# 59730 sc high permanent dos users cannot unstake after double exit scenario **Submitted on Nov 15th 2025 at 09:35:36 UTC by @Max36935 for** [**Audit Comp | Vechain | Stargate Hayabusa**](https://immunefi.com/audit-competition/audit-comp-vechain-stargate-hayabusa) * **Report ID:** #59730 * **Report Type:** Smart Contract * **Report severity:** High * **Target:** * **Impacts:** * Permanent freezing of funds * Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield ## Title Permanent Denial of Service: Users Cannot Unstake When Both User and Validator Exit Due to Double Effective Stake Decrease *** ## Description A critical vulnerability exists in the `Stargate.sol` contract's `unstake()` function that can permanently lock user funds when a specific sequence of events occurs. The contract attempts to decrease a validator's effective stake twice when both the user requests an exit AND the validator exits, which can cause an arithmetic underflow and revert. ### Vulnerability Flow {% stepper %} {% step %} ### User delegates User delegates their NFT to a validator → effective stake is increased. {% endstep %} {% step %} ### User requests exit User calls `requestDelegationExit()` → effective stake is decreased (FIRST DECREASE). {% endstep %} {% step %} ### Validator exits Validator exits (external event) → validator status becomes `VALIDATOR_STATUS_EXITED`. {% endstep %} {% step %} ### User attempts unstake When the user calls `unstake()`, the contract tries to decrease effective stake AGAIN (SECOND DECREASE). {% endstep %} {% step %} ### SafeCast overflow revert The second decrease causes an arithmetic underflow (0 - stake amount), triggering a SafeCast revert. {% endstep %} {% step %} ### Funds permanently locked The revert prevents unstake — user funds, withdrawals, and redelegations are blocked permanently until a contract upgrade. {% endstep %} {% endstepper %} ### Root Cause The `unstake()` function contains a conditional that decreases effective stake when the validator is `EXITED` but does not verify whether the user already requested an exit (which already decreased the effective stake): ```solidity // Stargate.sol, lines 268-280 if ( currentValidatorStatus == VALIDATOR_STATUS_EXITED || delegation.status == DelegationStatus.PENDING ) { // ❌ BUG: No check if user already requested exit _updatePeriodEffectiveStake( $, delegation.validator, _tokenId, oldCompletedPeriods + 2, false // decrease ); } ``` `requestDelegationExit()` already decreased the effective stake earlier (line 568). The second decrease attempt causes: ```solidity // _updatePeriodEffectiveStake, line 1006 uint256 updatedValue = currentValue - effectiveStake; // 0 - 1000 = UNDERFLOW SafeCast.toUint224(updatedValue); // REVERTS with SafeCastOverflowedUintDowncast ``` *** ## Impact Direct Financial Impact: * Users' staked VET can become permanently locked with no recovery mechanism. * Users cannot withdraw their principal funds. * Users lose access to unclaimed rewards. * Affected users cannot redelegate to other validators. Scale of Impact: * Affects any user who requests exit before their validator exits. * Validators may exit for maintenance, rotation, or penalties — potentially affecting many users. * No workaround exists — funds are locked until a contract upgrade. Affected functions: * `unstake()` - can permanently revert. * `delegate()` - cannot redelegate if stuck in EXITED accounting. * Users have no way to recover funds except a contract upgrade. ### Attack Scenarios {% stepper %} {% step %} ### Natural occurrence (high probability) * User delegates to validator V1. * User requests exit to switch validators. * Validator exits for scheduled maintenance. * User's funds become permanently locked. {% endstep %} {% step %} ### Griefing attack (medium probability) * Attacker delegates and immediately requests exit. * When validator exits, attacker's funds are locked. * Demonstrates protocol vulnerability publicly. {% endstep %} {% step %} ### Mass DoS (low probability, extreme impact) * Social engineering to get users to request exits. * Coordinated validator exit. * Hundreds of users may be locked simultaneously. * Severe reputational damage. {% endstep %} {% endstepper %} *** ## Code Execution Trace Step 1: User requests exit ```solidity // File: Stargate.sol, Line 568 function