59244 sc insight missing event emission on critical state change

Submitted on Nov 10th 2025 at 10:42:38 UTC by @akioniace for Audit Comp | Vechain | Stargate Hayabusa

Report ID: #59244
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/tree/main/packages/contracts/contracts/Stargate.sol

Description

Brief / Intro

The contract Stargate does not emit an event upon a critical state change. This omission reduces on-chain transparency and makes it difficult for off-chain systems to track important changes. It also breaks the best practice of emitting events on important state changes.

Vulnerability Details

The function Stargate::setMaxClaimablePeriods performs a critical state change by updating the maximum claimable period value, but it does not emit any event notifying about this change. Emitting an event on such state updates helps off-chain infrastructure (indexers, explorers, frontends) and improves transparency and auditability.

Relevant code:

https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/blob/main/packages/contracts/contracts/Stargate.sol#L943-L951

    /// @inheritdoc IStargate
    function setMaxClaimablePeriods(
        uint32 _maxClaimablePeriods
    ) external onlyRole(DEFAULT_ADMIN_ROLE) {
        if (_maxClaimablePeriods == 0) {
            revert InvalidMaxClaimablePeriods();
        }
        _getStargateStorage().maxClaimablePeriods = _maxClaimablePeriods;
        // @audit-issue: missing event emission
    }

Impact Details

This is primarily a code-quality / best-practices issue. The consequences of missing event emission include:

Reduced Transparency: Off-chain parties cannot easily verify important state changes.
Poor Developer and User Experience: Front-ends and indexers cannot rely on an event to discover or react to the change without scanning on-chain state.
Security Concerns: Absence of event logs makes it harder to audit and detect malicious or accidental changes.

References

https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/blob/main/packages/contracts/contracts/Stargate.sol#L943-L951

Proof of Concept

Step 1

Copy-paste the following test function into packages/contracts/test/unit/Stargate/Rewards.test.ts:

it("should emit an event when max claimable periods is updated (currently missing)", async () => {
        // We expect the contract to emit something like "MaxClaimablePeriodsUpdated"
        // But since it does NOT, this test will fail — proving the missing event issue.

        await expect(
            stargateContract.connect(deployer).setMaxClaimablePeriods(2000)
        ).to.emit(stargateContract, "MaxClaimablePeriodsUpdated") // <-- just mocked event for showing 
          .withArgs(2000);
    });

Step 2

Run the tests. The test will fail with an error indicating no event was emitted:

@repo/contracts:test:hardhat:   203 passing (1m)
@repo/contracts:test:hardhat:   1 failing
@repo/contracts:test:hardhat: 
@repo/contracts:test:hardhat:   1) shard-u4: Stargate: Rewards
@repo/contracts:test:hardhat:        should emit an event when max claimable periods is updated (currently missing):
@repo/contracts:test:hardhat:      AssertionError: Event "MaxClaimablePeriodsUpdated" doesn't exist in the contract

Previous60149 sc insight revised missing input validation in addlevels can break multiple staking tier invariant in startgatenft Next59316 sc high off by one unlocks infinite vtho reward drain from ghost stakes

Was this helpful?

hashtagDescription

hashtagBrief / Intro

hashtagVulnerability Details

hashtagImpact Details

hashtagReferences

hashtagProof of Concept

hashtagStep 1

hashtagStep 2