Penalties

Reasons

There are several reasons for the CSM Node Operator's bond to be penalized:

  1. The operator has stolen EL rewards (MEV). Penalty amount = amount stolen + fixed stealing fine (can be applied across multiple NO validators);
  2. The validator's withdrawal balance is less than DEPOSIT_AMOUNT (32 ETH). Covers cases of a meaningful downtime and slashing. Penalty amount = DEPOSIT_AMOUNT - validator's withdrawal balance;
  3. The operator has not exited the validators in time. Penalty amount = exitDelayPenalty (a fixed amount set by the DAO);
  4. The validator has been ejected via EIP-7002 due to an excessive number of strikes. Penalty amount = badPerformancePenalty (a fixed amount set by the DAO);
  5. Force ejection via EIP-7002 was triggered for the validator. Penalty amount = min(actual TW fee paid, maxWithdrawalRequestFee).

The first penalty takes the form of a delayed penalty with a challenge period. A dedicated committee (reporter) detects MEV stealing (violation of the Lido on Ethereum Block Proposer Rewards Policy) and reports this fact on-chain, locking the bond funds. Settlement via an EasyTrack motion (settler) ensures alignment between the DAO and the detection committee. Once the penalty is settled (confirmed), all Node Operators' benefits are reset due to the violation of protocol rules. If the penalty is not settled within the lockPeriod, the locked bond is automatically unlocked.

The second penalty type is calculated using the validator withdrawal balance (actual reporting is described in the section below). This penalty is applied immediately within the reporting transaction. If the initial slashing penalty is applied (first penalty type), it will be accounted for to avoid double penalization.

Penalties from the third to fifth types are applied upon validator withdrawal reporting to avoid double penalization.

Immediate and delayed

The following penalization schemes are introduced:

  1. Immediate penalization. For penalties that are unambiguous and can be assessed via trustless proofs;
  2. Delayed penalty with challenge period. For cases where false positives may occur or investigation might be needed;
  3. Delayed penalty without a challenge period. For cases where the penalty is recorded immediately but applied upon the validator withdrawal reporting.

The challenge period for delayed penalties is implemented by separating the two roles involved in the application of the penalty.

The first role is the "reporter". Members of this role can initially report a fact that should result in a penalty. Bond tokens will be locked but not burned or confiscated at this stage. "Reporters" can also revoke the initial report if the challenge is resolved in favor of the Node Operator.

The second role is called "settler". Members of this role can finalize (settle) previously reported penalties.

Separating these two roles ensures that a penalty can only be applied when two independent actors agree.
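The reporter/settler flow above can be modelled as a small state machine. This is an added example, not CSM contract code: the class, the role names, `STEALING_FINE`, the integer units and the rule that a new report restarts the lock timer are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

STEALING_FINE = 1  # assumed fixed fine, in the same constructed units as the bond


@dataclass
class DelayedPenalty:
    reporters: set
    settlers: set
    lock_period: int                            # how long a report keeps bond locked
    bond: dict = field(default_factory=dict)    # no_id -> bond balance
    locks: dict = field(default_factory=dict)   # no_id -> (amount, expires_at)
    burned: int = 0

    def _require(self, caller, role):
        if caller not in role:
            raise PermissionError(f"{caller} lacks the required role")

    def locked(self, no_id, now):
        amount, expires_at = self.locks.get(no_id, (0, 0))
        return amount if now < expires_at else 0   # expired locks unlock on their own

    def report(self, caller, no_id, stolen, now):
        """Reporter: lock stolen amount + fixed fine; nothing is burned yet."""
        self._require(caller, self.reporters)
        total = self.locked(no_id, now) + stolen + STEALING_FINE
        self.locks[no_id] = (total, now + self.lock_period)

    def cancel(self, caller, no_id, amount, now):
        """Reporter: revoke (part of) a report after a successful challenge."""
        self._require(caller, self.reporters)
        remaining = max(self.locked(no_id, now) - amount, 0)
        _, expires_at = self.locks.get(no_id, (0, 0))
        self.locks[no_id] = (remaining, expires_at)

    def settle(self, caller, no_id, now):
        """Settler: confirm the penalty; burn at most the available bond."""
        self._require(caller, self.settlers)
        penalty = self.locked(no_id, now)
        self.locks.pop(no_id, None)
        confiscated = min(penalty, self.bond.get(no_id, 0))  # no debt is recorded
        self.bond[no_id] = self.bond.get(no_id, 0) - confiscated
        self.burned += confiscated
        return confiscated
```

A caller holding only one of the two roles can lock bond or confirm a lock, but never both, and a report that is not settled before `lock_period` elapses confiscates nothing.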

Mechanics

There are two mechanics related to Node Operator bond penalization.

The first one is burning stETH shares using the Burner contract. Once confiscated shares are burnt, the total amount of stETH shares decreases. Hence, shareRate increases, effectively distributing all burned stETH value between other stETH holders.

The second mechanic is transferring confiscated stETH to the Lido DAO Treasury. This approach is applied to penalties that are used to address protocol operational costs (e.g., keyRemovalCharge).

Penalized funds are burned for most of the reasons described in the previous section. At the moment, there are two penalties transferred to the Treasury: keyRemovalCharge and triggerableWithdrawalRequestFee.

Insufficient bond

If, after penalties have been applied, a Node Operator's bond is less than required to cover the current Node Operator's validators, all new rewards will be used to replenish the NO bond until it is back to the required level. Node Operators can also "top-up" the bond themselves (by submitting the required difference) to be able to claim new rewards.

Info: Any unbonded validators are requested to exit. Unbonded but not deposited keys are excluded from the stake allocation queue.

If the penalty exceeds the amount of the Node Operator bond available, all available bond tokens will be burned, and no debt will be recorded, since it would never be repaid.

Bad performance strikes

Strikes assignment

Once per frame, the CSM Performance Oracle delivers an additional tree root with information about "strikes" for the validators. A strike means that the validator performed below the threshold in this frame. When updating this tree, the CSM Performance Oracle takes the previous values from the old tree into account. All strikes older than strikesLifetime oracle frames (e.g., 6 frames) are dropped.

Strikes tree leaves have the form {noID, validatorPubkey, [strikeTimestamps]}.

Info: It is crucial to note that strikes are not a penalty but an indicator of bad performance that should be considered by the Node Operators as a signal to improve their performance.

Ejection due to strikes

Once the number of strikes reaches the strikesThreshold (e.g., 3 strikes in 6 months), a permissionless method can trigger an exit for the validator and record that a badPerformancePenalty should be confiscated from the Node Operator's bond upon validator withdrawal reporting.
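The strike window and ejection threshold described above, replayed over constructed data. This is an added example, not the oracle's code: strikes are stored as frame indices instead of timestamps, the 0.9 performance threshold is assumed, and "older than strikesLifetime frames" is read as `frame - strike_frame >= strikes_lifetime`.

```python
# Constructed per-frame performance, keyed by (noID, validatorPubkey).
A, B = (1, "pubkey_A"), (2, "pubkey_B")
BAD, OK = 0.5, 0.99
FRAMES = [
    {A: BAD, B: BAD},  # frame 0
    {A: OK, B: BAD},   # frame 1
    {A: OK, B: OK},    # frame 2
    {A: BAD, B: OK},   # frame 3
    {A: OK, B: OK},    # frame 4
    {A: BAD, B: OK},   # frame 5
    {A: OK, B: OK},    # frame 6
    {A: OK, B: BAD},   # frame 7
]


def update_strikes(prev_leaves, performance, frame, perf_threshold, strikes_lifetime):
    """Build this frame's strike leaves from the previous tree's leaves."""
    leaves = {}
    for key in prev_leaves.keys() | performance.keys():
        # Carry over earlier strikes, dropping those outside the lifetime window.
        strikes = [f for f in prev_leaves.get(key, []) if frame - f < strikes_lifetime]
        if key in performance and performance[key] < perf_threshold:
            strikes.append(frame)  # below threshold in this frame: new strike
        if strikes:
            leaves[key] = strikes
    return leaves


def replay(frames, perf_threshold=0.9, strikes_lifetime=6, strikes_threshold=3):
    """Return the final leaves and {frame: validators eligible for ejection}."""
    leaves, history = {}, {}
    for frame, performance in enumerate(frames):
        leaves = update_strikes(leaves, performance, frame, perf_threshold, strikes_lifetime)
        hit = sorted(k for k, s in leaves.items() if len(s) >= strikes_threshold)
        if hit:
            history[frame] = hit
    return leaves, history
```

Validator A collects strikes in frames 0, 3 and 5 and becomes eligible for ejection in frame 5; validator B also has three bad frames (0, 1, 7), but the first two expire before the third arrives, so it never reaches the threshold.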

Warning: Ejection parameters are subject to the Lido DAO decision.

Validator ejection via EIP-7002 comes with a price. This price should be confiscated from the Node Operator's bond and transferred to the Lido DAO treasury to cover corresponding operational expenses.