59904 sc high it s possible to decrease twice delegator stake in certain conditions

Submitted on Nov 16th 2025 at 20:50:22 UTC by @Paludo0x for Audit Comp | Vechain | Stargate Hayabusa

Report ID: #59904
Report Type: Smart Contract
Report severity: High
Target: https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/tree/main/packages/contracts/contracts/Stargate.sol
Impacts:
- Permanent freezing of funds
- Theft of unclaimed yield

Description

Brief / Intro

A delegator can trigger two scheduled decreases of the validator’s cumulative delegators effective stake by first calling requestDelegationExit while the validator is ACTIVE and later calling unstake after the validator becomes EXITED.

Vulnerability Details

Updates of delegatorsEffectiveStake are handled through _updatePeriodEffectiveStake, which reads the current cumulative value for _period using upperLookup and then adds or subtracts the token’s current effective stake:

function _updatePeriodEffectiveStake(
    StargateStorage storage $,
    address _validator,
    uint256 _tokenId,
    uint32 _period,
    bool _isIncrease
) private {
    // calculate the effective stake
    uint256 effectiveStake = _calculateEffectiveStake($, _tokenId);

    // get the current effective stake
    uint256 currentValue = $.delegatorsEffectiveStake[_validator].upperLookup(_period);

    // calculate the updated effective stake
    uint256 updatedValue = _isIncrease
        ? currentValue + effectiveStake
        : currentValue - effectiveStake;

    // push the updated effective stake
    $.delegatorsEffectiveStake[_validator].push(_period, SafeCast.toUint224(updatedValue));
}

There are two different paths which schedule a decrease of delegatorsEffectiveStake. These are represented below as steps.

Exit requested while validator is ACTIVE (schedules a decrease at completedPeriods + 2)

// Get the latest completed period of the validator
(, , , uint32 completedPeriods) = $.protocolStakerContract.getValidationPeriodDetails(
    delegation.validator
);
(, uint32 exitBlock) = $.protocolStakerContract.getDelegationPeriodDetails(delegationId);

// decrease the effective stake
_updatePeriodEffectiveStake($, delegation.validator, _tokenId, completedPeriods + 2, false);

This path schedules a decrease when the delegator calls requestDelegationExit while the validator is ACTIVE.

Unstake when validator is EXITED (or delegation is PENDING) (schedules a decrease at oldCompletedPeriods + 2)

if (
    currentValidatorStatus == VALIDATOR_STATUS_EXITED ||
    delegation.status == DelegationStatus.PENDING
) {
    // get the completed periods of the previous validator
    (, , , uint32 oldCompletedPeriods) = $
        .protocolStakerContract
        .getValidationPeriodDetails(delegation.validator);

    // decrease the effective stake of the previous validator
    _updatePeriodEffectiveStake(
        $,
        delegation.validator,
        _tokenId,
        oldCompletedPeriods + 2,
        false // decrease
    );

This path schedules a decrease when unstake is called and the validator is EXITED or the delegation is PENDING.

Because there is no specific guard preventing both scheduling actions for the same token, both scheduled decreases may subtract the same token’s effective stake at different future periods.

This is the snippet of the faulty code in unstake():

// if the delegation is pending or the validator is exited or unknown
// decrease the effective stake of the previous validator
if (
    currentValidatorStatus == VALIDATOR_STATUS_EXITED ||
    delegation.status == DelegationStatus.PENDING
) {
    // get the completed periods of the previous validator
    (, , , uint32 oldCompletedPeriods) = $
        .protocolStakerContract
        .getValidationPeriodDetails(delegation.validator);

    // decrease the effective stake of the previous validator
    _updatePeriodEffectiveStake(
        $,
        delegation.validator,
        _tokenId,
        oldCompletedPeriods + 2,
        false // decrease
    );
}

if (delegation.status == DelegationStatus.PENDING) {
    // We emit an event to signal that the NFT exited the current pending delegation
    // to ensure that indexers can correctly track the delegation status
    emit DelegationExitRequested(
        _tokenId,
        delegation.validator,
        delegation.delegationId,
        Clock.clock()
    );
}

