Summary

RocketPool rETH tokens have a deposit delay that prevents any user who has recently deposited to transfer or burn tokens. In the past this delay was set to 5760 blocks mined (aprox. 19h, considering one block per 12s). This delay can prevent DittoETH users from unstaking if another user deposited recently.

While it's not currently possible due to RocketPool's configuration, any future changes made to this delay by the admins could potentially lead to a denial-of-service attack on the ùnstake() mechanism.

Vulnerability Details

Currently, the delay is set to zero, but if RocketPool admins decide to change this value in the future, it could cause issues. Specifically, protocol users depositing actions could prevent other users from unstaking for a few hours. Given that many users call the depositETH function throughout the day, the delay would constantly reset, making the unstaking mechanism unusable.

A malicious actor can also exploit this to be able to block all unstake calls. Consider the following scenario where the delay was raised again to 5760 blocks. Bob (malicious actor) call depositETH() with the minimum amount, consequently triggering deposit to RocketPool and resetting the deposit delay. Alice tries to unstake her funds, but during rETH burn, it fails due to the delay check, reverting the unstake call.

If Bob manages to repeatedly depositETH() the minimum amount every 19h (or any other interval less then the deposit delay), all future calls to unstake will revert.

Impact

Users are unable to unstake rETH

Tools Used

Manual Review

Recommendations

Exchange rETH to ETH via Uniswap pool, don't use rETH.burn()