Overview
Chaos Labs provides an analysis of wstETH’s historical performance, as well as ongoing developments at Lido that may affect its risk profile. We support increasing its LT in Liquid E-Modes on Ethereum Core, Prime, Arbitrum, and Base to 96%.
wstETH
While wstETH has historically been one of the most important and trusted assets on Aave, it is critical to examine its changing risk profile before determining the appropriate LT and LTV, as the suggested change would increase the amount of possible leverage from ~18.18x to 25x. First, we examine the asset’s historical performance.
Historical Performance
As displayed in our previous recommendation regarding the creation of Liquid E-Modes for wstETH/WETH on Arbitrum, Base, and Ethereum Core, wstETH has displayed strong stability relative to its exchange rate. On August 5, 2024 — the day of the largest discount observed in the past year — wstETH fell 1.85%.
On Arbitrum, it fell 1.66%, and on Base, it fell 2.1%.
Because wstETH utilizes an exchange-rate oracle, leveraged users were not liquidated during this event. However, in the rare situation in which wstETH/WETH leverage accounts are marked for liquidation when the market discount exceeds the liquidation bonus (as the result of interest accruing), liquidations would not be processed; given that the historical discounts have been short-lived, this does not present a problem.
The largest risk to Aave lies in the possibility of a slashing event that would cause the exchange rate to decrease, potentially pushing a large amount of leveraged positions into liquidation territory.
Bunker Mode
As a slashing event occurs, Lido’s Bunker Mode gets activated. Bunker Mode is a critical security mechanism designed to protect users who are unstaking their ETH during rare but potentially highly adverse network conditions on the Ethereum blockchain. This protective feature is activated in specific catastrophic scenarios to prevent sophisticated actors from gaining an unfair advantage while ensuring the overall security of the protocol.
Bunker Mode is triggered under three main conditions: during mass slashing events where validators face severe penalties, when penalties exceed rewards in the current period between Oracle reports, or when Lido validators demonstrate lower than expected performance with penalties exceeding rewards. When Bunker Mode is activated, withdrawal requests are temporarily suspended until these negative events are resolved and a thorough assessment of lost ETH due to slashing is completed. This assessment period results in a minimum additional wait time of 18 days for users attempting to withdraw their staked ETH, after which Lido returns to its normal “Turbo Mode” operations.
To improve Aave’s response in the case of a catastrophic event, it may be desirable to utilize a Risk Oracle that freezes the market as soon as Bunker Mode is enabled. This would prevent users from depositing in the market and borrowing against wstETH at a potentially higher value than should be allowed.
SVR
There is a further nuance in the form of the coming implementation of Chainlink’s SVR. However, given the binary aspect of a slashing event, and the lack of time continuity of the event, the block delay in the oracle price for liquidations caused by the use of SVR does not increase the cost or risk of liquidation.
This, coupled with the fact that liquidation events of LST-WETH positions are rare, thanks to the high collateral/debt asset correlation, and either caused by a slashing event or accrued interest, means that increasing the liquidation bonus after adopting SVR strictly improves the risk profile of wstETH, while minimally affecting the user’s experience.
Community Staking Module Transition
Lido’s Community Staking Module (CSM) has officially transitioned from its Early Adoption phase to a fully permissionless platform as of February 1, 2025. This significant upgrade eliminates previous barriers to entry, enabling anyone to become a validator with just 2.4 ETH as an initial bond (reduced from the traditional 32 ETH requirement), and only 1.3 ETH for subsequent validators.
The primary function of the ETH bond in Lido’s CSM is to serve as a security mechanism that protects the protocol and its users. This bonding approach facilitates permissionless onboarding while managing the inherent risks of allowing anyone to operate validators.
The bond acts as collateral against potential validator misbehavior or operational failures. A notable characteristic of the CSM bond implementation is that only ETH (or its staked variations) is accepted as a bond token. The protocol explicitly avoids requiring secondary bonding assets, making it more appealing to ETH maximalists who prefer not to be exposed to other assets with potential value fluctuations relative to ETH.
The bond can be provided in various forms - ETH, stETH, or wstETH - with automatic conversion to stETH happening within the contract. The use of stETH in this manner raises the possibility of socialized losses. However, the CSM V2 introduces bad performance strikes, in which validators receive strikes for performing below a certain performance threshold. Once the number of strikes reaches a defined strikesThreshold, the validator can be ejected and a “bad performance penalty” seized from the Node Operator’s bond.
Additionally, to reduce the risk of uncovered losses, the CSM uses a bonding mechanism that associates bonds with the Node Operator instead of the individual validator. This ensures that the aggregate total of bonds provided by an operator with multiple validators could be used to cover losses caused by any one of its validators.
The transition to a fully permissionless system removed the 12-validators-per-node-operator limit and increased the module capacity to 2%, enabling independent operators to join the network.
Lido’s dashboard indicates there are currently 391 community node operators, representing about 1.7% of the current share and approaching the 2% capacity.
This transformation improves wstETH’s risk profile through enhanced decentralization and security. By lowering the entry barriers for node operators, the CSM enables a more diverse and distributed validator set, reducing centralization risks that previously concentrated staked ETH. The ETH-based bonding mechanism serves as coverage against potential losses from validator misbehavior, further securing the protocol’s stability.
Lido V3
Lido V3 will introduce significant architectural changes to the protocol through the implementation of stVaults, introducing modular smart contracts that operate alongside the Lido Core Protocol. These vaults maintain strict adherence to foundational principles: they must not increase risks for stETH holders, stETH token must remain fungible and 1:1 redeemable to ETH through Lido Core, and their introduction must not negatively impact stETH rewards.
The technical implementation divides components into two layers: Essential (foundational contracts establishing relationships between Lido Core and stVaults) and Advanced (more complex code built atop Essential components). At its core, a stVault is a non-custodial delegated liquid staking smart contract associated with a single node operator or DVT NO cluster that can mint stETH.
Technical Components and Parameters
The stVaults architecture comprises four essential technical components, including an isolated StakingVault smart contract representing a staking position managed by the vault owner, containing funding, withdrawal, and validator management functionality. The VaultHub contract is the central integration point connecting stVaults with Lido Core, responsible for handling vault connections, minting/burning stETH, and implementing rebalancing mechanisms. The AccountingOracle provides validator balances as part of daily reports and handles historical data required for vault accounting and fee collection. Finally, the Predeposit Guarantee is a specialized contract that mitigates deposit frontrunning vulnerabilities through a guarantee mechanism.
Each stVault’s state is defined by valuation, or the estimated total of all vault validator balances plus any ETH held by the vault contract itself, based on Oracle-provided data, and the the amount of ETH blocked from withdrawal, backing minted stETH tokens. If locked exceeds valuation, the vault cannot mint stETH, withdraw ETH, or deposit new validators.
Additionally, the VaultHub tracks crucial parameters, including sharesMinted, reserveRatio, or the percentage of vault’s ETH kept as reserve for minted stETH, which must meet the reserveRatioThreshold, essentially a value that determines how overcollateralized an stVault should be. Finally, there is a shareLimit that caps the amount of stETH share that can be minted by an stVault.
A rebalancing is triggered the vault’s reserve for minted stETH falls below its reserveRatioThreshold because of slashing or prolonged penalties. Once triggered, no further deposits or withdrawals are allowed until vault health is restored. The rebalancing amount follows a mathematical formula to maintain the appropriate reserve ratio.
Risk Implications and Considerations
Ultimately, this evolution introduces additional complexity to the Lido ecosystem, though there are safeguards put in place to mitigate any potential risks to stETH. Stage 1 and Stage 2 of the rollout will provided an extended period of time for early adopters to experiment with stVaults on testnet, allowing for in-depth testing and development leading to further refinement. However, as it is currently presented, there does not appear to be a material change in wstETH’s risk profile that would prevent an increase to 96% LT.
Recommendation
We concur with the proposed parameters for Liquid E-Modes on Ethereum Core, Ethereum Prime, Arbitrum, and Base.
Next Steps
We will move forward and implement these updates via the Risk Steward process.
Disclaimer
Chaos Labs has not been compensated by any third party for publishing this response.
Copyright
Copyright and related rights waived via CC0
