"Lido says it will provide staking services for ETH holders so they can contribute to the Eth2 PoS blockchain; it will also issue bETH tokens—1-to-1 representations of staked ETH—so users can continue using DeFi protocols."
Audits & Exploits
- Bug bounty program can be found here (7-7-2021). Bounty is 100k. Update (11-4-2022): "Lido offer three separate Immunefi bug bounties for three different chain deployments. All three offer rewards up to $2m, totaling $6m. Their mainnet program can be found here"
- Had done three audits (7-5-2021).
- Scored 92% on DeFi Safety (11-4-2022):
There is full coverage of Lido's most major deployed contracts by software function documentation. However, there are clearly a few missing as per their "Deployed Contracts" page. Lido's last code coverage test was run around 7 days ago at the time of writing this review, and can be found here (must be signed in to GitHub to view). The average result is 82% coverage. Lido has not undergone formal verification. Most issues underlined by the audit reports were fixed by the Lido team.
- Previously scored an 84% (7-7-2021): "Sigma Prime has done a Lido.fi security assessment in December 2020. Quantstamp has done a Lido.fi audit in December 2020. MixBytes has done a Lido.fi audit in April and May 2021. Lido.fi was launched December 20th 2021."
"Lido patched a front-end code injection vulnerability after it was responsibly disclosed by United Global Whitehat Security Team."
"Lido's admin control information is easily found and readily available in their docs. Lido uses an upgradeable proxy structure that allows their immutable smart contracts to update the state of these proxies. Since the implementation/logic/code that holds user funds is effectively immutable, and all upgrades are surface level parameter changes that must be voted on, we consider Lido as immutable and non-custodial - 100%. These details can be found here and here. All possible smart contract change capabilities of the Lido software are detailed here. A detailed list of parameters that can be voted upon by the DAO can be found in their Aragon DAO interface. A timelock is identified here, but is not extensively detailed. The Lido timelock enforces a 72h lockup period."
"Lido DAO conducted a vote to upgrade the Lido withdrawal credentials to an upgradeable smart contract to eliminate the risk of collusion amongst withdrawal key signatories"
- From their blog (27-7-2021):
"While Lido is non-custodial, the protocol is not yet fully trustless. Due to the limited functionality ETH 2.0 staking at the time of the Lido’s launch deposits made into the protocol before July 15th, about 81% of deposits are not non-custodial. Rather, the withdrawal key (the private key that controls the ability to withdraw staked funds) for these assets is controlled by a 6/11 multisig scheme, with prominent DeFi community members and entities as signers."
- From their Primer (7-5-2021):
"Lido is managed by the Lido DAO. The DAO members govern Lido to ensure its efficiency and stability. Besides technical development, the Lido DAO’s mandate is to promote Lido and recruit new users, node operators, and validators with educational content, promotional campaigns, and affiliate marketing."
"The project has implemented a skeleton upgradable smart contract for making new withdrawals and new deposits fully non-custodial. The project is still seeking an optimal solution to become a trustless node operator. In a blog post outlining next steps, the Lido team identified three points where users currently still need to trust the company. These include deposits, withdrawals and becoming a node operator."
"Lido governance has lived up to this need for active management, as since December 2020 there have been 83 proposals being put to a formal on-chain vote through Aragon, the platform used to handle DAO operations.
Of these proposals, 70 have passed, with 13 either failing to reach a quorum or being outright rejected. By DeFi standards, Lido has also seen pretty good voter engagement, with an average turnout of 55.9 million tokens per vote, or 5.59% of the total supply. However, a deeper look at some voting metrics suggests that concerns surrounding centralized governance may be warranted. For instance, 79 of the 83 votes were unanimous, in that all tokens voted the same way. Furthermore, 22 proposals received an identical turnout. As an example, seven proposals had a total vote count of exactly 52,718,000 million."
- From Unchained (26-7-2022):
"Currently, Lido DAO holds the vast majority of its $285 million treasury in volatile assets ($247 million in LDO and $30 million in ETH). Lido DAO was looking to secure two years of runway for the team in stablecoins to prepare for a prolonged bear market by selling 20 million LDO tokens, with 10 million being sold outright to Dragonfly."
- There is a proposal to sell "10,000 ETH of Treasury funds to DAI. This should cover about two years for 50-people team & ops expenses of the protocol maintenance budget." (3-6-2022)
"Lido has a total supply of 1 billion tokens. At launch, 36% was allocated to the DAO treasury, a combined 35% to team members (This includes founders, initial protocol developers, and future employees), 22% to investors, and 6.5% to staking validators and the withdrawal key signers.
These latter three groups' tokens have a one-year lockup, followed by a one-year vesting period.
As we can see, this means that 63.5% of the total supply was allocated to protocol insiders. Because of this, it’s reasonable to say that control over Lido is still highly concentrated. In addition, the impending expiry of the lockup period poses the risk of placing perpetual downward pressure on the price of LDO due to sales from these parties. While the effect of this may not be felt as strongly during a bull run, it could potentially exacerbate declines should the market turn bearish. Only 2.8% of the total LDO supply is circulating in the open market."
"The sole, albeit incredibly important, purpose of LDO is governance over the protocol. There are currently no direct mechanisms to drive value to the token, such as buybacks or a staking mechanism that locks up supply, meaning that LDO is more akin to a traditional, growth-stage equity."
- Ownership of Lido’s governance token is relatively concentrated. The top 9 addresses hold ~46% of governance power, and a small number of addresses typically dominate proposals (17-9-2022).
- From Unchained (26-7-2022):
"Yesterday, Lido DAO voted “No” on a proposal that would’ve seen 10 million LDO tokens accounting for 1% of the token’s total supply (worth roughly $14.5 million) sold to Dragonfly Capital. Overall, the voting ended with 43 million LDO, or 66%, of tokens voting no and 21 million LDO tokens, or 33%, voting yes. Interestingly, while 609 users voted, 20.6 million of the ~21 million LDO votes that voted “Yes” came from just two entities."
"With 1,243 commits and 68 branches, Lido's main software repository is liquid gold."
- Built on: Ethereum, added Polygon support (3-2022). Terra Classic, Kusama and Solana are also supported (11-4-2022). stETH is also available on Aztec, Argent and more L2s to come (18-7-2022).
How it works
- From the primer (7-5-2021):
"The stETH token balance is based on the amount of ether deposited in Lido with associated total rewards and slashing penalties. Since the beacon chain is a separate network, Lido smart contracts cannot get direct access to its data. Communication between the Ethereum 1.0 part of the system and the beacon network is performed by the Lido DAO appointed oracles. They monitor node operators’ beacon chain accounts and submit corresponding data to Lido’s Ethereum 1.0 smart contracts. On every update submitted by oracle, the system recalculates the stETH token ratio. If the overall staking rewards are greater than the slashing penalties, the system registers a profit. In this case, the stETH token balances will increase and Lido would apply a 10% fee. The fee is applied by minting stETH tokens corresponding to 10% of Lido's profit. The minted stETH tokens are distributed between the node operators and the DAO’s treasury account. Node operators’ part of the fee is distributed proportionally to the corresponding active validation keys on the beacon chain.
Slashing penalties negatively impact stETH token balances. To compensate for this negative impact, part of the Lido fee is transferred to the slashing insurance provider who protects against reasonably-sized slashing events. The Lido DAO governance must intervene in case of massive slashings. Withdrawals will be available once transfers are implemented in Ethereum 2.0 (scheduled as Phase 2). Once Ethereum 2.0 transfers are rolled out, the Lido DAO would upgrade Lido to implement the feature. Before that point, rewards restaking is not available either."
"After a user clicks “deposit” on Lido’s interface, their tokens are sent to the protocol’s staking contracts. These contracts pool together all user funds and then distribute them to DAO-selected node operators, of which there are currently nine, in increments of 32 ETH. These node operators are the entities responsible for managing and maintaining validators, meaning they’re the ones doing the actual staking."
"Currently, 90% of the earnings from staking go to depositors, while the DAO has a 10% cut of rewards. Currently, this fee is allocated at 50/50 split between node operators and slashing insurance. Since its launch in December 2020, Lido has generated $3.02 million in protocol revenue, about $4.53 million when annualized."
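The rebase and fee mechanics quoted above can be traced in a small model. This is an added example, not Lido's contract code: the share-based accounting, the class and account names, and the 50/50 operator split applied to a single non-operator account (treasury or insurance) are assumptions of the model.

```python
from fractions import Fraction

FEE = Fraction(10, 100)        # 10% of profit, per the primer quote
OPERATOR_CUT = Fraction(1, 2)  # assumption: half of the fee goes to node operators

class StakingPool:
    """Toy share-based model; Fractions keep results exact (contracts use integer math)."""

    def __init__(self):
        self.pooled = Fraction(0)  # ETH backing all stETH, as of the last oracle report
        self.shares = {}           # holder -> shares

    def total_shares(self):
        return sum(self.shares.values(), Fraction(0))

    def _mint(self, who, amount):
        self.shares[who] = self.shares.get(who, Fraction(0)) + amount

    def deposit(self, who, eth):
        total = self.total_shares()
        minted = Fraction(eth) if total == 0 else Fraction(eth) * total / self.pooled
        self._mint(who, minted)
        self.pooled += eth

    def balance_of(self, who):
        total = self.total_shares()
        return self.shares.get(who, Fraction(0)) * self.pooled / total if total else Fraction(0)

    def oracle_report(self, delta_eth, active_keys, treasury="treasury"):
        """Apply the net of rewards and slashing penalties reported by the oracles."""
        old_shares = self.total_shares()
        self.pooled += delta_eth
        if delta_eth <= 0:
            return Fraction(0)     # loss: balances shrink pro rata, no fee is minted
        fee = FEE * delta_eth
        # Mint just enough new shares to be worth `fee` at the post-report ratio.
        minted = fee * old_shares / (self.pooled - fee)
        keys = sum(active_keys.values())
        for operator, n in active_keys.items():
            self._mint(operator, minted * OPERATOR_CUT * n / keys)
        self._mint(treasury, minted * (1 - OPERATOR_CUT))
        return fee

def demo():
    pool = StakingPool()
    pool.deposit("alice", 60)
    pool.deposit("bob", 40)
    pool.oracle_report(10, {"op_a": 3, "op_b": 1})  # constructed report: +10 ETH net
    return {name: pool.balance_of(name) for name in pool.shares}
```

In the constructed run, depositors keep 9 of the 10 ETH reward pro rata, and the 1 ETH fee exists only as newly minted balance, so whoever controls the reported delta controls every holder's balance at once.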
"Those with less than 32 ETH will also be able to pool with other users to stake on Eth2, allowing even small holders to do their part in securing the network. Lido also says it will keep track of staking rewards being earned on the Eth2 blockchain and generate new bETH accordingly on the existing Ethereum chain, allowing staking users to capture staking rewards without delay."
- From this insurance deep dive (3-2021):
"Lido Finance purchased $200 million worth of cover from Unslashed Finance for its stETH (ETH 2.0 staking) to cover the risk of slashing penalties. Slashing refers to penalties exerted towards the Proof of Stake (PoS) network’s validator when the validators fail to maintain the network consistently."
Lido details their oracle's capabilities to "remove the ability to significantly change the price in a single block" here. Lido effectively does this by using "daemon oracles" that report to their overarching LidoOracle contract. This architecture effectively removes incentives from attempting sandwich/front running attacks by increasing the amount of data sources that would need to be exploited, which therefore makes it computationally intensive and expensive. Lido applies the same architecture they use for mitigating sandwich attacks via oracles to their flash loan mitigation strategy.
Their Other Projects
- Can be found [Insert link here].
- Lido, the largest liquid staking protocol on the Ethereum network, is now (29-6-2022) responsible for almost 32% of Beacon Chain’s validators.
- From Our Network (1-4-2022):
"Lido has exceeded 2.9m ETH Staked in ETH2. Total ETH staked in ETH2 exceeded 10m this past month. Though the overall rate of additional ETH being staked started to slow down at the end of last year, the share of ETH2 staking activity attributed to Lido grew in the same time frame (crossing the 25% mark). Lido’s share of the total amount of ETH staked spiked significantly in March 2022, partly due to anticipation of the coming merge but also new usage of stETH by individuals and smart contracts (eg. AAVE listing)."
"over 9,500 addresses have deposited funds into Lido. Despite this strong overall growth, a deeper look into user metrics raises some areas of concern. A substantial portion of staked funds has come from a small number of large holders. More than 325,000 ETH (44%) can be attributed to just 14 users that have deposited more than 10,000 ETH, while an additional 231,000 (35%) can be attributed to an additional 67 users that have deposited between 1000-10,000 ETH. This means that 0.69% of depositors account for 79% of deposits, suggesting that Lido’s customer base, and therefore sources of revenue, are highly concentrated and dependent on this small group of holders."
- Over 400,000 ETH have been staked with Lido (22-5-2021). Lido is the 3rd largest ETH depositor address behind only exchanges like Kraken and Binance.
- As of 7-5-2021 it has 5435 addresses staking 283,124 ETH.
Projects that use or built on it
- Anchor; "Lido, a core staking primitive in Anchor" (16-3-2021)
- Ethereum; stETH which can be used in Curve (5-2021).
- Terra; has bLUNA which is used in Anchor (4-2021).
Pros and Cons
- Is growing towards a DAO (4-2021).
- Has gained wide support and therefore has great liquidity (6-2021).
- Has a high concentration of tokens in whale hands (7-2022), see Coin Distribution.
- Is as of now still permissioned (4-2021). This has largely changed (2022), see Governance.
Team, Funding, Partners
- Full team can be found here.
Terra, KR1, Stakefish, and Staking Facilities, among others. Angel investors, including Rune Christensen of MakerDAO, Stani Kulechov of Aave, and Kain Warwick of Synthetix, also participated in the round.
- Raised another $73M led by Paradigm (5-5-2021).
- Compound, Kraken, Lido, Synthetix, The Graph, and Uniswap have donated $250,000 each to support Ethereum execution-layer client teams (8-2021).
- Matter Labs; according to Matter Labs, the founders and leadership of a bunch of DeFi projects, among which this project, joined in on the $50m raise for zkSync (8-11-2021).