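Justin Drake, for his part, has put forward an interesting research proposal describing a decentralized liquid staking derivative. It can be used by individual stakers, but it relies on hardware enclave technology such as Intel's SGX. (Translator's note: hardware enclaves are a hardware abstraction for distributing trusted execution onto untrusted platforms.)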

https://notes.ethereum.org/@djrtwo/risks-of-lsd#The-Risks-of-LSD

06/03/2022

The Risks of LSD

Liquid Staking Derivatives cannot safely exceed consensus thresholds

Liquid staking derivatives (LSD) such as Lido and similar protocols are a stratum for cartelization and induce significant risks to the Ethereum protocol and to the associated pooled capital when exceeding critical consensus thresholds. Capital allocators should be aware of the risks on their capital and allocate to alternative protocols. LSD protocols should self-limit to avoid centralization and protocol risk that can ultimately destroy their product.

Note, although current LSD protocols such as Lido have a lot of room for improvement, this article does not target shortcomings in currently implemented designs. Instead, the aim is to show that LSD protocols have inherent issues when they exceed consensus thresholds.

Stratum for cartelization

In the extreme, if an LSD protocol exceeds critical consensus thresholds such as 1/3, 1/2, and 2/3, the staking derivative can achieve outsized profits compared to non-pooled capital due to coordinated MEV extraction, block-timing manipulation, and/or censorship – the cartelization of block space. And in this scenario, staked capital is discouraged from staking elsewhere due to outsized cartel rewards, self-reinforcing the cartel’s hold on staking.

LSD protocols can minimize governance, upgradability, and other risks over time, but the question of “who” gets to be a part of the Node Operator (NO) set remains. This lever is the primary cause of cartelization.

Deciding “who” gets to be a NO is a matter of two questions – who is added to the set and who is removed from the set. This can be designed in one of two ways in the long run – either via governance (a coin vote or other similar mechanism) or via an automated mechanism around reputation and profitability.

Option 1: Governance of Node Operators

In the former – governance deciding NOs – the governance token (e.g. LDO) becomes a major risk to Ethereum. If the token can decide who can be a node operator in this theoretical majority-LSD, then the token holders can force cartel activities of censorship, multi-block MEV, etc, or else the NO is removed from the set.

In fact, the enforcement of such economically monopolistic activities only strengthens the token’s control over the NOs. In the event that the token exercises its monopoly to gain outsized profits through destructive mechanisms, then, in the extreme, NOs would not be nearly as profitable operating independently. Thus the governance token deciding NOs can become a self-reinforcing cartelization and abuse of the Ethereum protocol.

Governance deciding NOs has another distinct risk, which is regulatory censorship and control. If pooled stake under one LSD protocol exceeds 50%, this pooled stake gains the ability to censor blocks (and worse so at 2/3, due to being able to finalize such blocks). In a regulatory censorship attack, we now have a distinct entity – the governance token holders – of which a regulator can make censorship requests. Depending on the token distribution, this is likely a much simpler regulatory target than the Ethereum network as a whole. And, in fact, DAO token distributions are generally pretty terrible, with just a few entities deciding most votes.

In any sort of token governance control over a majority-LSD, we thus rely on the benevolence of the DAO or however control is structured. Relying on such an entity’s benevolence, anonymity, or geographic distribution to prevent attacks is not safe, and we must assume it is not sufficient in the long run.

Option 2: Economic selection of Node Operators

In the alternative design – economic and reputation based NOs – we actually end up in a similar, albeit automated, cartelization. Firstly, entering the set would require time and capital (i.e. put some ETH on the line, akin to the Rocket Pool design, and slowly show profitability and get more pooled ETH allocation). Although the time and money required to enter the set could make it hard for new entrants, this is not the true cartelization vector here. Instead it’s the requisite automated removal of NOs in the event that they do not perform to some profitability standard.

Kicking from the NO set on profitability is likely the only trustless (non-governance) method to ensure that NOs are good for the pool. Defining profitability is problematic – either you define some absolute number (e.g. getting good baseline issuance rewards) or you need to define some relative number (e.g. within 10% of average/normal profitability). Given the unpredictability of MEV/TX rewards in some time window but also given the importance of MEV rewards to profits in the long term, this needs to be dynamic and a comparison over some time period to other operators/validators. That is, the system cannot be designed to just have some absolute metric – must make X in TX fees – due to the high variance in economic activity of the system over time.

This profitability comparison metric works well when all operators are using “honest” techniques, but if any number of the NOs defect to utilizing destructive techniques such as multi-block MEV or adjusting block release times to capture more MEV, then they skew the profitability target such that honest NOs will eventually be automatically ejected if they do not join in on the destructive techniques.

This means that in either method – governance of NOs or economic selection/ejection – such a pool exceeding consensus thresholds becomes a stratum for cartelization. It’s either a direct cartel by governance or it’s a destructive, profitability cartel through smart contract design.
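
The ejection dynamic described under Option 2, as an added example that is not part of the original article: a relative rule (stay within 10% of the set's average) is applied repeatedly to a constructed NO set. The operator names, profit figures and defector premiums are assumptions chosen for illustration.

```python
from statistics import mean

TOLERANCE = 0.10  # the article's example: stay within 10% of average profitability

def build_set(n_honest, n_defect, premium):
    """Constructed per-window profits (needs n_honest >= 2): honest NOs spread
    evenly over 0.95..1.05 (ordinary variance), defecting NOs earn 1.0 + premium."""
    ops = {f"honest-{i}": 0.95 + 0.10 * i / (n_honest - 1) for i in range(n_honest)}
    ops.update({f"defect-{i}": 1.0 + premium for i in range(n_defect)})
    return ops

def eject_round(profits, tolerance=TOLERANCE):
    """One evaluation window: keep only NOs at or above (1 - tolerance) * set mean."""
    floor = (1 - tolerance) * mean(profits.values())
    return {name: p for name, p in profits.items() if p >= floor}

def run_until_stable(profits, tolerance=TOLERANCE):
    """Apply the rule until nobody is ejected; return (survivors, ejecting rounds)."""
    rounds = 0
    while True:
        survivors = eject_round(profits, tolerance)
        if len(survivors) == len(profits):
            return survivors, rounds
        # Every ejection removes the lowest earners, which raises the next mean.
        profits, rounds = survivors, rounds + 1

def honest_left(profits):
    """Count the honest operators still in the set."""
    return sum(1 for name in profits if name.startswith("honest"))

if __name__ == "__main__":
    for n_defect, premium in [(0, 0.0), (2, 0.1), (2, 0.5)]:
        survivors, rounds = run_until_stable(build_set(10, n_defect, premium))
        print(f"defectors={n_defect} premium={premium:.0%}: "
              f"{honest_left(survivors)}/10 honest NOs remain "
              f"after {rounds} ejecting round(s)")
```

With two of twelve operators earning a 50% premium, each ejection raises the average and all ten honest NOs are removed within three rounds; a 10% premium ejects nobody.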

Staked ETH governance fallback

An aside – some suggest that LSD ETH holders could have a say in governance of their underlying LSD protocol, and thus become a safety backstop on what might be a poorly distributed, plutocratic token.

It is important to note here that ETH holders are not by definition Ethereum users, and in the long run, we expect that there are massively more Ethereum users than ETH holders (people with ETH held beyond the amount needed to facilitate TXs). This is a critical and important fact that informs Ethereum governance – there is no on-chain governance granted to ETH holders or stakers. Ethereum is the protocol that users choose to run.

ETH holders in the long run are just a subset of users, so staked ETH holders are a further subset of those. In the extreme of all ETH becoming staked ETH under one LSD, governance vote weights or aborts by staked ETH do not protect the Ethereum platform for users.

Thus even if the LSD protocol and the LSD holders are aligned on subtle attacks and capture, users are not and can/will react.

Insidious nature of governance

Even with time-delays in LSD governance such that pooled capital can exit the system before a change occurs, LSD protocols suffer from frog-boil governance attacks. Small, slow changes are unlikely to get staked capital to exit the system, but the system can still drastically change over time.

Additionally, as mentioned above, LSD holders are not the same as Ethereum users. LSD holders might be fine with some sort of censorship-requisite governance vote, but this is still an attack on the Ethereum protocol and one that users and developers will mitigate through the means at their disposal – social intervention.

Note: “Staked ETH can always exit in the event of malicious governance” is not actually technically true today and is not certain to be true in the future. The validator’s active key is the only key allowed to exit from staking in the current Ethereum PoS design. Although there are a number of proposals to add the feature for BLS and smart contract withdrawal credentials to initiate exits, these are not yet agreed upon in either intent or design.

Risks-on-Capital vs Risks-to-Protocol

Much of the above discussion focuses on the risks an LSD pool, such as Lido, poses to the Ethereum protocol and not actually the risk to those holding capital in the pooled system. Thus this appears to suffer from the tragedy of the commons – each individual making a rational decision to stake with the LSD protocol is making a good decision for the user but an increasingly bad decision for the protocol. But, in fact, risk to the Ethereum protocol and risk to capital allocated to the LSD protocol when exceeding consensus thresholds are tied together.

Cartelization, abusive MEV extraction, censorship, etc. are all threats to the Ethereum protocol and ones that users and devs will respond to with the same methods available for traditional centralization attacks – leak or burn through social intervention. Thus pooling of capital into this stratum for cartelization puts not only the Ethereum protocol at risk, but, in turn, the pooled capital.

These may seem like “tail risks” that are hard to take seriously or that might never happen, but if we’ve learned anything in crypto it’s – if it can be exploited or has some unlikely “critical edge case”, then it will be exploited or collapse much sooner than you think. Time and time again in this open and dynamic setting, brittle systems collapse and vulnerable systems are exploited for both fun and profit.

The Ethereum protocol and users can recover from an LSD centralization and governance attack, but it won’t be pretty. I recommend that Lido and similar LSD products self-limit for their own sake, and I recommend that capital allocators acknowledge the pooling risks inherent to LSD protocol designs. Capital allocators should not allocate to LSD protocols exceeding 25% of total staked Ether due to the inherent and extreme risks associated.
