Summary
This proposal introduces the Penalty Framework for the Curated Module v2 (CMv2) as the baseline process for assessing and applying penalties to Node Operators. The Framework establishes how the Curated Module Committee (CMC), with analysis and support from the NOM team (Node Operator Mechanisms workstream of DAO contributors), reviews incidents involving Node Operator conduct, misconfiguration, underperformance, or other protocol-impacting events.
This framework does not presume automatic penalties. Each incident is assessed on a case-by-case basis against factors such as impact, cause, preventability, responsiveness, transparency, recurrence, and whether the Node Operator took steps to avoid greater protocol risk.
Approving this Framework also establishes how it can be maintained going forward: the CMC becomes authorised to update operational elements specified below without a separate DAO vote for each change, provided the core principles, penalty mechanisms, Node Operator obligations, and governance structure remain unchanged.
Background
Node Operators operate validators as part of the Lido protocol. Failures in validator operations, such as missed block attestations or proposals, insecure key handling, delayed withdrawals, slashing, or misdirected execution layer rewards, can create direct and/or indirect losses for stakers and reputational risk for the Lido protocol. Not every such failure reflects Node Operator fault: some arise from causes outside their reasonable control, such as client bugs, relay failures, network-wide events, or coordinated risk mitigation. Hence, incidents need to be assessed on their specific circumstances rather than resolved through a fixed rulebook. This Framework sets out the principles, factors, and process that guide that assessment.
Penalties are not intended to be punitive by default. They exist to:
- Compensate the protocol for identifiable losses, missed rewards, or improperly redirected rewards.
- Discourage conduct that creates avoidable operational, security, or reputational risk.
- Encourage timely remediation and cooperation by Node Operators.
- Protect stakers and the protocol from losses caused by preventable conduct or non-compliance.
- Preserve the integrity and reliability of the Curated Module v2.
Core Principles
- Proportionality. The penalty amount should be proportionate to the actual or reasonably estimated harm, including direct losses, missed or misdirected rewards, added operational cost, and the risk the incident introduced to the protocol, adjusted for relevant aggravating or mitigating circumstances.
- Accountability. Where harm results from conduct the Node Operator could reasonably have prevented, such as misconfiguration, poor key management, inadequate monitoring, inadequate backup or failover arrangements, slow response, or deliberate misconduct, the CMC can apply a penalty and/or recommend additional measures. Harm resulting from causes genuinely outside the Node Operator’s control should be assessed accordingly, and such incidents may be considered as carrying less weight in the assessment of accountability.
- Preservation of protocol safety. The Framework shouldn't create an incentive to take unsafe action just to avoid a penalty. If a Node Operator, in coordination with NOM or other relevant Lido contributors, takes conservative action to reduce slashing or key-compromise risk, even if that results in downtime or missed rewards, that decision should be assessed in light of the risk avoided.
- Case-by-case assessment and non-exhaustivity. The CMC assesses each incident on its own facts, treating the Framework's categories as reference points rather than a rulebook of automatic triggers. Matching a listed category doesn't guarantee a penalty, and falling outside one doesn't guarantee immunity: the CMC can act on a pattern, a combination of incidents, or repeated lower-severity issues that don't fit into a single category. A list of common incident categories is provided in the forum post for illustration and is not exhaustive.
Assessment Factors
Assessment considers two key aspects: the actual event, its impact, duration, cause, intent, preventability and the way the Node Operator responded, including responsiveness, coordination, transparency, and any history of recurrence. Risk avoided and the quality of available evidence round out the assessment.
Penalty Mechanisms
After the CMC evaluates the above-mentioned factors and determines an applicable penalty, the Framework provides two options for resolution:
- General Delayed Penalty. The manual settlement mechanism, used after the CMC has already made a case-by-case decision that a penalty should be applied. Once decided, the CMC reports a penalty amount (estimated harm plus applicable penalty fee), which is locked from the Node Operator's bond. From there, the locked amount is either burned through governance/Easy Track to cover the loss, or released back if the Node Operator compensates directly or the CMC doesn't pursue it further within the period set by the CMv2 parameters.
- Voluntary Compensation Fast Track. If the NOM team, the CMC, and the Node Operator agree on the incident assessment and compensation amount, the Node Operator may voluntarily compensate the relevant amount to the Lido Execution Layer Rewards Vault, thereby bypassing the General Delayed Penalty route. However, the CMC and NOM team can still require remediation, post-incident explanation, or monitoring afterwards.
Review Process
- NOM identifies incidents through monitoring, validator performance data, relay or builder data, execution layer reward analysis, exit monitoring, key submission checks, public or community reports, Node Operator self-reporting, or other sources. A case may be opened where a material risk is identified, or the circumstances otherwise warrant investigation. At this stage, NOM may also determine whether urgent mitigation or additional information from the Node Operator is required.
- NOM gathers relevant information, which may include the incident timeline, affected validators and their balances, root cause analysis, infrastructure or configuration details, relay, builder, fee recipient, or reward-flow evidence, and remediation actions already taken or planned by the Node Operator. Failure to provide timely and complete information may be considered an aggravating factor.
- NOM prepares materials for CMC review, including the incident description, available evidence, Node Operator submissions, affected validators, estimated or actual losses, and any relevant mitigating or aggravating factors. Where precise calculation is not possible, losses may be reasonably estimated using conservative assumptions or other reasonable calculation methods.
- Reviewing that material alongside the Node Operator’s own submissions and any other relevant information, the CMC may decide that no penalty is warranted, further information or monitoring is required, voluntary compensation is appropriate, a General Delayed Penalty should be applied, the Node Operator’s stake allocation, participation in the Curated set, or type should be reviewed, or the matter should be escalated to the DAO.
Communication & Disagreement
Each reported penalty is published on the Lido Research Forum, including the incident description, the basis for the penalty, the category of harm, and the calculation/estimation approach used, subject to any confidentiality, security, or operational limits.
If a Node Operator disagrees with the assessment, the decision, the proposed compensation, or the penalty itself, they can respond on that Research Forum thread with additional evidence, alternative calculations, or mitigating context. The CMC will factor that in where timing allows, but disagreement alone doesn't pause urgent protective action if the CMC judges it necessary to protect the protocol. Separately, the Node Operator should be informed of the determination, its basis, and any expected remediation steps; urgent protective measures can be taken before the investigation is fully complete if needed.
Framework Maintenance & Future Updates
Approving this Framework also establishes how it will be maintained going forward: the CMC becomes authorised to update operational elements, including incident-assessment thresholds, benchmarks, calculation methodologies, examples, and procedural clarifications, without requiring a separate DAO vote for each change, provided the core principles, penalty mechanisms, Node Operator obligations, and governance structure set out here remain unchanged.
Any change that goes beyond routine maintenance, such as a change that materially affects the scope of penalties, a new penalty mechanism, a material change to Node Operator obligations, or a change to decision-making authority, still requires a full DAO vote.
All updates made under this maintenance authority, whether routine or otherwise, are published on the Research Forum for visibility.
Next steps
If approved:
- The Framework becomes the baseline process for assessing and applying penalties to CMv2 Node Operators, effective immediately.
- The CMC will be authorised to maintain and update the Framework’s operational elements, such as incident-assessment thresholds, benchmarks, calculation methodologies, examples, and procedural clarifications, as long as the core principles, penalty mechanisms, Node Operator obligations, and governance structure remain unchanged.