Curated Module

Curated Module Overview

📝 Summary

The Curated Module (CM) is Lido on Ethereum (LoE)’s origin, its first and - in terms of stake allocation - currently largest Staking Module (SM). Formerly known as the Node Operators Registry, the CM today, alongside the Simple DVT Module (SDVTM), operates as one of two permissioned and bondless SMs.

The CM consists of allow-listed independent professional staking organizations and Ethereum client teams, which operate validators using the protocol. Within the CM, stake is allocated in a “bottom-up” and withdrawn in a “top-down” approach based on the Node Operators (NOs)’ amount of currently active signing keys. Over time, this mechanic organically distributes stake evenly throughout the SM.

The CM, thanks to its maturity and robustness, acts as the fallback for whenever the remaining SMs have no depositable keys or are at capacity.

🔭 Vision

The ultimate goal of LoE in general, and the CM in particular, is the democratization of staking in Ethereum as enshrined in the Lido DAO Vibe and further refined in Hasu's GOOSE, ReGOOSE and GOOSE-2 proposals.

In the Lido protocol, the CM serves as the bulwark of the modular Staking Router (SR). Predicated on a permissioned, bondless design, historic onboardings where LDO tokenholders approved additions of NOs have focused on a diverse, distributed and ecosystem-aligned NO set. The CM allows for allocation of unrivaled amounts of stake, all while promoting credible neutrality for the network. Additionally, NOs have worked together with DAO contributors to make robust staking setups and transparency a priority, resulting in initiatives such as the Validators and Node Operator Metrics (VaNOM) reports. In practice, the participation of NOs from underrepresented regions, emphasis on varied infrastructural setups, and promotion of usage of minority clients in the CM have led to significant improvements in the decentralization of the Ethereum validator set as a whole.

As new modules and ways for NOs to use the Lido protocol are added, the robustness of the CM helps the protocol process both large amounts of deposits as well as withdrawals, allowing the protocol to keep pace with market demand at speed.

🏷️ Characteristics

Operator Onboarding: Permissioned & performed in waves as required

Bond Requirement: None
Rewards Share:

90% Stakers
10% Module

5% CM NO set
5% Lido DAO treasury

Distributed Validator Technology (DVT): Currently not supported
Stake Share Limit: None

📜 Status

Module Status: Live on mainnet & Holešky testnet

Node Operators UI

Node Operator Portal
Deployments

Core Protocol Contracts

Oracle Contracts

Easy Track Factories for Staking Modules

⚙️ Mechanisms

💹 Economics

The CM’s bondless economic model in tandem with LoE’s non-custodial design allows stakers to participate in securing the Ethereum network while simultaneously enjoying stETH’s unmatched utility and deep liquidity in exploring DeFi opportunities. All without the burden of having to deposit the full 32 ETH required to activate a validator or to technically operate the corresponding node - the latter being afforded by a broad set of independent professional NOs and client teams curated by LDO tokenholders for, i.e., values-alignment and diversity. This synergy aims to reward the contributions of both stakers and infrastructure providers for maintaining the overall health and security of the protocol.

Staker and NO rewards include both Execution Layer (EL) and Consensus Layer (CL) rewards. EL rewards and general block proposer expectations for NOs are addressed in the Block Proposer Rewards Policy. For information about historic protocol APR, you can visit the dedicated Dune dashboard, or utilize the Lido API to query a summary of the numbers yourself; for a per-module APR, the information available on Rated Network may be of use.

If incoming stake is directed to the CM by the Staking Router, the new stake is allocated prioritizing NO(s) that have the fewest amount of active validators (provided they also have depositable keys). From the perspective of validator exits, when needed e.g. as a result of demand for stETH withdrawals, the Validators Exit Bus Oracle (VEBO) prioritizes the exit of validators of NOs who operate the most active and longest-running keys. More information about validator exits can be found in the Validator Exits SNOP. Given these deposit and exit mechanisms, over time this creates an organic balancing act which results in a relatively flat distribution of stake, conducive to increasing fairness between NOs and the decentralization of the network.

