Comparative Analysis: Pros and Cons of Permissioned vs Open Validator Sets

Written by Stakely.

The decentralized nature of Web3 has led to a revolution in how digital systems can be organized. However, controversies have arisen regarding who should operate nodes within a Liquid Staking protocol, and how this should be done. Two main approaches are considered: a set of permissioned operators and a set of permissionless operators. In this comparative analysis, we will explore these approaches in detail, examining their pros and cons and how they align with the philosophy of Web3.

Understanding the flow of funds in Liquid Staking protocols

Liquid staking protocols in the Ethereum ecosystem operate by holding funds within a secure smart contract. This setup provides a measure of control, allowing the smart contract to manage which validators are entrusted with the funds. In addition, it can implement safeguards such as requiring an exit message from the validator to guarantee the recovery of funds in case of misconduct.

The rewards generated by a validator within this system can be categorized into two different groups:

• Consensus layer rewards: These rewards are both controllable and non-stealable. When the validator is created and deposited, the destination address is specified, ensuring a secure path for the rewards to reach their intended destination.
• Execution layer rewards: Unlike withdrawal rewards, these are susceptible to theft in circumstances where malicious behavior is involved.

Pros and Cons of Open Validator Sets

Open or permissionless validator sets adhere to a decentralized philosophy where anyone can become a node operator within a liquid staking protocol. This approach ensures that the network remains open and inclusive, reflecting the fundamental principles of Web3.

Pros

• Decentralization: In line with the Web3 philosophy, anyone can run nodes, thus encouraging broader participation.
• Economic accessibility: Compared to the 32 ETH required to run a traditional validator, collateral as low as 4 ETH per validator in most protocols makes it much more accessible. 

Cons

• MEV (Maximum Extractable Value): Although remote, the risk of MEV theft is a real concern. This theft occurs when a validator faces a situation where it might be more profitable to steal the rewards from a block (containing several ETH) and lose the collateral they’ve deposited, rather than acting honestly.
• High collateral requirements: To avoid MEV theft, some protocols require collateral as high as 8 ETH per validator, as in the case of Rocket Pool. While 4 ETH is the majority choice, high collaterals may present a barrier for some users, leading to economic challenges and insufficient validators.
• APR decline: In liquid staking protocols, rewards are distributed between the ETH in validators and the ETH waiting to enter the validators. A large queue of ETH can lead to a decrease in the APR, making it less attractive and leading to a decline in value.
• Risks from anonymous operators: An anonymous operator controlling a large number of nodes can potentially execute a Sybil Attack, causing harm even at the expense of losing collateral.
• Lower performance: Inexperienced users may not achieve optimal performance, leading to reduced overall efficiency.

Pros and Cons of Permissioned Validator Sets

Permissioned validator sets represent a more controlled approach where validators are specifically chosen. This often means working with specialized node operators. While this method might seem to contradict the decentralization principles of Web3, it can offer benefits in security, performance, and stability.

Pros:

• Specialized node operators: Chosen operators can run thousands of validators without collateral, ensuring sufficient validators for the available ETH.
• Reduced risk of misconduct: Businesses with people responsible for their actions provide a disincentive for malicious behavior, and insurance may cover certain losses.
• Alignment with current technology: While the ecosystem matures, permissioned operators continue to play a crucial role in network security.

Cons:

• Centralization: This approach conflicts with the decentralized philosophy of Web3 and may be subject to manipulation, control, and special interests.
• Risk of Cartel Formation: By relying on selected node operators, there’s a risk that a group of powerful entities could collude to form a cartel, exerting undue influence and control over the network.

Permissionless vs Permissioned: Key differences to determine which suits your project

The choice between permissionless and permissioned validator sets is often challenging, reflecting differing priorities in decentralization, security, and economic accessibility. The following table provides a comparative overview of these two models, highlighting the key differences and potential advantages and disadvantages. Understanding these distinctions can guide project developers in selecting the model that best aligns with their goals and values.

A real-world look at permissioned, permissionless, and hybrid approaches

Rocket Pool: Embodying fully decentralized liquid staking

Rocket Pool stands out as Ethereum’s most decentralized liquid staking protocol, allowing anyone to join as a node operator to help secure the Ethereum network.

To become a node operator, an individual requires a collateral of 8 ETH plus 2.4 ETH worth of RPL, Rocket Pool’s native token. In addition, node operators not only earn commission from staking ETH in the deposit pool but also receive RPL rewards for providing RPL collateral. This approach to collateral demonstrates how flexible and accessible structures can successfully facilitate decentralized participation.

StaFi: A permissionless use case

As one of the earliest permissionless liquid staking protocols for Ethereum, StaFi embarked on an ambitious path that required an 8 ETH collateral for operating a node. With Ethereum at an ATH of $4,000, this 8 ETH collateral represented a significant economic barrier, especially when withdrawals in the Beacon Chain were still uncertain. This high entry barrier led to the ensuing unpeg of StaFi’s rETH token. The challenge did not deter the team; instead, they created a set of permissioned validators to manage the excess ETH in the queue. By later removing the collateral requirement, they successfully navigated a complex situation. 

Swell and Lido: A permissioned approach

The permissioned use cases of Swell and Lido provide insights into more controlled environments:

• Lido, with Stakely as one of the selected node operators, demonstrates how community-based governance can be integral to selecting and managing node operators. By entrusting validators’ selection to community votes, Lido ensures alignment with the DAO’s values and a focus on track record and industry reputation.

• Swell‘s permissioned group of professional node operators, including Stakely, was selected based on expertise and risk management practices. By selecting professional node operators based on specific criteria, Swell aims to gradually evolve into a permissionless system. This illustrates a transitional approach that combines technical excellence with a commitment to diversity.

Stader: A blended model

Finally, Stader offers an interesting fusion of both permissionless and permissioned systems. By allowing nodes to participate with a 4 ETH collateral and additional 0.4 ETH in Stader’s token (SD), while distributing excess ETH among permissioned operator nodes, Stader creates a dynamic that leverages the strengths of both models. This highlights how flexibility can be maintained within a framework that seeks to balance openness and control.

Future outlook: balancing permissioned and permissionless validator sets

In the ever-evolving landscape of blockchain technology, the future promises innovations that may reshape the balance between permissionless and permissioned validator sets. We expect the gradual reduction of complexity in running validators, the predictability of MEV, and the decline in hardware costs.

The current challenge in defining the collateral requirements for a validator centers on the unpredictable nature of MEV theft, where assessing how much MEV a malicious validator might extract is not easily quantifiable. The introduction of MEV-BURN, capping gains from block production, will simplify the calculation of necessary collateral.

These developments not only lowers collateral needs but also encourages a shift towards more permissionless validator sets, allowing more participants to contribute to the network’s security and performance. However, until this level of maturity and stability is achieved, permissioned node operators will continue to play an essential role in safeguarding the network and liquid staking protocols.

Conclusion

The decision between permissioned and permissionless validator sets in blockchain, especially in the context of Liquid Staking, involves complex trade-offs. While permissioned sets offer specialized expertise and security, they compromise on the decentralization ideals of Web3. Conversely, permissionless sets keep true to the Web3 philosophy but come with their unique set of risks and challenges.

As the technology evolves, the balance may shift, but for now, both approaches are crucial in their ways. The challenge lies in navigating these intricacies to find a solution that aligns with both the philosophical fundamentals of decentralization and the practical needs of security and accessibility.