Scrub Check - Withdrawal Credentials

In October 2021, a vulnerability around the interaction with the deposit contract was discovered. In short, it was possible for a node operator to set withdrawal credentials other than the intended minipool smart contract and effectively steal the portion coming from rETH by frontrunning the deposit to the deposit contract.

Rocket Pool addressed this issue by doing two separate deposits into the deposit contract. The first one uses ETH coming from the node operator. A scrub period was introduced before the second deposit. During that period, the oDAO verifies that the first deposit happened as expected and that nobody frontran it. If at least 51% of members vote to scrub a minipool, that minipool is dissolved and ETH from the rETH side is returned. An RPL penalty for the node operator is currently deactivated.
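The check made during the scrub period can be sketched as follows. This is an added illustration, not Rocket Pool's own code: the function names, the `Deposit` record and the sample values are assumptions, and the deposit list is assumed to contain only deposits with valid signatures.

```python
from dataclasses import dataclass

def expected_credentials(minipool_address: str) -> bytes:
    """0x01 prefix + 11 zero bytes + 20-byte execution address (32 bytes)."""
    hex_addr = minipool_address[2:] if minipool_address.startswith("0x") else minipool_address
    addr = bytes.fromhex(hex_addr)
    if len(addr) != 20:
        raise ValueError("expected a 20-byte address")
    return b"\x01" + b"\x00" * 11 + addr

@dataclass(frozen=True)
class Deposit:
    index: int                      # position in the deposit contract's log
    pubkey: bytes                   # 48-byte validator public key
    withdrawal_credentials: bytes   # 32 bytes

def scrub_verdict(deposits, pubkey: bytes, minipool_address: str) -> str:
    """The earliest deposit for a pubkey fixes that validator's withdrawal
    credentials (later ones only top up), so only that deposit is compared.
    Assumption: `deposits` holds valid-signature deposits only."""
    mine = sorted((d for d in deposits if d.pubkey == pubkey), key=lambda d: d.index)
    if not mine:
        return "missing"            # first deposit did not happen as expected
    if mine[0].withdrawal_credentials != expected_credentials(minipool_address):
        return "scrub"              # credentials do not point at the minipool
    return "ok"

def scrub_vote_passes(votes: int, members: int) -> bool:
    """Threshold from the text: at least 51% of oDAO members."""
    return members > 0 and votes * 100 >= members * 51

# Constructed sample data (not real keys or addresses).
PUBKEY = bytes([0xAA]) * 48
MINIPOOL = "0x" + "11" * 20
OTHER = "0x" + "22" * 20
HONEST = [Deposit(101, PUBKEY, expected_credentials(MINIPOOL))]
FRONTRUN = [Deposit(100, PUBKEY, expected_credentials(OTHER))] + HONEST

if __name__ == "__main__":
    print(scrub_verdict(HONEST, PUBKEY, MINIPOOL))
    print(scrub_verdict(FRONTRUN, PUBKEY, MINIPOOL))
    print(scrub_vote_passes(6, 10))
```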

This duty introduces a high level of trust for rETH holders since a compromised oDAO would be able to execute the withdrawal credential exploit.
