Purpose: Determines whether system claims and deployments are independently verifiable without reliance on insider assertions.
Question: Is the token contract source code publicly available and verified against deployment?
Status: ✅
Notes: The LDO token contract is published and verified on Etherscan. It uses the MiniMeToken standard with a TokenManager controller. The contract source is available at the verified Etherscan address.
Evidence:
Question: Are protocol contracts publicly available and verified against deployment?
Status: ✅
Notes: All core protocol contracts (StakingRouter, Agent, DualGovernance, Executor, EmergencyProtectedTimeLock) are published and verified on Etherscan with source code available.
Evidence:
Question: Is core protocol software/IP (and any associated licensing rights, where applicable) owned or controlled by a tokenholder-controlled legal entity?
Status: ✅
Notes: Lido Labs BORG Foundation is a memberless DAO-adjacent foundation company under which the Lido DAO has defined governance controls (including appointing/removing directors and overseeing BORG structures).
Evidence:
Purpose: Identifies who can override system outcomes through gatekeeping, privileged powers, rule changes, or ownership concentration.
Question: Are there no "Guardian" or "Admin" roles capable of freezing, blacklisting, or seizing tokens?
Status: ✅
Notes: The controller can burn tokens from any address and enable/disable transfers. Currently, BURN_ROLE on the TokenManager is given to no one, but its permission manager is the Voting contract. To enable burning, a proposal must go through Governance 1B to call setPermission on the ACL.
Evidence:
Question: Are significant ownership restrictions or protocol parameters (risk/economic) gated specifically by holders?
Status: ✅
Notes: User funds deposited into the Lido protocol accumulate in the buffer and can only be deposited into a staking module by the DepositSecurityModule, which is controlled by Guardians, not LDO holders.
Guardians are addresses of node operators + LDO dev team, connected to automated software that performs security checks on deposits and runs on trusted entities.
While deposits are operationally executed by the DepositSecurityModule (Guardians), this does not constitute privileged protocol control independent of LDO holders:
- Guardians are fully accountable to LDO holders. They can be rotated, replaced, or their mandate changed through on-chain voting.
- Guardians do not control protocol parameters or economic risk. They cannot change staking ratios, fee splits, module shares, or risk parameters. All meaningful economic and risk-related decisions remain under LDO control.
Evidence:
- DepositSecurityModule
- Lido.sol deposit logic
- Guardians
- Guardians use automated software
- Guardians cannot control stake allocation
Question: Does any one group control a majority share of the voting supply?
Status: TBD
Notes: Aragon has not checked whether the distribution of LDO holders outside of the core team is >50%.
Evidence: None
Question: Does an on-chain workflow exist that gives holders ultimate voting power? (e.g., Timelocks or DAOs).
Status: ✅
Notes:
Governance 1A: Voting (LDO holders) → DualGovernance (stETH challenge window) → EmergencyProtectedTimeLock (time delay) → Executor → Agent → Protocol Contracts. LDO holders have ultimate control, constrained by stETH right to exit when disagreeing. This flow is used for protocol-related contracts.
Governance 1B: Voting (LDO holders) → Protocol Contracts. This flow is used for DAO-related contracts.
Governance 2: Lido Easy Track is an optimistic governance system where certain operations can be vetoed by LDO holders but are assumed to pass. This is primarily used for granting, treasury operations, and management of staking modules.
Easy Track motion proposers (committees) create motions for predefined actions such as staking limit increases or grant top-ups. A motion passes automatically unless ≥0.5% of LDO objects within 72 hours. Execution is permissionless after the timelock if the motion is unopposed; rejected motions escalate to a full Aragon vote. At most 20 motions can be active at once, and an emergency dev multisig pause is available.
Evidence:
- Voting
- DualGovernance
- EmergencyProtectedTimeLock
- Executor
- Agent
- Easy Track Interface
- Easy Track Guide
Question: Are all significant privileged roles (those impacting value/ownership) gated by the holder workflow and revocable?
Status: ✅
Notes: All critical roles flow through governance-controlled contracts, ensuring LDO holders maintain ultimate control over the protocol.
Voting: Voting contract is controlled by LDO holders.
Agent: EXECUTE_ROLE is given to Executor. Executor is owned by EmergencyProtectedTimeLock, which is controlled by DualGovernance, which is controlled by Voting contract.
TokenManager: MINT_ROLE is given to Voting contract. BURN_ROLE is given to no one as of now, but its permission manager is Voting contract.
StakingRouter: STAKING_MODULE_MANAGE_ROLE is given to Agent contract. Since Agent is only callable by Governance 1, all operations are controlled by LDO holders.
Evidence:
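An added example (not part of the original assessment and not Lido's code): the role assignments listed in the Notes above, encoded as a constructed table and walked programmatically to confirm that each privileged role resolves to the Voting contract. The table is transcribed from this page rather than read from chain, and `chain_to_root` and `audit` are hypothetical helper names.

```python
ROOT = "Voting"  # the contract controlled directly by LDO holders

# contract -> contract that controls it, as stated in the Notes (constructed table)
CONTROLLED_BY = {
    "Agent": "Executor",  # EXECUTE_ROLE on Agent is held by Executor
    "Executor": "EmergencyProtectedTimeLock",
    "EmergencyProtectedTimeLock": "DualGovernance",
    "DualGovernance": "Voting",
}

# (contract, role) -> (current holder or None, permission manager or None)
ROLES = {
    ("Agent", "EXECUTE_ROLE"): ("Executor", None),
    ("TokenManager", "MINT_ROLE"): ("Voting", None),
    ("TokenManager", "BURN_ROLE"): (None, "Voting"),
    ("StakingRouter", "STAKING_MODULE_MANAGE_ROLE"): ("Agent", None),
    ("Kernel", "APP_MANAGER_ROLE"): ("Agent", None),
}

def chain_to_root(start, controlled_by, root=ROOT):
    """Follow controller links from start; return the path if it ends at root, else None."""
    path, seen = [start], {start}
    while path[-1] != root:
        nxt = controlled_by.get(path[-1])
        if nxt is None or nxt in seen:  # dead end or cycle: not holder-gated
            return None
        path.append(nxt)
        seen.add(nxt)
    return path

def audit(roles, controlled_by, root=ROOT):
    """Classify each role as gated / dormant / UNGATED, with the chain that proves it."""
    report = {}
    for (contract, role), (holder, manager) in roles.items():
        # An unassigned role is only as safe as whoever is able to grant it.
        subject = holder if holder is not None else manager
        path = chain_to_root(subject, controlled_by, root) if subject else None
        if path is None:
            verdict = "UNGATED"
        elif holder is None:
            verdict = "dormant"  # nobody holds it; the grant path is holder-gated
        else:
            verdict = "gated"
        report[f"{contract}.{role}"] = (verdict, path)
    return report

if __name__ == "__main__":
    for name, (verdict, path) in audit(ROLES, CONTROLLED_BY).items():
        print(f"{name:45} {verdict:8} {' -> '.join(path or [])}")
```

A role whose holder is missing from the table, or whose chain loops back on itself, is reported as UNGATED instead of being assumed safe.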
Question: Do holders control the upgrade logic via governance, or is the contract immutable?
Status: ✅
Notes: The LDO token contract is immutable with no proxy pattern. However, it has a controller address (TokenManager) that can call privileged functions (generateTokens, destroyTokens, enableTransfers, claimTokens). Additionally, the token's doTransfer function includes a hook that calls the controller contract, which is upgradeable.
Since TokenManager is upgradeable via Aragon proxy, the token's behavior can be modified through controller upgrades, making LDO Token partially upgradeable in practice.
Upgrading TokenManager requires calling setApp(tokenManager, …) on the Kernel, protected by APP_MANAGER_ROLE, which is assigned to the Agent contract.
Evidence:
Question: Is the supply fixed/programmatic, or do holders control the minting process? (No third-party "Minter" roles).
Status: ✅
Notes: The LDO token's controller (TokenManager) can mint unlimited tokens. However, minting requires MINT_ROLE on TokenManager, which is held by the Voting contract.
This enforces the minting path: Voting (LDO holders) → TokenManager → Token.generateTokens(). No supply cap exists, but all mints require tokenholder approval.
Evidence:
Question: Do holders control the implementation logic of the specific "Engine" or product?
Status: ✅
Notes: The protocol contracts can be upgraded by the Agent contract (hence, by LDO holders).
StakingRouter: proxy_getAdmin is set to Agent.
Agent: Uses Aragon v1 Proxy and upgrading requires calling setApp(Agent, …) on the Kernel, which requires APP_MANAGER_ROLE (currently given to Agent itself). Hence, upgrade is controlled by LDO holders.
DualGovernance, Executor, EmergencyProtectedTimeLock are NOT upgradeable.
Evidence:
Purpose: Measures whether programmatic mechanisms convert system operation into observable token-level economic benefit.
Question: Are value flows currently active and governed by holders (non-discretionary)?
Status:
Notes: LDO token holders currently have no direct value accrual mechanism from protocol revenue. However, governance is exploring buyback mechanisms to return value to token holders, with proposals under consideration for liquid buyback execution using protocol treasury funds.
Evidence:
Question: Is the protocol treasury programmatically controlled by the token-governance workflow?
Status: ✅
Notes: The Lido DAO Treasury is the Agent contract itself, controlled by LDO holders. Decisions on treasury management are excluded from the Dual Governance scope and can't be challenged by stETH holders. The Treasury Management Committee is responsible for maintaining and executing policies related to treasury management in accordance with the approved principles. The committee proposes and enacts strategies and decisions via Governance 2.
LDO holders, via Governance 1A, control treasury revenue by approving staking modules and setting and updating each module's treasury fee in the StakingRouter. This fee determines the portion of staking rewards routed to the Lido treasury.
Evidence:
Question: Can holders modify accrual parameters (e.g., changing fee splits or rates)?
Status: ✅
Notes: Adding a new staking module or updating one with new fees requires the full governance flow, so it is controlled by LDO holders.
Evidence:
Purpose: External systems, entities, or agreements materially affecting outcomes.
Question: Are core trademarks and brand assets owned or controlled by a tokenholder-controlled legal entity?
Status:
Notes: European trademark registrations for LIDO list Lido Labs Foundation as the owner.
Evidence:
Question: Are primary domains and distribution assets owned or controlled by a tokenholder-controlled legal entity?
Status: ✅
Notes: Lido Labs BORG Foundation is a memberless DAO-adjacent foundation company under which the Lido DAO has defined governance controls (including appointing/removing directors and overseeing BORG structures).
Evidence: