ETH Staking Options and Risks for the DAO

Summary

For consideration by Abitrum DAO’s delegates and voters, OpenZeppelin presents an overview of staking options, the risks they each have, and possible ways the DAO could stake its ETH reserves. If the DAO decides to stake, we recommend gradual investment into a regularly-rebalanced, diversified portfolio of LSTs actively managed in a DAO Treasury Management Vault to minimize trust and mitigate centralization while enabling adaptability to changing risk tolerance and market conditions.

Staking Overview

Staking ETH is part of the proof-of-stake process for Ethereum mainnet. Stakers are allowed to propose/validate specific, new blocks and attest to a correct path through the block tree building a canonical block chain as it goes. If a staker does not attest to a block at the right time they will lose part of their staked funds. Doing everything correctly currently gains stakers about 3% of their stake per year, making staking yield less than US treasuries but more attractive than just holding ETH in a wallet.

Staking, however, does have some interesting systemic concerns. For example, an entity that controls 33% of all staked ETH can delay finality which some have compared to holding finality hostage. An entity that controls 50% can begin to manipulate block chain fork choice and censor a small amount of blocks. An entity that controls 66% cannot forge transactions but otherwise completely controls what transactions occur on the network. They can censor and reorder transactions at will (including even halting finality). This allows them to dictate the rules of the mempool and have a powerful voice for their future vision of the network. Lido (discussed below) has flirted with the 33% threshold in the past and there are serious concerns that centralized exchanges could amass a concerning amount as well. The concentration of ETH is something that should be monitored regularly by the community. The worst-case scenario is that individual entities would be incentivized to create a cartel and reach the larger, more powerful thresholds that no one member of the cartel can reach on their own. Users aware of this possibility can counteract it by diversifying what entities they stake with. Self-staking would be one way to implement such a strategy and would contribute to the decentralization of the network.

Staking Options

Self-Staking

Self-staking is when users stake their own ETH by running their own validator node. This allows users to have full control over their funds so that they are able to withdraw their stake when and where they choose while also contributing to the decentralization of the network. The tradeoff for more control, though, is more responsibility. Should a user’s hardware go offline and the node not be present when they are required, they will be penalized the rewards amount they would have made. Worse, if a node makes a serious mistake (like proposing two different blocks) then they will lose a significant portion of their staked amount. The Ethereum Foundation documents the necessary validator software for a node so getting started should be quite easy.

Key Considerations

Running a node requires mitigations of the operational risks

• Hardware Failure: hardware failing would create downtime for the node and penalties
  • What redundancy solutions are in place?
• DDoS attacks: the node being down could cost you penalties
  • Are you implementing methods to detect and mitigate DDoS attacks?
• Node Software Bugs: The software running the node could have bugs causing the node to have bad behavior and be penalized. The worst case scenario can occur when a super majority of all clients run the same node software implementation. A bug in this case could mean all these nodes reaching finality on incorrect blocks and getting slashed on the chain that did not encounter the bug.
  • What execution client is running? consensus client? Are they part of a super majority of clients being run?
  • What will the software be running on? Is it reliable?
• Web2 Attack vectors: A node machine connected to the internet could receive malware. Worst case scenario is the heist of the node’s private keys. Vitalik cited this as the reason for him not staking his entire ETH amount.
  • Are you following good security practices?
  • Who has access to the machine and what powers do they have?

Mitigation of these risks usually requires utilizing battle-tested resources and practices. The good news is that spinning up a node and a secure plan for its operation can take place on the Holesky testnet. Users should spend time assessing their node setup and effectiveness on this testnet prior to moving to mainnet.

Staking As A Service

Staking-as-a-service (SaaS or sometimes StaaS) allows users to outsource the running of the validator node to a hired operator. There are two large distinctions here: custodial and non-custodial. Custodial SaaS means delivering complete control of your funds to an entity who promises to stake and reward in a certain way but users have no control over their funds, the entity’s behavior, and the regulatory regime of the entity. Examples of this are centralized exchanges like Coinbase and Kraken. Not only can the exchange’s regulatory regime change haphazardly and without warning, but the exchange itself also has its own security practices which may or may not be disclosed or correct and many numerous exchanges have lost user funds.

Non-custodial Saas includes services like Kiln and Stakefish. Users deposit their ETH with the provider who then runs the node for them. The node will have its own signing keys and allows the user to have their own, private fund keys which allow them to move funds in and out of the node. In this way, users will have more control over their funds but as determined by the staking provider.

Key Considerations

Utilizing a provider requires trust and verifying their system’s behavior. Vetting a SaaS provider means determining how much of their operation is programmatic and transparent and also measuring their operational history against their operational risk management practices.

