Rocket Pool

Rocket Pool is a decentralised, non-custodial, and community owned staking protocol for Ethereum. Rocket Pool aligns the interests of two user groups; those that wish to participate in tokenised liquid staking; and those that wish to stake ETH and run a node.

ETH

Defi

Infrastructure

Staking

Solidity

Maximum Bounty

$150,000

Live Since

08 September 2021

Last Updated

31 March 2026

Runnable PoC Required

Submit a Bug

Information Scope Resources

Select the category you'd like to explore

Assets in Scope

Target	Name	Added on
	Set of utilities for working with SSZ serialisation and merklelisation	17 February 2026
	A linked list storage helper to test internal functions	17 February 2026
	A linked list storage helper for the deposit requests queue data	17 February 2026
	Verifier for beacon state proofs	17 February 2026
	Address set storage helper for RocketStorage data	17 February 2026
	Address queue storage helper for RocketStorage data	17 February 2026
	RPL token contract	17 February 2026
	rETH liquid staking token contract	17 February 2026
	The RocketVault contract must not be upgraded	17 February 2026
	The primary persistent storage for Rocket Pool	17 February 2026
	Base settings / modifiers for each contract in Rocket Pool	17 February 2026
	Receives priority fees and MEV via fee_recipient	17 February 2026

Target

Name

Set of utilities for working with SSZ serialisation and merklelisation

Added on

17 February 2026

Target

Name

A linked list storage helper to test internal functions

Added on

17 February 2026

Target

Name

A linked list storage helper for the deposit requests queue data

Added on

17 February 2026

Target

Name

Verifier for beacon state proofs

Added on

17 February 2026

Target

Name

Address set storage helper for RocketStorage data

Added on

17 February 2026

Target

Name

Address queue storage helper for RocketStorage data

Added on

17 February 2026

Target

Name

RPL token contract

Added on

17 February 2026

Target

Name

rETH liquid staking token contract

Added on

17 February 2026

Target

Name

The RocketVault contract must not be upgraded

Added on

17 February 2026

Target

Name

The primary persistent storage for Rocket Pool

Added on

17 February 2026

Target

Name

Base settings / modifiers for each contract in Rocket Pool

Added on

17 February 2026

Target

Name

Receives priority fees and MEV via fee_recipient

Added on

17 February 2026

Impacts in Scope

Critical	Direct theft of principal user funds exceeding $150,000 (excluding unclaimed yield), whether at-rest or in-motion
Critical	Permanent freezing of funds (cannot be rescued)
High	Manipulation of governance voting result deviating from voted outcome with cost impact
High	Direct theft of unclaimed yield, whether at-rest or in-motion
High	Direct theft of principal user funds with value > $50,000 and <$150,000 (excluding unclaimed yield), whether at-rest or in-motion
Medium	Manipulation of governance voting result deviating from voted outcome
Medium	Temporary freezing of funds
Medium	Direct theft of principal user funds with value < $50,000 (excluding unclaimed yield), whether at-rest or in-motion
Low	Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Low	Manipulation to gain unfair yield or commission advantage

Severity

Critical

Title

Direct theft of principal user funds exceeding $150,000 (excluding unclaimed yield), whether at-rest or in-motion

Severity

Critical

Title

Permanent freezing of funds (cannot be rescued)

Severity

High

Title

Manipulation of governance voting result deviating from voted outcome with cost impact

Severity

High

Title

Direct theft of unclaimed yield, whether at-rest or in-motion

Severity

High

Title

Direct theft of principal user funds with value > $50,000 and <$150,000 (excluding unclaimed yield), whether at-rest or in-motion

Severity

Medium

Title

Manipulation of governance voting result deviating from voted outcome

Severity

Medium

Title

Temporary freezing of funds

Severity

Medium

Title

Direct theft of principal user funds with value < $50,000 (excluding unclaimed yield), whether at-rest or in-motion

Severity

Low

Title

Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

Severity

Low

Title

Manipulation to gain unfair yield or commission advantage

View rewards

Out of scope

Default Out of Scope and rules

Smart Contract specific

Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
Impacts requiring basic economic and governance attacks (e.g. 51% attack)
Lack of liquidity impacts
Impacts from Sybil attacks
Impacts involving centralization risks

All categories

Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
Impacts caused by attacks requiring access to leaked keys/credentials
Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
Best practice recommendations
Feature requests
Impacts on test files and configuration files unless stated otherwise in the bug bounty program
Impacts requiring phishing or other social engineering attacks against project's employees and/or customers

Submit a Bug

Total Assets in Scope

Total Impacts in Scope