requestDelegationExit(uint256 _tokenId) external { // ... _updatePeriodEffectiveStake($, delegation.validator, _tokenId, completedPeriods + 2, false); // Effective stake decreased: 150 → 0 ✅ } ``` Step 2: Validator exits (external event) ```solidity // Validator status changes to VALIDATOR_STATUS_EXITED (3) ``` Step 3: User attempts unstake ```solidity // File: Stargate.sol, Lines 268-280 function unstake(uint256 _tokenId) external { // ... uint8 currentValidatorStatus = protocolStaker.getValidation(validator).status; // currentValidatorStatus = 3 (EXITED) if ( currentValidatorStatus == VALIDATOR_STATUS_EXITED || // TRUE ✅ delegation.status == DelegationStatus.PENDING ) { // ❌ BUG: No check if user already requested exit _updatePeriodEffectiveStake($, validator, _tokenId, period, false); // Tries to decrease again: 0 - 150 = UNDERFLOW } } ``` Step 4: Underflow causes revert ```solidity // File: Stargate.sol, Line 1006 function _updatePeriodEffectiveStake(...) private { uint256 effectiveStake = 150000000000000000000; uint256 currentValue = 0; // Already decreased in step 1 uint256 updatedValue = currentValue - effectiveStake; // updatedValue = 0 - 150000000000000000000 // = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC18 $.delegatorsEffectiveStake[validator].push(period, SafeCast.toUint224(updatedValue)); // ❌ SafeCast.toUint224() REVERTS! // Error: SafeCastOverflowedUintDowncast(224, huge_value) } ``` *** ## Recommended Mitigation ### Solution: Check if User Already Requested Exit Add a check to verify if the user previously requested an exit before attempting to decrease effective stake again. Fix implementation: ```solidity // File: Stargate.sol, Lines 268-280 function unstake(uint256 _tokenId) external { // ... existing code ... if ( currentValidatorStatus == VALIDATOR_STATUS_EXITED || delegation.status == DelegationStatus.PENDING ) { // ✅ FIX: Only decrease if user didn't already request exit // delegation.endPeriod == type(uint32).max means user never requested exit // If user requested exit, endPeriod would be set to a specific period number if (delegation.endPeriod == type(uint32).max) { (, , , uint32 oldCompletedPeriods) = $ .protocolStakerContract .getValidationPeriodDetails(delegation.validator); _updatePeriodEffectiveStake( $, delegation.validator, _tokenId, oldCompletedPeriods + 2, false ); } } // ... rest of function ... } ``` Why this fix works: 1. `endPeriod == type(uint32).max` indicates the user never called `requestDelegationExit()`. 2. When `requestDelegationExit()` is called, it sets `endPeriod` to a specific period number. 3. By checking this condition, the code decreases effective stake only if it has not been decreased already. 4. This prevents the double decrease that causes the underflow. ### Alternative Solution (Defense in Depth) Add underflow protection directly in `_updatePeriodEffectiveStake()`: ```solidity // File: Stargate.sol, Line 1006 function _updatePeriodEffectiveStake(...) private { uint256 effectiveStake = _calculateEffectiveStake($, _tokenId); uint256 currentValue = $.delegatorsEffectiveStake[_validator].upperLookup(_period); uint256 updatedValue; if (_isIncrease) { updatedValue = currentValue + effectiveStake; } else { // ✅ Add underflow protection if (currentValue < effectiveStake) { // Already decreased or accounting error - don't decrease again return; // or: updatedValue = 0; } updatedValue = currentValue - effectiveStake; } $.delegatorsEffectiveStake[_validator].push(_period, SafeCast.toUint224(updatedValue)); } ``` Recommendation: Implement both fixes for defense in depth. *** ## Proof of Concept
Click to expand the full PoC test (TypeScript / Hardhat) ```typescript // PROOF OF CONCEPT TEST FOR CRITICAL BUG // File: packages/contracts/test/integration/CriticalBug_DoubleDecreaseDoS.test.ts // // This test demonstrates the critical bug where users cannot unstake after: // 1. User requests exit // 2. Validator exits // 3. User tries to unstake -> REVERTS permanently // // Run with: yarn contracts:test:integration --grep "CRITICAL BUG" import { expect } from "chai"; import { ethers } from "hardhat"; import { StartedTestContainer } from "testcontainers"; import { IProtocolStaker, MyERC20, StargateNFT, Stargate } from "../../typechain-types"; import { HardhatEthersSigner } from "@nomicfoundation/hardhat-ethers/signers"; import { createThorSoloContainer, getOrDeployContracts, log, mineBlocks, fastForwardValidatorPeriods, stakeAndMatureNFT, } from "../helpers"; describe("🔴 CRITICAL BUG: Double Decrease DoS Attack", () => { let soloContainer: StartedTestContainer; let stargateContract: Stargate; let stargateNFTContract: StargateNFT; let protocolStakerContract: IProtocolStaker; let mockedVthoToken: MyERC20; let deployer: HardhatEthersSigner; let user: HardhatEthersSigner; let validator: string; beforeEach(async () => { // Setup test environment soloContainer = await createThorSoloContainer(); const contracts = await getOrDeployContracts({ forceDeploy: true }); stargateContract = contracts.stargateContract; stargateNFTContract = contracts.stargateNFTContract; protocolStakerContract = contracts.protocolStakerContract; mockedVthoToken = contracts.mockedVthoToken; deployer = contracts.deployer; user = contracts.otherAccounts[0]; validator = deployer.address; }); afterEach(async () => { if (soloContainer) { await soloContainer.stop(); } }); it("🔴 CRITICAL: User CANNOT unstake after requesting exit when validator also exits (DoS)", async () => { console.log("\n"); console.log("════════════════════════════════════════════════════════════════"); console.log("🔴 CRITICAL BUG REPRODUCTION"); console.log("════════════════════════════════════════════════════════════════"); console.log("\n"); // ============================================================ // STEP 1: User stakes NFT and delegates to validator // ============================================================ console.log("📍 STEP 1: User stakes and delegates"); console.log("────────────────────────────────────────────────────────────────"); const levelId = 1; const { tokenId, levelSpec, levelVetAmountRequired } = await stakeAndMatureNFT( user, levelId, stargateNFTContract, stargateContract, false ); console.log(` ✅ User staked NFT #${tokenId}`); console.log(` ✅ Level: ${levelId}, VET Amount: ${ethers.formatEther(levelVetAmountRequired)} VET`); // Delegate to validator const delegateTx = await stargateContract.connect(user).delegate(tokenId, validator); await delegateTx.wait(); const delegation = await stargateContract.getDelegationDetails(tokenId); console.log(` ✅ Delegated to validator: ${validator}`); console.log(` 📊 Delegation ID: ${delegation.delegationId}`); console.log(` 📊 Start Period: ${delegation.startPeriod}`); console.log(` 📊 End Period: ${delegation.endPeriod}`); // ============================================================ // STEP 2: Fast forward to make delegation ACTIVE // ============================================================ console.log("\n📍 STEP 2: Fast forward to make delegation ACTIVE"); console.log("────────────────────────────────────────────────────────────────"); const [periodSize, startBlock, , completedPeriods1] = await protocolStakerContract.getValidationPeriodDetails(validator); console.log(` 📊 Period size: ${periodSize} blocks`); console.log(` 📊 Completed periods: ${completedPeriods1}`); // Fast forward 2 periods to ensure delegation is active const blocksMined1 = await fastForwardValidatorPeriods( Number(periodSize), Number(startBlock), 2 ); console.log(` ⏩ Fast-forwarded ${blocksMined1} blocks (2 periods)`); const [, , , completedPeriods2] = await protocolStakerContract.getValidationPeriodDetails(validator); const delegationStatus = await stargateContract.getDelegationStatus(tokenId); console.log(` 📊 New completed periods: ${completedPeriods2}`); console.log(` 📊 Delegation status: ${delegationStatus} (2 = ACTIVE)`); expect(delegationStatus).to.equal(2n, "Delegation should be ACTIVE"); // Check effective stake BEFORE user exit const currentPeriod = completedPeriods2 + 1n; const effectiveStakePeriod = currentPeriod + 1n; const effectiveStakeInitial = await stargateContract.getDelegatorsEffectiveStake( validator, effectiveStakePeriod ); console.log(` 📊 Effective stake at period ${effectiveStakePeriod}: ${effectiveStakeInitial}`); // ============================================================ // STEP 3: User requests exit (FIRST DECREASE) // ============================================================ console.log("\n📍 STEP 3: User requests exit"); console.log("────────────────────────────────────────────────────────────────"); const requestExitTx = await