Impact Details

The share formula used by _claimableRewardsForPeriod:

uint256 delegationId = $.delegationIdByTokenId[_tokenId];
(address validator, , , ) = $.protocolStakerContract.getDelegation(delegationId);

uint256 delegationPeriodRewards = $.protocolStakerContract.getDelegatorsRewards(
    validator,
    _period
);

// get the effective stake of the token
uint256 effectiveStake = _calculateEffectiveStake($, _tokenId);
// get the effective stake of the delegator in the period
uint256 delegatorsEffectiveStake = $.delegatorsEffectiveStake[validator].upperLookup(
    _period
);
// avoid division by zero
if (delegatorsEffectiveStake == 0) {
    return 0;
}

// return the claimable amount
return (effectiveStake * delegationPeriodRewards) / delegatorsEffectiveStake;

Consequences:

When the second decrease lands on a period where the cumulative already reflects the first decrease (zero in a single-delegator validator), the subtraction attempts cause an underflow and therefore revert inside _updatePeriodEffectiveStake.
When there are multiple delegators so the cumulative stays > 0, the double subtraction understates the denominator from that later period onward, inflating all other positions' shares.

Critical impact: Permanent freezing of funds — in pools where there is a sole delegator, the second scheduled decrease causes an underflow reverting _updatePeriodEffectiveStake. All flows that must apply this scheduled decrease will keep reverting, effectively freezing funds permanently.

Proof of Concept

PoC logs and test cases (expand to view)

PoC 1 — demonstrates the vulnerability (revert / underflow when sole delegator):

delegatorsEffectiveStake before unstake: 0

balance before unstake: 49999998999435010749972320 
expected payout: 1000000000000000000

delegatorsEffectiveStake after revert: 0

balance after revert: 49999998999309969383653880 
delta: -125041366318440
    ✔ schedules a second decrease and reverts (underflow) if I am the sole delegator (43ms)

PoC 2 — demonstrates expected behaviour when validator stays ACTIVE (no second scheduled decrease):

delegatorsEffectiveStake before unstake: 0

balance before unstake: 49999998999435010749972320 
expected payout: 1000000000000000000

delegatorsEffectiveStake after unstake: 0

balance after unstake: 49999999998914239240352854 
delta: 999479228490380534
    ✔ does not schedule a second decrease when the validator stays active (67ms)

PoC tests to copy into Delegation.test.ts:

it("schedules a second decrease and reverts (underflow) if I am the sole delegator", async function () {
    const levelSpec = await stargateNFTMock.getLevel(LEVEL_ID);
    await (await stargateContract.connect(user).stake(LEVEL_ID, { value: levelSpec.vetAmountRequiredToStake })).wait();
    const tokenId = await stargateNFTMock.getCurrentTokenId();

    await (await stargateContract.connect(user).delegate(tokenId, validator.address)).wait();

    const P0 = 10;
    await protocolStakerMock.helper__setValidationCompletedPeriods(validator.address, P0);
    expect(await stargateContract.getDelegationStatus(tokenId)).to.equal(DELEGATION_STATUS_ACTIVE);

    await (await stargateContract.connect(user).requestDelegationExit(tokenId)).wait();

    const P2 = 12;
    await protocolStakerMock.helper__setValidatorStatus(validator.address, VALIDATOR_STATUS_EXITED);
    await protocolStakerMock.helper__setValidationCompletedPeriods(validator.address, P2);

    const periodOfSecondDecrease = P2 + 2;
    const denominatorBefore = await stargateContract.getDelegatorsEffectiveStake(
        validator.address,
        periodOfSecondDecrease
    );
    const token = await stargateNFTMock.getToken(tokenId);
    const balBefore = await ethers.provider.getBalance(user.address);
    log(
        "\nperiod:",
        periodOfSecondDecrease,
        "\ndelegatorsEffectiveStake before unstake:",
        denominatorBefore.toString()
    );
    log(
        "\nbalance before unstake:",
        balBefore.toString(),
        "\nexpected payout:",
        token.vetAmountStaked.toString()
    );

