There are several risks for governance in the world of DeFi protocols. The Lido DAO thinks every day about how to avoid protocol capture and how to improve our governance process.
Among other measures to mitigate threats tracked on the Lido on Ethereum Scorecard, we mentioned the concept of a Timelock as a significant safeguard:
Currently, there is no timelock between DAO vote finalization and execution.
Now that the DAO has voted to proceed with this, it’s time to do it!
About The Lido DAO Voting Process
Most decisions made by the Lido DAO go through an on-chain voting phase (you can read more about the Lido DAO governance process here: lido.fi/governance-process).
There are two requirements for a vote to pass:
- Minimum approval (a.k.a "quorum"): more than 5% of the total token supply must vote 'yes'.
- Support: more than 50% of the tokens used to vote must vote 'yes'.
Consider the following hypothetical situation, which is of concern:
- Before voting begins, an attacker has (or possibly buys) more than 5% of the total LDO supply. At the time of writing 1 LDO = $0.62, therefore 5% of the total supply = $31M.
- The attacker posts a sabotage vote that is clearly not supported by DAO members and for which no one is voting (for obvious reasons). Everyone observing expects it to fail since minimal support has not been reached.
- In the last block before the vote ends, it has a minimum (possibly 0) number of 'For' votes and some number of 'Against' votes.
- Right before the vote ends, the attacker throws in his LDOs, the community does not have time to react, the voting ends and now satisfies both conditions for execution.
- In the next block, the attacker enacts their sabotage vote, with the implicit consequences.
We believe we have found a solution that is both elegant and striking in its simplicity and as far as we are aware, this idea hasn't been implemented anywhere before.
What’s The Idea & How Does It Work?
On-chain voting in the Lido DAO lasts 72 hours (in fact, it can be any timeframe, and can be changed in the future through another DAO vote). The essence of our solution is that we divide these 72 hours into 2 parts:
- The main phase, lasting 48h, is conventional voting. Anyone with LDO can freely vote either 'for' or 'against'.
- The objection phase, lasting 24h, is when LDO holders can only vote 'against' or change their vote from 'for' to 'against'.
This schema prevents the specific scenario of “last block vote hijack”. Even if the votes sent in the last block before the end of the main phase changes the result of the vote to 'for', Lido DAO members have the 24 hour objection phase to vote against.
Votings usually choose between “do something” and “do nothing”. We believe that in the classical implementation, without the Objection phase, those who support changes are in a better position. On the last block, they have open information and then they can make the outcome of the vote the way they want. And those who want to “do nothing” usually do not vote if the proposal does not have support anyway and wait for the end. Now those who oppose the proposal also have access to open information and can vote «against» rather than abstain «against».
There are some concerns that remain when using a two-step solution, but neither of them are as dangerous as the “last block vote hijack” scenario that affects the current governance process. These are:
- The “last-minute” vote problem in this scheme still remains since anyone with enough LDO can now object and defeat any governance motion at the very last moment. However, on balance the possibility of suddenly accepting some sabotage changes is considerably more dangerous to the Lido DAO than having a "regular" governance motion blocked at the last minute.
- A variation on the above could be where a malicious voter initially votes 'for', misleading other users about their intention, and then switch their vote to 'against' at the last moment to block the proposal.
A two-phase voting schema allows us to have timelock + veto-like behavior for votings. This way, in case something bad happens, the community will have 24 hours during the timelock to react.
This is an important step for Lido DAO to harden its governance process and mitigate against protocol capture or damage. It is an important safety measure that is part of a broader effort that also includes a novel “dual governance” proposal that is also currently live on the research forum. We welcome your views and feedback on that topic too.