# 59742 sc high user funds get stucked in the contract when validators exits **Submitted on Nov 15th 2025 at 12:18:00 UTC by @danvinci\_20 for** [**Audit Comp | Vechain | Stargate Hayabusa**](https://immunefi.com/audit-competition/audit-comp-vechain-stargate-hayabusa) * **Report ID:** #59742 * **Report Type:** Smart Contract * **Report severity:** High * **Target:** * **Impacts:** * Permanent freezing of funds ## Description ### Summary The system decreases a user’s effective stake when they request a delegation exit and then decreases it again when they later call `unstake()` if the validator has already exited. Because the validator is already in an exited state, the second decrease is performed using a later period index, causing `_updatePeriodEffectiveStake()` to underflow during: ```solidity updatedValue = currentValue - effectiveStake; ``` This results in a panic(0x11) arithmetic underflow, reverting `unstake()`. Since `unstake()` is the only mechanism for the user to retrieve their staked VET, the user’s funds become permanently stuck in the Stargate contract, with no recovery path. ### Vulnerability Details Relevant Code Paths * When `requestDelegationExit()` is called, the contract immediately reduces the user's effective stake: ```solidity _updatePeriodEffectiveStake( $, delegation.validator, _tokenId, completedPeriods + 2, false ); ``` * Later, if the validator exits before the user calls `unstake()`, the `unstake()` function performs another decrease: ```solidity if ( currentValidatorStatus == VALIDATOR_STATUS_EXITED || delegation.status == DelegationStatus.PENDING ) { (, , , uint32 oldCompletedPeriods) = $.protocolStakerContract.getValidationPeriodDetails(delegation.validator); _updatePeriodEffectiveStake( $, delegation.validator, _tokenId, oldCompletedPeriods + 2, false // decrease again ); } ``` * Inside `_updatePeriodEffectiveStake` the underflow occurs: ```solidity uint256 updatedValue = _isIncrease ? currentValue + effectiveStake : currentValue - effectiveStake; // underflows on second decrease ``` Because the second decrease subtracts the same `effectiveStake` from a smaller `currentValue`, the result becomes negative, causing a panic(0x11). This reverts the `unstake()` call entirely. As a result, the user can never unstake or retrieve their VET, leaving their funds permanently stuck inside the Stargate contract. ## Recommendation {% hint style="warning" %} Guard to ensure effective stake is only decreased once per delegation lifecycle and avoid trying to reduce effective stake for periods when there are no stakers. {% endhint %} ## Proof of Concept
Test showing the revert (add this test to Delegation.test.ts and run: yarn hardhat test --network vechain_solo test/integration/Delegation.test.ts) ```javascript it.only("user funds get stucked in the contract", async () => { const paramsKey = "0x00000000000064656c656761746f722d636f6e74726163742d61646472657373"; const stargateAddress = await protocolParamsContract.get(paramsKey); const expectedParamsVal = BigInt(await stargateContract.getAddress()); expect(stargateAddress).to.equal(expectedParamsVal); const validatorAddress = await protocolStakerContract.firstActive(); expect(compareAddresses(validatorAddress, deployer.address)).to.be.true; const [leaderGroupSize, queuedValidators] = await protocolStakerContract.getValidationsNum(); expect(leaderGroupSize).to.equal(1); expect(queuedValidators).to.equal(0); //staking the token here const levelId = 1; const levelSpec = await stargateNFTContract.getLevel(levelId); const levelVetAmountRequired = levelSpec.vetAmountRequiredToStake; // Stake an NFT of level 1 const stakeTx = await stargateContract .connect(user) .stake(levelId, { value: levelVetAmountRequired }); await stakeTx.wait(); log("\nπŸŽ‰ Correctly staked an NFT of level", levelId); // Assert that user1 is the owner of the NFT, and the NFT is under the maturity period const tokenId = await stargateNFTContract.getCurrentTokenId(); expect(await stargateNFTContract.ownerOf(tokenId)).to.equal(user.address); expect(await stargateNFTContract.isUnderMaturityPeriod(tokenId)).to.be.true; // Fast-forward until the NFT is mature await mineBlocks(Number(levelSpec.maturityBlocks)); log("\nπŸš€ Fast-forwarded", Number(levelSpec.maturityBlocks), "blocks to mature the NFT"); // Assert that the NFT is mature, so it can be delegated expect(await stargateNFTContract.isUnderMaturityPeriod(tokenId)).to.be.false; //new validator enters the staker const newValidator = (await ethers.getSigners())[5]; const addValidatorTx = await protocolStakerContract.connect(newValidator).addValidation(newValidator.address, 12, { value: ethers.parseEther("25000000"), }); await addValidatorTx.wait(); log("\nπŸŽ‰ Correctly added a new validator to the protocol"); // Stargate <> ProtocolStaker - delegate the NFT to the validator const delegateTx = await stargateContract.connect(user).delegate(tokenId, newValidator.address); await delegateTx.wait(); console.log("\nπŸŽ‰ Correctly delegated the NFT to validator", newValidator.address); let delegation = await stargateContract.getDelegationDetails(tokenId); let [start,] = await protocolStakerContract.getDelegationPeriodDetails(delegation.delegationId); console.log("start period of delegation: ", start); let [period,startBlock,,completedPeriods] = await protocolStakerContract.getValidationPeriodDetails(newValidator.address); console.log("completedPeriods Before: ", completedPeriods); await fastForwardValidatorPeriods( Number(period), Number(startBlock), 5 ); [,,,completedPeriods] = await protocolStakerContract.getValidationPeriodDetails(newValidator.address); console.log("completedPeriods Now: ", completedPeriods); const requestExitTx = await stargateContract.connect(user).requestDelegationExit(tokenId); await requestExitTx.wait(); console.log("\nπŸŽ‰ correctly request exit"); delegation = await stargateContract.getDelegationDetails(tokenId); console.log("end period of delegation: ", delegation.endPeriod) await protocolStakerContract.connect(newValidator).signalExit(newValidator.address); let [,,exitBlock,] = await protocolStakerContract.getValidationPeriodDetails(newValidator.address); console.log("endPeriod of Validator: ", exitBlock); await fastForwardValidatorPeriods( Number(period), Number(startBlock), 3 ); let [,,,,status,] = await protocolStakerContract.getValidation(newValidator.address); console.log("status is 3 showing exit: ", status); //now the user who delegated wants to exit unstake but gets a revert await expect( stargateContract.connect(user).unstake(tokenId) ).to.be.revertedWithPanic(0x11); }); ``` Output observed: ``` πŸŽ‰ Correctly delegated the NFT to validator 0x61E7d0c2B25706bE3485980F39A3a994A8207aCf start period of delegation: 1n completedPeriods Before: 0n completedPeriods Now: 5n πŸŽ‰ correctly request exit end period of delegation: 6n endPeriod of Validator: 120n status is 3 showing exit: 3n βœ” user funds get stucked in the contract (6211ms) ```
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/vechain-or-stargate-hayabusa/59742-sc-high-user-funds-get-stucked-in-the-contract-when-validators-exits.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.