Difference between revisions of "Lido (LDO)"

From CryptoWiki

Line 11: Line 11:
*[[Bug bounty]] program can be found [https://immunefi.com/bounty/lido/ here] (7-7-2021). Bounty is 100k.
*[[Bug bounty]] program can be found [https://immunefi.com/bounty/lido/ here] (7-7-2021). Bounty is 100k.
*Had done [https://github.com/lidofinance/audits three] audits (7-5-2021).
*Had done [https://github.com/lidofinance/audits three] audits (7-5-2021).
*Scored a 84% on DeFi Safety (7-7-2021): ''"[[Sigma Prime]] has done a Lido.fi [https://github.com/lidofinance/audits/blob/main/Sigma%20Prime%20-%20Lido%20Finance%20Security%20Assessment%20Report%20v2.1.pdf security assessment] in December 2020. [[Quantstamp (QSP)|Quantstamp]] has done a Lido.fi [https://github.com/lidofinance/audits/blob/main/QSP%20Lido%20Report%2012-2020.pdf audit] in December 2020. [[MixBytes]] has done a Lido.fi audit in April and May 2021. Lido.fi was launched December 20th 2021."''
*Scored a 84% on [[Defi|DeFi]] Safety (7-7-2021): ''"[[Sigma Prime]] has done a Lido.fi [https://github.com/lidofinance/audits/blob/main/Sigma%20Prime%20-%20Lido%20Finance%20Security%20Assessment%20Report%20v2.1.pdf security assessment] in December 2020. [[Quantstamp (QSP)|Quantstamp]] has done a Lido.fi [https://github.com/lidofinance/audits/blob/main/QSP%20Lido%20Report%2012-2020.pdf audit] in December 2020. [[MixBytes]] has done a Lido.fi audit in April and May 2021. Lido.fi was launched December 20th 2021."''


=== Bugs/Exploits ===
=== Bugs/Exploits ===


* [https://weekinethereum.substack.com/p/week-in-ethereum-news-october-9-2021?token=eyJ1c2VyX2lkIjoxMzk3OTAwLCJwb3N0X2lkIjo0MjM2NTgzMCwiXyI6IitrN3VtIiwiaWF0IjoxNjMzOTI4ODQ2LCJleHAiOjE2MzM5MzI0NDYsImlzcyI6InB1Yi0xMDcxIiwic3ViIjoicG9zdC1yZWFjdGlvbiJ9.5OB0hDpEp From] [[Week In Ethereum|Week in Ethereum]] (5-10-2021):
* [https://www.blockthreat.io/p/blockthreat-week-10-2022?token=eyJ1c2VyX2lkIjoxMzk3OTAwLCJfIjoiUEUyT2QiLCJpYXQiOjE2NDc4MzE0MzIsImV4cCI6MTY0NzgzNTAzMiwiaXNzIjoicHViLTgxMDUiLCJzdWIiOiJwb3N0LXJlYWN0aW9uIn0.81G45qAJDykIxkDYox9jlsafna-IIdIcSCDY91bd_Wc&s=r From] [[Blockthreat]] (16-3-2022):
''"Lido patched a [https://blog.lido.fi/lido-ui-potential-malicious-code-injection-bug-bounty-report/ front-end code injection vulnerability] after it was responsibly disclosed by United Glboal Whitehat Security Team."''
*[https://weekinethereum.substack.com/p/week-in-ethereum-news-october-9-2021?token=eyJ1c2VyX2lkIjoxMzk3OTAwLCJwb3N0X2lkIjo0MjM2NTgzMCwiXyI6IitrN3VtIiwiaWF0IjoxNjMzOTI4ODQ2LCJleHAiOjE2MzM5MzI0NDYsImlzcyI6InB1Yi0xMDcxIiwic3ViIjoicG9zdC1yZWFjdGlvbiJ9.5OB0hDpEp From] [[Week In Ethereum|Week in Ethereum]] (5-10-2021):


''"Staking pool [https://blog.lido.fi/vulnerability-response-update/ vulnerability] impacting Lido and [[Rocket Pool (RPL)|Rocket Pool]], deposit can be [[Frontrunners|frontrun]] putting funds at risk, flagged by [[StakeWise (SWISE)|StakeWise]], raised in Eth Research in late 2019."''
''"[[Staking Pool|Staking pool]] [https://blog.lido.fi/vulnerability-response-update/ vulnerability] impacting Lido and [[Rocket Pool (RPL)|Rocket Pool]], deposit can be [[Frontrunners|frontrun]] putting funds at risk, flagged by [[StakeWise (SWISE)|StakeWise]], raised in Eth Research in late 2019."''


== Governance ==
== Governance ==
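Review bot: the Blockthreat bullet added under Bugs/Exploits links the article with its full `?token=eyJ…&s=r` query string. That value is JWT-shaped and looks tied to one reader's session rather than to the article, so cite the bare `https://www.blockthreat.io/p/blockthreat-week-10-2022` address instead. The unchanged Week in Ethereum link carries the same kind of parameter and could be trimmed in the same edit. The quote on the next line also spells "Global" as "Glboal".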
Line 46: Line 48:
* [https://thedefiant.io/lido-eth-staking-decentralized/ From] [[The Defiant]] (28-7-2021):
* [https://thedefiant.io/lido-eth-staking-decentralized/ From] [[The Defiant]] (28-7-2021):


''"The project has implemented a skeleton upgradable smart contract for making new withdrawals and new deposits fully non-custodial. The project is still seeking an optimal solution to become a trustless node operator.  In a [https://blog.lido.fi/the-road-to-trustless-ethereum-staking/ blog post] outlining next steps, the Lido team identified three points where users currently still need to trust the company. These include deposits, withdrawals and becoming a node operator."''
''"The project has implemented a skeleton upgradable [[Smart Contract|smart contract]] for making new withdrawals and new deposits fully non-custodial. The project is still seeking an optimal solution to become a trustless node operator.  In a [https://blog.lido.fi/the-road-to-trustless-ethereum-staking/ blog post] outlining next steps, the Lido team identified three points where users currently still need to trust the company. These include deposits, withdrawals and becoming a node operator."''


* [https://newsletter.banklesshq.com/p/is-lido-undervalued?token=eyJ1c2VyX2lkIjoxMzk3OTAwLCJwb3N0X2lkIjozOTkyOTUzNCwiXyI6IitrN3VtIiwiaWF0IjoxNjI5MDg1MDA5LCJleHAiOjE2MjkwODg2MDksImlzcyI6InB1Yi0xNjAxNSIsInN1YiI6InBvc3QtcmVhY3Rpb24ifQ.Sy68yXp13LbehJ8h1wRQQoAb86 From] [[Bankless DAO (BANK)|Bankless]] (13-8-2021):
* [https://newsletter.banklesshq.com/p/is-lido-undervalued?token=eyJ1c2VyX2lkIjoxMzk3OTAwLCJwb3N0X2lkIjozOTkyOTUzNCwiXyI6IitrN3VtIiwiaWF0IjoxNjI5MDg1MDA5LCJleHAiOjE2MjkwODg2MDksImlzcyI6InB1Yi0xNjAxNSIsInN1YiI6InBvc3QtcmVhY3Rpb24ifQ.Sy68yXp13LbehJ8h1wRQQoAb86 From] [[Bankless DAO (BANK)|Bankless]] (13-8-2021):
Line 94: Line 96:
* [https://newsletter.banklesshq.com/p/is-lido-undervalued?token=eyJ1c2VyX2lkIjoxMzk3OTAwLCJwb3N0X2lkIjozOTkyOTUzNCwiXyI6IitrN3VtIiwiaWF0IjoxNjI5MDg1MDA5LCJleHAiOjE2MjkwODg2MDksImlzcyI6InB1Yi0xNjAxNSIsInN1YiI6InBvc3QtcmVhY3Rpb24ifQ.Sy68yXp13LbehJ8h1wRQQoAb86 From] [[Bankless DAO (BANK)|Bankless]] (13-8-2021):
* [https://newsletter.banklesshq.com/p/is-lido-undervalued?token=eyJ1c2VyX2lkIjoxMzk3OTAwLCJwb3N0X2lkIjozOTkyOTUzNCwiXyI6IitrN3VtIiwiaWF0IjoxNjI5MDg1MDA5LCJleHAiOjE2MjkwODg2MDksImlzcyI6InB1Yi0xNjAxNSIsInN1YiI6InBvc3QtcmVhY3Rpb24ifQ.Sy68yXp13LbehJ8h1wRQQoAb86 From] [[Bankless DAO (BANK)|Bankless]] (13-8-2021):


''"After a user clicks “deposit” on Lido’s interface, their tokens are sent to the protocol’s staking contracts. These contracts pool together all user funds and then distribute them to DAO-selected node operators, of which there are currently nine, in increments of 32 ETH. These node operators are the entities responsible for managing and maintaining validators, meaning they’re the ones doing the actual staking.''
''"After a user clicks “deposit” on Lido’s interface, their tokens are sent to the protocol’s staking contracts. These contracts [[Pool Together|pool together]] all user funds and then distribute them to DAO-selected node operators, of which there are currently nine, in increments of 32 ETH. These node operators are the entities responsible for managing and maintaining validators, meaning they’re the ones doing the actual staking.''


''Node operators do not have access to user funds, but instead a [[Public Key|public validation key]] that allows them to validate [[transactions]] with another user's [[stake]]. This means that Lido is [[non-custodial]]."''  
''Node operators do not have access to user funds, but instead a [[Public Key|public validation key]] that allows them to validate [[transactions]] with another user's [[stake]]. This means that Lido is [[non-custodial]]."''  
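Review bot: in the Bankless quote the verb phrase "pool together" is now linked as `[[Pool Together|pool together]]`. The sentence describes the staking contracts combining user funds, not a page titled Pool Together, so the link sends readers to an unrelated topic and puts markup inside quoted text. Leave the phrase unlinked, as it was in the previous revision.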
Line 117: Line 119:
* From this insurance [https://www.coingecko.com/buzz/decentralized-insurance-deep-dive deep dive] (3-2021):
* From this insurance [https://www.coingecko.com/buzz/decentralized-insurance-deep-dive deep dive] (3-2021):


''"Lido Finance [https://blog.lido.fi/lido-unslashed-finance-partner-to-insure-ethereum-staking-service/ purchased] $200 million worth of [[cover]] from [[Unslashed Finance]] for its stETH (ETH 2.0 staking) to cover the risk of [[slashing]] penalties. Slashing refers to penalties exerted towards the [[Proof of Stake (PoS)]] network’s [[validator]] when the validators fail to maintain the network consistently."''
''"Lido Finance [https://blog.lido.fi/lido-unslashed-finance-partner-to-insure-ethereum-staking-service/ purchased] $200 million worth of [[cover]] from [[Unslashed Finance]] for its stETH (ETH 2.0 staking) to [[COVER|cover]] the risk of [[slashing]] penalties. Slashing refers to penalties exerted towards the [[Proof of Stake (PoS)]] network’s [[validator]] when the validators fail to maintain the network consistently."''
== Oracle Method ==
== Oracle Method ==
== Privacy Method ==
== Privacy Method ==
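Review bot: in the insurance quote the second "cover" is now `[[COVER|cover]]` while the first stays `[[cover]]`, so one sentence links the same word to two different pages. In "to cover the risk" the word is an ordinary verb, so drop the `[[COVER|cover]]` link and keep only the existing `[[cover]]` link on the noun.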
Line 123: Line 125:
== Their Other Projects ==
== Their Other Projects ==
== Roadmap ==
== Roadmap ==
* Can be found [Insert link here].
* Can be found [Insert [[LINK|link]] here].


== Usage ==
== Usage ==
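Review bot: `[Insert [[LINK|link]] here]` under Roadmap adds a wikilink inside template placeholder text. The word "link" there stands for a URL still to be filled in, not for a page named LINK. Revert the line to the plain placeholder, or replace the placeholder with the actual roadmap URL.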

Revision as of 06:16, 21 March 2022

Basics

"Lido says it will provide staking services for ETH holders so they can contribute to the Eth2 PoS blockchain; it will also issue bETH tokens—1-to-1 representations of staked ETH—so users can continue using DeFi protocols."

History

Audits & Exploits

Bugs/Exploits

"Lido patched a front-end code injection vulnerability after it was responsibly disclosed by United Global Whitehat Security Team."

"Staking pool vulnerability impacting Lido and Rocket Pool, deposit can be frontrun putting funds at risk, flagged by StakeWise, raised in Eth Research in late 2019."

Governance

Admin Keys

"Lido.fi uses Aragon as a DAO framework that they base themselves off of. In their docs, they provide operator frameworks. Pause Control documentation explained, but no evidence of regular tests."

"Lido DAO conducted a vote to upgrade the Lido withdrawal credentials to an upgradeable smart contract to eliminate the risk of collusion amongst withdrawal key signatories"

  • From their blog (27-7-2021):

"Lido validators are controlled by a 6-of-11 multisig of reputable Ethereum builders. We have since transitioned custody to a smart contract, but this cannot extend to existing deposits yet."

"While Lido is non-custodial, the protocol is not yet fully trustless. Due to the limited functionality of ETH 2.0 staking at the time of Lido’s launch, deposits made into the protocol before July 15th, about 81% of deposits, are not non-custodial. Rather, the withdrawal key (the private key that controls the ability to withdraw staked funds) for these assets is controlled by a 6/11 multisig scheme, with prominent DeFi community members and entities as signers."

DAO

"Lido is managed by the Lido DAO. The DAO members govern Lido to ensure its efficiency and stability. Besides technical development, the Lido DAO’s mandate is to promote Lido and recruit new users, node operators, and validators with educational content, promotional campaigns, and affiliate marketing."

"The project has implemented a skeleton upgradable smart contract for making new withdrawals and new deposits fully non-custodial. The project is still seeking an optimal solution to become a trustless node operator. In a blog post outlining next steps, the Lido team identified three points where users currently still need to trust the company. These include deposits, withdrawals and becoming a node operator."

"Lido governance has lived up to this need for active management, as since December 2020 there have been 83 proposals being put to a formal on-chain vote through Aragon, the platform used to handle DAO operations.

Of these proposals, 70 have passed, with 13 either failing to reach a quorum or being outright rejected. By DeFi standards, Lido has also seen pretty good voter engagement, with an average turnout of 55.9 million tokens per vote, or 5.59% of the total supply. However, a deeper look at some voting metrics suggests that concerns surrounding centralized governance may be warranted. For instance, 79 of the 83 votes were unanimous, in that all tokens voted the same way. Furthermore, 22 proposals received an identical turnout. As an example, seven proposals had a total vote count of exactly 52,718,000 million."

Treasury

Token

Launch

Token allocation

"Lido has a total supply of 1 billion tokens. At launch, 36% was allocated to the DAO treasury, a combined 35% to team members (This includes founders, initial protocol developers, and future employees), 22% to investors, and 6.5% to staking validators and the withdrawal key signers.

These latter three groups' tokens have a one-year lockup, followed by a one-year vesting period.

As we can see, this means that 63.5% of the total supply was allocated to protocol insiders. Because of this, it’s reasonable to say that control over Lido is still highly concentrated. In addition, the impending expiry of the lockup period poses the risk of placing perpetual downward pressure on the price of LDO due to sales from these parties. While the effect of this may not be felt as strongly during a bull run, it could potentially exacerbate declines should the market turn bearish. Only 2.8% of the total LDO supply is circulating in the open market."

Utility

"The sole, albeit incredibly important, purpose of LDO is governance over the protocol. There are currently no direct mechanisms to drive value to the token, such as buybacks or a staking mechanism that locks up supply, meaning that LDO is more akin to a traditional, growth-stage equity."

Token Details

Stablecoin

Technology

Implementations

How it works

"The stETH token balance is based on the amount of ether deposited in Lido with associated total rewards and slashing penalties. Since the beacon chain is a separate network, Lido smart contracts cannot get direct access to its data. Communication between the Ethereum 1.0 part of the system and the beacon network is performed by the Lido DAO appointed oracles. They monitor node operators’ beacon chain accounts and submit corresponding data to Lido’s Ethereum 1.0 smart contracts. On every update submitted by oracle, the system recalculates the stETH token ratio. If the overall staking rewards are greater than the slashing penalties, the system registers a profit. In this case, the stETH token balances will increase and Lido would apply a 10% fee. The fee is applied by minting stETH tokens corresponding to 10% of Lido's profit. The minted stETH tokens are distributed between the node operators and the DAO’s treasury account. Node operators’ part of the fee is distributed proportionally to the corresponding active validation keys on the beacon chain.

Slashing penalties negatively impact stETH token balances. To compensate for this negative impact, part of the Lido fee is transferred to the slashing insurance provider who protects against reasonably-sized slashing events. The Lido DAO governance must intervene in case of massive slashings. Withdrawals will be available once transfers are implemented in Ethereum 2.0 (scheduled as Phase 2). Once Ethereum 2.0 transfers are rolled out, the Lido DAO would upgrade Lido to implement the feature. Before that point, rewards restaking is not available either."
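The rebase and fee minting described in the quote above, worked through as an added example (not Lido's code and not part of the quoted source). It assumes share-based accounting, a 50% operator cut of the fee taken from the Fees section, and a single hypothetical "treasury" account for the remainder; all names and sample figures are constructed.

```python
from dataclasses import dataclass, field

BP = 10_000
FEE_BP = 1_000           # 10% fee on profit, as in the quoted description
OPERATOR_CUT_BP = 5_000  # assumption: half of the fee goes to node operators

@dataclass
class Pool:
    total_pooled: int                           # wei backing all stETH
    shares: dict = field(default_factory=dict)  # holder -> shares (assumed model)

    @property
    def total_shares(self) -> int:
        return sum(self.shares.values())

    def balance_of(self, holder: str) -> int:
        """stETH balance = holder's fraction of the pooled ether."""
        return self.shares.get(holder, 0) * self.total_pooled // self.total_shares

    def oracle_report(self, new_total_pooled: int, active_keys: dict) -> int:
        """Apply one oracle update; return the fee in wei (0 on a net loss)."""
        profit = new_total_pooled - self.total_pooled
        old_shares = self.total_shares
        self.total_pooled = new_total_pooled    # rebase: every balance moves
        if profit <= 0:
            return 0                            # penalties >= rewards: no fee
        fee = profit * FEE_BP // BP
        # Mint new shares that are worth `fee` after the rebase.
        minted = fee * old_shares // (new_total_pooled - fee)
        operator_shares = minted * OPERATOR_CUT_BP // BP
        keys_total = sum(active_keys.values())  # must be > 0
        handed_out = 0
        for operator, keys in active_keys.items():
            part = operator_shares * keys // keys_total
            self.shares[operator] = self.shares.get(operator, 0) + part
            handed_out += part
        # Remainder (including rounding dust) goes to the treasury account.
        self.shares["treasury"] = self.shares.get("treasury", 0) + minted - handed_out
        return fee

if __name__ == "__main__":
    E = 10**18  # constructed sample: 1000 ETH pooled, 10 ETH net reward
    pool = Pool(1000 * E, {"alice": 600 * E, "bob": 400 * E})
    print("fee:", pool.oracle_report(1010 * E, {"opA": 3, "opB": 1}) / E)
    for holder in pool.shares:
        print(holder, pool.balance_of(holder) / E)
```

Because the fee is paid by dilution, a depositor holding 60% of the pool sees 90% of their 6 ETH share of the reward (5.4 ETH), and a report with a net loss shrinks every balance without minting anything.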

"After a user clicks “deposit” on Lido’s interface, their tokens are sent to the protocol’s staking contracts. These contracts pool together all user funds and then distribute them to DAO-selected node operators, of which there are currently nine, in increments of 32 ETH. These node operators are the entities responsible for managing and maintaining validators, meaning they’re the ones doing the actual staking.

Node operators do not have access to user funds, but instead a public validation key that allows them to validate transactions with another user's stake. This means that Lido is non-custodial."

Fees

"Currently, 90% of the earnings from staking go to depositors, while the DAO has a 10% cut of rewards. Currently, this fee is allocated at 50/50 split between node operators and slashing insurance. Since its launch in December 2020, Lido has generated $3.02 million in protocol revenue, about $4.53 million when annualized."

Upgrades

Staking

"Those with less than 32 ETH will also be able to pool with other users to stake on Eth2, allowing even small holders to do their part in securing the network. Lido also says it will keep track of staking rewards being earned on the Eth2 blockchain and generate new bETH accordingly on the existing Ethereum chain, allowing staking users to capture staking rewards without delay."

Liquidity Mining

Scaling

Interoperability

Other Details

"Lido Finance purchased $200 million worth of cover from Unslashed Finance for its stETH (ETH 2.0 staking) to cover the risk of slashing penalties. Slashing refers to penalties exerted towards the Proof of Stake (PoS) network’s validator when the validators fail to maintain the network consistently."

Oracle Method

Privacy Method

Compliance

Their Other Projects

Roadmap

  • Can be found [Insert link here].

Usage

"over 9,500 addresses have deposited funds into Lido. Despite this strong overall growth, a deeper look into user metrics raises some areas of concern. A substantial portion of staked funds has come from a small number of large holders. More than 325,000 ETH (44%) can be attributed to just 14 users that have deposited more than 10,000 ETH, while an additional 231,000 (35%) can be attributed to an additional 67 users that have deposited between 1000-10,000 ETH. This means that 0.69% of depositors account for 79% of deposits, suggesting that Lido’s customer base, and therefore sources of revenue, are highly concentrated and dependent on this small group of holders."

Projects that use or built on it

Competition

Coin Distribution

Pros and Cons

Pros

  • Is growing towards a DAO (4-2021).
  • Has gained wide support and therefore has great liquidity (6-2021).

Cons

Team, Funding, Partnerships, etc.

Team

  • Full team can be found [here].

"It is spearheaded by team members from P2P Validator, including CTO Vasiliy Shapovalov and CEO Jordan Fish."

Funding

"Raised $2 million from investors like ParaFi Capital, Semantic Ventures, and more."

Terra, KR1, Stakefish, and Staking Facilities, among others. Angel investors, including Rune Christensen of MakerDAO, Stani Kulechov of Aave, and Kain Warwick of Synthetix, also participated in the round.

Partners