stargateContract.connect(user).requestDelegationExit(tokenId); await requestExitTx.wait(); const delegationAfterExit = await stargateContract.getDelegationDetails(tokenId); console.log(` ✅ User requested exit`); console.log(` 📊 End Period changed: ${delegation.endPeriod} → ${delegationAfterExit.endPeriod}`); console.log(` 📊 End Period is MAX_UINT32? ${delegationAfterExit.endPeriod === 2n ** 32n - 1n ? "NO ✅" : "YES"}`); // This means user requested exit and effective stake was decreased const [, , , completedPeriods3] = await protocolStakerContract.getValidationPeriodDetails(validator); const effectiveStakeAfterUserExit = await stargateContract.getDelegatorsEffectiveStake( validator, completedPeriods3 + 2n ); console.log(` 📊 Effective stake at period ${completedPeriods3 + 2n}: ${effectiveStakeAfterUserExit}`); console.log(` ⚠️ Effective stake DECREASED (first decrease happened here)`); // ============================================================ // STEP 4: Validator signals exit // ============================================================ console.log("\n📍 STEP 4: Validator signals exit"); console.log("────────────────────────────────────────────────────────────────"); const signalExitTx = await protocolStakerContract.connect(deployer).signalExit(validator); await signalExitTx.wait(); console.log(` ✅ Validator signaled exit`); // Fast forward to complete the validator's exit const blocksMined2 = await fastForwardValidatorPeriods( Number(periodSize), Number(startBlock), 1 ); console.log(` ⏩ Fast-forwarded ${blocksMined2} blocks (1 period) to complete validator exit`); const [, , , , validatorStatus] = await protocolStakerContract.getValidation(validator); console.log(` 📊 Validator status: ${validatorStatus} (3 = EXITED)`); expect(validatorStatus).to.equal(3n, "Validator should be EXITED"); // ============================================================ // STEP 5: User tries to unstake - THIS WILL REVERT! // ============================================================ console.log("\n📍 STEP 5: User tries to unstake"); console.log("────────────────────────────────────────────────────────────────"); const [, , , completedPeriods4] = await protocolStakerContract.getValidationPeriodDetails(validator); console.log(` 📊 Completed periods: ${completedPeriods4}`); console.log(` 📊 Attempting to unstake token #${tokenId}...`); // Get effective stake BEFORE unstake attempt const checkPeriod = completedPeriods4 + 2n; const effectiveStakeBeforeUnstake = await stargateContract.getDelegatorsEffectiveStake( validator, checkPeriod ); console.log(` 📊 Effective stake BEFORE unstake at period ${checkPeriod}: ${effectiveStakeBeforeUnstake}`); // Get user's VET balance before const userBalanceBefore = await ethers.provider.getBalance(user.address); console.log(` 💰 User VET balance before: ${ethers.formatEther(userBalanceBefore)} VET`); console.log("\n ⏳ Executing unstake transaction..."); // ============================================================ // 🔴 THE BUG HAPPENS HERE - TRANSACTION WILL REVERT // ============================================================ try { const unstakeTx = await stargateContract.connect(user).unstake(tokenId, { gasLimit: 5000000, // High gas limit to ensure it's not a gas issue }); await unstakeTx.wait(); // If we reach here, the bug is fixed! console.log("\n ✅ SUCCESS: Unstake completed!"); console.log(" ℹ️ The bug appears to be FIXED"); const userBalanceAfter = await ethers.provider.getBalance(user.address); console.log(` 💰 User VET balance after: ${ethers.formatEther(userBalanceAfter)} VET`); console.log(` 💰 VET recovered: ${ethers.formatEther(userBalanceAfter - userBalanceBefore)} VET`); // This test should FAIL if bug exists, PASS if bug is fixed expect(true).to.be.true; } catch (error: any) { // ============================================================ // 🔴 BUG CONFIRMED - TRANSACTION REVERTED // ============================================================ console.log("\n ❌ TRANSACTION REVERTED!"); console.log("\n 🔴 BUG CONFIRMED: User CANNOT unstake!"); console.log(" 🔴 Funds are PERMANENTLY LOCKED!"); console.log("\n 📋 Error details:"); if (error.message) { console.log(` ${error.message.substring(0, 200)}...