Finally, the CM also acts as the fallback for all other SMs active in LoE today. This is enabled by the module having no limit on its "stake share limit", ergo always being available for deposit allocation if other modules are full or lack capacity of depositable keys.

🎁 Rewards Share

Staking rewards in the CM are currently split in a straight-forward manner: 90% of the daily rewards go to stakers via stETH rebases, while the remaining 10% go to the CM module share, which is equally distributed between the CM NOs and the Lido DAO treasury with 5% each.

Like for Simple DVT and the Community Staking Module (CSM), the lion's share for fulfilling validator duties - attesting to and proposing new blocks, participating in sync committees, and reporting network violations of the slashing rules - goes to stakers who provide the ETH deposits essential to Ethereum’s security.

For the technical component of validation, unlike in the SDVTM, CM NOs do not have to split their rewards with cluster peers and a DVT infrastructure provider, which is why the CM NO share (5%) is relatively lower than that of the SDVTM (8%). In contrast to the CSM, NOs that use the CM to run validators for LoE do not have to provide a bond, which is why the CM NO share (5%) is comparatively lower than that of the CSM (6%). For the CM NO portion, the share of each NO is calculated pro-rata based on the amount of validators operated by each NO as a share of total CM validators. The relative performance of NOs compared to each other and the relative performance differences in staking rewards for specific days are not taken into account.

The remaining portion (5%) of the CM module share (10%) goes towards the Lido DAO treasury for the ongoing development and maintenance of the CM.

Rewards Share in the Curated Module

Stakers	Module
90% to stETH rebases	10% - 5% to CM Node Operators, pro-rata based on active validators - 5% to Lido DAO treasury

🔮 Oracles

The Lido Oracle Daemon monitors the state of the protocol across both the Consensus Layer (CL) and Execution Layer (EL) and regularly submits update reports to the LoE smart contracts.

There are two Lido Oracle sub-modules relevant to the CM:

The Accounting Oracle (AO) updates the protocol TVL, allowing for the daily rebase which reflects the rewards from the previous day in stETH holders' balances and the rewards shared to NOs as well as the DAO Treasury, updates information about the number of exited and stuck validators, reports possible slashings, and processes stETH withdrawal requests. The AO also provides information to the protocol in case bunker mode needs to be enabled — a protective mechanism for the event of mass slashings or large negative rebases.
The VEBO is a mechanism for the protocol and SMs to request validator exits (e.g. in the case that funds are needed to fulfill withdrawal requests).

More information can also be found in the Oracle Operator Manual.

Contract Addresses

‣

Toggle for details

🛡️ Security

LoE has a whole range of security mechanisms built in. These begin with the non-custodial design, whereby no one has access or control over staker funds. DAO governance ensures that changes to LoE's permissioned NO sets, like of the CM, parameters and code are only possible with the approval of LDO token holders. This dimension will be further strengthened by the Dual Governance currently under development and thanks to its additional inclusion of stETH holders, will lead to an unprecedented involvement and control of the community over the protocol. Each line of code undergoes several extensive audits, is only deployed on-chain once all critical findings have been resolved, and is complementarily published alongside the audit reports as open source code for everyone to inspect, e.g. on GitHub. If, against all odds, a vulnerability can be discovered there, one of the most extensive Immunefi bug bounty programs is available to reward benign researchers for their contributions to the security of the protocol. The selection process of NOs for the CM begins with an open and transparent application process after which the Lido Node Operator Sub-governance Group (LNOSG) recommends a non-binding shortlist of NOs for consideration. Applications are assessed not only on the basis of performance and technical expertise, but also based on factors such as NO security practices, geographic distribution as well as the diversity of the hardware and node setups used. Through this value alignment, the LoE NO set has led network robustness, decentralization, and resiliency efforts, e.g. through calls for more balanced use of client software and the introduction and scaling of out-of-protocol proposer-builder separation (PBS).

🤝 Node Operators

In the CM, NOs are the professional services providers who run and manage the infrastructure and operations. The current 37-entity-set of independent staking providers and client teams of the CM has been onboarded in a total of six waves.

🗣️ Lido Node Operator Sub-governance Group

The LNOSG is a committee of NO representatives and industry experts that, together with the contributors to the Node Operator Mechanisms (NOM) workstream, aids the Lido community in curating the CM by providing counseling. Ultimately the LDO token holders are responsible for all actions though, as the LNOSG does not have control over the CM or any other part of the protocol. Maintenance of the CM is largely automated by LoE, and all regular module operations occur through the use of Easy Track motions which are an optimistic form of governance that allows for any LDO holder to object to actions proposed by curated NOs, NOM, or members of the LNOSG which a token holder may not be in agreement with. Key task of the LNOSG is to advise on the on- and off-boarding of CM NOs. This includes the due diligence on the teams behind potential NOs, evaluation of infrastructure setups and performance metrics, review of the value alignment and impact of community contributions, and making recommendations to the Lido community based on the findings gained and NOM's detailed insights into participant behavior during testnets and the application process. Other LNOSG activities include the participation in discussions on developments in the Ethereum, Lido protocol and broader staking ecosystem, as well as sharing proposals and updates on improvements to LoE with the community through the Research Forum and governance channels.

🤝 Onboarding, Lifecyle & Business Continuity

To date, 39 NOs have been registered with the CM, 37 of which still actively utilize the module today — albeit sometimes under different names due to mergers, acquisitions, or rebrandings that have taken place since the NOs have been onboarded. The high-level goal of the CM's demand-based onboarding approach is to maximize the positive impact of new NOs on the decentralization and resilience of the Ethereum network as well as the profitability of LoE, while minimizing the potential risks posed by the NOs and the protocol.

The CM’s lifecycle - from an NO expressing interest to join, over the operation of the first validators, to those keys or even the NO exiting the CM - is the following:

An NO expresses to the Lido community its interest to join the curated set via a dedicated form adherent to the announcement of an onboarding wave on the Lido Research Forum, X, Discord or Telegram.
The application is evaluated by the LNOSG and contributors to the NOM workstream and, if deemed suitable, the NO is shortlisted for discussion and vote on the inclusion in the CM registry of the Lido community
If the vote is affirmative, the NO’s address provided to the Lido DAO for the purpose of submitting signing keys to be used by the protocol and receiving stETH as a compensation for the services provided, will be added to the list of active NOs. Note that the address should be supplied with a limit of zero signing keys.
Once activated, the NO can generate and submit sets of signing public keys and associated signatures for future validators that it will operate. When generating the signatures, the NO must use withdrawal credentials derived from the withdrawal address supplied by the protocol.
Community members will check the submitted keys for correctness and, if everything is compliant, vote for approving them. After successful approval, the keys become usable by the protocol.
The share of LoE's total pooled ETH allocated to the CM is distributed evenly between all active NOs in 32 ETH chunks. When the SR distributes the next deposit, it takes the first unused signing key as well as associated signature from an NO’s usable set and performs the deposit to the official DepositContract, submitting the pooled funds. At that time, the NO should have its validator already running and configured with the public key being used.
From this point, the NO is responsible for keeping the validator associated with the signing key operable and well-behaving.
As long as the validator is running, the AO periodically reports the combined balance of all validators launched by the protocol. When this balance increases as a result of CL rewards, MEV and priority fees paid on the EL, the CM fee is charged and distributed among the active NOs as described in section Rewards Share.
If stakers request withdrawals in excess of what is readily available to the protocol, the VEBO algorithmically determines which validators have to exit and publishes a report on the requests which should be picked up and executed on by the NO through exiting the requested validator.
If, at any time, an NO is unable to continue operations, e.g. has become insolvent, the NO must notify the community via the Lido Research Forum of the circumstances and signal intent to exit all of the validators the NO operates using the CM. If LDO tokenholders do not instruct the NO otherwise, the NO must proceed with triggering all of the exits. Contributors to the NOM workstream will assist the NO in completing the offboarding process from the CM registry.

The table below gives an overview of the scope of the past onboarding waves, the IDs and names of the CM NOs as of December 2024.

Yellow entries: NOs that are undergoing LNOSG reassessment and/or are awaiting Lido community affirmation with respect to a possible continuation - e.g. because they have recently been acquired.

