The Tie Research
Centralization Risks for Post-Merge Ethereum
The merge will bring new centralization concerns to Ethereum’s forefront, with three obstacles posing potential problems. While solvable, if left unchecked, runaway centralization in the following areas has the potential to control and derail the blockchain:
- Consensus Layer Client Diversity
- Execution Layer Client Diversity
- Staking Pools & CEX Staking Dominance
Ethereum nodes are run on top of clients, more easily understood as software engines, without which nodes would be unable to verify block and transactional data. There are many clients written in many languages; however, miners, node operators, and validators tend to gravitate towards the select reputationally pristine few. After all, a poorly written client can affect hash rate, validator uptime, attestations, block proposal frequency, and, in the worst case for validators, impose slashing risks.
Post-merge, both the consensus and execution layers of Ethereum will run on the Beacon chain, each with their own set of clients, and each with their own client diversity concerns.
The following text will outline the unique risks to each Ethereum layer with respect to client diversity in both their current and post merge states. Additionally, we’ll analyze the current distribution of pooled staking on the Beacon chain, and how this centralization is exacerbated by monopolistic liquid staking derivatives.
From its genesis, Ethereum has opted for a multi-client approach to validating blocks. Clients were built by different teams, with different languages, with the primary goal of increasing immunity to existential infections. Specifically, this was done to insure against unwanted and otherwise incorrect block proposals. All things equal, this is superior to a single client approach.
That being said, a multi-client approach that lacks sufficient diversity is worse than a chain running on a single client.
In a situation where one consensus client retains a super majority, and that client incorrectly proposes a block, everything begins to critically break down. Not only would that incorrect block be validated as ‘correct’, but all opposing minority clients would be slashed for violating consensus, despite proposing the truly correct block.
When a blockchain running on a single client incorrectly proposes a block, however, the same false record is validated, but without slashing minority clients, since they do not exist. In either of these two cases, the incorrect block is validated. But in the multi-client case, the super majority client also punishes innocent and diligent participants.
Healthy client diversity is fundamental to Ethereum’s transition to proof of stake, and the first half of 2022 saw a concentrated, community driven effort to spread the client share of Ethereum’s burgeoning consensus layer. Some progress has been made in reducing Prysm usage, and its dominance has indeed dropped from supermajority (>66% share), to merely majority usage.
It is not technically feasible to know the exact client distribution on Ethereum’s Beacon chain, but there have been several reputable attempts at estimation.
The two data sources we’ll look at tell a similar story, although the severity of Prysm’s dominance varies based on the sampling method. As described by Ether Alpha at Clientdiversity.org, Sigma Prime and Miga Labs have developed two distinct methods to identify the severity of the problem:
“Miga Labs uses a crawler to count beacon nodes and their self-reported identity. However, this means that validators sharing a node are counted only once and nodes with fewer validators have a greater influence on the estimate. (Miga Labs)
Another method developed by Sigma Prime’s Michael Sproul [analyzes] each client’s block proposal style as described in this tweet thread.”
Below I’ve summarized both of these sampling methods with an upper and lower usage estimate.
While Prysm dominance still clearly threatens Ethereum’s overall health, the problem was much worse only a few months prior. Indeed, for the entirety of 2021, Prysm’s usage was estimated to be closer to 70%.
In March of this year, the Kiln testnet merged the execution and consensus layers, simulating the much anticipated Ethereum mainnet merge. There was a hiccup with Prysm, while the other clients merged without issue. Client diversity on Kiln is not equal to the client diversity on the Beacon chain. In fact, Prysm only accounts for around 20% of validators on Kiln, not enough to derail consensus over the testnet merge and prevent finality. Although client diversity was not critical in this test merge, it is a cautionary tale about the current insecurity of the Beacon chain.
The Beacon chain does have disincentives in place that attempt to thwart single client dominance, although these disincentives are trumped by a supermajority client. If a client with greater than 1/3 share of total staked Eth proposes a faulty block, all Eth maintained by that client is slowly drained away until all other clients combined reach greater than 2/3 share of staked Eth. This correctly incentivizes validators to run on clients with less than 1/3 of staked Eth, as a faulty block proposal would incur drastically less loss.
However, this incentive structure does not apply to clients with over 2/3 staked Eth, as their supermajority status would prevent the aforementioned penalties. In fact, this safety net does the opposite: once a client reaches super majority status, new validators gain protection by joining the top client.
As such, the potential for a runaway super client remains a real concern. A properly decentralized Ethereum consensus layer requires no client retaining more than 1/3 share. Prysm is far from this threshold, and a potential threat will hang over Ethereum’s new security model until Prysm usage is further minimized.
Relative to the consensus layer, the execution layer client spread is much less diverse, with the majority of the load falling onto Geth. Currently, super majorities on the two layers do not impose equal existential risks, as a critical failure on the consensus layer is guaranteed to have more catastrophic effects. This, however, will change after the merge.
Contrary to the consensus layer, the client diversity on the execution layer has actually been getting worse, giving further credence to the lack of urgency in ameliorating Geth’s dominance.
In June of 2020 Geth’s dominance was only 75%. Back then, the second largest client, Parity, had 15% share, and OpenEthereum followed behind with 5%. Parity has since merged with OpenEthereum, and, as seen above, their combined share has dropped from 20% to 5%. In that regard, the consolidation did not have the intended effect.
Currently, the consequences of centralization on the two layers are not equal. Geth dominance concerns do not extend to finality, because it is currently only running on Ethereum’s POW chain. Someone will always execute a block, even if a super majority client is unable to do so. For example, if there is an issue with Geth, and users running the client are not able to interpret instructions and execute blocks, the chain will not halt. Instead, responsibility will switch to users running Erigon, Besu etc., who will in turn happily reap increased mining rewards. As we noted above, the consensus layer does not have this luxury and requires the entire group's participation.
Due to this, Geth centralization concerns have been set aside for now, kicking the proverbial can down the road.
Unlike consensus clients on the Beacon chain, which have little variance in performance during uptime, execution layers vary greatly in quality. Geth’s massive head start accelerated this gap, but the problem is more fundamental. Consensus layer clients have clear specifications to follow, whereas execution layer clients have degrees of freedom, with different strategies often pursued. This pioneering has led to uncertainty on some clients; Erigon, Besu, and Nethermind are still sorting out issues.
However, after the merge, the consensus layer will rely upon the execution layer for chain reality, forcing it to inherit the responsibility of finality. The two become intertwined, and diversity on one is only as good as diversity on the other. In other words, after the merge, all consensus clients will eventually make their decisions based on the information given to them by their chosen execution layer.
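The 1/3 and 2/3 thresholds described earlier, combined with the post-merge coupling of the two layers, worked through as an added example that is not part of the original report. The pairing shares are constructed sample values, the labels and function names are this example's own, and it assumes each validator's outcome follows the worse of its two clients.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample: percent of staked Eth per (consensus, execution) client
# pairing. Illustrative numbers only, not measurements from the article.
SAMPLE_PAIRS = {
    ("Prysm", "Geth"): 36, ("Prysm", "Nethermind"): 4,
    ("Lighthouse", "Geth"): 28, ("Lighthouse", "Besu"): 4,
    ("Teku", "Geth"): 12, ("Teku", "Besu"): 4,
    ("Nimbus", "Geth"): 8, ("Nimbus", "Erigon"): 4,
}
SEVERITY = ["contained", "drains-stake", "supermajority"]


def layer_shares(pairs, layer):
    """Marginal stake share per client on one layer (0=consensus, 1=execution)."""
    total = sum(pairs.values())
    shares = defaultdict(Fraction)
    for combo, stake in pairs.items():
        shares[combo[layer]] += Fraction(stake, total)
    return dict(shares)


def classify(share):
    """Failure mode if a client holding this share proposes a faulty block."""
    if share > Fraction(2, 3):
        return "supermajority"  # faulty block accepted, minority penalized
    if share > Fraction(1, 3):
        return "drains-stake"   # its stake drains until the rest exceed 2/3
    return "contained"          # loss limited to this client's operators


def pairing_risk(pairs):
    """Post-merge view: a pairing inherits the worse of its two clients' classes."""
    cl, el = layer_shares(pairs, 0), layer_shares(pairs, 1)
    return {
        combo: max(classify(cl[combo[0]]), classify(el[combo[1]]), key=SEVERITY.index)
        for combo in pairs
    }


def stake_behind_supermajority(pairs):
    """Fraction of stake whose pairing includes a client above 2/3."""
    risk = pairing_risk(pairs)
    risky = sum(stake for combo, stake in pairs.items() if risk[combo] == "supermajority")
    return Fraction(risky, sum(pairs.values()))


if __name__ == "__main__":
    for layer, name in ((0, "consensus"), (1, "execution")):
        for client, share in sorted(layer_shares(SAMPLE_PAIRS, layer).items()):
            print(f"{name:9} {client:10} {float(share):6.1%} {classify(share)}")
    print("stake paired with a supermajority client:",
          float(stake_behind_supermajority(SAMPLE_PAIRS)))
```

In this sample no consensus client exceeds 2/3, yet most of the stake still sits behind a supermajority execution client, which is the sense in which diversity on one layer is only as good as diversity on the other.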
While the community is currently focused on Prysm’s dominance, Geth will likely be seen as the next largest centralization vector after the merge. Competitor clients such as Besu and Nethermind hope to strengthen their reputation before the consequences of finality set in.
Finally, client diversity is further complicated by versioning, meaning that not all nodes are running the same version of Geth. A large portion of Geth block producers do not consistently update their nodes to the most recent version of the software, while others intentionally customize versions to better maximize their MEV strategy–typically some fork of MEV-Geth.
In that sense, all Geth operators are not strictly running the same code, which, all things equal, is preferable. Still, the differences between Geth 1.10.19 and Geth 1.10.16 are negligible when comparing Geth to another client managed by a different team, written in a different language, and with different logic.
Moving beyond client diversity concerns, the pooled distribution of Eth on the Beacon chain is similarly becoming concentrated in fewer and fewer hands, presenting very real, measurable centralization concerns for Ethereum’s future.
Staking Pools & CEX Staking
Validator counts for on-chain staking pools such as Lido are easily retrievable, as we can see the precise volume of the liquid staking tokens on-chain. In other words, we know exactly how much stETH has been minted.
For CEX validator count, we once again run into uncertainty. Exchanges like Coinbase don’t directly stake from their known addresses. Rather, they fund a fresh wallet with Eth, initiate a validator deposit, and then send the dust to one of their known wallets. Because there isn’t a single deposit address, bots must tally all the funds they believe to be managed by the exchange. This wallet hopping strategy is used by Coinbase, Kraken, Binance, and others.
Still, the data is reliable from a comparative standpoint. Several active Ethereum community members have attempted similar estimations; the above validator distribution is provided by Invis from pools.invis.cloud.
Any analysis of staked Eth must be viewed with withdrawals in mind. Not only are these funds irreversibly locked until the merge, but a second hard fork enabling Eth withdrawals must also occur before any realization of return can be made. As of writing, roughly 13 out of the 121 million Eth in existence are locked into the Beacon chain deposit contract. After withdrawals are enabled, it is likely we’ll see the staked Eth distribution shaken up and redistributed, but until then, only further additions can be made.
Looking long term, the percentage of staked Eth is likely to only increase; a successful merge and a successful enabling of withdrawals will dramatically decrease the associated risks taken on by validators. At least temporarily, staking yields will be considerably higher after the merge: fees paid to miners are effectively redirected to stakers. However, this higher yield will further incentivize staking demand, causing returns to eventually reach a dynamic equilibrium.
All of this is to say, the centralization risk of staked Eth is the most uncertain of the three vectors we’ve looked at, and, due to commoditization and eventual low switching costs in the form of liquid derivatives, likely to be the least sticky vector. However, one can’t rule out arbitrary lockups by centralized entities preventing withdrawals, reallocation, or otherwise hindering a timely exit.
Lido, with over 1/3 of all staked ETH, was the first to offer a staking token and is by far the largest staking entity. Their stETH token was quickly integrated with popular DeFi tools like Aave, Maker, Bancor, etc. This first mover status allowed them to rapidly expand and eat the liquid staking market. To be blunt, this wasn’t necessarily because they were the first to solve a unique technical problem. Lido’s centralized and permissioned structure allowed them to rapidly onboard massive amounts of Eth in a short period of time. Marketing also helped.
Rather than needing to onboard both infrastructure providers and liquid stakers in tandem (a tedious network balance similarly faced by rideshare companies), Lido has essentially outsourced all infrastructure to a few handpicked entities. In the Uber analogy, Lido doesn’t need more drivers to onboard massive amounts of riders; they’re sending a dozen large taxi companies all the users they can attract for a cut of the revenue.
This quick and centralized strategy has additional downsides besides the obvious rug risk.
The total number of minted stETH is equivalent to the number of Eth staked within their protocol, minus any pending in queue. There isn’t a buffer, or a pool to withdraw from or deposit into. Currently, if one wants to exit their liquid staking position with Lido, the only option is exchanging on a DEX. Comparatively, if one wants to enter a liquid staking position with Lido they have the same DEX option, as well as direct minting via the protocol. This obvious mismatch, while presumably temporary until withdrawals from the Beacon chain are enabled, is the fundamental driver for the current stETH:ETH discount in DeFi.
Lido currently controlling roughly 1/3 of all staked Ether is a legitimate concern, and absolutely worth monitoring. If Lido were to control over half of all staked Ether, the DAO could be viewed as parasitically attacking the consensus of the entire blockchain. If Lido controlled over 2/3 of all staked Ether, they would effectively own the entire blockchain, and the decentralized internet experiment would be over.
To address the topical elephant in the room, I don’t anticipate the reward adjusted price of stETH spiraling away from the price of ETH in a fashion similar to UST. It is fully backed, albeit with centrally held keys holding funds inaccessible until Q4 or Q1 2023 at the earliest. Essentially, stETH is trading as a zero-coupon bond; because it can’t immediately pay out interest, it effectively trades at a discount. This delta is priced by the time-weighted risk of holders’ ability to redeem their stETH for ETH after withdrawals are enabled.
Of course there are other liquid staking projects aiming to take market share away from Lido. Some, such as Rocket Pool, have the added benefit of trustlessness and decentralization; that is, even if they became the majority pool, the risk calculation would be fundamentally different.
More than client diversity spreads, there is reason to believe the staked ETH distribution will look drastically different in the years to come. Yields outside of staking for ETH have fallen dramatically, leaving low-risk staking yield as an enticing opportunity. As staking on Ethereum rushes to become the treasury bond for ETH denominated investors, the total number of staked ETH is likely to grow significantly from the current 13 million.
At first glance, this paper could be interpreted as declaring three organizations as potential threats, which is partially true. Although these organizations are innocuous victims of their own success, Ethereum’s health is better served by distributing reliance on core infrastructure across multiple actors in each subsector.
The current state size of Ethereum creates challenges for client teams–whether they’re building a new client, or maintaining an existing one. Clients are vigorously maintained by small, often rotating teams, and often with too little pay. Developers have argued that state size adds tremendous complexity to client work, and there aren't adequate monetary incentives for client teams.
Future Ethereum upgrades such as statelessness and state expiry, which are not directly intended to help client diversity, may give current and future client teams great relief. Shrinking Ethereum’s state to a manageable size primarily helps decentralize the validator network by reducing hardware requirements and reducing sync times, but there are many second order effects. While rarely discussed, it is reasonable to assume that future EIPs targeting Ethereum’s state size will drastically reduce the complexity and workload of client development and maintenance.
The staking pool market is young and rapidly developing. Unlike mining, where hardware is highly specific to each pool, stakers will have minimal switching costs after withdrawals are enabled. For the majority of 2021, stETH was the only liquid staking derivative available within DeFi. It remains to be seen how competing tokens such as Rocket Pool’s rETH will fare, or where the distribution will fall in the long-term. Exchanges retaining massive caches of staked Eth create other problems, and could disillusion those embracing Ethereum for its bankless nature.
For now, Ethereum is able to shrug off client diversity and staking centralization concerns. In the coming months and years, this luxury will vanish, and depending on the community response, these problems will be mitigated or ignored.
This report is for informational purposes only and is not investment or trading advice. The views and opinions expressed in this report are exclusively those of the author, and do not necessarily reflect the views or positions of The TIE Inc. The Author may be holding the cryptocurrencies or using the strategies mentioned in this report. You are fully responsible for any decisions you make; the TIE Inc. is not liable for any loss or damage caused by reliance on information provided. For investment advice, please consult a registered investment advisor.