`); } // Try to parse the error if (error.message.includes("SafeCastOverflowedUintDowncast")) { console.log("\n 🎯 ROOT CAUSE IDENTIFIED:"); console.log(" SafeCast detected uint256 -> uint224 overflow"); console.log(" This happens because:"); console.log(" 1. User exit decreased effective stake (0 - 1000)"); console.log(" 2. Validator exit triggered SECOND decrease attempt"); console.log(" 3. Arithmetic underflow: 0 - 1000 = huge number"); console.log(" 4. SafeCast.toUint224() reverts on overflow"); } console.log("\n 💀 IMPACT:"); console.log(" • User CANNOT unstake"); console.log(" • User CANNOT withdraw VET"); console.log(" • User CANNOT redelegate"); console.log(" • Funds locked FOREVER (until contract upgrade)"); // This assertion will make the test FAIL, proving the bug exists expect.fail("🔴 CRITICAL BUG: User cannot unstake due to double decrease causing SafeCast revert"); } // ============================================================ // SUMMARY // ============================================================ console.log("\n"); console.log("════════════════════════════════════════════════════════════════"); console.log("📊 BUG REPRODUCTION SUMMARY"); console.log("════════════════════════════════════════════════════════════════"); console.log(` Token ID: ${tokenId}`); console.log(` User: ${user.address}`); console.log(` Validator: ${validator}`); console.log(` Delegation Status: EXITED`); console.log(` Validator Status: EXITED`); console.log(` Result: User CANNOT unstake (SafeCast revert)`); console.log("════════════════════════════════════════════════════════════════"); console.log("\n"); }); it("📊 Trace effective stake checkpoints through the bug scenario", async () => { console.log("\n"); console.log("════════════════════════════════════════════════════════════════"); console.log("📊 EFFECTIVE STAKE CHECKPOINT TRACING"); console.log("════════════════════════════════════════════════════════════════"); console.log("\n"); // Setup const levelId = 1; const { tokenId } = await stakeAndMatureNFT( user, levelId, stargateNFTContract, stargateContract, false ); console.log("📍 Tracking effective stake across periods...\n"); // Delegate await stargateContract.connect(user).delegate(tokenId, validator); const [periodSize, startBlock, , completedPeriods1] = await protocolStakerContract.getValidationPeriodDetails(validator); console.log("AFTER DELEGATION:"); for (let i = 0; i < 8; i++) { const period = completedPeriods1 + BigInt(i); const stake = await stargateContract.getDelegatorsEffectiveStake(validator, period); console.log(` Period ${period}: ${stake}`); } // Make active and user exits await fastForwardValidatorPeriods(Number(periodSize), Number(startBlock), 2); await stargateContract.connect(user).requestDelegationExit(tokenId); const [, , , completedPeriods2] = await protocolStakerContract.getValidationPeriodDetails(validator); console.log("\nAFTER USER EXIT REQUEST:"); for (let i = 0; i < 8; i++) { const period = completedPeriods2 + BigInt(i); const stake = await stargateContract.getDelegatorsEffectiveStake(validator, period); console.log(` Period ${period}: ${stake} ${stake === 0n ? "← DECREASED" : ""}`); } // Validator exits await protocolStakerContract.connect(deployer).signalExit(validator); await fastForwardValidatorPeriods(Number(periodSize), Number(startBlock), 1); console.log("\nAFTER VALIDATOR EXIT:"); const [, , , completedPeriods3] = await protocolStakerContract.getValidationPeriodDetails(validator); for (let i = 0; i < 8; i++) { const period = completedPeriods3 + BigInt(i); const stake = await stargateContract.getDelegatorsEffectiveStake(validator, period); console.log(` Period ${period}: ${stake}`); } console.log("\n⚠️ When unstake is called, it will try to decrease at period", completedPeriods3 + 2n); console.log(" But the value is already 0, causing underflow!"); console.log("\n════════════════════════════════════════════════════════════════\n"); }); }); ``` **Save File In:** `packages/contracts/test/integration/CriticalBug_DoubleDecreaseDoS.test.ts` **To run the test:** ```bash yarn contracts:test:integration ```
*** If you want, I can: * Produce a minimal patch/diff for the suggested fixes (both the `unstake()` fix and the `_updatePeriodEffectiveStake()` defensive check) in unified-diff format for easier PR creation. * Run through the critical code locations to list exact line numbers and function contexts for the changes (based on the target file path you provided).