DittoETH

summary :

• The RocketPool rETH tokens deposit delay, can prevent Ditto protocol users from withdrawing RETH or unstaking for ETH if others have recently staked. Future changes to this delay could lead to a denial-of-service attack, rendering the unstaking mechanism unusable. Malicious actors could exploit this to block all withdrawal attempts, causing significant disruptions in user transactions and functionality.

Vulnerability Details:

• RocketPool rETH tokens have a deposit delay that prevents any user who has recently deposited to transfer or burn tokens. In the past this delay was set to 5760 blocks mined (aprox. 19h, considering one block per 12s). This delay can prevent Ditto protocol users from withdrawing RETH or unstaking ETH if another user staked recently through RethBridge.

• While it's not currently possible due to RocketPool's configuration, any future changes made to this delay by the admins could potentially lead to a denial-of-service attack on the withdraw() and unstakeEth() functions through RethBridge contract. which is a major functionality of the protocol.

• Currently, the delay is set to zero, but if RocketPool admins decide to change this value in the future, it could cause issues. Specifically, protocol users deposit actions could prevent other users from withdrawing .
  

• Given that many users depositting throughout the day, the delay would constantly reset, making the withdrawing mechanism unusable.

• A malicious actor can also exploit this to be able to block all withdraws calls. Consider the following scenario where the delay was raised again to 5760 blocks. malicious call depositEth(address bridge) from diamond passing RETH bridge.with the minimum amount, consequently triggering deposit to RocketPool and resetting the deposit delay. Alice tries to unstake her funds, but during rETH burn, it fails due to the delay check, reverting the withdraw call.

• If Bob manages to repeatedly deposit() the minimum amount every 19h (or any other interval less then the deposit delay), all future calls to withdraw will revert.

Recommends :

• as an option,consider modifying Reth derivative to obtain rETH only through the UniswapV3 pool(E.I) when users deposit eth, on average users will get less rETH due to the slippage, but will avoid any future issues with the deposit delay mechanism.