DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: medium
Valid

Possible DoS on depositEth, withdrawal & unstaking for `BridgeReth`

Summary

RocketPool rETH tokens have a deposit delay that prevents any user who has recently deposited from transferring, minting or burning tokens. In the past this delay was set to 5760 blocks mined (approx. 19h, considering one block per 12s). This delay can prevent DittoETH protocol users from withdrawing or unstaking if another user staked recently.

Currently this delay is zero. Any future changes made to this delay by the admins could potentially lead to a denial-of-service (even under normal flow of operations) for -

These are major functionalities of the protocol, and therefore, it should be classified as a medium severity issue.

Vulnerability Details

Protocol users' deposit or withdraw actions could prevent other users from depositing, withdrawing or unstaking rETH for a few hours. Given that many users would call these functions throughout the day (and that the actual transaction is executed by the protocol address from inside the BridgeRouterFacet.sol::depositEth or BridgeRouterFacet.sol::withdraw or similar), the delay would constantly reset, making the functions unusable. It's important to note that this only occurs when these functions are used through the BridgeReth route. If rETH is obtained & returned from an external pool like Uniswap, the delay is not affected.

A malicious actor can also exploit this to block all withdrawal/unstake calls. Consider the following scenario where the delay was raised again to 5760 blocks. Bob (malicious actor) calls depositEth() with the minimum amount, consequently triggering a deposit to RocketPool and resetting the deposit delay. Alice tries to withdraw her funds, but during rETH transfer/burn, it fails due to the delay check, reverting the call.
If Bob manages to repeatedly deposit() the minimum amount every 19h (or any other interval less than the deposit delay), all future calls for withdrawal will revert.

Similar past bug report with context

First, the context & similarity with the current scenario: A bug was discovered in RocketPool's rETH tokens that can cause a denial-of-service attack on the unstake() mechanism of the Asymmetry protocol. This bug is caused by the possibility of rETH's deposit delay being set to 5760 blocks (approx. 19 hours), which prevents any user who has recently deposited from transferring or burning tokens. This delay can prevent Asymmetry protocol users from unstaking if another user staked recently. A malicious actor can exploit this bug by repeatedly staking the minimum amount every 19 hours, blocking all unstake calls. This bug could be mitigated by modifying the function to obtain rETH only through the UniswapV3 pool, as users will avoid any future issues with the deposit delay mechanism. The bug was confirmed by Asymmetry.

Link to past bug report: Medium Severity Asymmetry Finance Bug

Impact

A DoS attack (or even the normal flow of operations) can break direct withdrawal/unstaking of rETH if the deposit timelock of rETH is changed by RocketToken admins.

Tools Used

Manual inspection.

Recommendations

Change the BridgeReth.sol deposit + withdraw + unstaking implementations to acquire & release rETH only by swapping via an external pool like Uniswap v3.
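The shared-address lock described under Vulnerability Details and the effect of this recommendation can be checked with a small model. This is an added example, not code from DittoETH, Rocket Pool or the original submission; the class, method and constant names are hypothetical, and the rule that strictly more than `delay` blocks must pass is an assumption of the model.

```python
# Added example: simplified model, not Rocket Pool or DittoETH code.
# Class, method and constant names are hypothetical.
PAST_DELAY = 5760  # blocks; the earlier delay value quoted in the report


class DelayedToken:
    """Token that locks burns for `delay` blocks after the holder's last deposit."""

    def __init__(self, delay):
        self.delay = delay
        self.balance = {}
        self.last_deposit = {}

    def deposit(self, holder, amount, block):
        self.balance[holder] = self.balance.get(holder, 0) + amount
        self.last_deposit[holder] = block  # every direct deposit restarts the lock

    def receive_from_pool(self, holder, amount):
        # Tokens bought on an external pool do not touch the holder's deposit record.
        self.balance[holder] = self.balance.get(holder, 0) + amount

    def burn(self, holder, amount, block):
        last = self.last_deposit.get(holder)
        # Assumed rule: strictly more than `delay` blocks must have passed.
        if last is not None and block - last <= self.delay:
            raise RuntimeError("Not enough time has passed since deposit")
        if self.balance.get(holder, 0) < amount:
            raise RuntimeError("insufficient balance")
        self.balance[holder] -= amount


def withdrawal_succeeds(delay, deposit_blocks, withdraw_block, via_pool=False):
    """Replay deposits made through one shared bridge address, then try a withdrawal."""
    token, bridge = DelayedToken(delay), "bridge"  # one holder for all users
    for block in sorted(deposit_blocks):
        if block > withdraw_block:
            break
        if via_pool:
            token.receive_from_pool(bridge, 10)
        else:
            token.deposit(bridge, 10, block)
    try:
        token.burn(bridge, 1, withdraw_block)
        return True
    except RuntimeError:
        return False
```

Because every user's deposit lands on the same bridge address, any deposit inside the delay window blocks everyone's withdrawal; with `via_pool=True` no deposit record exists for the bridge, so the lock never applies.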

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-88
