# CSM parameters

The doc aims to provide values for all configurable and constant CSM parameters and motivations for why they are proposed to be so.

## Constants

### `DEPOSIT_SIZE`
```solidity
uint256 private constant DEPOSIT_SIZE = 32 ether;
```
#### Proposed value = `32 ETH`

This constant represents the deposit size to activate a validator on the Beacon chain. Until [EIP-7251](https://eips.ethereum.org/EIPS/eip-7251) is implemented, `32 ETH` will be the only possible value. Given that CSM would require an upgrade to smart contracts after [EIP-7251](https://eips.ethereum.org/EIPS/eip-7251) i, it is proposed to have a constant value of `32 ETH` for the first version of CSM.

### `BEACON_ROOTS`
```solidity
address public constant BEACON_ROOTS = 0x000F3df6D732807Ef1319fB7B8bB8522d0Beac02;
```
#### Proposed value = `0x000F3df6D732807Ef1319fB7B8bB8522d0Beac02`

This constant represents the address of the [EIP-4788](https://eips.ethereum.org/EIPS/eip-4788) contract. The address is taken from the official [EIP docs](https://eips.ethereum.org/EIPS/eip-4788).

## Immutable variables

### `INITIAL_SLASHING_PENALTY`
```solidity
uint256 public immutable INITIAL_SLASHING_PENALTY;
```
#### Proposed value = `1 ETH`

This immutable variable is used by CSM to penalize the Node Operator's bond in case of validator slashing. Until  [EIP-7251](https://eips.ethereum.org/EIPS/eip-7251) is implemented, 1 ETH will be the maximal possible value (given the effective balance is 32 ETH). Given that CSM would require an upgrade to smart contracts after  [EIP-7251](https://eips.ethereum.org/EIPS/eip-7251), it is proposed to have an immutable value of `1 ETH` for the first version of CSM.

Note: This immutable variable is set indirectly by setting `minSlashingPenaltyQuotient = 32`.

### `elRewardsStealingFine`
```solidity
uint256 public immutable EL_REWARDS_STEALING_FINE;
```
#### Proposed value = `0.1 ETH`

This immutable variable is used by CSM to add an additional fine to the MEV stealing penalty in case the Node Operator has committed EL rewards (MEV) stealing.

It is proposed to set a `0.1 ETH` value for this immutable variable since this creates a disincentivisation to commit MEV stealing and compensate it "free of charge". Several actions are required from the DAO side in case of MEV stealing:
- Detect the fact of stealing;
- Report the fact of stealing to lock bond funds;
- Confirm the fact of stealing using Easy Track motion.
All these actions require effort and gas to perform; hence, the additional fine of `0.1 ETH` seems reasonable.

### `maxKeysPerOperatorEA`
```solidity
uint256 public immutable MAX_SIGNING_KEYS_PER_OPERATOR_BEFORE_PUBLIC_RELEASE;
```
#### Proposed value = `12`

This immutable variable is used by CSM to determine a maximal number of the validators operated by a single Node Operator in CSM during the Early Adoption period.

It is proposed to set a value of `12` for this immutable variable due to the following reasons:
- The Early Adoption period is aimed at attracting solo-stakers who typically operate a few validators due to hardware and financial limitations;
- Running `12` validators with CSM will be sufficient to cover operational costs with excess;
- Limit of `12` validators ensures that professional Node Operators will not be able to flood the module;
- Given the fact that bond requirements for the mainnet were reduced compared to the testnet, it is proposed to have the same `~16 ETH` worth of bond to correspond to keys limit;
- Once the Early Adoption period ends, this limit will be removed.

### `maxKeyRemovalCharge`
```solidity
uint256 public immutable MAX_KEY_REMOVAL_CHARGE;
```
#### Proposed value = `0.1 ETH`

This immutable variable is used by CSM to determine a maximal value to be set as `keyRemovalCharge`.

It is resonable to limit the maximal value of `keyRemovalCharge` with `0.1 ETH` given the maximal operational costs for the protocol assosiated with key removal. 

### `maxCurveLength`
```solidity
uint256 internal immutable MAX_CURVE_LENGTH;
```
#### Proposed value = `10`

This immutable variable is used by the CSM Accounting contract to determine a maximal number of validators starting from the very first one to have a custom bond requirements.

Given the focus of CSM on the Community Stakers and security considerations regarding [MEV stealing protection](https://research.lido.fi/t/risk-assessment-for-community-staking/5502), it is assumed that having a differing value for the bond of the 10th and further validators for CSM Node Operators makes no meaningful sense. Hence, it is proposed to allow custom bond values for the first 10 validators controlled by the CSM Node Operators while keeping the bond requirement constant for the rest of the validators.

### `minBondLockRetentionPeriod`
```solidity
uint256 public immutable MIN_BOND_LOCK_RETENTION_PERIOD;
```
#### Proposed value = `4 weeks`

This immutable variable is used by the CSM Accounting contract to determine a minimal value for the configurable `bondLockRetentionPeriod` parameter, which determines the time for which bond funds will be locked, given no further actions.

