Stress Scenarios
This section presents a series of seven detailed stress scenarios exploring the slashing and liveness risks that can impact Lido’s validator set—and by extension, DeFi protocols like Aave that rely on wstETH as collateral.
Each scenario is modeled under both pre-Pectra and post-Pectra conditions to evaluate how changes introduced by the upgrade—such as reduced initial slashing penalties and fixed correlation penalty rounding—affect overall ETH losses. This dual analysis helps capture how validator economics and risk exposure evolve in a post-Pectra Ethereum.
What Risks Are Covered
The modeled scenarios span a diverse range of risk axes, including:
- Scope of Failure: from isolated operator-level events to network-wide failures.
- Nature of Event:
  - Slashing-related: caused by double votes, surround votes, or faulty client logic.
  - Consensus-related: extended validator inactivity leading to inactivity leaks and missed attestation penalties.
- Client Layer Affected:
  - Consensus Layer (CL): where validator votes are coordinated.
  - Execution Layer (EL): where blocks and payloads are processed.
- Client Market Share Impact:
  - Minority client (<33%) failure vs. Majority client (>33% && <66%) failure.
- Impact of the Pectra Upgrade: comparing ETH losses under pre-Pectra vs post-Pectra slashing and penalty mechanics.
Simulation Methodology
To account for the evolving Ethereum validator landscape and protocol-level changes introduced in the Pectra upgrade, each stress scenario is modeled across two configurations:
- Pre-Pectra: Simulations use the slashing and penalty mechanics in place prior to the Pectra upgrade. These include a fixed 32 ETH MAX_EFFECTIVE_BALANCE, a 1 ETH maximum initial slashing penalty, and the legacy correlation penalty behavior where rounding in integer math could result in a zero penalty if the slashed stake was below ~1.04% of the network.
- Post-Pectra: Simulations reflect the new slashing regime introduced with Pectra. These include dramatically reduced initial slashing penalties due to the increase in MIN_SLASHING_PENALTY_QUOTIENT, and importantly, a fix to correlation penalty rounding that ensures every slashing event results in a non-zero penalty, regardless of size.
This twofold modeling approach isolates the impact of the Pectra upgrade, allowing us to understand how validator penalty outcomes shift when the failure scope remains constant.
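The initial and correlation penalty figures reported for Scenarios 1, 3 and 4 follow from the consensus-spec integer arithmetic under each regime. The sketch below is an added example, not the simulation code behind this analysis; it assumes every slashed validator has a 32 ETH effective balance, all slashings fall in one slashings window, and total active balance is 34,000,000 ETH, and its function names are illustrative.

```python
"""Initial and correlation slashing penalties, pre- and post-Pectra.

Added example. Constants follow the Ethereum consensus specs; the scenario
inputs (slashed stake, 34,000,000 ETH total stake) are taken from this page.
Assumption: every slashed validator has a 32 ETH effective balance.
"""

GWEI = 10**9
EFFECTIVE_BALANCE_INCREMENT = 1 * GWEI      # 1 ETH expressed in Gwei
VALIDATOR_BALANCE = 32 * GWEI               # assumed effective balance
PROPORTIONAL_SLASHING_MULTIPLIER = 3        # same value before and after Pectra
MIN_SLASHING_PENALTY_QUOTIENT = {"pre": 32, "post": 4096}


def initial_penalty(effective_balance, regime):
    """Penalty applied immediately when a validator is slashed (Gwei)."""
    return effective_balance // MIN_SLASHING_PENALTY_QUOTIENT[regime]


def correlation_penalty(effective_balance, slashed_total, total_balance, regime):
    """Penalty applied halfway through the withdrawal delay (Gwei).

    slashed_total is the sum of effective balances slashed in the window.
    """
    adjusted = min(slashed_total * PROPORTIONAL_SLASHING_MULTIPLIER, total_balance)
    increments = effective_balance // EFFECTIVE_BALANCE_INCREMENT
    if regime == "pre":
        # Legacy order of operations: the floor division by total_balance
        # happens before scaling back up, so the result is 0 whenever
        # increments * adjusted < total_balance (about 1.04% of stake for 32 ETH).
        return (increments * adjusted) // total_balance * EFFECTIVE_BALANCE_INCREMENT
    # Post-Pectra: compute a per-increment penalty first, which keeps Gwei
    # precision and yields a non-zero result for small slashings.
    per_increment = adjusted // (total_balance // EFFECTIVE_BALANCE_INCREMENT)
    return per_increment * increments


def scenario(slashed_eth, total_eth=34_000_000):
    """Return {regime: (initial_eth, correlation_eth)} for a slashed stake."""
    n_validators = slashed_eth // 32
    slashed_total = slashed_eth * GWEI
    total_balance = total_eth * GWEI
    result = {}
    for regime in ("pre", "post"):
        init = n_validators * initial_penalty(VALIDATOR_BALANCE, regime)
        corr = n_validators * correlation_penalty(
            VALIDATOR_BALANCE, slashed_total, total_balance, regime
        )
        result[regime] = (init / GWEI, corr / GWEI)
    return result


if __name__ == "__main__":
    # Slashed stake per scenario, as stated in the scenario assumptions.
    for name, slashed in (("Scenario 1", 8_192),
                          ("Scenario 3", 92_160),
                          ("Scenario 4", 280_576)):
        for regime, (init, corr) in scenario(slashed).items():
            print(f"{name} {regime:>4}: initial={init:9.2f} ETH  "
                  f"correlation={corr:9.2f} ETH")
```

Attestation penalties accrued during the withdrawal delay are not modeled here, so the totals in each scenario are higher than the sum of these two components.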
Stake Distribution within Lido
Lido distributes stake evenly across its node operators. In theory, no single operator should control more than ~2.7% of the total delegated stake. In the stress scenarios analyzing operator-level failures, a 3% operator stake was deliberately selected to illustrate a worst-case configuration—accounting for potential minor imbalances between operators at the time of the incident.
Master Comparison Table
Below, we provide a Master Comparison Table summarizing all seven scenarios by likelihood, impact, ETH loss, impact on Lido’s stake, and DeFi downstream effects (especially on Aave). This table serves as a quick-reference framework for understanding which failure modes are most threatening and which are more tolerable under current and future Ethereum conditions.
Scenario | Impact | Projected ETH Loss | % of Lido Stake | Impact on Aave |
---|---|---|---|---|
1. Low-scale Isolated Slashing | Negligible | 22.48 ETH | ~0% | Negligible |
2. Offline Incident | Low | 95.8 ETH | ~0% | Negligible |
3. Mixed Failure – Slash + Downtime | Low | 1000 ETH | ~0.01% | Negligible |
4. High-Scale Slashing Event | Moderate | 7513 ETH | ~0.08% | Negligible |
5. EL Majority Client Bug | Medium | 5,833.1 ETH | ~0.062% | Negligible |
6. CL Majority Client Bug | High | 634,647.9 ETH | ~6.77% | High |
7. CL Minority Bug w/ Slash | Severe | 1,409,226.8 ETH | ~15% | Severe |
1. Low-scale Isolated Slashing Event (Operator-Level)
Category | Rating |
---|---|
Impact | Negligible |
Projected ETH Loss | 22.48 ETH |
% of Lido Stake | ~0% |
Impact on Aave | Negligible |
This scenario models a limited, localized slashing event affecting only a small portion of one operator’s validators. It reflects common real-world failure modes, such as a key leak or misconfigured anti-slashing protection, without broader network impact. While these events are rare, they remain the most plausible form of slashing due to human or operational error.
Trigger:
- Key leak affecting a small portion of a Lido node operator’s stake, or a local failure in anti-slashing protection.
Assumption:
- A Lido node operator was slashed on approximately 8,192 ETH of their stake.
- Total stake: 34,000,000 ETH
Simulation Output:
Projected Loss for Lido: Negligible – (22.48 ETH)
Simulations show that in a pre-Pectra environment, this scenario would have resulted in a total ETH loss of 270.55 ETH, primarily driven by a 256 ETH initial slashing penalty and zero correlation penalty due to rounding effects in the legacy integer math implementation.
In contrast, under post-Pectra conditions, the total ETH loss drops drastically to 22.48 ETH. This is primarily due to the significant reduction in the initial slashing penalty, which now caps at just 2 ETH thanks to the increase in MIN_SLASHING_PENALTY_QUOTIENT from 32 to 4,096. Additionally, correlation penalties are now always non-zero, due to rounding fixes introduced in EIP-7251, which results in a 5.92 ETH correlation penalty for this scenario.
Overall, the total ETH loss decreased by 91.7%, from 270.55 ETH to 22.48 ETH. This sharp drop transforms what was once a relatively costly slashing event into a minor, easily recoverable penalty—highlighting the effectiveness of the Pectra upgrade in mitigating the impact of isolated validator failures.
Downstream Effects on Aave: Negligible
2. Offline Incident – 100% Validator Downtime (Operator-Level)
Category | Rating |
---|---|
Impact | Low |
Projected ETH Loss | 95.84 ETH |
% of Lido Stake | ~0% |
Impact on Aave | Negligible |
A large Lido Node Operator experiences a total outage. Their validators fail to produce attestations or proposals for 7 full days.
Triggers:
- Operator pushes a breaking infrastructure change.
- All validators operated by this Node Operator go offline and remain non-participatory for 7 days.
- No malicious behavior, no slashing, but validators suffer missed attestation penalties.
Assumptions:
- The affected Lido node operator holds 3% (approximately 280,576 ETH) of the total Lido stake.
- The node operator was offline for 7 consecutive days.
- Total stake: 34,000,000 ETH
- Staked ETH with Lido: 9,370,630 ETH
Simulation Output:
Projected Loss for Lido: Low – 95.84 ETH
Based on our simulation results, we observed that a node operator who went offline for 7 days incurred a penalty of approximately 95.8 ETH due to missed attestations. This penalty remained consistent across all scenarios, regardless of whether it was pre-Pectra or post-Pectra. Importantly, the total penalty amount is relatively minor and can be recovered with consistent uptime.
In Ethereum, offline penalties are not particularly severe as long as the chain continues to finalize—meaning at least two-thirds of the validator set remains online. Typically, a validator can recover the losses from one day of downtime with one day of uptime. Therefore, in this case, the operator is expected to break even roughly 7 days after coming back online.
Downstream Effects on Aave: Negligible
3. Mixed Failure – Slash + Downtime (Operator-level)
Category | Rating |
---|---|
Impact | Low |
Projected ETH Loss | 1000 ETH |
% of Lido Stake | ~0.01% |
Impact on Aave | Negligible |
A large Lido Node Operator accidentally leaks one of their validator signing keys, resulting in 33% of their validators being slashed for double voting. Simultaneously, the incident takes down their full infrastructure, leaving 100% of their validators offline for 7 days, incurring missed attestation penalties.
Triggers:
- Faulty infrastructure exposes signing keys to the public.
- A malicious actor uses those keys to perform double votes, triggering slashing.
- Operator reacts by shutting down infra to prevent further damage, causing full offline status.
Assumptions:
- The affected Lido node operator holds 3% (approximately 280,576 ETH) of the total Lido stake.
- ~33% of the operator’s stake (approximately 92,160 ETH) is slashed, and the remaining 67% is taken offline for 7 days, with the slashed 33% being placed into a forced withdrawal queue for 8,192 epochs.
- Total stake: 34,000,000 ETH
- Staked ETH with Lido: 9,370,630 ETH
Simulation Output:
Projected Loss for Lido: Low – (1000 ETH)
Post-Pectra, total losses in this scenario decrease by 67.8%, from 3,108.09 ETH to 1,000.02 ETH. The sharpest drop comes from the initial slashing penalty, which falls by 99.2% (from 2,880 ETH to 22.50 ETH) due to changes introduced by EIP-7251. However, this is partially offset by the correlation penalty, which rises from 0 ETH to 749.42 ETH, due to the removal of the rounding behavior that previously allowed correlation penalties to be skipped below a ~1.04% threshold.
The attestation penalty from 7 days of downtime remains unchanged at 228.09 ETH, as it is not affected by Pectra.
Overall, while still non-trivial, the reduction in penalties post-Pectra makes this scenario significantly more manageable for the protocol. If the DAO chooses to cover the loss from its slashing insurance fund (currently holding ~6,500 stETH), this incident could be fully absorbed without impact on stETH holders.
Downstream Effects on Aave: Negligible
4. High-Scale Slashing Event (Operator-level)
Category | Rating |
---|---|
Impact | Moderate |
Projected ETH Loss | 7513 ETH |
% of Lido Stake | ~0.08% |
Impact on Aave | Negligible |
Due to an extreme operational failure (e.g. widespread key leak or internal compromise), 100% of the validators operated by a large Lido Node Operator are slashed for violating consensus rules (e.g., double voting). All are forcibly exited, incurring the initial slashing penalty, correlation penalty, and missed attestation penalties over the full 36-day withdrawal delay period.
Trigger
- A Node Operator has their entire set of validator keys leaked (e.g., local keystore misconfiguration).
- A malicious actor double-signs for every validator.
Assumptions:
- The affected Lido node operator holds 3% (approximately 280,576 ETH) of the total Lido stake.
- 100% of the operator’s stake is slashed, and the operator is placed in a forced withdrawal queue for 8,192 epochs.
- Total stake: 34,000,000 ETH
- Staked ETH with Lido: 9,370,630 ETH
Simulation Output
Impact on Lido’s Stake: Moderate - (7513.12 ETH)
The initial slashing penalty drops dramatically by 99.2% after Pectra (from 8,768 ETH to 68.50 ETH) thanks to the updated MIN_SLASHING_PENALTY_QUOTIENT. However, with the rounding bug in correlation penalty math now fixed via EIP-7251, the correlation penalty jumps from 0 to 6,946.14 ETH, making up the bulk of post-Pectra losses.
In total, Pectra reduces the slashing impact by 1,753.36 ETH (or 18.9%) for this high-scale event. While this is a meaningful reduction, the introduction of non-zero correlation penalties post-Pectra ensures that slashing events of this magnitude continue to carry substantial financial consequences.
The attestation penalty remains unchanged at 498.48 ETH, as it is independent of Pectra-related changes.
Despite the sizable ETH loss, this scenario still falls within the range of manageable outcomes. Lido DAO’s slashing insurance fund, currently holding ~6,500 stETH, could absorb the majority of this impact—assuming the DAO elects to activate the coverage.
Downstream Effects on Aave: Negligible
5. Consensus Breaking Execution Layer Majority Client Bug (Finality Lost for 24 Hours)
Category | Rating |
---|---|
Impact | Medium |
Projected ETH Loss | 5,833.1 ETH |
% of Lido Stake | ~0.062% |
Impact on Aave | Negligible |
A critical bug is discovered in a majority Execution Layer client, such as Geth or Nethermind, which causes affected validators to produce invalid execution payloads that break consensus when included in attestations.
Because between 33% and 66% of the validator set uses the faulty EL client, the network cannot finalize, as fewer than two-thirds of validators are now effectively contributing to consensus.
This results in the Beacon Chain entering inactivity leak mode, where all offline or faulty validators are penalized with quadratically increasing inactivity penalties over time — even though no slashing occurs.
Trigger
- A bug in the EL client (e.g., Geth or Nethermind) causes block execution failures or invalid payloads.
Assumptions
- Validator Exposure: 40% of active validators are assumed to be running the faulty EL client. (As of this analysis, Geth holds a 41% market share and Nethermind 38%, according to data from clientdiversity.org.)
- Incident Duration: Inactivity leak persists for 24 hours due to prolonged lack of finality
- Slashing Events: No slashing occurs — validators are not malicious, but their votes are ineffective due to faulty execution payloads
- Lido Exposure: In the worst-case scenario, 40% of the stake on Lido is running the faulty EL client, and none of the Lido operators are able to switch to a functioning client until finality is restored. (As of the latest data shared by Lido DAO in their Q4 2024 Operator Metrics report, curated module operators run 39.55% Nethermind and 35.57% Geth)
- Total stake: 34,000,000 ETH
- Staked ETH with Lido: 9,370,630 ETH
Recovery Path
- Validators can recover by switching EL clients to a healthy implementation.
- Once the execution client team has investigated the bug and developed a solution, the client will be upgraded to the fixed version.
- Finality resumes once at least 66% of validators produce valid attestations.
Simulation Output
Projected Loss for Lido: Medium - 5833.1 ETH
This scenario underscores the importance of client diversity. If no single Execution Layer (EL) client exceeds 33% market share, Ethereum can continue finalizing blocks even if a minority client fails—completely avoiding inactivity leaks like the one modeled here. The 24-hour non-finality period and resulting ETH penalties only occur because a majority of validators rely on a small set of EL clients.
To Ethereum’s credit, this risk has been substantially reduced over time. Geth held a supermajority (>66%) of the EL client share for a very long time, which would have posed an existential risk: a bug in a supermajority client could have caused mass validator leakage and required slashing-level ETH losses just to restore finality. Worse, it could have triggered a chain split or forced the entire community to socially coordinate around a faulty chain, undermining Ethereum’s credibility and trustworthiness.
Today, thanks to community-wide efforts to diversify client usage, no EL client holds more than 50% market share—eliminating the supermajority risk. Still, the goal should be to prevent any client from exceeding 33% usage. While a majority EL client bug is recoverable (unlike its Consensus Layer counterpart), the ETH loss, coordination cost, and reputational impact can still be significant. Client diversity is the best long-term defense against this risk.
Fortunately, most professional operators—particularly those in Lido’s curated module—already maintain parallel client stacks, allowing rapid failover in case of issues. This makes the modeled loss here a worst-case projection, with the real-world outcome likely far less severe.
Downstream Effects on Aave: Negligible
6. Consensus Layer Majority Client Bug (Finality Blocked, Inactivity Leak Triggered)
Category | Rating |
---|---|
Impact | High |
Projected ETH Loss | 634,647.9 ETH |
% of Lido Stake | ~6.77% |
Impact on Aave | High |
A critical bug is discovered in a majority Consensus Layer (CL) client—such as Prysm—used by approximately 40% of Ethereum validators. In this case, validators running the faulty client incorrectly compute which epoch should be finalized due to a misinterpretation of the consensus state. This leads them to cast invalid source votes, locking themselves into a divergent chain. As a result, their attestations become ineffective, preventing the network from reaching finality and triggering an inactivity leak.
Because these validators control more than one-third of the total stake, the remaining 60% cannot reach the two-thirds threshold required for finality. This leads the Beacon Chain to enter inactivity leak mode, during which validators on the faulty client begin to lose ETH through quadratically increasing penalties for failing to participate.
Unlike Execution Layer bugs, the impact of a consensus-layer bug is more severe: validators cannot safely switch to a healthy client without risking slashing via the surround vote rule. Their only viable option is to remain inactive and incur penalties until finality can be restored.
Finality can only be restored once the effective balance of the faulty 40% drops below one-third of the total stake. For this to occur, each affected validator with a 32 ETH balance must lose approximately 7.2 ETH, assuming the faulty client controls 40% of the network. In a network with 1.05 million active validators, reaching this level of ETH burn would require around 13 days of continuous inactivity leak—after which the healthy 60% can regain finality, and the faulty validators can safely rejoin the network.
Trigger
- A faulty release of a consensus client is deployed (e.g., a Prysm/Lighthouse bug affecting attestation logic or fork choice rule).
Assumptions
- Validator Exposure: 40% of validators run the faulty CL client. (As of this analysis, Prysm holds a 41.35% market share and Lighthouse 34.67%, according to data from clientdiversity.org.)
- Incident Duration: Finality can only be restored once enough ETH has leaked from faulty validators to reduce their voting power below one-third. Assuming the faulty client has a 40% market share and there are 1.05 million active validators, this would take approximately 13 days.
- Slashing Events: It is assumed that validators won’t attempt to switch clients or exit and vote improperly.
- Lido Exposure: 30% of the stake on Lido is running the faulty CL client. (As of the latest data shared by Lido DAO in their Q4 2024 Operator Metrics report, curated module operators run 27.53% Lighthouse and 23.14% Vouch (multi-node validator client).)
- Total stake: 34,000,000 ETH
- Staked ETH with Lido: 9,370,630 ETH
Recovery Path
- Validators running the faulty client are effectively locked out of consensus.
- They must remain inactive and absorb penalties while waiting for the two-thirds threshold to be reached.
- Once finality is restored, validators on the faulty client can safely switch to a healthy client.
Simulation Output
Projected Loss for Lido: High (634,647.9 ETH)
In this scenario, where approximately 30% of Lido Node Operators run a faulty majority consensus client and are locked into 13 days of inactivity leak, Lido is projected to incur a loss of roughly 634,647.9 ETH, representing a 6.77% reduction in total ETH backing for stETH.
However, client diversity remains the ultimate safeguard against such scenarios. Ongoing efforts—such as Lido’s operator set requirements and community initiatives—are steadily pushing toward reducing the dominance of any single Consensus Layer (CL) client. While Prysm and Lighthouse still hold more than 33% market share, these figures are gradually decreasing, and a further drop below the critical 33% threshold would significantly mitigate the risk of consensus-halting bugs.
Encouragingly, Lido has already made strong strides in reducing correlated CL risk exposure. Many curated Node Operators now run minority clients (e.g., Teku, Nimbus), and some employ multi-node setups like Vouch, which enhances both resilience and client diversity within a single validator instance.
In the event of a prolonged negative CL rebase—such as 13 days of inactivity leak triggered by this incident—Lido would activate “bunker mode.” This protocol-level mechanism temporarily pauses withdrawal requests to prevent sophisticated users from exiting the staking pool ahead of penalties being applied. The purpose of bunker mode is to enforce the “socializing principle”, ensuring that penalties are fairly distributed across both exiting and remaining stETH/wstETH holders. Bunker mode remains active until the CL rebase becomes positive again, meaning the validator set has recovered and the penalty application has ceased.
Without bunker mode, users aware of the event could unstake before the penalties are reflected in the oracle reports, leaving the remaining pool to absorb the losses. This would break the fairness assumption underpinning stETH’s design. The bunker system, therefore, is not just a failsafe—it is a critical alignment mechanism for preserving fairness, integrity, and trust in the protocol during tail-risk events.
Downstream Effects on Aave: High
With stETH and wstETH losing 6.77% of their backing to penalties, even though the penalties will apply over the next 13 days, it is safe to assume that the market would front-run this and the price would drop to fair value immediately. Given this inherent delay and the application of bunker mode, the market price would thus find parity at a value reflective of its post-penalty backing, thereby deviating by more than 1 - E-mode LT and leading to continuous arbitrage against Aave. Such a scenario would require swift freezing of the market before it causes severe instability within the protocol, as outlined in the LST Oracle Implementation section. The implementation of a Risk Oracle or dual Price Oracle structure would help eliminate such second-order effects entirely.
Furthermore, with an aggregation of penalties occurring once each day through Lido’s AccountingOracle, and thus debasing periodically, the market price deviation from the exchange rate of wstETH would result in moderate overpricing, making potential liquidations of wstETH-collateralized stablecoin debt positions unprofitable. This deviation would effectively decay over time to ultimately reflect the market-priced fair valuation by the 13th day, given by the information uncovered on day 1. Should ETH’s price decline over this 13-day window, wstETH collateral—currently supporting approximately $450 million in stablecoin debt with a Liquidation Threshold of 81%—retains a buffer before any risk of bad debt materializes. Within such a scenario, the liquidation bonus is likely to be scaled upward to adequately compensate liquidators to offload such debt when triggered due to an ETH price decrease.
With the WETH market being underwritten by the vast majority of wstETH collateral while representing a significant portion of collateralized WETH debt, WETH suppliers are likely to react such that they minimize overall exposure to mispriced collateral and eventual bad debt accrual. The integration of Umbrella would result in supplied WETH being allocated as a “junior tranche” to then cover any shortfall as the first line of defense, while the cooldown period ensures that they cannot exit early. However, such activity is still moderately conducive to non-umbrella WETH supplier withdrawals, especially if the underlying ETH price drops, forcing rehypothecated supplied WETH collateral to exit the market.
In this scenario, the WETH interest rate curve can be adjusted as part of an implicit optimization problem aimed at minimizing systemic withdrawal risk while preserving protocol solvency. The optimization would consider the distribution of WETH-collateralized debt and the proportion of LST and LRT-backed positions. If native WETH collateral exposure is dominant and at risk of liquidation while market utilization nears 100%, increasing the curve’s slope may adequately compensate new suppliers. Conversely, if a large share of debt is backed by LSTs or LRTs, lowering rates can prevent premature unwinds and bad debt accumulation triggered by significant net interest accrual.
In any case of Aave-Native mitigation, after the accumulated debasing events, Aave users who supplied wstETH as collateral will face a significant drop in collateral value. Based on current health factors and LTV thresholds, our simulations indicate that this price decline is projected to trigger $350 million in liquidations across Aave’s wstETH markets, with Aave incurring potentially $233,000 in bad debt, the majority of which naturally stems from WETH debt positions in e-mode.
7. Minority Consensus Layer Client Bug Triggers Slashing Event
Category | Rating |
---|---|
Impact | Severe |
Projected ETH Loss | 1,409,226.8 ETH |
% of Lido Stake | ~15% |
Impact on Aave | Severe |
A critical bug is introduced in a minority consensus client (e.g., Teku), which controls ~25% of Ethereum validators. The bug causes validators using the client to sign slashable messages, such as double attestations or surround votes. While the issue does not impact the broader network’s ability to finalize, it results in widespread slashing of validators on the faulty client.
Due to client diversity within Lido, 20% of its validator set is exposed to the bug — leading to a material reduction in backing for stETH and downstream implications for DeFi protocols like Aave.
Trigger
- A release of a minority CL client contains a bug in the attestation logic, leading to conflicting or out-of-order attestations that are picked up by slashers.
Assumptions
- Validator Exposure: 25% of validators run the faulty CL client. (As of this analysis, Teku holds a 24% market share, according to data from clientdiversity.org.)
- Slashing Events: It is assumed that all validators running faulty CL are slashed simultaneously within the same epoch.
- Slashing Protection: It is assumed that all validators’ slashing protection databases either failed or were disabled at the time of the incident. While this is a highly unlikely scenario—given that slashing protection is a simple and well-tested piece of logic—we include it to illustrate the worst-case outcome.
- Lido Exposure: 20% of the stake on Lido is running the faulty CL client. (As of the latest data shared by Lido DAO in their Q4 2024 Operator Metrics report, curated module operators run 21.1% Teku).
- Total stake: 34,000,000 ETH
- Staked ETH with Lido: 9,370,630 ETH
Simulation Output
Projected Loss for Lido: Severe (1,409,226.78 ETH)
This scenario leads to a modeled loss of 1,409,226.78 ETH, equivalent to ~15% of Lido’s total staked ETH. The majority of the loss stems not from the initial slashing penalty—which is minimal post-Pectra—but from the correlation penalty, which scales sharply due to the large share of validators affected simultaneously.
Affected validators lose nearly 75% of their stake, primarily due to the high correlation penalty, which is amplified by the sizable market share of the faulty consensus client. Notably, the Pectra upgrade has minimal impact on mitigating losses in this scenario, as the vast majority of the penalty arises from correlation effects rather than initial slashing penalties.
Given the sheer scale of this event, Lido’s bunker mode will be activated, temporarily pausing withdrawals from the stETH and wstETH contracts. This is a critical defense mechanism designed to prevent sophisticated users from front-running the penalties during the 18-day delay before correlation penalties are fully applied. By doing so, Lido ensures that losses are socialized evenly across all holders and not disproportionately borne by those who remain in the protocol after others have exited.
Downstream Effects on Aave: Severe
The projected 15% depeg in the stETH-to-ETH exchange rate would be fully reflected in wstETH, causing a dramatic drop in the value of wstETH collateral held on Aave. Much like the scenario above, the news of such a correlated slashing event would trigger panic, prompting stETH and wstETH holders to rush to DEXs to exit their positions. With bunker mode activated and DEXs as the only available exit path, the price of stETH would likely reprice immediately—well in advance of the correlation penalties that are formally applied 18 days later.
As per above, the market price would thus find parity at a value reflective of its post-penalty backing, thereby deviating more than 1 - E-mode LT and leading to continuous arbitrage against Aave. Such a scenario would require an even swifter freezing of the market before causing severe instability within the protocol, as outlined in the LST Oracle Implementation section. The implementation of a Risk Oracle or dual Price Oracle structure would be integral in eliminating such second-order effects.
In contrast to an inactivity leak, which results in periodic stake debasement, the correlation penalty is not applied until the 18th day. Consequently, any deviation between the market price and the exchange rate of wstETH prior to this application leads to pronounced overpricing, rendering liquidations of wstETH-collateralized stablecoin debt positions economically unviable. This overvaluation persists throughout the entire 18-day window, with the deviation remaining effectively constant.
If ETH’s price declines during the 18-day period, wstETH collateral—currently underwriting approximately $450 million in stablecoin debt with a Liquidation Threshold of 81%—retains a buffer before the emergence of bad debt. Within such a scenario, the liquidation bonus is likely to be increased to adequately compensate liquidators to offload such debt when triggered due to an ETH price decrease. However, the extent of the deviation is likely to contribute to bad debt, per the LTV bad debt threshold of 1/(1+liquidation bonus), likely being lower than the LT and thus the outstanding debt position LTVs.
A more severe manifestation of this dynamic would closely resemble the previously described scenario involving WETH market imbalances, mispriced wstETH collateral, and systemic withdrawal pressures. However, in this case, the risk vectors would be amplified, characterized by deeper price dislocations, accelerated bad debt formation, and more pronounced liquidity fragmentation. The same mechanisms, such as Umbrella’s junior tranche structure and interest rate curve optimization, would remain relevant but would require more aggressive parameter adjustments and tighter coordination to mitigate the compounding risks of correlated liquidations and collateral flight.
Post-debasing, this level of price shock would leave the vast majority of wstETH-denominated E-mode positions underwater and leave bad debt within the protocol. Based on current Aave positions, the debasing alone is estimated to trigger a minimum of $824 million in liquidations and cause $48 million in bad debt, among the second-order effects as described above.
Important Context: Why This Scenario Is Extremely Unlikely
This scenario represents an edge case of edge cases and is included primarily to illustrate a theoretical worst-case outcome for wstETH users and Lido.
- This scenario assumes that 100% of validators using the affected client simultaneously broadcast slashable attestations and that every single slashing protection database failed at the same epoch — an extraordinarily rare confluence of failures.
- It further assumes that slashing protection systems failed entirely, meaning validators signed conflicting messages without safeguards in place. This is extraordinarily unlikely, as virtually all production-grade validator setups use dedicated slashing protection mechanisms.
- Tools like Web3Signer and Dirk are explicitly designed to prevent validators from signing messages that would result in slashing. Even if a validator is running a buggy consensus client that misinterprets the fork choice or source epoch, these tools act as a final checkpoint, preventing slashable messages from being broadcast based on the validator’s local history.
- In Ethereum’s entire PoS history (~3 years), there has never been a bug-related slashing event. This is due to rigorous design standards and redundant safety checks in all major consensus clients, which explicitly prevent the signing of slashable messages.
Despite its vanishingly low probability, this scenario is included to model the upper bound of systemic risk that could occur if multiple defense layers failed simultaneously, offering critical insight into the importance of diverse, redundant, and secure validator infrastructure.
Conclusion
This analysis demonstrates that the severity and scope of risks to Lido and DeFi protocols like Aave vary greatly depending on the nature of the failure and whether the issue originates at the operator or network level. By modeling outcomes both pre- and post-Pectra, we observe that the Pectra upgrade significantly reduces initial slashing penalties while simultaneously ensuring that all slashing events now result in non-zero correlation penalties. These changes shift the risk profile in meaningful ways, mitigating the impact of isolated failures but preserving strong disincentives for correlated slashing behavior.
Even in the most extreme operator-level cases—such as the full slashing of a top Lido Node Operator controlling 3% of total stake—the impact on the stETH-to-ETH exchange rate remains relatively small. The downstream effects on Aave are minimal, with only negligible liquidations and no significant bad debt. These outcomes become even less severe in a post-Pectra Ethereum, where lower initial slashing penalties reduce the financial consequences of isolated operator errors. Taken together, this suggests that individual operator failures are generally survivable and do not pose systemic risk to Lido or the broader DeFi ecosystem.
By contrast, critical bugs in majority consensus clients—such as Prysm or Lighthouse—continue to represent the most dangerous class of failures. These incidents can trigger Beacon Chain non-finality, force prolonged inactivity leaks, and lead to significant ETH losses as validators are effectively trapped until the faulty client’s voting power drops below one-third. Execution Layer bugs, even in majority clients, are far less severe: validators can safely switch clients without risking slashing and resume participation with minimal disruption. This makes EL bugs both easier to manage and quicker to recover from.
As covered in the Mitigation Measures section, several tools already exist to reduce operator, protocol and network-level risk — including slashing protection databases, multi-client coordination layers (e.g., Vouch, Vero), redundant infrastructure, and DVT — all of which help minimize the risks associated with running Ethereum validators. On Aave’s side, assuming an adverse scenario were to unfold, a suite of proactive risk measures can be deployed to minimize direct losses and contain second-order effects within the protocol. These include automated market freezes for LST or LRT assets, deficit coverage through the Umbrella mechanism, and dynamic adjustments to key risk parameters—such as interest rate curves and liquidation bonuses—all serving as additional layers of protection.
Ultimately, stress testing should be a continuous process, not a one-time exercise. As Ethereum evolves and Lido’s validator set grows in complexity, regularly modeling worst-case scenarios across both node operator and client failure dimensions ensures that risks remain visible, measurable, and actionable. Our hope is that this analysis can serve as a foundation for ongoing risk monitoring and informed governance decisions moving forward.