• Transparency Allows Trust: black-box SaaS providers have no ability to convince users of their practices and guarantees.
  • What parts of the system are open source? audited? bug bounties?
  • How are critical components like keys and funds handled?
  • What fees do they charge? How is this verifiable?
• Best Practices Are Best: providers that have plans for mitigating the operational issues above demonstrate competence. Look for providers that are open and proactive at describing the risks within their systems and how they handle them.
  • How long has the provider been operating?
  • How much have they experienced penalties over their operation? What for? Have they ever been slashed?
  • Do they describe mitigations to the operational risks described above?
• Keep Things Permissionless: if a system is permissionless to enter and exit, then malicious operators and regulatory regimes cannot interfere with user funds.
  • Is it permissionless to join?
  • Is there a regulatory regime that affects the provider? Does it require Know-Your-Customer information to join?
  • What keys are required to be handed over? Are there separate keys for signing and moving funds?

Good vetting goes a long way but ultimately SaaS requires trust. Diversification among many different, qualified providers could protect a user from concentrated bad effects if there are enough trusted providers to be found.

Pooled Staking

Pooled staking is when users deposit their funds together for a node operator to utilize and share staking rewards. Pools that are largely managed on-chain are the most common and provide smart contracts for users to manage their participation. Less common are SaaS-like pools where fund management and rewards are handled off-chain to some degree. By far the most common on-chain solution is for pools to provide ERC20-compliant liquid staking tokens (LSTs) for user deposits. This provides a unique opportunity for users. First, it’s incredibly convenient. A simple deposit is often enough to begin. And second, these pools allow users to stake but then re-deploy their LSTs to other financial purposes. In this way, users can stake and then gain further returns on their capital. Posting these tokens as collateral for more ETH and then repeating the staking process is not uncommon and allows users to create leveraged, staked positions but exposes them to the risks of market prices moving drastically against them and swallowing their initial staking capital. Examples of staking pools include Rocket Pool and of course Lido which is the single largest staked ETH holder.

Key Considerations

Staking pools have similar risks to SaaS providers but must also handle commingled funds across possibly multiple node operators. As mentioned above, Lido is the giant in this space and its operation is handled by the Lido DAO. So responsible users of the protocol should keep themselves apprised of the DAO’s initiatives and votes. Also, the systemic concerns begin appearing here as well. Lido has been criticized for not doing enough to counter its profit-seeking motivation and the power of the market incentives for cartel-like behavior cannot be dismissed. Lastly and perhaps most difficult to measure, the ability of users to easily create large leveraged positions could create a catastrophic financial contagion scenario in the face of a large transaction or price movement. For example, June 2022’s stEth depeg was the catalyst for the bankruptcy of Celsius, Voyager, and Three Arrows Capital.

• Systemic Risks: Users should be cognizant of the health of the network and play a responsible part. Diversification among different pools can help mitigate centralization risks.
  • How much staked ETH does the pool own?
  • How many node operators does it employ? How are these node operators chosen? Are there policies in place to limit incentives for collusion?
• Market Risks: Liquid staking tokens allow users the opportunity to re-deploy their capital but that means they’re subject to the market moving against them.
  • Does it provide a liquid staking token? Does it swap for ETH one for one or by an oracle?
  • How well does the LST price track the price of ETH through time? What is its market history? Are there other market factors that can be seen to influence the price of the LST? Has it ever depegged?
  • What financial analyses are available to assess the financial status and risks of the LST? of its penetration into other markets? of its use in leveraged positions?
  • Will you be re-investing your LSTs and putting your ETH stake at risk?
• Pool-specific Operational Risks: DAOs (malicious or not) could enact bad upgrades, switch infrastructures, or mandate new policies within an ecosystem that was assumed to behave a different way by users. Commingling of funds also presents a new difficult task with its own risks.
  • What components are on-chain and off-chain? How are they controlled? What is the governance structure?
  • Is there an operating DAO? Is it dominated by a few actors? What are its goals, initiatives, and vote history? Has it defined a philosophy toward its role and services?
  • How do funds enter and exit the pool? How are they then staked and unstaked?

Restaking

In addition to Ethereum’s proof of stake process, there are other processes called Actively Validated Services (AVSs) which also require staked assets to operate. Restaking is the practice of using ETH or liquid staking tokens to stake on AVSs. They can be oracles, bridges, cryptography schemes, etc. An example of a restaking protocol is Eigenlayer and examples of AVSs are Lagrange and Gasp. Usually, restaking providers give ERC20-compliant liquid restaking tokens (LRTs) for deposits and these have similar risks to LSTs in the market. This is a relatively newer service and does have slightly higher returns than the above options but at higher risk of losing funds due to the added complexity of running these services. These are much more complicated than liquid staking pools and are utilized by many to lever up a position and get the highest possible return from a staking-based strategy. Leverage among LRTs, like leverage of LSTs, complicates markets in ways that are difficult to quantify and investigate.