Red entries: NOs that aren’t active anymore and have left the CM NO set.

¹: started as Certus One before it got acquired by Jump Trading, rebranded a first and a second time before deciding to voluntarily exit LoE, a process that was completed with Jump Crypto's deactivation approved by the Lido community.

²: started as SkillZ before it rebranded.

³: got acquired by and merged with #13 Blockdaemon, a process that was completed with Anyblock Analytics' deactivation approved by the community.

⁴: got acquired by Solstice Labs, it is currently undergoing LNOSG reassessment with respect to a possible continuation.

⁵: started as HashQuark before it rebranded.

⁶: started as Codefi Staking before it rebranded, it is the organization developing the Besu & Teku clients.

⁷: started as CryptoManufaktur before it got acquired by Galaxy Digital, rebranded and got approved for continuation by the Lido community.

⁸: is the organization developing the Nethermind client.

⁹: is the organization developing the Lodestar client.

¹⁰: started as Prysmatic Labs before it got acquired by Offchain Labs and rebranded, it is the organization developing the client Prysm.

¹¹: is the organization developing the Lighthouse client.

¹²: got acquired by Bitwise, it is currently undergoing LNOSG reassessment with respect to a possible continuation and is the organization developing the Vouch client and Dirk keymanager.

¹³: is the organization developing the Nimbus client.

¹⁴: started as Numic before it got acquired by Pier Two, rebranded, got approved for continuation by the Lido community and is the organization developing the Lantern light client.

🛠️ Expectations & Consequences of Non-conformance

The CM, in line with the LoE, has a number of expectations of its NOs: good performance, robustness and resilience in businesses and setups, and foremost an ethos alignment with the underlying network. The specifiable aspects of the individual dimensions of Ethereum validator operations are detailed in dedicated documents and reflect the current state of Ethereum, LoE as well as the expectations and approaches of each of its SM. Formerly known as policies, two of these docs, which will be called Standard Node Operator Protocols (SNOPs) in the future, revolve around Block Proposer Rewards and Validator Exits.

The most important and relevant to the CM NOs expectations are the following: When generating, validating and submitting signing keys as well as configuring LoE validators, care must be taken to use the correct parameters. Apart from withdrawal credentials to be derived from the withdrawal address provided by the protocol, this also plays a crucial role in terms of the feeRecipient for MEV and the priority fees, which must always be set to the LidoExecutionLayerRewardsVault to avoid MEV hiding related consequences. Further attention with regard to MEV and PBS is required when subscribing to relays serving blocks from external builders. While NOs should subscribe to as many of the relays on the must-include and any number of the entries on the allow-list, both of which maintained by the Relay Maintenance Committee (RMC) and curated through DAO governance by LDO token holders, no unvetted relays should be set. A list of the vetted relays can be found on the Node Operator Portal or on-chain by querying the respective smart contract’s get_relays method. NOs must also timely process the exit requests pertaining to the validators they operate for the CM, e.g. by using the Keys API to pre-sign voluntary exit messages (VEMs) and the Validator Ejector to capture and process the requests emitted by the VEBO. Alternatively, custom implementations of community-built open-source tooling or any internal tools, APIs or manual processes may be used to aid in identifying and processing signalled requests.

Non-conformance with the expectations, parameters and afforded time frames as described in the guiding documents and SNOPs may lead to consequences like issues and requests of remediative actions being publicly raised on the Lido Research Forum, no new stake being allocated, NO rewards being reduced, exits of validators run for the CM being prioritized and, in the most egregious of cases, the respective NO being offboarded from the CM or LoE protocol as a whole.

📢 Communication

🔗 Channels

For further discussion and updates, refer to:

Lido Discord: https://discord.com/invite/lido
Lido Telegram

Public Channel: https://t.me/lidofinance
Private NOs Channel: Lido Validators

Lido X: https://x.com/lidofinance
Lido Research Forum: https://research.lido.fi/

📚 Resources

NOs interested or participating in the curated set may refer to the Node Operator Portal for initial information on the onboarding process, operations & expections, resources & tooling as well as the following for further reading.