`bondLockRetentionPeriod` is introduced to ensure that locked bond funds will be unlocked automatically once the `bondLockRetentionPeriod` ends. Since MEV stealing confirmation requires some time from the Lido DAO side (verification of the MEV stealing fact + actual confirmation by EasyTrack that takes 72 hours), setting the lower boundary for the bondLockRetentionPeriod value to 4 weeks is considered safe.

### `maxBondLockRetentionPeriod`
```solidity
uint256 public immutable MAX_BOND_LOCK_RETENTION_PERIOD;
```
#### Proposed value = `365 days`

This immutable variable is used by the CSM Accounting contract to determine a maximal value for the configurable `bondLockRetentionPeriod` parameter, which determines the time for which bond funds will be locked, given no further actions.

`bondLockRetentionPeriod` is introduced to ensure that locked bond funds will be unlocked automatically once the period ends. To provide a feasible unlock time without actions from the Lido DAO side, it is proposed to set the upper boundary for the period to `1 year` (or `365 days`). 

### `earlyAdoptionTreeRoot`
```solidity
bytes32 public immutable TREE_ROOT;
```
#### Proposed value = `0x359e02c5c065c682839661c9bdfaf38db472629bf5f7a7e8f0261b31dc9332c2`

This variable is used by the CSM Early Adoption contract to determine the root of the [Early Adoption](https://hackmd.io/@lido/HyKgaBMj6) eligible participants.

See https://research.lido.fi/t/community-staking-module/5917/62 for details

## Storage variables
### `keyRemovalCharge`
```solidity
uint256 public keyRemovalCharge;
```
#### Proposed value = `0.05 ETH`

This variable is used by CSM to determine the amount of ETH to be confiscated from the Node Operator's bond in case deposit data is deleted. Due to CSM's [optimistic FIFO](https://hackmd.io/gGRgZ0yeTnm-9SSFuHrXwg?view#Stake-allocation-queue) stake allocation queue, deletion of deposit data might require a call to the `cleanDepositQueue` method to ensure proper queue operation.

According to the approximate gas estimations, a call of the `csm.cleanDepositQueue(150)` (clean the next 150 queue items) with 1 invalid batch in the queue costs around `1,000,000` gas. With a gas cost of `50 gwei` (extreme value), the call will cost ~ `0.05 ETH`.

> **Note:** `keyRemovalCharge` value is configurable after deployment, hence, it can be set to a different value later (can even be `0`)

### `chargePenaltyRecipient`
```solidity
address public chargePenaltyRecipient;
```
#### Proposed value = [`0x3e40D73EB977Dc6a537aF587D48316feE66E9C8c`](https://etherscan.io/address/0x3e40D73EB977Dc6a537aF587D48316feE66E9C8c) (Lido Treasury)

This variable is used by the CSM Accounting contract to determine the recipient of the [`charge` type penalty](https://hackmd.io/gGRgZ0yeTnm-9SSFuHrXwg?view#Mechanics). A penalty that is not burned but confiscated with the following transfer.

Given that all operational costs for the Lido On Ethereum protocol are covered by the Lido DAO Treasury, it is proposed to transfer funds confiscated from the Node Operator's bond to the Lido DAO Treasury.

### `bondLockRetentionPeriod`
```solidity
uint256 bondLockRetentionPeriod;
```
#### Proposed value = `8 weeks`

This variable is used by the CSM Accounting contract to determine the time for which bond funds will be locked, given no further actions.

Given the limitations above, it is proposed to set the actual value for the `bondLockRetentionPeriod` to 8 weeks. This will give enough time for the Lido DAO to act in case of MEV stealing detection and ensure no excessive lock time in case no actions are taken by the Lido DAO.

### `setResetBondCurveAddress`

#### Proposed value = [`0xC52fC3081123073078698F1EAc2f1Dc7Bd71880f`](https://app.safe.global/home?safe=eth:0xC52fC3081123073078698F1EAc2f1Dc7Bd71880f) (CSM multisig)

This address will be granted with two roles: `SET_BOND_CURVE_ROLE` and `RESET_BOND_CURVE_ROLE`.

With these roles, the address will be able to set and reset the bond curve for the particular Node Operator.

### `bondCurve`

#### Proposed value = `[2.4 ether, 3.7 ether]`

- Validator 1 - `2.4 ETH`
- Validator >= 2 - `1.3 ETH`

This variable is used by the CSM Accounting contract to determine the default bond requirements for the CSM Node Operators.

Corresponding research with regard to the bond curves can be found [here](https://research.lido.fi/t/risk-assessment-for-community-staking/5502/4).

### `earlyAdoptionBondCurve`

#### Proposed value = `[1.5 ether, 2.8 ether]`

- Validator 1 - `1.5 ETH`
- Validator >= 2 - `1.3 ETH`

This variable is used by the CSM Accounting contract to determine the bond requirements for the [Early Adoption](https://hackmd.io/@lido/HyKgaBMj6) participants.

