Curve
Dec 12, 2023
Useful Links:
Website: https://www.staderlabs.com/
Contracts: Docs - Contracts
Governance: Stader Snapshot | Stader community forums
Markets: Curve ETHX-ETH | Curve ETHX-wstETH | Uniswap | PancakeSwap
Dashboards: ETHx Metrics | Node Operator Dashboard
Introduction
This report is conducted by the Prisma independent risk and research team operated by Llama Risk as part of a series on LSD collateral risk assessments. In this report, we examine Stader's ETHx.
This report will comprehensively cover all relevant risk factors of Stader ETHx for collateral onboarding. Our approach involves both quantitative and qualitative analysis to help determine whether the collateral can be safely onboarded and to what extent there should be restrictions on the protocol’s exposure to the collateral.
As Prisma will be onboarding a variety of LSDs as collateral, our review involves comparative analysis to determine suitability as collateral. Risks are categorized into:
Market Risk - risks related to market liquidity and volatility
Technology Risk - risks related to smart contracts, dependencies, and oracle price feeds
Counterparty Risk - risks related to governance, centralization vectors, and legal/regulatory considerations
These risk categories will be summarized in the final section of this report and are meant to assist tokenholders in their determination around ETHx onboarding and setting suitable parameters.
Section 1: Protocol Fundamentals
This section addresses the fundamentals of the proposed collateral. It is essential to convey (1) the value proposition of ETHx, and (2) the overall architecture of the protocol. This section contains descriptive elements that cannot be quantified and act as a descriptive introduction to the collateral.
This section is divided into 2 sub-sections:
1.1: Description of the Protocol
1.2: System Architecture
1.1 Description of the Protocol
Key metrics (as of November 24th, 2023)
Circulating Supply: 37,851
Staked Tokens: 41,904
Number of validators: 1057
Number of operators (mainnet): 195
Market share of ETH staked: 0.00424% (via data from DefiLlama)
Market share of LSDs: 0.37%
With the top three ETH staking entities accounting for over 90% of the LSD market by TVL, Stader aims to address the high concentration of staking power. Stader also addresses the challenge of permissionless node operation.
ETHx employs a multi-pool architecture that features both a permissionless pool for open node operation and a permissioned pool with vetted validators, ensuring consistent performance in phase I. In phase II, ETHx plans to pioneer dedicated stake pools that leverage Distributed Validator Technology (DVT) as a part of its forward-looking approach to technology adoption.
Source: Stader - Docs
1.1.1 Underlying Collateral
ETHx offers liquid ETH staking, providing users the dual benefit of earning staking rewards while maintaining liquidity. User ETH deposits are exchanged for ETHx tokens, creating a liquid representation of staked assets. The staked ETH is then channeled to the ETHx Node Network, where a decentralized network of nodes performs vital validation tasks, generating staking rewards. This accrued value, reflected in the increasing exchange rate of ETHx, allows users to directly earn staking rewards.
1.1.2 Yield Accrual Mechanism
Stader's liquid staking token, ETHx, uses an oracle contract that reflects an increase in ETHx value as staking rewards, MEV and tips accrue to users' staked ETH. This oraclized model is easier to integrate with the wider DeFi ecosystem compared with rebasing tokens.
Stader relies on a whitelisted Oracle Committee that relays the ETH TVL in the system to the oracle contract for the purpose of distributing yield. There is a rate and frequency limit imposed on the contract.
Validators perform validation tasks and rewards accrue to their pubkey addresses on the beacon chain. A distinct withdrawal mechanism, the ValidatorWithdrawalVault, ensures equitable distribution among Stakers, Node Operators, and the Stader DAO Treasury. This mechanism is applied universally and maintains the collateral and commissions structure for permissionless and permissioned pool validators.
Moving to the execution layer, MEV and priority fees become relevant for node operators. MEV, an operator's ability to optimize transactions within a block, is a mandated component for all Stader node operators. Meanwhile, priority fees represent compensation for batching certain transactions in a block. A socializing pool facilitates consistent rewards, offering operators a share based on performance and the number of validators operated. Permissionless operators directly access a portion of execution layer rewards, complemented by a commission on the staked ETH. Permissioned operators earn a percentage commission on their entire staked amount.
1.1.3 Provider Fee
There is a 10% fee on both consensus and execution layer rewards that is equally distributed between node operators and Stader's Treasury.
1.1.4 Node Operator Set
Empowering smaller node operators is a focus for ETHx which is achieved through Stader’s permissionless pool. This pool allows anyone with 4.4 ETH worth of collateral to operate a node. By depositing 4 ETH and between 0.4 and 8 ETH worth of Stader governance token (SD) per validator, they can join the permissionless pool.
In contrast, the permissioned pool onboards select operators with a proven history of node operation, requiring no collateral and subject to KYC checks and a Stader DAO whitelist process via Snapshot.
To ensure a secure onboarding process, ETHx addresses potential exploit vectors.
Invalid key data submission during validator registration triggers Stader to deposit 1 ETH from the operator's security bond to the ETH deposit contract. Although unrecoverable in case of incorrect data, this safeguards stakers' ETH, with the operator still receiving 3 ETH back.
Additionally, the protocol combats frontrunning by splitting the 32 ETH deposit into two steps. Any attempt to frontrun in the permissionless pool results in the loss of the operator's 1 ETH, with the remaining 3 ETH penalized and transferred to the Stader Insurance Fund. For permissioned pool validators, a front-run leads to a transfer of 1 ETH from the Stader Insurance Pool to compensate for the loss, ensuring a fair and secure onboarding process for all operators.
1.1.5 Validator Selection
Validator selection, crucial for fairness and decentralization, uses a first-come-first-served approach for permissionless pools and round-robin for permissioned pools. Both aim for equitable distribution of staked ETH.
Stader efficiently distributes stakers' ETH, provisioning 28 ETH for permissionless pools and 32 ETH for permissioned pools. It ensures thorough security checks for validators before distribution, penalizing abnormal behavior. After activation on the Beacon Chain, validators are expected to maintain uptime and uphold execution layer rewards, with penalties enforced for deviations.
In summary, Stader's deposit workflow seamlessly integrates various pools, implements effective deposit limits, allocates stake, selects validators, and ensures secure and efficient distribution of staker assets to Beacon Chain validators.
1.1.6 Governance Model
There is a governance process involved with key aspects of the protocol, including contract upgrades, on/offboarding node operators, and parameter changes.
Draft proposals in the Stader ecosystem typically undergo a three-day discussion period on the Stader Forum, followed by a four-day off-chain voting period on Snapshot. Voting power in the system is granted to holders of the Stader governance token (SD). Voting results are determined by a simple majority and a 1m SD quorum requirement. Once a vote passes, the team executes the proposal with the required actions through their multisig composed of several independent members, as disclosed in the docs.
In the future, Stader aims to transition towards complete on-chain governance, enabling SD and ETHx holders to actively propose and implement protocol changes.
1.2 System Architecture
1.2.1 Network Architecture Overview
At its core is the StaderStakePoolManager, the exclusive ETHx minter, facilitating user interactions for staking and depositing ETH. This contract interacts with ETHx to mint tokens at the prevailing exchange rate.
The PoolSelector orchestrates the validator selection process, incorporating pool weights to determine selections, ensuring an organized and efficient validator selection process across both permissioned and permissionless pools. PermissionedPools and PermissionlessPools implement distinct validator selection logic, distributing validators among operators and managing deposits systematically.
The PermissionedNodeRegistry is a critical mapping tool, systematically tracking whitelisted permissioned operators and their associated details. The PermissionedPool registers validators on the beacon chain, allocating 1 ETH for selected validators and managing the remaining 31 ETH until key validation is confirmed.
The VaultFactory Contract deploys withdraw vault contracts for each validator, uniquely identified, while the PermissionlessNodeRegistry manages Operator and Validator Structs, deposit queues, and ETH collateral. The PermissionlessPool Contract receives funds from the Stake Pool Manager, executing deposit transactions and maintaining comprehensive pool statistics.
Contracts like the SocializingPool, WithdrawalVault, Penalty, PoolFactory, and StaderOracle contribute to MEV reward distribution, on-demand reward withdrawals, penalty enforcement, and secure market data feeds, respectively.
In the withdrawal and settlement processes, the UserWithdrawalManager handles user-initiated withdrawals, employing preventive measures against sandwich attacks. Simultaneously, the ValidatorWithdrawalVault manages the final 32 ETH from a successful node exit, settling funds through the SettleFunds method, involving Staker, Node Operator, and Stader Treasury, ensuring transparent handling of ETHx token burning and validator fund settlements. This comprehensive architecture ensures a secure and efficient operation of the Stader ecosystem.
1.2.2 Architecture Diagram
The following Miro board covers the contracts and workflows involved with all system mechanics, including:
User Deposit Workflow
Permissioned Operator and Validator Workflow
Permissionless Operator and Validator Workflow
Deposit Workflow
Exchange Workflow
MEV Penalty Workflow
Pool Workflow
Validator Exit Mechanism
SD Collateral Onboarding for Permissionless Operators
Rewards Workflow
User Withdrawals Workflow
Section 2 Performance Analysis
This section evaluates ETHx from a quantitative perspective. It analyzes token usage and competitive metrics, and accounts for subsidized economic activity.
This section is divided into 3 sub-sections:
2.1: Usage Metrics
2.2: Competitive Analysis Metrics
2.3: Subsidization of Economic Activity
2.1 Usage Metrics
2.1.1 Total Value Locked (TVL)
ETHx has experienced steady growth since launch with a large TVL expansion in late October.
Source: Dune - ETHx General Metrics
For reference, Stader has additional products available on Polygon, Hedera, BSC, Fantom, Near, and Terra2. Note that Polygon has the second highest TVL after Ethereum, but Polygon staking takes place on mainnet and is included under the "Ethereum" category on DefiLlama.
Source: DefiLlama - Stader
2.1.2 Transaction Count
ETHx has had a daily tx count ranging between 6 and 76 since August 1st. The average daily tx count has been increasing since mid-September.
Source: Dune - Stader ETHx - TXs and Price
2.1.3 DEX Trading Volume
Historical DEX trading volume is mostly on Curve, KyberSwap, UniV3, and Balancer. Trading volume is irregular, ranging from $1.2k to $3.9m over the past month.
Source: Dex.guru | Date: 10/23/2023 - 11/21/2023
2.1.4 Average Transaction Size
The average tx size has historically been cyclical, ranging from $1,560 to $1,075,633 since August 1st.
Source: Dune - Stader ETHx - TXs and Price
2.1.5 Volume to Market Capitalization Ratio
The daily volume to market cap ratio has historically been cyclical, ranging from .011% to 1.74% since August 1st.
Source: Dune - Stader ETHx - TXs and Price
2.1.6 LSD Token Velocity
The average ETHx holding time for current holder addresses is 32 days as of November 15. 1/3 have held ETHx for over 90 days followed by 21% having held for 30-90 days. Note that ETHx has not been live for over 180 days, hence 0% for that category in the chart below.
Source: Dex Guru - ETHx Token Profile | Date: 11/15/2023
2.1.7 Active Addresses/Users
The number of daily unique addresses involved in token transfer events has been increasing overall. There was a decline from August to September, which has since reversed. Since August 1st, the number of daily unique senders/receivers has ranged from 8 to 62.
Source: Etherscan Analytics - ETHx
2.1.8 User Growth Rate
The number of addresses holding ETHx has been increasing since inception, with a period of stagnation during the month of September followed by a growth spurt in early November.
Source: Dune Analytics
Weekly user growth: 12.43% (calculated 11/18/2023)
Monthly user growth: 33.54% (calculated 11/18/2023)
2.1.9 Integration with Other Protocols
As of 11/22/2023, roughly 1/3 of the ETHx is deployed into DeFi applications. The majority of tokens are held in EOA or multisig wallets.
Source: Etherscan - ETHx | Date: 11/22/2023
Of the DeFi integrations, most tokens are deposited into Pendle's yield futures vault and into the Curve ETHx/ETH and ETHx/wstETH pools. The remainder are divided between UniV3, Wombat, and Balancer pools.
Source: Etherscan - ETHx | Date: 11/22/2023
See below a further breakdown of ETHx allocations within the constituent applications:
Source: DefiLlama | Date: 11/15/2023
2.2 Competitive Analysis Metrics
2.2.1 Market Share
Stader ETHx is relatively new, and currently only makes up 0.36% of the staked ETH market.
Source: DefiLlama | Date: 11/7/2023
Since its inception, ETHx has grown its overall marketshare, which despite its small size is currently at an ATH.
Source: DefiLlama | Date: 11/7/2023
2.2.2 Trading Volume Share in Total LSD Trading Volume
Compared to the LSD assets previously onboarded to Prisma (wstETH, rETH, sfrxETH, cbETH), ETHx has the lowest daily volume behind frxETH. However, of the tokens that have not yet been onboarded, it shows the highest share of trade volume at the time of the snapshot.
Source: CoinGecko | Date: 11/7/2023
2.2.3 Protocol Staking Yield
The STYETH index measures the average daily ETH staking yield. It is referenced against the daily yields on ETHx as reported by DeFiLlama. ETHx yields display much greater volatility and occasionally report 0 daily yield.
Source: DefiLlama and CompassFT
Stader's self-reported yield calculation formula is: Yield = ((ER today - ER yesterday) / ER yesterday) * 365. The discrepancy arises because the Stader oracle committee's consensus process for updating the ER is asynchronous and sometimes extends beyond 24 hours. This delay leads to platforms like DefiLlama, which take daily snapshots at specific times, reporting yield as zero on certain days.
For example, the last ER update was on October 6, 2023 at 11:07:11 AM UTC. The next consensus was reached on October 8, 2023 at 5:25:11 AM UTC. Due to this gap, the yield reported on the 8th was inaccurately high, at 6.4%, which is more than double that of the 6th October.
To address this, Stader is collaborating with their oracle partners to increase the frequency of oracle operations, aiming for quicker consensus achievement. This should help provide more accurate and timely yield data.
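The effect described above, worked through as an added example (not code from Stader or DefiLlama): the formula applied to fixed daily snapshots, next to the same ER change annualised over the time that actually elapsed between updates. The two middle timestamps are the consensus times quoted above; the ER values, the 12:00 UTC snapshot hour and the 24-hour alert threshold are constructed assumptions.

```python
from bisect import bisect_right
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed ER updates. ER values are made up and grow by a steady 0.0001
# per day (about 3.65% a year), so any other yield figure is an artefact.
ER_UPDATES = [
    (datetime(2023, 10, 5, 11, 7, 11, tzinfo=UTC), 1.00000000),
    (datetime(2023, 10, 6, 11, 7, 11, tzinfo=UTC), 1.00010000),  # time quoted in the text
    (datetime(2023, 10, 8, 5, 25, 11, tzinfo=UTC), 1.00027625),  # time quoted in the text
    (datetime(2023, 10, 9, 5, 25, 11, tzinfo=UTC), 1.00037625),
]
FIRST_DAY = datetime(2023, 10, 5, tzinfo=UTC)


def er_at(updates, when):
    """Latest ER published at or before `when`, i.e. what a snapshot reads."""
    times = [t for t, _ in updates]
    i = bisect_right(times, when)
    if i == 0:
        raise ValueError("no ER update before snapshot time")
    return updates[i - 1][1]


def snapshot_yields(updates, first_day, days, hour=12):
    """Yield = (ER_today - ER_yesterday) / ER_yesterday * 365 on daily snapshots."""
    base = first_day.replace(hour=hour)
    prev = er_at(updates, base)
    out = {}
    for d in range(1, days + 1):
        when = base + timedelta(days=d)
        cur = er_at(updates, when)
        out[when.date().isoformat()] = (cur - prev) / prev * 365
        prev = cur
    return out


def interval_yields(updates):
    """Annualise each ER change over the days that actually elapsed."""
    out = []
    for (t0, r0), (t1, r1) in zip(updates, updates[1:]):
        elapsed_days = (t1 - t0).total_seconds() / 86400
        out.append((t1, elapsed_days, (r1 - r0) / r0 * 365 / elapsed_days))
    return out


def stale_gaps(updates, max_gap=timedelta(hours=24)):
    """Intervals between consecutive updates that exceed `max_gap`."""
    return [
        (t0, t1, (t1 - t0).total_seconds() / 3600)
        for (t0, _), (t1, _) in zip(updates, updates[1:])
        if t1 - t0 > max_gap
    ]


if __name__ == "__main__":
    for day, apr in snapshot_yields(ER_UPDATES, FIRST_DAY, 4).items():
        print(f"snapshot {day}: {apr:.2%}")
    for t1, days, apr in interval_yields(ER_UPDATES):
        print(f"update {t1:%m-%d %H:%M}: {apr:.2%} over {days:.4f} days")
    for t0, t1, hours in stale_gaps(ER_UPDATES):
        print(f"ER not updated for {hours:.1f} h ({t0:%m-%d} to {t1:%m-%d})")
```

With these inputs the snapshot series shows a zero day followed by an inflated day, while the elapsed-time series stays flat. The gap check is the same signal a collateral monitor can alert on.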
2.2.4 Slashing Rate
ETHx has not yet been integrated into Rated.network, which would make this data more convenient to access. The team is actively working on this and intends for this information to be available by mid-December.
Currently, the Stader team is monitoring the performance of all validators and operators using their in-house monitoring system. For a detailed view of the ETHx validators' performance, please refer to this spreadsheet.
To date, ETHx validators have had no instances of slashing. This information is recorded and can be verified in column R under the "Permissionless Validators Performance" and "Permissioned Validators Performance" tabs in the above spreadsheet.
Note that ETHx stakers are protected against slashing, as permissionless Node Operators bond 4 ETH and at least 0.4 ETH worth of SD as collateral.
2.3 Subsidization of Economic Activity
2.3.1 Existence of an Incentive Program
Stader (SD) is the utility and governance token of the Stader ecosystem. It is an ERC-20 token with a total supply of 150m tokens. SD is used for incentives and at the moment rewards Stader liquidity providers and ETHx Node Operators for locking SD tokens (source). The incentive program for ETHx Node Operators also includes the ETHx Boosted Commission, a 13,000 SD top-up pool for Rolling Beta Node Operators, and a $65,000 reward pool for AVADO users (AVADO is a mini-PC for running staking nodes) (source).
ETHx Stakers
Stader Incentive Program for ETHx stakers was dedicated to participants who staked their Ethereum tokens with Stader during their launch month (from July 10, 2023, to August 9, 2023 UTC). The incentive program offers a 50% boost on rewards (in the form of Stader governance token SD) without any upper limit on the stake amount. ETHx staked in LPs is also eligible for the reward boost. The rewards, calculated daily, were aggregated for the entire duration of the launch month and were provided as an air-drop after the launch month.
The rewards are calculated on a daily basis by enhancing the base staking rate by 50% (after accounting for a 10% commission).
ETHx Node Operator
For eligibility in the boosted commission program, node operators must have joined ETHx within a month of launch, register a node on the Stader mainnet network, and add four validators within the launch month. The enhanced commission, applicable for the first year post-launch, will be disbursed monthly as SD rewards based on monthly performance. Notably, the boost is exclusive to the initial four validators per operator spun during the launch month, with any additional validators incurring a standard 5% commission.
Avado is Stader’s plug-and-play PowerUp partner. The partnership aims to lower the technical barriers of running an ETH node. A healthy prize pool of $65,000 has also been apportioned to incentivize ETHx node operators using Avado machines.
2.3.2 Size of the Incentive Program in USD
The SD token incentives emission program is updated on a monthly basis. The image below shows SD incentives data and distribution over supported chains for the last 3 months:
Source: Stader Governance Forum
The bar chart below shows the total SD incentive distribution for the last 11 months (blue bar) and the share of total incentives distributed to the Ethereum Network (red bar).
Source: Stader Governance Forum
In total, 2,779,657 $SD tokens have been distributed over 11 months in 2023, of which 734,756 SD were distributed to ETHx on the Ethereum Network.
Section 3 Market Risk
This section addresses the ease of liquidation based on historical market conditions. It seeks to clarify (1) the Liquid Staking Basis & Volatility of ETHx, and (2) the liquidity profile of the collateral. Market risk refers to the potential for financial losses resulting from adverse changes in market conditions.
This section is divided into 2 sub-sections:
3.1: Volatility Analysis
3.2: Liquidity Analysis
3.1 Volatility Analysis
3.1.1 Liquid Staking Basis (LSB)
Note: The “Liquid Staking Basis & Volatility Analysis” section is based on data provided by the CoinGecko Terminal API. We used OHLCV (Open, High, Low, Close, Volume) daily data for the analysis.
The LSB (Liquid Staking Basis) represents the price difference between ETHx (liquid staking token) and its underlying asset, ETH. It measures the deviation of the ETHx price from the ETH price.
Source: Coingecko Historical Data
The LSB values range from negative to positive, indicating periods when ETHx traded at a discount or premium relative to ETH. The overall trend shows that ETHx has generally traded at a slight discount to its underlying ETH.
Absolute Liquid Staking Basis (LSB_abs)
The LSB_abs represents the absolute value of the LSB, indicating the magnitude of the price difference between ETHx and ETH without considering the direction (premium or discount).
Source: Coingecko Historical Data
This Dune query additionally demonstrates the methodology to derive the LSB.
3.1.2 LSD Volatility
The Volatility chart below shows the ETHx daily returns compared to the previous day snapshot price according to Coingecko data.
Source: CoinGecko
3.1.3 Yield Volatility
Yield volatility is calculated from DefiLlama median APY data. According to the available data, ETHx had 0 APY on 6 days. The data is compared against the STYETH ETH staking yield index data.
As explained in section 2.2.3 on ETHx staking yield, the yield volatility is due to asynchronous harvesting by the oracle committee that sometimes extends beyond 24 hours. The Stader team is working with the oracle committee to increase the frequency of oracle operations to provide more accurate and timely data.
Source: DefiLlama and STYETH Compass Index
Over the time period, ETHx exhibited an average APY 0.14% lower than the index.
ETHx: Average 3.63%, Min 0.00%, Max 11.90%
STYETH: Average 3.77%, Min 3.43%, Max 4.23%
3.2 Liquidity Analysis
3.2.1 Supported DEXs and CEXs
ETHx can be traded on Curve, PancakeSwap, UniswapV3, Balancer, and Wombat DEXs. It is not listed on any CEX venues. Note in the image below that Messari does not track the Wombat exchange, although the pool can be seen on the Wombat app.
Source: Messari | Date: 11/14/2023
3.2.2 LSD Token Total On-chain Liquidity
According to DexGuru data (on November 14th, 2023), ETHx total on-chain liquidity on Ethereum is $15,604,044. DexGuru does not calculate the total quantity of tokens in a liquidity pool, but rather the value that they can be swapped for.
Source: DexGuru | Date: 8/16/2023 - 11/14/2023
3.2.3 Liquidity Utilization Rate
The liquidity utilization rate takes the liquidity on exchange divided by the daily volume.
Source: DexGuru | Date: 8/16/2023 - 11/14/2023
The time period produced the following statistics:
Average Liquidity Utilization Rate 2.74%
Min Liquidity Utilization Rate 0.00%
Max Liquidity Utilization Rate 22.51%
3.2.4 LSD Leverage Ratio
ETHx is not supported as collateral on lending protocols, although it has recently passed a Snapshot temp check on November 23rd for onboarding onto Aave.
3.2.5 Slippage
On November 14th, the slippage was 9.71% when 5845.65 ETHx (~$12.1m) was exchanged for ETH. This is high slippage compared to the previously onboarded LSD tokens prevalent in DeFi (frxETH, stETH, rETH).
cbETH shows 37.28% slippage for the same swap size, although most volume for cbETH takes place on centralized exchange.
Source: DefiLlama - Liquidity Tool | Date: 11/14/2023
As liquidity has substantially improved in the past month, a second snapshot was taken on November 26th. A 5758 ETHx (~$12.1m) swap size incurs only 1.49% slippage at this time.
Source: DefiLlama - Liquidity Tool | Date: 11/26/2023
Section 4 Technological Risk
This section addresses the persistence of collateral properties from a technological perspective. It aims to convey (1) where technological risk arises that can change the fundamental properties of the collateral (e.g. unresolved audit issues), and (2) whether any composability/dependency requirements present potential issues (e.g. is a reliable pricefeed oracle available?).
This section is divided into 3 sub-sections:
4.1: Smart Contract Risk
4.2: Product and Layer Composability
4.3: Oracle Pricefeed Availability
4.1 Smart Contract Risk
4.1.1 Protocol Audits
Stader-ETHx has undergone audits conducted by SigmaPrime, Halborn, and Code4rena. The detailed audit reports can be found below:
ETHx Component | Audit Report | Findings
Smart Contracts | ETHx Smart Contracts audit by Halborn (July 4) | 3 medium, 5 low, 6 info
Smart Contracts | ETHx Smart Contracts audit by Sigma Prime (June 1) | 3 high, 6 medium, 3 low, 10 info
Smart Contracts | ETHx Smart Contracts audit by Code4rena (July 19) | 1 high, 14 medium, 24 low
Stader node - Permissionless | ETHx Permissionless Stader node audit by Halborn (June 27) | 4 low, 13 info
Stader node - Permissioned | ETHx Permissioned Stader node audit by SigmaPrime | 1 low, 4 info
Oracles | ETHx Oracles audit by Halborn (June 1) | 1 high, 3 low, 8 info
Off-Chain | ETHx Off-chain audit by Halborn (July 5) | 2 medium, 5 low, 4 info
4.1.2 Concerning Audit Signs
Several issues raised by audits that qualified as Medium risk were not resolved by Stader. User funds are not at risk with the medium-risk issues identified. Stader has had comprehensive discussions with their auditors about these matters, and after a thorough review and mutual agreement, have marked these issues as closed:
ETHx Smart Contracts audit by Halborn - Link (July 4)
Audit Finding (HAL-02): Slashing of a validator in the settleFunds() function of the ValidatorWithdrawalVault contract poses a risk of exceeding the actual penalty due. The issue arises in the implementation of the slashValidatorSD() function, where the calculation of sdToSlash relies on the minimum threshold of the pool (poolThreshold.minThreshold) rather than the accurate deficit between operatorShare and penaltyAmount.
It was advised to pass the precise deficit between operatorShare and penaltyAmount to the slashValidatorSD() function and compare it with poolThreshold.minThreshold using Math.min. The issue has been partially solved by the Stader team. They acknowledge the concern and explain that in cases where the penalty surpasses operatorShare, a fixed amount of SD equivalent to 0.4 ETH is deducted. This approach has been effectively communicated to all Node Operators. Importantly, this penalty does not impact the funds staked by users, providing reassurance in the system's overall integrity.
ETHx Smart Contracts audit by Sigma Prime - Link (June 1)
ETHX2-05 HasEnoughSDCollateral() Check Is Performed Only Once During Onboarding
A concern was identified regarding the validation of SD token quantity during the onboarding of new validators. The check for sufficient SD collateral occurs only once, within the addValidatorKeys() call. This process, contingent upon the price value during onboarding, allows potential exploitation of price volatility.
The audit flagged this as a Medium severity issue with Low impact but High likelihood. The potential consequence is a compromise in the security offered by SD tokens to users against fraudulent or negligent validators. The fluctuation in the market value of SD collateral over the staking duration could alter stakers' incentives, potentially making malicious activities more profitable.
The audit team recommended that stakers should pause accruing rewards until they increase the SD collateral amount to pass the hasEnoughSDCollateral() check. The development team, in response, acknowledged the issue with the assurance that when the minimum SD requirement is not met, operators cease getting SD rewards. They believe this is a sufficient motivating factor for operators to maintain the threshold. Importantly, it was clarified that this issue is specific to Node Operators and does not impact Staked ETH.
ETHX2-06 Submit Functions Are Susceptible To Front Running When Trusted Nodes Are Removed
A vulnerability was identified in the submit functions, specifically when trusted nodes are removed. The issue revolves around the possibility of front-running when a trusted node is removed using the removeTrustedNode() function. The concern is that, despite removal, the node could still vote on balances, withdrawals, or beaconStateRoots due to the current voting process allowing submissions without a delay period if the reporting block is greater than or equal to the current block.number.
The severity is rated as medium with high impact and low likelihood. The recommendation from the testing team suggests introducing a delay before voting begins to prevent malicious entities from voting prior to their removal. The development team, however, closed the issue, asserting that the problem is not applicable in their context. They argue that only approved trusted nodes, which deposit USDC collateral off-chain, are allowed to join. Additionally, trusted nodes are changed in a time-spaced manner to ensure backward compatibility. The development team emphasized that this issue specifically affects the Oracle committee and is unrelated to Staked ETH.
4.1.3 Bug Bounty
Stader has an active bounty program with ImmuneFi offering up to $1 million in rewards to individuals who discover and report bugs and vulnerabilities.
4.1.4 Immutability
All the smart contracts are Proxy Upgradeable.
4.1.5 Developer Activity
The image below shows development activity and the number of contributors per day over a 3-month period:
Source: Santiment Network | Date: 8/15/2023 to 11/16/2023
4.1.6 SC Maturity
The contracts were deployed to mainnet on 5th of June, 2023 by Stader: Deployer. The first transfer of ETHx took place on that day itself (with an amount of 0.01 ETHx).
4.1.7 Previous Incidents
There have not been any security incidents related to ETHx contracts to date.
4.2 Product and Layer Composability
4.2.1 Dependencies
Due to the division between the Ethereum consensus layer and execution layer, an oracle is required to transmit data about the state of validators to set the ETHx exchange rate, on/offboard validators, and penalize faulty validators.
Stader makes use of an Oracle Committee composed of whitelisted oracle operators that provide data to ETHx smart contracts. Oracle operators are selected through a rigorous process involving KYC/KYB and assessment of their historical proficiency. Collectively they contribute data to ETHx smart contracts. These operators receive compensation from the Stader treasury for their service and to cover expenses related to maintaining dedicated infrastructure.
Consensus mechanisms such as majority, median, and deviation threshold are employed across Oracle data feeds. They ensure accurate values from multiple independent Oracle node operators. Values are reported to the Stader Oracle Contract.
Source: ETHx Docs
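A generic sketch of how the mechanisms named above (whitelist, majority, median, deviation threshold) combine with the rate and frequency limits mentioned in section 1.1.2. It is an added example and not Stader's contract logic; the class, the reporter ids and every threshold value are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from statistics import median


@dataclass
class RateOracle:
    """Toy committee-fed exchange-rate oracle (hypothetical, not StaderOracle)."""
    committee: frozenset            # whitelisted reporter ids
    last_rate: float                # last accepted ETH-per-ETHx rate
    last_update: int                # unix time of the last accepted update
    max_deviation: float = 0.005    # assumed: report must sit within 0.5% of the median
    max_rate_change: float = 0.01   # assumed: accepted rate may move at most 1% per update
    min_interval: int = 6 * 3600    # assumed: at most one update every 6 hours
    reports: dict = field(default_factory=dict)

    def submit(self, reporter, rate):
        if reporter not in self.committee:
            raise PermissionError(f"{reporter} is not on the whitelist")
        if rate <= 0:
            raise ValueError("rate must be positive")
        self.reports[reporter] = rate   # one vote per reporter, latest wins

    def finalize(self, now):
        """Return (accepted, reason); state changes only when accepted."""
        quorum = len(self.committee) // 2 + 1           # simple majority
        if now - self.last_update < self.min_interval:
            return False, "frequency limit"
        if len(self.reports) < quorum:
            return False, "no quorum"
        mid = median(self.reports.values())
        agreeing = [r for r in self.reports.values()
                    if abs(r - mid) / mid <= self.max_deviation]
        if len(agreeing) < quorum:
            return False, "no consensus"
        candidate = median(agreeing)
        if abs(candidate - self.last_rate) / self.last_rate > self.max_rate_change:
            return False, "rate limit"
        self.last_rate, self.last_update = candidate, now
        self.reports.clear()
        return True, "updated"


COMMITTEE = frozenset({"op1", "op2", "op3", "op4", "op5"})

# Constructed report sets.
HONEST = {"op1": 1.0101, "op2": 1.0101, "op3": 1.0102, "op4": 1.0101, "op5": 1.0101}
ONE_WRONG = {**HONEST, "op5": 1.5}
MAJORITY_WRONG = {"op1": 1.0101, "op2": 1.0101, "op3": 1.5, "op4": 1.5, "op5": 1.5}
SCATTERED = {"op1": 1.00, "op2": 1.02, "op3": 1.04, "op4": 1.06, "op5": 1.08}


def run_round(reports, now=86_400, start_rate=1.0100):
    """Feed one round of reports to a fresh oracle; return (accepted, reason, rate)."""
    oracle = RateOracle(COMMITTEE, last_rate=start_rate, last_update=0)
    for reporter, rate in reports.items():
        oracle.submit(reporter, rate)
    accepted, reason = oracle.finalize(now)
    return accepted, reason, oracle.last_rate


if __name__ == "__main__":
    for name, reports in [("honest", HONEST), ("one wrong", ONE_WRONG),
                          ("majority wrong", MAJORITY_WRONG), ("scattered", SCATTERED)]:
        print(name, run_round(reports))
```

In this model a single outlying report is absorbed by the median, while a wrong majority passes the consensus step and is stopped only by the rate limit, which is why the committee whitelist and the limits on the contract both matter to the collateral assessment.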
The Oracle Committee monitors essential data including exchange rates, withdrawn validators, missed attestations, and validator statistics. Exchange rates critical for staking and withdrawal processes are updated through consensus mechanisms with inspections ensuring validity.
The Committee oversees withdrawn validators, addressing the prompt distribution of accumulated ETH. For missed attestations, a governance vote determines penalties, emphasizing Staker rewards over Node Operator collateral. Validator statistics, including exit time and balances, guide withdrawals. The Committee addresses potential MEV misappropriation ensuring fair distribution and compensation for Stakers.
Stader has formed a partnership with Chainlink and intends to add Proof of Reserve data feeds to provide further assurances that limit the risk associated with the Oracle Committee.
4.2.2 Withdrawal Processing
Decentralized exchanges provide quick and easy exchange from ETHx to ETH. Meanwhile, ETHx holders can opt for direct redemption through ETHx smart contracts:
Submission of ETHx Tokens: Stakers transfer their ETHx tokens to the UserWithdrawalManager contract in proportion to the expected ETH they want to redeem, based on the current exchange rate quoted by the oracle contract. User requests are queued to be processed in the subsequent steps.
Finalization of Withdrawal Requests: Finalization, a protocol declaration, signals that a user-requested ETH is available to claim. This call operates on a first-come, first-serve basis, with each withdrawal request undergoing a mandatory delay to prevent sandwich attacks and deter malicious behaviors. ETHx tokens are burned, and ETH is moved from the deposit pool to make it available for claiming.
Claiming Process: Once a user request is finalized, the recipient can immediately claim it by initiating a transaction with the ETHx smart contracts. This action sends the ETH back to the recipient's address, concluding the redemption process.
While this method can provide superior rates compared to DEXs, the redemption time varies based on factors such as the requested ETH amount, availability of ETH in the deposit pool, and queue length. Smaller redemptions (<1000 ETH) may conclude in a few hours, while larger ones (>100,000 ETH) can extend to 7-10 days.
The smart contract leverages various sources, including the deposit pool, staking rewards, and released staked ETH from withdrawn validators. Validator exits, managed through a heuristic algorithm considering parameters like exit queue status and anticipated demand, are executed in a permissionless manner. The unstaked ETH from exited validators is then directed to ETHx smart contracts for subsequent redemptions or staking. The UserWithdrawalManager.sol contract plays a key role in this process, holding the burner role for ETHx tokens and managing the permissionless withdrawal methods.
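The following is an added model of the request, finalize and claim steps described above, showing why redemption time depends on queue position and deposit pool balance. It is not the UserWithdrawalManager code: the class and method names, the delay value, the rate fixed at request time and the sample amounts are assumptions.

```python
from dataclasses import dataclass

WEI = 10**18
MIN_DELAY = 600  # assumption: mandatory delay between request and finalization, in seconds


class WithdrawalError(Exception):
    """Raised when a request or claim is not allowed in the current state."""


@dataclass
class Request:
    owner: str
    ethx_locked: int      # ETHx transferred in with the request
    eth_expected: int     # ETH owed, fixed from the oracle rate at request time
    requested_at: int
    finalized: bool = False
    claimed: bool = False


class WithdrawalQueue:
    def __init__(self, deposit_pool):
        self.deposit_pool = deposit_pool   # ETH available to fund redemptions
        self.requests = []
        self.next_id = 0                   # oldest request not yet finalized
        self.ethx_burned = 0

    def request(self, owner, ethx, rate, now):
        """Step 1: lock ETHx and queue the request. rate is ETH per ETHx scaled by 1e18."""
        if ethx <= 0:
            raise WithdrawalError("amount must be positive")
        self.requests.append(Request(owner, ethx, ethx * rate // WEI, now))
        return len(self.requests) - 1

    def fund(self, amount):
        """ETH arriving from deposits, rewards or exited validators."""
        self.deposit_pool += amount

    def finalize(self, now):
        """Step 2: finalize strictly in arrival order; stop at the first request
        that is still inside the delay or that the pool cannot cover."""
        done = []
        while self.next_id < len(self.requests):
            req = self.requests[self.next_id]
            if now - req.requested_at < MIN_DELAY:
                break
            if req.eth_expected > self.deposit_pool:
                break  # later, smaller requests wait behind this one
            self.deposit_pool -= req.eth_expected
            self.ethx_burned += req.ethx_locked
            req.finalized = True
            done.append(self.next_id)
            self.next_id += 1
        return done

    def claim(self, req_id, caller):
        """Step 3: pay out a finalized request exactly once, to its owner only."""
        req = self.requests[req_id]
        if caller != req.owner:
            raise WithdrawalError("caller is not the request owner")
        if not req.finalized:
            raise WithdrawalError("request is not finalized yet")
        if req.claimed:
            raise WithdrawalError("request already claimed")
        req.claimed = True
        return req.eth_expected


if __name__ == "__main__":
    rate = 1_010_000_000_000_000_000          # constructed rate: 1.01 ETH per ETHx
    q = WithdrawalQueue(deposit_pool=100 * WEI)
    for owner, amount in (("alice", 50), ("bob", 60), ("carol", 10)):
        q.request(owner, amount * WEI, rate, now=0)
    print(q.finalize(now=599))   # [] : still inside the delay
    print(q.finalize(now=600))   # [0] : bob's request exceeds what is left
    q.fund(30 * WEI)
    print(q.finalize(now=700))   # [1, 2]
```
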
4.3 Oracles Pricefeed Availability
4.3.1 Understanding the Oracle
ETHx pricefeed options recommended by Stader:
ETHx doesn't have a Chainlink market price feed at this time. They have an oracle contract available that takes the ETH/USD price reported by Chainlink multiplied by the ETHx internal oracle rate. There is an alternative oracle available from Redstone, although this provider has much lower total value staked compared to Chainlink and has less history to assess its reliability.
A potential alternative may involve the Curve EMA oracle built into the Curve ETHx/ETH pool. The pool implementation uses a stableswap pair with naked ETH and is not the latest implementation available. Curve has been making incremental upgrades to its stableswap pools, most recently with the introduction of stableswap-ng. This implementation has an improved EMA oracle and support for tokens with internal rate oracles. Furthermore, Curve is recommending projects move away from pools paired with naked ETH.
ETHx already has a sizable amount of liquidity in its Curve pools to ensure the EMA is not manipulable (over $10m TVL). The EMA time is currently over 1 hour, which may be too slow to reliably process liquidations. The EMA should be set to a value that balances rapid response to spot price with manipulation resistance. The oracle should be designed with guardrails in place and should undergo an audit before acceptance as a suitable oracle. Furthermore, precautions should be taken to fully understand the Curve EMA oracle for the specific pool being used. A recent implementation introduced a bug to the Curve pool oracles, which is being rectified and Curve has clarified that current stableswap oracles are safe.
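The simulation below is an added example, not Curve's or Stader's contract code, of the trade-off described above: a longer EMA window dampens a short-lived spot distortion but lags a sustained price move. It also composes a USD price from an ETH/USD value and the pool EMA behind two example guardrails; the EMA formula is a generic exponential average, and the window lengths, observation interval, staleness and deviation limits and price paths are all assumptions.

```python
import math

BLOCK_TIME = 12  # assumption: seconds between pool price observations


class OracleError(Exception):
    """Raised when the composed price must not be used."""


def ema_update(ema, spot, dt, window):
    """One EMA step: the weight of the old value decays as exp(-dt / window)."""
    alpha = math.exp(-dt / window)
    return spot * (1 - alpha) + ema * alpha


def peak_distortion(window, base=1.0, distorted=0.90, observations=2):
    """Relative EMA error after the spot price sits at `distorted` for a few
    observations while the fair price stays at `base`."""
    ema = base
    for _ in range(observations):
        ema = ema_update(ema, distorted, BLOCK_TIME, window)
    return abs(ema - base) / base


def seconds_to_reflect(window, old=1.0, new=0.95, fraction=0.9):
    """Seconds until the EMA has covered `fraction` of a sustained drop
    from `old` to `new` (the case that matters for liquidations)."""
    ema, elapsed = old, 0
    target = old + (new - old) * fraction
    while ema > target:
        ema = ema_update(ema, new, BLOCK_TIME, window)
        elapsed += BLOCK_TIME
    return elapsed


def ethx_usd_price(eth_usd, eth_usd_updated_at, ema_ethx_eth, internal_rate, now,
                   max_age=3600, max_premium_bps=50, max_discount_bps=500):
    """ETH/USD multiplied by the pool EMA, with example guardrails:
    - reject a stale or non-positive ETH/USD value;
    - cap the EMA slightly above the protocol's internal exchange rate, so a
      pool premium never inflates collateral value;
    - reject an EMA far below the internal rate so it is reviewed, not consumed.
    """
    if eth_usd <= 0 or now - eth_usd_updated_at > max_age:
        raise OracleError("ETH/USD value is stale or invalid")
    upper = internal_rate * (1 + max_premium_bps / 10_000)
    lower = internal_rate * (1 - max_discount_bps / 10_000)
    if ema_ethx_eth < lower:
        raise OracleError("pool EMA is outside the allowed discount band")
    return eth_usd * min(ema_ethx_eth, upper)


if __name__ == "__main__":
    for window in (600, 3600):  # 10 minutes vs. 1 hour
        print(window,
              f"distortion={peak_distortion(window):.4%}",
              f"lag={seconds_to_reflect(window)}s")
```
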
4.3.2 Token Liquidity and Distribution
Liquidity for Stader's liquid staking token, ETHx, is found on decentralized exchanges (DEXs), including Curve, PancakeSwap, and Uniswap. The majority of DEX liquidity is in the Curve ETHx/ETH and Curve ETHx/wstETH pools.
Source: Etherscan | Date: 11/22/2023
The combined TVL in the Curve pools is over $25m. In the past month, liquidity overall has greatly expanded from $4m to over $17m in available ETHx liquidity.
Source: Dex.guru | Date: 10/23/2023 - 11/22/2023
There is a relatively high concentration of ETHx in Curve pools, increasing dependence on the Curve pool's reliable operation. Bugs or other issues related to Curve pools may have a severely detrimental effect on available ETHx liquidity.
Section 5: Counterparty Risk
This section addresses the persistence of ETHx's properties from an ownership rights perspective (i.e. possession, use, transfer, exclusion, profiteering, control, legal claim). The reader should get a clear idea of (1) who can legitimately change properties of the collateral (e.g. minting additional units) and what their reputation is, (2) the extent that changes can be implemented and the effect on the collateral.
This section is divided into 4 subsections:
5.1: Governance
5.2: Decentralization of the LSD
5.3: Economic Performance
5.4: Legal
5.1 Governance
5.1.1 Governance Scope
There is an implicit trust assumption in the Stader team to operate the protocol responsibly and to respect outcomes determined by Snapshot voting, as governance is currently conducted off-chain and managed by the Stader multisig. Governance discussions take place on the Community Forum before going to a vote. SD token holders have proportional governance power within the system.
The system contracts are fully upgradeable proxies. Governance also sets privileged roles in the system, including contracts ownership roles, the operator role, the Oracle Committee membership, and whitelisting permissioned node operators. Governance can update parameters in the system and allocate the DAO Treasury.
5.1.2 Access Control
The Community multisig
The 6-of-9 Community multisig has the potential to unpause and upgrade contracts via a timelock set with a minimum delay of 7 days. The community multisig also can rotate the Manager and Operator addresses.
Members include:
Mark Zeller: Active ETH community member. Member at Aave DAO
DefiDad: Active Web3 community member
Ignacio Iglesias Castreño: Co-founder at Stakely, blockchain network infrastructure provider
Edouard Lavidalle: Co-founder at Stakin, blockchain network infrastructure provider
Pratik Agarwal: Accel Partners, Global VC fund
Richard Galvin: CEO at Digital Asset Capital Management
Steven Shi: Investment Partner at Amber Group
Matt Batsinelas: Founder at Glass Markets
Amitej Gajjala: Member at Stader DAO
Source: Pod.xyz
The Manager multisig
The 3-of-5 Manager multisig is in charge of maintaining the protocol's overall health. It can pause contracts and adjust associated configuration parameters. It has the manager and operator roles on the StaderConfig contract. This multisig is expected to be used infrequently.
Source: Pod.xyz
The Operator
The Stader team controls the Operator role, and its primary responsibilities include overseeing the health of the ETHx node operator network, distributing rewards, implementing node configuration changes and managing validator exits. This address is an EOA. It can:
Distribute rewards.
Update max count of node operators permissible to run nodes.
Update max count of Validator keys addable in a tx.
Update max count of verified keys addable in a tx.
Update max count of validators that can get 32 ETH deposits in a tx.
Update list of validators to be exited
The Oracle Committee
A Snapshot vote in June approved an initial Oracle Committee. The Committee manages critical operations involving data transmission between the consensus and execution layers, including handling deposits, withdrawals, and rewards distribution. Its responsibilities include:
Provide ETHx:ETH exchange rate based on ETH staked in the system.
Provide a list of ETHx validators that have exited to distribute ETH to various stakeholders.
Penalize node operators for missing attestations based on a governance vote decision.
Provide statistics about ETH balances of slashed validators, validators in the exit queue, and latest validators withdrawn to compute validator exit times.
Provide data on validator quantity and attestations performed to inform reward distribution of execution layer ETH and SD for operators participating in the socializing reward contracts.
Provide a 24-hour TWAP SD price to ensure permissionless node operators are adequately collateralized.
Monitor and report MEV misappropriation by node operators, which can result in slashing node operator collateral.
The Committee consists of 7 members:
4 permissioned node operators (Stakin, Cryptomanufaktur, Kiln, Stakely.io)
1 prominent ETH community member (Mark Zeller)
2 Stader team members, one of which is planned to transition over to a community member
Together, these entities form a governance structure that oversees decision-making & operations in the ETHx ecosystem. Their collective efforts prioritize transparency, accountability, and a careful balance of oversight, control and flexibility.
5.1.3 Distribution of Governance Tokens
Team and Advisor tokens were allocated with a 6 month cliff and 36 month linear vest. Likewise, Team and Advisor tokens were subject to a 36 month linear vest after the TGE.
Source: Stader Labs Site
The Ecosystem and DAO Fund are reserved as incentives for supplying liquidity to the SD token and on DEXs, and are intended to remain out of circulation until allocated. This may be a determination of governance.
Source: Stader Labs Site
According to Etherscan data, ~75% of SD tokens are distributed between 5 wallets, all gnosis multisigs. There are the following safes associated with Stader protocol:
Rewards wallet
DAO fund
Ecosystem fund
Team tokens
These tokens are not vested.
Source: Etherscan - ETHx Holders | Date: 11/14/2023
5.1.4 Proposals Frequency
The Stader Snapshot is active with a frequency of 0-3 proposals per month. All proposals are overwhelmingly in support, with very few against votes. An overview of historical proposals is below:
Source: StaderDAO Snapshot
5.1.5 Participation
As per the above image/table, there are an average of 29 voters and an average of 1.6 million SD votes across all the proposals so far.
The Governance Forum statistics show 34 monthly active users and 16 weekly active users:
Source: Stader Governance Forum
5.1.6 Governance Attack Vectors
As of now, all snapshot vote decisions are carried out by the multisig. Further operational controls are managed by a team-controlled EOA (the Operator) and the Oracle Committee. With this underlying trust assumption, external governance manipulation is not possible.
5.2 Decentralization of the LSD
5.2.1 Number of Node Operators & Total Number of Validators
There are a total of 189 Node operators of which 6 are permissioned and 183 are permissionless node operators as of 15th November 2023.
Source: Dune - Node Operator Dashboard
There are 1016 validators of which 503 are permissioned validators (150 queued permissionless validators) and 782 are permissionless validators (53 queued permissionless validators) as of 15th November 2023.
Source: Dune - Node Operator Dashboard
5.2.2 Validator Enter/Exit (Churn)
This data is not readily available. Stader is working with rated.network to improve transparency around validator activity.
5.2.3 Stakers per Validator
As of 15th November, there are 718 ETHx holders and 1016 validators. At 32 ETH per validator, there is an average of 1.415 stakers per validator.
5.2.4 Stake Distribution Across Geographic Jurisdictions
This data is not readily available. Stader plans to make this data available in Q1 2024.
5.2.5 Consensus client distribution
This data is not readily available. Stader is working with rated.network to improve transparency around validator activity.
5.3 Economic Performance
5.3.1 Revenue Source
In the consensus layer, rewards stem from block attestations and proposals. Validators that deposit 32 ETH earn rewards sent to their pubkey addresses on the beacon chain. The ValidatorWithdrawalVault ensures fair distribution among Stakers, Node Operators, and the Stader DAO treasury, maintaining security collateral and commission structures for both permissionless and permissioned pool validators.
Shifting to the execution layer, node operators earn MEV and priority fees. MEV revenue is earned by all Stader node operators. Priority fees, compensating for batching specific transactions, provide additional income. A socializing pool ensures consistent rewards, based on performance and the number of validators operated. Permissionless operators directly access execution layer rewards, complemented by a commission on staked ETH. Permissioned operators earn a percentage commission on their entire staked amount.
Stader retains 10% of all staking fees and splits that share 50:50 between the protocol Treasury and node operators.
5.3.2 Revenue
Protocol revenue accumulates to the 2-of-3 Treasury multisig and to the Stader Operator Rewards Collector contract. Revenue accumulation in the past 90 days is shown below:
Source: TokenTerminal | Date: 11/18/2023
5.3.3 Net Profit
Protocol expenses are unknown, although the revenue growth can be derived from the total assets staked and the daily yield to determine fees and protocol revenue. Monthly revenue has been in an overall uptrend from $23.75k in June to $27.4k in November.
Source: TokenTerminal | Date: 11/18/2023
5.4 Legal
5.4.1 Legal Structure
Stader Labs, founded in April 2021, is registered as a legal entity under the name "STADER LABS," with its headquarters located in Singapore. Additionally, there is a mention of "Stakeinfra Technologies Inc." in relation to Stader Labs, with its headquarters located in Panama.
Stakeinfra Technologies Inc. is acknowledged as the company operating Stader Labs, as stated on their website. The country of incorporation of the legal entity is Panama. Details regarding the company's ownership structure, including specific information about shareholders, investors, or the percentage of ownership, are not readily accessible in the open sources linking to Panama business registry.
There is also no explicit information available in the community forum about creating DAO legal wrapper(s) or other legal structures associated with Stader DAO.
5.4.2 Licenses
In Panama, there are not any regulations specifically tailored to blockchain or cryptocurrencies. Both the Superintendence of Banks (SBP) and the Superintendence of the Securities Market (SMV) have made informal remarks regarding this matter. In 2018, the SBP conveyed that it doesn't oversee cryptocurrencies and that no financial institutions in Panama sought permission to engage with them. Similarly, in the same year, the SMV clarified that: (1) they don't categorize cryptocurrencies as securities; (2) cryptocurrencies are not recognized as official currencies; (3) no specific licensing is mandated for cryptocurrency operations; and (4) brokerage firms are not allowed to provide advice or trade in cryptocurrencies.
The SMV recently issued Opinion No.1-2023 primarily crafted to address queries about the permissibility of licensed Broker-Dealer firms engaging in activities related to digital assets and cryptocurrencies. In keeping with its prior stance, the SMV reaffirmed that its jurisdiction is confined only to matters explicitly governed by law. Thus, it emphasized its inability to oversee, regulate, supervise, or make determinations on issues not expressly set forth in legislation. Following a thorough review of regulations, the SMV clarified that current rules do not classify cryptocurrencies as "securities," "money," or "electronic currency." Furthermore, referencing their earlier statement, SMV opinion 7-2018, concerning Bitcoin, they emphasized that the definition of "securities" excludes digital currencies.
Panama has evidently adopted a hands-off stance due to the absence of stringent regulations concerning cryptocurrencies. Currently, there are no legal precedents in the country that categorize cryptocurrencies as monetary tools, securities, official currencies, or digital assets. Given this backdrop, it's reasonable to infer that staking-as-a-service as part of the wider digital assets category is legally permissible in Panama at this time.
Stakeinfra Technologies Inc. sought legal counsel from a reputable law firm to ascertain whether their MATICX token could be classified as a security under United States Securities Laws. Pertinent findings concerning Stakeinfra Technologies' involvement in staking services provision, as they relate to ETHx, justify referencing the key conclusions drawn from this legal evaluation.
The Company is responsible for managing the official website of the Project (https://www.staderlabs.com/), ensuring the Tokens' proper functionality, and updating the Project's principal documents. Moreover, the Company undertakes marketing initiatives and continuously develops new features and utilities for Token holders, catering to interests in the digital currency sphere and staking programs.
The Token's functionalities do not endow users with any rights to engage in or claim profits, revenues, or other monetary benefits solely by owning the Tokens. An exception to this rule is the potential earnings users may accrue by participating in staking programs available on the Platform.
In their examination based on the Howey test, legal experts concluded that MATICX does not constitute a security. The token fails to fulfill all the criteria of the Howey Test, thereby not conforming to the legal definition of a security under U.S. law.
While there is no explicit determination regarding the structure and classification of ETHx, the findings for MATICx suggest that a similarly structured token would likely be exempt from such regulatory classification. However, a definitive opinion on this matter would require a dedicated investigation into the specificities of the particular staking product.
5.4.3 Enforcement Actions
There have been no documented regulatory enforcement actions or legal proceedings initiated against Stader Labs to date.
5.4.4 Sanctions
The Terms of Service provide a set of user representations regarding sanctions. Users of Stader Labs' services represent and warrant that they are not:
Subject to any sanctions administered or enforced by any country, government, or international authority, including but not limited to the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), the US Department of State, the United Nations Security Council, the European Union, Her Majesty's Treasury, the Hong Kong Monetary Authority, or the Monetary Authority of Singapore.
Located in, organized in, a citizen of, or a resident in a country or territory that is the subject of such sanctions.
Listed in any list of sanctioned persons, including those maintained under the sanctions such as the List of Specially Designated Nationals and Blocked Persons or the Foreign Sanctions Evaders List maintained by OFAC.
Directly or indirectly owned or controlled by any person subject to the above-mentioned sanctions.
Currently, Stader Labs has yet to integrate technical measures specifically designed for compliance with international sanctions. With this, we address the absence of technological solutions that would actively prevent sanctioned persons from interacting with the protocol. However, the team has acknowledged this gap and is actively working to address it. They have indicated that the implementation of such compliance measures is a part of their development roadmap. According to their projections, the solutions are expected to be enabled within a few months.
5.4.5 Liability Risk
Under the terms of service, Stakeinfra Technologies Inc. (referred to as "the Company") has several key obligations:
Provision of the App: The Company makes the App available to users, which includes a set of infrastructure-level smart contracts deployed on various blockchain networks. The App facilitates users in managing their digital assets staked with third-party staking protocols.
Non-Custodial Protocol: The Company operates a non-custodial protocol, meaning it does not hold or control users' digital assets. Users interact with smart contracts to manage their staking, and the assets are held in the users' selected electronic wallets.
Maintenance of the Site and App: The Company reserves the right to modify, suspend, or discontinue any part of the Site or the App, with the acknowledgment that it will not be liable for any modification, suspension, or discontinuance.
No Financial Services: The Company clarifies that it does not provide banking, brokerage, fund management, financial advisory, or similar services through the App or Smart Contracts.
Stader Labs places significant responsibility on the users for the security of their assets and compliance with relevant laws, and it does not involve itself in the financial aspects of the transactions made on its platform.
Users can visualize their staking arrangements on the platform's interface or access the smart contracts through APIs. The platform's smart contracts are designed to be modular, open, and interoperable across different blockchains. Users are responsible for the security of their electronic wallets and the digital assets within. Stader does not have access to or responsibility for these wallets or assets.
The platform connects users with various third-party staking protocols and validators. Users can enter into direct contractual arrangements with these providers, deposit digital assets with these third parties, withdraw assets, and potentially earn staking rewards, fees, and token rewards. The rates and rewards are determined independently by these third parties. The fee structure places the onus of financial responsibility squarely on the user. Users must be aware of and prepared to pay various fees associated with their transactions, including gas fees and potential additional charges by Validator Service Providers or Stader Labs.
In summary, these clauses collectively establish a legal framework that places significant responsibility on the user for managing their digital assets, while limiting the company's liability for third-party actions and the inherent risks of using a blockchain-based application. The terms also reflect a cautious approach to the experimental nature of Smart Contracts and the volatile landscape of blockchain technologies.
The terms include several disclaimers and limitations of liability:
Non-Liability for Third Parties: The Company is not liable for the acts or omissions of any third parties, including electronic wallet providers, blockchain networks, or Validator Service Providers.
No Responsibility for Digital Assets: The Company does not hold or control users' digital assets and is not responsible for any loss or damage to these assets.
No Endorsement of Validators: The Company does not endorse any Validator Service Provider and is not responsible for their services or content.
No Financial Advice: The Company does not provide financial, legal, regulatory, or tax advice, and content on the Site or App should not be considered a substitute for professional advice.
No Liability for Transactions: The Company is not liable for any transactions users engage in via the App, Smart Contracts, or blockchain networks.
The exclusion of liability for loss of profits, goodwill, business reputation, data, and the cost of procurement of substitute goods or services, even if the company is advised of the possibility of such damages, is significant. This means that users cannot claim these types of damages in case of any issue arising from their use of the services. The liability of the company is further capped to the greater of the amount the user paid in the 12 months preceding the claim or US$200. This cap provides a tangible limit to the company's potential financial exposure, though it might be seen as relatively low depending on the context of the transaction or the user's investment.
5.4.6 Adverse Media Check
We found no information regarding Stader Labs / Stakeinfra Technologies Inc. being accused of money laundering, corruption, sanctions exposure, or threat financing. Within the limits of the information available in the sources we can access, there are no specific allegations or reports regarding unlawful activities.
Section 6: Risk Management
This section will summarize the findings of the report by highlighting the most significant risk factors in each of the three risk categories: Market Risk, Technology Risk, and Counterparty Risk.
6.1.1 Market Risk
LIQUIDITY: Does the LSD have a liquid market that can facilitate liquidations in all foreseeable market events?
ETHx is a relatively recent addition to the LSD market and has been working to expand its market liquidity across multiple DEXs, including Curve, PancakeSwap, Uniswap, and Balancer. It is still a small player in the overall LSD space, making up under 0.4% of the market by TVL and having nearly 45k ETH staked.
Onchain liquidity has been growing over the past month by around 100%. Most of that liquidity has been centered on Curve pools paired with ETH and wstETH. Over 3/4 of total liquidity is on Curve, creating a greater dependence on the proper operation of the Curve pools to ensure available liquidity.
Compared to major players in the LSD market like stETH and rETH, ETHx has a short history and has not yet developed mature and diverse markets. The trend is positive, but caution should be taken to gradually onboard this asset as it continues to demonstrate a strong trajectory.
VOLATILITY: Has the LSD had any significant depeg event (post merge)?
ETHx has historically traded at a slight discount to its underlying ETH since mid-July. The discount has generally ranged around 0.15% - 0.35% over the time period. There is a withdrawal mechanism that may involve a queue and can take up to 7-10 days to process for large withdrawals. This creates a reasonable pathway to arbitrage any negative depeg ETHx may experience, although the arbitrage may be prolonged in severe market conditions. This is consistent with limitations of other LSD products such as stETH, rETH, and sfrxETH.
Overall, ETHx hasn't experienced issues historically with maintaining its peg. It is possible it shares challenges in the future similar to rETH, another product that involves permissionless node operation. The additional onboarding requirements involve greater complexity that may lead to congestion that results in positive depeg, which may disrupt operation but is less concerning from a collateral risk perspective compared with negative depegs. The multiple pool strategy used by ETHx that also onboards permissioned node operators may mitigate such challenges.
6.1.2 Technology Risk
SMART CONTRACTS: Does the analysis of the audits and development activity suggest any cause for concern?
ETHx has undergone multiple audits by several independent auditors, including 3 audits of the ETHx smart contracts, 1 on permissioned nodes, 1 on permissionless nodes, 1 on oracle, and 1 on off-chain processes. Most findings were resolved, although several were acknowledged by the team and closed with explanations provided in section 4.1.2.
There is additional complexity to the ETHx design that incorporates both permissioned and permissionless node operation, a unique design decision compared with frontrunner decentralized LSD projects. There have not been any security incidents in the project's short life (contracts deployed June 5th) and an ImmuneFi bug bounty program promises up to $1m for responsible disclosure of bugs.
DEPENDENCIES: Does the analysis of dependencies (e.g. oracles) suggest any cause for concern?
There is an Oracle Committee that handles important data transmission between the consensus and execution layer to inform the ETHx exchange rate, withdrawn validators, missed attestations, validator statistics, operator rewards, SD price, and MEV misappropriation monitoring. The committee consists of 7 whitelisted members and the proper operation of the protocol depends on their honest and reliable operation.
There is not a Chainlink pricefeed available for ETHx at this time. For integration as collateral, we recommend taking the Chainlink ETH/USD feed combined with a Curve pool EMA from an ETHx/ETH pool. The current Curve pool liquidity should be migrated to the latest stableswap-ng implementation and maintain greater than $10m total pool TVL. Consultation should be done with Curve directly to ensure proper integration of the pool oracle and the oracle contract should be audited by an independent source.
6.1.3 Counterparty Risk
CENTRALIZATION: Are there any significant centralization vectors that could rug users?
In the early stage of the project, there is not an onchain DAO, although Stader has a governance token and intends to decentralize in the future. Currently, critical operations are divided between the team-controlled 3-of-5 Manager multisig, the 6-of-9 Community multisig, the Operator EOA, and the Oracle Committee. The members of the Community multisig and Oracle Committee are publicly disclosed.
The Community multisig controls critical aspects of the system, including the ability to upgrade contracts. Theoretically, if the multisig were malicious or compromised, it has the power to rug users. A 7-day timelock serves to protect users against malicious action. The privileged roles listed above are all necessary for the reliable operation of the protocol.
LEGAL: Does the legal analysis of the protocol suggest any cause for concern?
The absence of a definitive regulatory framework in Panama should not be construed as a carte blanche for companies to operate without licensing. The stability and endurance of the current favorable regulatory environment are uncertain, especially considering potential pressures from FATF to adopt specific regulatory measures. Stader Labs has demonstrated a concept for structuring ETHx in a manner compliant with existing regulations. To advance this initiative, the implementation of strategies for mitigating sanctions risks and conducting a thorough legal analysis of ETHx as a security or financial instrument are critical milestones that the team aims to accomplish.
6.1.4 Risk Rating
Based on the risks identified for each category, the following chart summarizes a risk rating for wstETH as collateral. The rating for each category is ranked from excellent, good, ok, and poor.
We rank ETHx ok in liquidity for being in the early stage of establishing liquidity across several venues. Liquidity is showing strong growth but most is concentrated on a single venue and does not have a long history of showing robust liquidity.
We rank ETHx good in volatility for having a withdrawal mechanism available to arb potential negative depegs and combining multiple node operator pools, which may improve scalability in times of high growth.
We rank ETHx ok in smart contracts due to increased complexity involved with allowing both permissioned and permissionless node operators. ETHx has had multiple audits and a bug bounty program, but has only been live on mainnet for several months.
We rank ETHx ok in dependencies because it does not have a Chainlink pricefeed available and it will require additional effort to make a suitable onchain solution.
We rank ETHx ok in decentralization because in the early stage of the project's development, many critical processes are entrusted to the team and to whitelisted committees.
We rank ETHx ok in legal because Panama fully lacks VASP legislation, which exposes risk from the FATF, as there is uncertainty around the eventual regime. Stader plans to implement sanctions measures in a few months, at which point its score can be reassessed.
ETHx shows potential to become a formidable competitor in the LSD market, although it is a relatively new product compared to others we have reviewed. Because of its short history, we recommend exercising caution with onboarding. In particular, Stader has been working to strengthen ETHx's liquidity profile. It has been showing positive growth trends, but liquidity metrics should be closely monitored to ensure liquidity remains strong across various market conditions.
An immediate blocker to overcome before considering onboarding ETHx is to establish a reliable pricefeed that accounts for the market price of ETHx. Currently, a contract is available that combines Chainlink ETH/USD with the internal ETHx rate and RedStone also has an ETHx pricefeed available. We recommend using Chainlink ETH/USD combined with an onchain ETHx/ETH data source to establish the ETHx market price. This may require Stader to consult with Curve developers on properly integrating the Curve pool EMA oracle and to migrate liquidity to the latest Curve stableswap-ng implementation. This solution also depends on Stader ensuring the pool has sufficient liquidity of at least $10m total TVL.
Most concerns we have around ETHx as collateral stem from its short history. Its TVL is still quite low and because of uncertainties due to maturity level of the contracts and short market history, a conservative approach to onboarding is advised. Despite concerns, ETHx shows a commitment to security, to continuing a trajectory of a strong liquidity profile, and has a plausible pathway to decentralization. It is furthermore a product that introduces unique design features like a multi-pool architecture. ETHx certainly has potential to become a valued addition to a diversified basket of LSD collateral types.