🎓Tech Talks & Lectures

Learn more through the recordings of our tech talks and Node Operator Community Calls (NOCCs)

📄 Documentation

Improvement Proposals (LIPs) & Architecture Decision Records (ADRs):

Lido Docs
Lido Node Operator Portal

🛡️ Audits

Lido on Ethereum Audits

📈 Analytics

Follow the Discussion on VaNOM on the Lido Research Forum

All-in-One Lido Analytics Dune Dashboard

📈 Module Performance & Statistics

Mainnet

Holešky testnet

⚠️ Risk Mitigation

Not exclusive to the CM or LoE, there exist some risks when staking using liquid staking protocols (LSPs).

Like for any on-chain system, there is an inherent risk that LoE could contain a smart contract vulnerability or bug. This is why - as already described in the Security section - to mitigate smart contract risk, all core contracts are audited, the entire Lido code is open source, and covered by an extensive Immunefi bug bounty program.

Another aspect to consider is slashing risk. During active network participation, validators risk staking penalties, with up to 100% of staked funds at risk for severe misbehavior. To minimize slashing risk, the SR allocates stake evenly across the CM’s broad NO set of independent professional staking organizations and Ethereum client teams, who are also consistently supported in improving their processes, e.g. via the promotion of initatives like the Distributed Utilization of Configurations and Knowledge (D.U.C.K.), with additional mitigations in the form of LoE’s bunker mode and self-coverage Insurance Fund.

A third dimension is users risking an exchange price of stETH which is lower than its inherent value due to withdrawal restrictions on LoE, making arbitrage and risk-free market-making impossible.

The most important control mechanism in Lido is token governance. Every proposal, e.g. for the addition of an NO, a change in LoE’s strategic direction or code, requires the approval of the Lido community for at least a Snapshot, if not an additional on-chain vote. Thus, active participation in LDO governance is the strongest option to mitigate risks that could arise from emerging developments that a staker does not agree with. For those who do not have the capacity to always stay up-to-date on the latest proposals and vote on them, there is the possibility to transfer the voting weight of one’s LDO tokens to a delegate, who then participates on your behalf, a privilige that can of course be revoked by the staker at any time. With Dual Governance, Lido decision making will soon become even more inclusive, allowing even those who hold stETH, but no LDO, to delay enactment of proposals against their liking, if they succeed in mobilizing enough disapproving stETH to reach the required veto threshold and thus signal that they demand rectification of the proposal, or at least enough time to withdraw their tokens from the system before changes come into effect.

Contributors to the Lido DAO are driven to mitigate all the above risks to the extent possible. Despite this, they may still exist and, as such, it is the duty of contributors to communicate them.

Finally, the above-mentioned and many other aspects are made available transparently on the Scorecard, allowing everyone to get an impression of the latest updates and current state of LoE.

			#21 Consensys ⁶	#29 Attestant (BVI) Limited¹²	#37 ParaFi Technologies LLC
Wave 0 / Genesis	Wave 1	Wave 2	Wave 3	Wave 4	Wave 5
#0 Staking Facilities	#5 Blockscape	#9 RockX	#14 Stakin	#22 RockLogic GmbH	#30 Launchnodes
#1 Jump Crypto¹	#6 DSRV	#10 Figment	#15 ChainLayer	#23 Galaxy⁷	#31 SenseiNode
#2 P2P.ORG - P2P Validator	#7 Everstake	#11 Allnodes	#16 Simply Staking	#24 Kukis Global	#32 A41
#3 Chorus One	#8 Kiln²	#12 Anyblock Analytics³	#17 BridgeTower⁴	#25 Nethermind⁸	#33 Develp GmbH¹³
#4 stakefish		#13 Blockdaemon	#18 Stakely	#26 ChainSafe⁹	#34 Ebunker
			#19 InfStones	#27 Prysm Team at Offchain Labs¹⁰	#35 Gateway.fm AS
			#20 HashKey Cloud⁵	#28 Sigma Prime¹¹	#36 Pier Two¹⁴
					#38 RockawayX Infra