Contract Upgrades

Rocket Pool uses a hub-and-spoke architecture that allows contracts to be upgraded. In the current state of the protocol, upgrades are deemed necessary to allow for bug fixes, protocol improvements and adjustments to the development of Ethereum.

Currently, any oDAO member can propose a contract upgrade (or addition of a new network contract). After a vote delay (currently set to 7 days), members vote until 51% quorum is reached. After that, the upgrade can be executed. For the MinipoolDelegate contract specifically, the node operator has to opt-in to upgrades and has the ability to rollback to a previous version (the LEB8 MinipoolDelegate contract prevents rolling back).

The trust level that comes with contract upgrades is generally very high and only limited by the vote delay. Any network contract is able to change variables stored in RocketStorage. In particular, any measures that are put in to limit oDAO power (like Guardrails - Balance Submission and Guardrails - MEV Penalties) can be undone through contract upgrades.

Value at risk includes RPL and RPL slated for auction are vulnerable, ETH in the deposit pool and smoothing pool (see also ETH Balance Submission and Reward Tree - Smoothing Pool). While MinipoolDelegates are protected by the opt-in mechanism, the presence of MEV Penalties in existing delegates undermines the value of that feature, since an attacker could combine a malicious MinipoolDelegate upgrade with penalizing the existing delegate to blackmail node operators into upgrading.