    await expect(stargateContract.connect(user).unstake(tokenId)).to.be.reverted;

    const denominatorAfter = await stargateContract.getDelegatorsEffectiveStake(
        validator.address,
        periodOfSecondDecrease
    );
    log(
        "\ndelegatorsEffectiveStake after revert:",
        denominatorAfter.toString()
    );
    const balAfter = await ethers.provider.getBalance(user.address);
    log(
        "\nbalance after revert:",
        balAfter.toString(),
        "\ndelta:",
        (balAfter - balBefore).toString()
    );
});

it("does not schedule a second decrease when the validator stays active", async function () {
    const levelSpec = await stargateNFTMock.getLevel(LEVEL_ID);
    await (await stargateContract.connect(user).stake(LEVEL_ID, { value: levelSpec.vetAmountRequiredToStake })).wait();
    const tokenId = await stargateNFTMock.getCurrentTokenId();

    await (await stargateContract.connect(user).delegate(tokenId, validator.address)).wait();

    const P0 = 20;
    await protocolStakerMock.helper__setValidationCompletedPeriods(validator.address, P0);
    expect(await stargateContract.getDelegationStatus(tokenId)).to.equal(DELEGATION_STATUS_ACTIVE);

    await (await stargateContract.connect(user).requestDelegationExit(tokenId)).wait();

    const P2 = 22;
    await protocolStakerMock.helper__setValidationCompletedPeriods(validator.address, P2);
    await protocolStakerMock.helper__setValidatorStatus(validator.address, VALIDATOR_STATUS_ACTIVE);

    const controlPeriod = P2 + 2;
    const denominatorBeforeControl = await stargateContract.getDelegatorsEffectiveStake(
        validator.address,
        controlPeriod
    );
    log(
        "\nperiod before unstake:",
        controlPeriod,
        "\ndelegatorsEffectiveStake before unstake:",
        denominatorBeforeControl.toString()
    );

    const balBefore = await ethers.provider.getBalance(user.address);
    const token = await stargateNFTMock.getToken(tokenId);
    log(
        "\nbalance before unstake:",
        balBefore.toString(),
        "\nexpected payout:",
        token.vetAmountStaked.toString()
    );

    await expect(stargateContract.connect(user).unstake(tokenId)).to.not.be.reverted;

    const denominatorAfterControl = await stargateContract.getDelegatorsEffectiveStake(
        validator.address,
        controlPeriod
    );
    log(
        "\ndelegatorsEffectiveStake after unstake:",
        denominatorAfterControl.toString()
    );

    const balAfter = await ethers.provider.getBalance(user.address);
    const balanceDelta = balAfter - balBefore;
    log(
        "\nbalance after unstake:",
        balAfter.toString(),
        "\ndelta:",
        balanceDelta.toString()
    );
});

Summary

Root cause: lack of guard to prevent scheduling the same token's effective stake to be decreased twice via two different code paths (requestDelegationExit while ACTIVE and unstake when EXITED/PENDING).
Consequences: underflow reverts when sole delegator -> permanent freeze; incorrect reward distribution when multiple delegators -> inflated shares for others.
Files referenced: Stargate.sol (target repository link above).

Previous59866 sc high the delegator s rewards in period 1 cannot be claimed Next59919 sc high loss of funds delegators can claim rewards for periods where they had no stake

Was this helpful?

hashtagDescription

hashtagBrief / Intro

hashtagVulnerability Details

hashtagExit requested while validator is ACTIVE (schedules a decrease at completedPeriods + 2)

hashtagUnstake when validator is EXITED (or delegation is PENDING) (schedules a decrease at oldCompletedPeriods + 2)

hashtagImpact Details

hashtagProof of Concept

hashtagSummary