Key Considerations

Restaking has all the complexity of liquid staking pools and then more. Restaking’s complexity and the less-developed markets for their tokens create serious risks that may not be worth it for an investor like Arbitrum DAO where safety of the funds is prioritized.

Considerations for the DAO

All of the above describe staking risks but not their prevalence. As staking operations and markets become more mature, these risks become less and less likely. So how should the DAO proceed?

Determining a Strategy

In the future, when issues arise and theses no longer hold true, having a written-down investment plan helps justify the path taken and determine what will need to be done next. The DAO should commit to defining:

1. What their staking and investment goals are
2. What is the timeframe of their staking/investing
3. Of the risks described above, what are they willing to take on and how much

As we’ve seen from discussions, the staking goals of the DAO appear to be to protect against ETH inflation, to generate revenue from the ETH reserves they hold, and to do all of this as safely as possible. Whether the DAO has specific, future liabilities they are working towards, we are not aware but these should be part of the investment plan if they exist. The time frame appears to be indefinite, i.e. it seems that this may be a permanent use of the ETH reserves. As for risks, the DAO should determine what risks it likes and what it doesn’t.

Risk Assessment and Diversification

Let’s start a risk assessment by stating that individual staking may be operationally infeasible for a DAO to run. Multi-sigs, payment agreements, and all sorts of logistics can be set up, but the DAO would ultimately have to trust someone to handle the hardware, software, and funds correctly. So all the set up work is effectively the same as staking via with a SaaS provider but with extra, time-intensive steps to begin. This means that there is no option where the DAO stakes without trusting someone. Put another way, to stake the DAO will have to reasonably trust another party with their funds.

We also do not go into much detail about Restaking and risks and leave it to the DAO to make that determination if they so choose. LRTs are easier to depeg and markets are harder to analyze therefore we’d recommend the DAO consider LSTs and build experience in these services before considering LRTs.

This leaves SaaS and Staking Pools. From an operational risk and security perspective, there are SaaS providers and Staking Pools with histories of security and good practices. Each will need to be vetted as described above but the general difference between the two are the market forces that act on pools’ liquid staking tokens. Whether to accept market risks is for the DAO to decide. But having worked in the DeFi space, we see that good investment practice is to document the LST’s market forces, the possible blind spots, the market history, have a plan of action that is ready and easy to implement in case certain conditions arise, visit the assumptions and theses of the plan regularly, and to change the plan if the DAOs understanding of things changes.

To protect itself from catastrophic, operational failure, OpenZeppelin will vet the security and posture of the different options the DAO considers. The DAO could also split its staked ETH across different options, limiting the max amount they can lose in the worst case scenario. The DAO can also consider slowly staking its ETH over time as it grows comfortable with the different options and strategy as a whole.

Strategy Execution

A DAO treasury management protocol like Aera can be used for securing a diverse portfolio of assets, not limited to the recommended LSTs, with programmatically constrained active management. A solution like this allows the DAO to remain in control of treasury funds and respond to market conditions faster than a governance vote.

Links and References

• https://eips.ethereum.org/EIPS/eip-3675
• https://eips.ethereum.org/EIPS/eip-2982
• https://ethereum.org/en/staking/
• https://github.com/djrtwo/writing/blob/main/docs/2022-05-30_the-risks-of-lsd.md
• https://github.com/SomerEsat/ethereum-staking-guides
• https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4840805
• https://docs.ethstaker.cc/ethstaker-knowledge-base
• https://ethereum.org/en/developers/docs/consensus-mechanisms/pos/attack-and-defense/
• https://www.coindesk.com/learn/restaking-101-what-are-restaking-and-liquid-restaking/

Because governance would likely be doing a fairly passive, stake-and-hold strategy, can you also expand your overview to include trade offs of then depositing the staked ETH onto a portfolio of Arbitrum lending protocols? There’s extra yield and that then (in theory) gets the assets circulating again. Including that optional extra layer of an ETH strategy would be helpful.

Great overview!

In the original post we described creating leveraged, staked positions which implies the use of lending protocols.

Supplying to lending protocols, without borrowing in order to earn yield, is a lower-risk alternative to creating leveraged, staked positions. Although both options share the same operational and technology risks, borrowing incurs significantly more market risk. Depositing across a portfolio of lending protocols trades concentration risk for potentially more operational and technology risk.
In the case that a leveraged-staking strategy is profitable, supplying for yield alone is likely the lower-reward option. Further analysis of specific lending protocols and the economic impact of supplying LSTs, possibly with consideration of the Research or Risk members of the ARDC, may be useful in developing Arbitrum DAO’s strategy.