Corresponding research with regard to the bond curves can be found [here](https://research.lido.fi/t/risk-assessment-for-community-staking/5502/4). Early Adoption benefits approach is described [here](https://blog.lido.fi/introducing-early-adoption-for-community-staking-module/).

### `elRewardsStealingReporter`

#### Proposed value = [`0xC52fC3081123073078698F1EAc2f1Dc7Bd71880f`](https://app.safe.global/home?safe=eth:0xC52fC3081123073078698F1EAc2f1Dc7Bd71880f) (CSM multisig)

This address will be granted with the role: `REPORT_EL_REWARDS_STEALING_PENALTY_ROLE`.

With this role, the address will be able to report the facts of MEV or EL rewards stealing by CSM Node Operators to lock a bond amount equal to stolen ETH. Penalty application is performed by `easyTrackEVMScriptExecutor` granted with the `SETTLE_EL_REWARDS_STEALING_PENALTY_ROLE` role.

## CSM Oracle

### `avgPerfLeewayBP`
```solidity
uint256 public avgPerfLeewayBP;
```
#### Proposed value = `500 BP`

This variable is used by the CSM FeeOracle contract to determine the difference between average network validator performance and CSM validator performance that is treated as "good performance". The actual formula is `performanceThreshold = avgPerformance - avgPerfLeewayBP`.

It is proposed to set the `avgPerfLeewayBP` to `500 BP` (5%) to provide meaningful leeway for the community validator's performance while keeping the threshold high enough to maintain compatible APR for the stETH holders.

### `oracleReportEpochsPerFrame`
#### Proposed value = `225 * 28`

This variable indicates the length of the CSM Performance Oracle frame. It is proposed that it be set at `28 days`.

> **Note:** One day = (3600 * 24) / (32 * 12) = 225 epochs. 

Motivation is presented in the [CSM Architecture](https://hackmd.io/gGRgZ0yeTnm-9SSFuHrXwg?view#Performance-Oracle) document.

### `oracleMembers`
#### Proposed value = `current Lido Oracle members`
```
0x140bd8fbdc884f48da7cb1c09be8a2fadfea776e [Chorus One]
0x404335bce530400a5814375e7ec1fb55faff3ea2 [Staking Facilities]
0x007de4a5f7bc37e2f26c0cb2e8a95006ee9b89b5 [p2p]
0x946d3b081ed19173dc83cd974fc69e1e760b7d78 [Stakefish]
0xe57B3792aDCc5da47EF4fF588883F0ee0c9835C9 [MatrixedLink]
0x61c91ECd902EB56e314bB2D5c5C07785444Ea1c8 [bloXroute]
0x1ca0fec59b86f549e1f1184d97cb47794c8af58d [Instadapp]
0xA7410857ABbf75043d61ea54e07D57A6EB6EF186 [Kyber Network]
0xc79F702202E3A6B0B6310B537E786B9ACAA19BAf [Chainlayer]
```

Given that CSM Oracle has a form of the common Lido Oracle module, it is reasonable to ask existing Lido Oracle members to run CSM Oracle instances.

### `hashConsensusQuorum`
#### Proposed value = `5`

Given that CSM Oracle will have the same members as the common Lido Oracle, it is reasonable to use the same value for the quorum = 5.

### `fastLaneLengthSlots`
#### Proposed value = `1800`

The 'fast lane' was introduced in the Lido v2 upgrade to monitor the Oracle runners' performance and participation. Given the data observed on the testnet, it is proposed to set the value to 6 days (1800 slots).

## GateSeal

### `gateSealFactory`
#### Proposed value = `0x6C82877cAC5a7A739f16Ca0A89c0A328B8764A24`

The address of the deployed [`gateSealFactory`](https://github.com/lidofinance/gate-seals/).

### `sealDuration`
#### Proposed value = `6 days`

This variable indicates the length of pause activated by the corresponding GateSeal instance. It is proposed that it be set at `6 days` (the same as for the `WithdrawalQueue`). `6 days` is sufficient to prepare for an emergency upgrade and initiate on-chain votes to upgrade contracts or prologue pause.

### `sealExpiryTimestamp`
#### Proposed value = `deployTime + 365 days`

This variable indicates the period during which the corresponding GateSeal instance can be used. It is proposed to set it at `deployTime + 365 days` (the same as for the WithdrawalQueue). `365 days` is sufficient to ensure CSM code reliability or to deploy a new GateSeal instance.

### `sealingCommittee`
#### Proposed value = [`0xC52fC3081123073078698F1EAc2f1Dc7Bd71880f`](https://app.safe.global/home?safe=eth:0xC52fC3081123073078698F1EAc2f1Dc7Bd71880f) (CSM multisig)

It is proposed that CSM Multisig be used as the `sealingCommittee` address in CSM to allow for a fast reaction to unexpected situations during CSM operation.