Lido on Ethereum Validator Exits Policy

STATUS: V1.0

A. Background

Ethereum validator exit mechanisms

Currently, there are two ways an Ethereum validator can exit. The first is a voluntary exit, a validator may choose to voluntarily stop performing duties (proposing blocks and attesting to blocks) by submitting a voluntary exit transaction to the beacon chain. The second is forced ejection from the protocol – this could be triggered by slashing or insufficient effective balance (the current threshold is 16 ETH). Additionally, there are ongoing discussions in the Ethereum community around introducing a third method for exiting validators, namely withdrawal credential based triggers of a validator.

Voluntary Exit

A validator can initiate a voluntary exit provided that it is currently active, has not been slashed, and has been active for at least 256 epochs (~27 hours). It does so by signing a “voluntary exit message” (VEM) using the validator key, and broadcasting it to the Consensus Layer (CL) client – or directly (e.g. via an API) – to be processed. Once the validator’s exit message is processed, the validator joins the exit queue. After initiating a voluntary exit, the validator is expected to keep performing duties until it has successfully exited to avoid incurring any penalties. Once the validator has reached the exit epoch, it ceases to perform duties and stops receiving rewards and penalties (enters the “withdrawable” state). Once in the withdrawable state, the validator waits until its index is parsed by the withdrawals sweep operation in order for the balance of the validator to be withdrawn to its specified Execution Layer (EL) 0x01 withdrawal credentials (note that validators with 0x00 withdrawal credentials will need to rotate to 0x01 in order for the withdrawal to be processed, otherwise they are skipped).

Forced Exit

Forced exits are not relevant for the purposes of this policy document, but occur either as a result of a validator being slashed or as a result of their effective balance falling below the EJECTION_BALANCE threshold (currently 16 ETH).

Triggerable Exit

Proposals have been made to introduce functionality into Ethereum that would allow withdrawal credentials (from the EL) to signal and initiate an exit for related validators. Such functionality would provide increased assurances with respect to the timely and orderly exit of validators for staking solutions, as well as potential counter-measures against malicious or ill-performing Node Operators. The downside to this, however, is that triggerable exits incur on-chain gas costs for transactions which do not exist on the CL side – this makes them less suitable than the CL-initiated variant for the average validator exit use case (nor are they a cure-all since validators may still misbehave while in the exit queue). Once/if triggerable exits become available on Ethereum, this policy will need to be updated to detail how, and in which cases, they can be utilized by the protocol.

B. Policy

B.1 Goals

Validator exits may be utilized by fully-functioning staking protocols, including Lido, for the following reasons:

The proposed V2 upgrade of Lido on Ethereum protocol would put in place a series of mechanisms based on on-chain signalling that will serve to notify Node Operators who participate in the protocol when they need to process validator exits.

B.2 Scope

This policy applies to the Lido on Ethereum protocol, the Node Operators that participate in the curated Node Operator registry (“Node Operator(s)”), and the validators that they operate as a part of the protocol. Validators outside of the curated registry are currently out of scope of this policy but may be included in later revisions.

B.3 Policy Statement

B.3.I Validator Exit Order

The exit sequence of Lido on Ethereum validators (i.e. validators submitted to Lido Node Operator Registries which have been deposited to) should follow a deterministic order so that they can be computed independently and trustlessly if needed. The current proposal for exit order is the “combined approach” discussed in the relevant topic “Withdrawals: on Validator Exiting Order”.

B.3.II Performance Expectations Over Time

As this is a new policy concerning new functionality of the Ethereum protocol, the proposed enforcement mechanisms, service level expectations, and associated timeframes detailed in this first version of the policy are mild enough to allow for working out initial kinks without an unreasonable penalty. Once the processes and mechanisms around the automation of validators exits have matured, this policy should be revised. In particular, time windows for service level expectations should be tightened and penalties for non-performance should be increased.

B.3.III Node Operator Responsibilities

Node Operators who participate in the Lido on Ethereum protocol have a duty to correctly exit validators in a timely manner as determined by the protocol’s requirements and rules (as set by the DAO). If they are requested to exit validators ( via signalling using oracles or the exit daemon infrastructure) by the protocol for any of the reasons described in the section “B1-Goals” and as per the validator exit order approved by the DAO.

In order to determine whether Node Operators have appropriately executed the required actions, this policy seeks to outline the time that Node Operators are afforded to do so, and what the penalties for non-conformance should be.

Generally speaking, Node Operators are expected to exit the indicated validators in a reasonable time frame. The actual mechanisms for validators to be exited are at the discretion of Node Operators, and open source tooling will be available to aid Node Operators in identifying signalled validator exit requests, as well as in processing these requests.

The tooling shall consist of three components, which may be used by Node Operators to operate semi- or fully- automated processing of validator exit requests. Node Operators may instead choose to use any of the below modules with a custom implementation (e.g. to utilize a Just-In-Time approach to the generation of VEMs as opposed to pre-generating a certain % of them).

Validator exit requests are signalled to all Node Operators via the on-chain Exit Bus Oracle reports multiple times a day. Node Operators have a duty to set up infrastructure to capture signalled validator exit requests and process relevant (i.e. pertaining to their validators) requests as soon as possible.

For clarity:

B.3.IV Monitoring and Penalties

Additionally, there will be another piece of tooling dubbed the “Monitor Daemon” which will serve to reconcile signalled validator exit requests with processed exits by the Beacon Chain in order to determine if validators have been exited in a timely manner. The results of this monitoring will be publicly available in order to enable the DAO to access to the data it needs to understand the rate, flow, and efficacy of validator exits.

Although the process can be largely automated, to account for differences in infrastructure, working hours, and mechanism timings, the below are the required service levels for validator exits that Node Operators must adhere to.

If Node Operators are processing signalled validator exit requests as soon as they are available, the shortest possible time for a validator exit request to go from “signalled” to “processed” will be somewhere within the range of a few minutes to an hour. With respect to validator exit performance, each Node Operator may be considered to have one of the below three statuses.

Event Requirement to not be considered Delayed Requirement not be considered Delinquent
Processing of signalled validator exit requests All signalled requests are processed ASAP (no longer than 1 day) Some signalled requests are taking longer than 1 but less than 4 days to process
Escalation of inability to execute signalled validator exit request with reason ASAP but no longer than 1 day ASAP but no longer than 4 days

In the case that Node Operators are not processing validator exit requests in a timely manner, the below actions shall be taken: If a Node Operator has a status of Delayed, the NOM workstream will raise an issue in with the Node Operator and request remediative action.

In the case that a Node Operator cannot, for any reason, exit a validator (e.g. loss of the private key associated with that validator), they are expected to reimburse stakers by supplying the maximum irretrievable balance of the validator (i.e. 32 ETH, since anything over that can be obtained via partial rewards). Doing so renders the validator in question “unrecoverable and reimbursed” and does not count against the Node Operator in terms of assessing its validator exit request status.

B.3.V Out of Order Exits and NO Business Continuity

Out of Order Exits

Out of Order exits refers to exits that are made by a Node Operator when a validator exit request has not been made for a (set of) validator(s) by the Lido protocol. In the case of processing such an exit, the Node Operator must notify the DAO via the Lido forums (https://research.lido.fi) that such an exit has been processed, how many and which validators have been exited, and the reason for the exit.

Business Continuity and Other Considerations

If at any time a Node Operator is unable to continue to participate in the Lido on Ethereum protocol (e.g. has become insolvent), it must notify the DAO via the Lido forums (https://research.lido.fi) of the circumstances and signal its intent to exit all of the validators that it operates as a part of the protocol. If the DAO does not otherwise instruct the Node Operator via a ratified vote within 8 days, it must proceed with triggering the exit of all of the validators.