force or control levers)?
Which states in the system should be quantified, and which can be estimated?
Based on this approach, we will begin exploring the vulnerabilities of Lido's governance dimension, including: a collection of controllable and observable things; the system's goals and its optimization capabilities. We will analyze from social, technical, and economic perspectives.
Figure 4: The Transformative Dynamics of Lido's Vulnerabilities
Social Vulnerabilities
Goal Adaptability
Adaptability and governance minimization are inseparable. Some may think that adaptability (change) and governance minimization (stability) are opposites, but this is not the case.
Adaptability is the ability to change. In contrast, governance minimization limits what can change and how it can change within the system. Over time, by increasing constraints on decision-making, adaptability enables governance minimization without completely losing governance capacity when unexpected events arise. This allows a system to develop more resiliently in a constantly changing environment.
Function Determines Form
The organizational form of an institution needs to follow the function it aims to optimize. Broadly speaking, Lido is a "DAO," but the organizational form it takes depends on the functions it seeks to achieve and the environment it operates in. At a macro level, the concepts of "decentralization" and "autonomy" in a DAO mean that no single party controls the system. However, this concept differs when applied to staking-as-a-service and the consensus of underlying protocols. Lido's governance needs to keep the system as simple as possible while allowing it to be adaptable to provide simple, secure, and liquid staking. The correct scope of Lido's governance dimension is determined by the system's purpose and possibilities (or reachability). Lido needs to be capable of adapting to changing L1 protocols (like ETH2.0) and multiple blockchain ecosystems while effectively pursuing its goals.
Lido's governance process has undergone adjustments and developments, constraining existing functions while enabling new functionalities to optimize its objectives. One example is Easy Track governance. This is a subsystem of Lido that provides operators with the freedom to quickly launch with minimal support (adaptability) while limiting what can be implemented (governance minimization). This reduces governance risks while separating high-level goal-setting decisions (Aragon voting) from low-level execution decisions (Easy Track voting).
Lido is exploring increasing the voting time and difficulty for the DAO, as well as imposing more restrictions on Easy Track governance. In the future, by creating operational function subsystems that are separate from strategic and overall DAO decision-making, Lido can achieve minimized governance (reducing activities at the super-user level) and evolve towards trustless Ethereum staking (more activities at the ordinary user level).
Communication & Coordination
Communication and emergency planning are crucial for the operation and governance of a DAO. The DAO needs to avoid excessive coordination costs arising from communication while having clear crisis response plans and crisis adaptation processes. This is a cross-functional area, and Lido can achieve specialization when it expands its operational scale to multiple underlying protocols, execution teams, and validator nodes, transforming teams into multiple working groups directly affiliated with the DAO.
Currently, communication within the Lido team and stakeholders in the DAO is conducted informally. If a vulnerability arises, a contentious debate occurs, or any trust-breaking scenario emerges, users find it difficult to obtain information and take action to protect their interests. Some key communication functions rely on specific team members seeing information in semi-open channels and whether they realize the need to share that information with the broader Lido community. If information is not seen, people will leave the project. As the project continues to scale, key functions must be composed of programs rather than individuals. The potential for communication breakdowns is also a governance risk.
Governance design plays an important role in improving communication within the DAO. To reduce reliance on individual team members, organizational functions can be established to enhance adaptability and reduce redundancy. Organizational functions can be defined based on roles, responsibilities, and processes, allowing stability even when personnel changes occur. This way, the organization can continue to operate stably even as contributors change over time.
Auxiliary Principles of Operational Governance
The principles mentioned by economist Elinor Ostrom in "Governing the Commons" represent a method of bottom-up self-governance strategies. Ostrom referred to the principle of "nested enterprises," suggesting that long-lasting, complex resource systems are often planned as many layers of nested organizations working together to accomplish supply, monitoring, enforcement, conflict resolution, and governance activities. In other words, composite, scalable organizations can operate at multiple levels—across individuals, organizations, and broader systems. By nesting organizations, users can leverage many different scopes of organizations to better govern their resources at each scope, enhancing overall efficiency, ownership, accountability, and scale.
This form of governance is closely related to "resilience," which is the "ability to adapt and transform in response to disturbances to continue fulfilling its core functions."
An appropriate starting point for this governance design is the auxiliary principle: delegating decision-making authority to the lowest competent level in the governance arrangement. The auxiliary principle is planned based on the function of the organization rather than specific actors within the system. Defining an organizational function provides a container that is endowed with the necessary powers and incentives to fulfill its function, rather than relying on certain individuals. This allows redundancy to be appropriately designed within each organizational function and creates a common understanding for interactions between each function. It also allows system owners to grant or revoke rights to operate within these "containers."
Lido has begun to do this by establishing different voting channels and business budgets for some teams, requiring DAO voting only when changing amounts (e.g., LEGO grants). Understanding the auxiliary principle and the principles of nested governance can help Lido test and implement this approach in appropriate areas.
Ownership and Operational Rights of Non-Crypto Assets
Non-crypto assets here refer to anything related to Lido DAO, including the name "Lido," information stored under "Privacy Policy," website domains, communication infrastructure, software subscriptions, etc., that require legal entities and/or non-crypto payments to own and operate digital property or intellectual property.
If a controversial governance event occurs, the intellectual property (IP) of the name "Lido" is most likely to become the center of legal or political struggles. Currently, it is not registered, and no one explicitly owns it.
To avoid potential risks such as ecosystem partners exiting, lawsuits (e.g., Craig Wright Bitcoin lawsuit), or community forks, Lido may consider establishing a subsidiary that reports to the DAO to handle legal business or open-source IP.
Technical Vulnerabilities
Figure 5: An Incomplete Overview of Lido's Technical Architecture
This section explores Lido's main governance mechanisms and the associated technical vulnerabilities.
Global Nodes (Lido Aragon DAO, currently controlled by LDO token voting)
Node operator registration
Oracle operator registration
Financial management
DAO permissions and ACL
Subsystems
Easy Track governance
Lido node operator secondary governance group
Lido ecosystem grant organization
reWards committee
Deposit guardianship committee
Main Coordination Channels
Telegram (informal chat)
Governance Forum (detailed discussions)
Snapshot (signature voting)
Social Media (notifications and updates)
Early Voting in Aragon
Lido on Ethereum is controlled through Aragon DAO and by LDO token voting, including the Lido treasury, ETH2 withdrawal keys, lists of node and oracle operators, DAO access control list (ACL) permissions, execution of EVM scripts, and more. Therefore, the voting application effectively serves as root access to Lido.
At the time of writing this article (March 2022), the permissions of Lido DAO include:
Any address with vested or unvested LDO tokens can create a new vote.
To pass a vote, the number of participating votes needs to account for at least 5% of the LDO token supply (approval/quorum).
At the end of the voting window, a proposal can only pass if 50% of voting participants approve it (support/threshold).
If 50% of the total supply votes for or against a proposal, it meets the absolute majority and can be executed immediately.
The following measures may reduce the likelihood of governance capture or governance compromise:
Do not lower the voting support threshold.
Consider increasing difficulty (time, support, and participation), minimizing root access as much as possible (using subsystems more) [in progress].
Consider creating more Lido subsystems (like Easy Track) with restricted permissions, allowing operators the freedom to act within those constraints, thus reducing the need to frequently use the main (root access) voting application.
Distribute LDO widely among ecosystem participants, especially long-term participants. This way, more governance participants' interests align with Lido's long-term vision. In the future, a time-weighted voting system (voting delegation, trust voting, etc.) could even be added to grant more governance power to long-term stakeholders.
Create automated monitoring tools to provide alerts for each vote, preferably with additional warnings for unusual EVM scripts (e.g., fund transfers >X%).
Assess where automation can be applied, how it can assist the governance process, and what additional dynamics (governance dimensions) it introduces.
Since Aragon Voting equates to root access to the DAO, governance compromise could pose a severe existential threat to Lido.
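The per-vote monitoring recommended above, as an added example (not code from Lido, Aragon or BlockScience). It applies the quorum and support thresholds as this section lists them and assumes the vote's EVM script uses the Aragon CallsScript layout (4-byte spec id, then a 20-byte target, a 4-byte length and the calldata for each call). The addresses, holdings, allowlist, "thin turnout" heuristic and 10% transfer limit are constructed, and only direct ERC-20 transfer calls are decoded, so transfers routed through other contracts would need their own decoders.

```python
from dataclasses import dataclass

# Thresholds as this section lists them (March 2022).
QUORUM_PCT = 5      # participation required, as % of LDO supply
SUPPORT_PCT = 50    # approval required, as % of votes cast; the same
                    # share of total supply decides a vote immediately
SPEC_ID = bytes.fromhex("00000001")          # assumed CallsScript spec id
ERC20_TRANSFER = bytes.fromhex("a9059cbb")   # transfer(address,uint256)


@dataclass
class Call:
    target: str       # contract the vote would call
    calldata: bytes


def decode_calls_script(script: bytes) -> list:
    """Split an EVM script into its calls, rejecting malformed input."""
    if script[:4] != SPEC_ID:
        raise ValueError("unknown script spec id")
    calls, pos = [], 4
    while pos < len(script):
        header = script[pos:pos + 24]   # 20-byte target + 4-byte length
        if len(header) < 24:
            raise ValueError("truncated call header")
        length = int.from_bytes(header[20:], "big")
        data = script[pos + 24:pos + 24 + length]
        if len(data) < length:
            raise ValueError("truncated calldata")
        calls.append(Call("0x" + header[:20].hex(), data))
        pos += 24 + length
    return calls


def vote_status(yea: int, nay: int, supply: int) -> str:
    """Classify a vote; every threshold is read as 'at least' (assumption)."""
    if yea * 100 >= SUPPORT_PCT * supply:
        return "executable-now"
    if nay * 100 >= SUPPORT_PCT * supply:
        return "rejected-now"
    cast = yea + nay
    quorum_met = cast * 100 >= QUORUM_PCT * supply
    supported = cast > 0 and yea * 100 >= SUPPORT_PCT * cast
    return "passing" if quorum_met and supported else "failing"


def review_vote(yea, nay, supply, script, holdings, known_targets,
                max_transfer_pct):
    """Return alerts for one vote.

    holdings maps a token address to the amount the treasury holds and
    known_targets is an allowlist of routinely called contracts; both are
    hypothetical inputs the operator of the monitor would maintain.
    """
    alerts = []
    status = vote_status(yea, nay, supply)
    if status == "executable-now":
        alerts.append("absolute majority reached: executable immediately")
    # Constructed heuristic: turnout below twice the quorum counts as thin.
    elif status == "passing" and (yea + nay) * 100 < 2 * QUORUM_PCT * supply:
        alerts.append("passing on thin turnout")
    for call in decode_calls_script(script):
        if call.target not in known_targets:
            alerts.append(f"call to unlisted target {call.target}")
        if call.calldata[:4] == ERC20_TRANSFER and len(call.calldata) == 68:
            # Calldata: selector, 32-byte recipient word, 32-byte amount.
            amount = int.from_bytes(call.calldata[36:68], "big")
            held = holdings.get(call.target, 0)
            if held and amount * 100 > max_transfer_pct * held:
                alerts.append(f"transfer of {amount * 100 // held}% of holdings")
    return alerts


def _encode_call(target_hex: str, calldata: bytes) -> bytes:
    return bytes.fromhex(target_hex) + len(calldata).to_bytes(4, "big") + calldata


# Constructed sample data: placeholder addresses, not real contracts.
TOKEN, RECIPIENT, UNLISTED = "11" * 20, "22" * 20, "33" * 20
SAMPLE_SCRIPT = (
    SPEC_ID
    + _encode_call(TOKEN, ERC20_TRANSFER + bytes(12) + bytes.fromhex(RECIPIENT)
                   + (300).to_bytes(32, "big"))
    + _encode_call(UNLISTED, bytes.fromhex("deadbeef"))
)


def sample_alerts():
    """Vote with 6% turnout moving 300 of 1000 held tokens (30% > 10% limit)."""
    return review_vote(
        yea=40_000, nay=20_000, supply=1_000_000, script=SAMPLE_SCRIPT,
        holdings={"0x" + TOKEN: 1000}, known_targets={"0x" + TOKEN},
        max_transfer_pct=10,
    )


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```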
Custodial Interfaces
Interfaces are the portals connecting users and services. Typically, users trust what the interface presents to them. While seeing is believing, seeing does not equate to understanding. When most users connect their Ethereum wallets or interact with dApps, they often do not verify whether what is displayed on their screens is genuinely on-chain. This creates a risk that interfaces may be unavailable or misleading, leading users not to take the best actions to represent their interests. For Lido to respond to internal and external pressures, stakeholders need to be able to find information and act on it. Any factors that hinder or interfere with this could become risks to governance awareness and participation.
Potential threats include, but are not limited to:
Censoring interfaces to prevent stakeholder usage.
Modifying data displayed by interfaces, making coordination/communication difficult and/or inducing users to vote on erroneous proposals.
Hacking interfaces to steal users' assets.
For example, the recent exploitation of Badger DAO's interface resulted in losses of up to $120 million. This was not related to their contracts or the Ethereum blockchain but was due to issues with their website.
Another example is third-party contract verification. Security researcher @samczsun recently discovered a zero-day vulnerability in Etherscan's contract verification engine. Beyond finding such vulnerabilities, the best way to prevent zero-day vulnerabilities is to minimize reliance on trusted third parties.
Overall, the attack surface of interfaces is generally larger than that of smart contracts, and they are less transparent, making it challenging to ensure security. Of course, there are measures that can make interfaces more resilient:
Content Addressing: The initial approach is to use content-addressed interfaces as much as possible. If each version is immutable, this can help minimize governance of the interface. Then, content-addressed interfaces can be hosted on IPFS or Arweave. The TornadoCash interface is an example of this.
Self-Hosted Interfaces: It is also important to make it easier for users to launch or host their interfaces. This would allow individuals to run their own interfaces without trusting third parties, while also enabling ecosystem partners (and scammers) to host their Lido interfaces in case the main interface goes down. This lays the foundation for a competitive interface market and does not require reliance on any specific service provider.
Multiple Independent Interfaces: Another strategy to mitigate interface vulnerabilities is to create a competitive market among providers. It is more difficult and unlikely for attackers to compromise multiple interfaces or data providers. With multiple options, users can compare results across different providers.
Validator Diversity
As mentioned in the Lido research forum, the diversity of validator clients is crucial for reducing correlation and dependence on a single infrastructure provider. If all Lido validators use the same client software, a single error could impact Lido's entire assets under management, but if Lido validators use diverse clients, any single error would only affect a subset of the assets under management. This may be particularly important after the Ethereum merge, as validators will be able to capture maximum extractable value (MEV), but most ETH2 clients do not provide MEV-related functionalities (which may lead to competition around Ethereum clients post-merge). The Lido Node Operator Group (LNOSG) is working towards achieving "trustless Ethereum staking," and LDO token holders should pay attention to these changes, especially regarding approving new node operators and/or any automated systems for ranking and rewarding node operators.
We note that this is a core competitive advantage of Lido, and it seems that Lido is already aware of this and is making efforts.
Economic Vulnerabilities
Lido produces block space in the Proof of Stake (PoS) system through competition. Block subsidies, fees, and future MEV can be obtained as rewards.
Investing in block production is forward-looking and probabilistic. This means that if you control ten percent of the validation rights (staked tokens), you may earn around ten percent of block rewards in the future. However, if other validators increase their stakes, you can only earn a lower proportion of block production rewards. To remain competitive, you must purchase more tokens. This creates an incentive mechanism to buy as many tokens as possible early on, allowing you to participate in staking and earn rewards sooner. The earlier you stake, the sooner you earn money, and the sooner you earn money, the more you can stake. In short, PoS validation could be a winner-takes-all market, with many benefits in the staking market. Lido's goal is to become a leader in merged staking with a decentralized, non-custodial staking pool model.
It is important to mention the competitive dynamics in the market where Lido operates; validators dominating PoS networks may become highly valuable, making governance over those validators valuable as well. However, this could lead to competition for control over the system (think of MEV's curve wars). If this occurs, two forces may enable such a system to avoid centralization while continuing to provide neutral competitive decentralized block space production: competitive markets and DAOs.
If block space is a competitive market, users and validators will have choices. They can choose which tokens to buy and sell, as well as which chains to use or validate. If one party becomes the producer of the majority of blocks in the network, they are unlikely to "raise rents," and users and validators can easily sell their tokens and choose to leave. That is to say, professional PoS validators are high-tech and capital-intensive. Those who excel in this area may receive more capital (tokens, computers, and financing), allowing them to participate across all chains.
If a decentralized governance system controls most block production, that system can be guided by a different group of stakeholders while not being controlled by any one of them. How this manifests in practice depends on the token distribution and governance of that staking system, but over time it may involve minimizing the governance dimension. By minimizing governance of resources, stakeholders' ability to compete for and capture that resource is also minimized. Therefore, if it is anticipated that a system will be contested, governance should be reduced as soon as possible and to the greatest extent possible, but only when it achieves this while maintaining the adaptability it needs to function.
Conclusions and Next Steps
The goal of this article is to identify Lido's governance vulnerabilities based on the dynamics of the system at social, technical, and economic levels. Once vulnerabilities are identified, they can be "governed" to enhance Lido's adaptability and resilience. Since systems are dynamic and constantly changing, the process of transforming governance vulnerabilities into opportunities will also be ongoing.
The vulnerabilities of governing socio-technical systems require an analysis of human stakeholders and technical mechanisms. Governance is the use of levers within the boundaries of a system to guide that system. Lido's current structure enables it to provide a decentralized platform for Ethereum's liquid staking while also having enough control to adapt to the changing architecture during the transition from Ethereum 1.0 to 2.0. Over time, as Ethereum becomes more stable, the adaptability of Lido's governance structure can be continuously applied, making Lido more resilient. This is critically important: as Lido expands across multiple blockchains and becomes more valuable, governance over Lido's liquid staking will also become valuable.
By minimizing single points of failure, increasing the difficulty of "root-level" governance, leveraging the auxiliary nature of organizational functions, and creating more subsystem governance mechanisms (like Easy Track) that can quickly execute decisions within constraints, Lido can enhance its resilience. Lido's goal is to contribute to decentralized ETH liquid staking while reducing systemic risks associated with any specific actor or operational process. Ideally, addressing vulnerabilities can lower the likelihood of malicious attacks or underperformance while rewarding productive contributions in a more permissionless and efficient manner. This requires immediate attention at the strategic level.
Completing this task in the emerging, high-risk fields of decentralized autonomous organizations and liquid staking is highly complex. We commend the Lido team and community for their contributions to achieving decentralized liquid staking for Ethereum.
This report was co-authored by Kelsie Nabben, Burrrata, Michael Zargham, and Jessica Zartler. Special thanks to the Lido team, Lido stakeholders who participated in interviews, and all the feedback provided by the BlockScience team, especially Jeff Emmett, Peter Hacker, and David Sisson for their significant assistance.