60171 sc low levels added after deployment lack boost price initialization resulting in free boosting

Submitted on Nov 19th 2025 at 14:44:28 UTC by @aman for Audit Comp | Vechain | Stargate Hayabusa

Report ID: #60171
Report Type: Smart Contract
Report severity: Low
Target: https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/tree/main/packages/contracts/contracts/StargateNFT/StargateNFT.sol
Impacts:
- Theft of unclaimed royalties

Description

Brief/Intro

The addLevel function allows new levels to be added after deployment, but there is no accompanying function to set the boostPricesPerBlock for these newly added levels. As a result, users can benefit from boost features without paying any fee in VTHO tokens, bypassing the intended waiting period and staking directly on the validator for free.

Vulnerability Details

A new feature introduced in this version allows users to perform boosting, where they pay a token fee to bypass the maturity period and stake immediately to start earning rewards. Under normal operation, levels and their corresponding boost prices are set during initialization inside initializeV3 as follows:

/audit-comp-vechain-stargate-hayabusa/packages/contracts/contracts/StargateNFT/StargateNFT.sol:226
226:     function initializeV3(
227:         address stargate,
228:         uint8[] memory levelIds,
229:         uint256[] memory boostPricesPerBlock
230:     ) external onlyRole(UPGRADER_ROLE) reinitializer(3) {
....
239:         DataTypes.StargateNFTStorage storage $ = _getStargateNFTStorage();
240:         $.stargate = IStargate(stargate);
241:         for (uint256 i; i < levelIds.length; i++) {
242:             Levels.updateLevelBoostPricePerBlock($, levelIds[i], boostPricesPerBlock[i]);
243:         }
244:     }

Here at Line 242 the boostPricesPerBlock for each level is set.

However the levels can also be added after this flow via the addLevel function as follows:

/audit-comp-vechain-stargate-hayabusa/packages/contracts/contracts/StargateNFT/StargateNFT.sol:302
302:     function addLevel(
303:         DataTypes.LevelAndSupply memory _levelAndSupply
304:     ) public onlyRole(LEVEL_OPERATOR_ROLE) {
305:         Levels.addLevel(_getStargateNFTStorage(), _levelAndSupply);
306:     }

StargateNFTContract::addLevel -> Levels::addLevel:

/audit-comp-vechain-stargate-hayabusa/packages/contracts/contracts/StargateNFT/libraries/Levels.sol:88
 88:     function addLevel(
 89:         DataTypes.StargateNFTStorage storage $,
 90:         DataTypes.LevelAndSupply memory _levelAndSupply
 91:     ) external {
 92:         // Increment MAX_LEVEL_ID
 93:         $.MAX_LEVEL_ID++;
 95:         // Override level ID to be the new MAX_LEVEL_ID (We do not care about the level id in the input)
 96:         _levelAndSupply.level.id = $.MAX_LEVEL_ID;
 98:         // Validate level fields
 99:         _validateLevel(_levelAndSupply.level);
101:         // Validate supply
102:         if (_levelAndSupply.circulatingSupply > _levelAndSupply.cap) {
103:             revert Errors.CirculatingSupplyGreaterThanCap();
104:         }
106:         // Add new level to storage
107:         $.levels[_levelAndSupply.level.id] = _levelAndSupply.level;
108:         _checkpointLevelCirculatingSupply(
109:             $,
110:             _levelAndSupply.level.id,
111:             _levelAndSupply.circulatingSupply
112:         );
113:         $.cap[_levelAndSupply.level.id] = _levelAndSupply.cap;
114: 
...
125:     }

As shown above, boostPricePerBlock is never initialized for newly added levels. Consequently, any user can call the boost or stakeAndDelegate functions on levels created via the addLevel function without paying any fee. This allows them to bypass the intended maturity period and immediately stake VET on the validator.

Impact Details

The vulnerability lets users bypass the boost fee entirely, granting them free boosts. Although no protocol funds are lost because fees are burned, the fee mechanism becomes ineffective.

Proof of Concept

Unit test demonstrating the issue (Boost.test.ts)

Add the following unit test case to the file Boost.test.ts and run with command npx hardhat test.

Note: Also import time (and optionally mine) from @nomicfoundation/hardhat-network-helpers.

import { mine, time } from "@nomicfoundation/hardhat-network-helpers";

/audit-comp-vechain-stargate-hayabusa/packages/contracts/test/unit/StargateNFT/Boost.test.ts:344
344: 
        it.only("should be able to boost a token owned by another user with my own allowance", async () => {
            const levelOperator = otherAccounts[2];
            const grantTx = await stargateNFTContract.grantRole(
                await stargateNFTContract.LEVEL_OPERATOR_ROLE(),
                levelOperator.address
            );
            await grantTx.wait();
            const newLevelAndSupply = {
                level: {
                    id: 25, // This id does not matter since it will be replaced by the real one
                    name: "My New Level",
                    isX: false,
                    vetAmountRequiredToStake: ethers.parseEther("1000000"),
                    scaledRewardFactor: 150,
                    maturityBlocks: 30,
                },
                cap: 872,
                circulatingSupply: 0,
            };
            const currentLevelIds = await stargateNFTContract.getLevelIds();
            const bosteddAmount = await stargateNFTContract.boostAmountOfLevel(1);
            console.log("bosteddAmount of level 1", bosteddAmount);
            tx = await stargateNFTContract.connect(levelOperator).addLevel(newLevelAndSupply);
            await tx.wait();
            const expectedLevelId = currentLevelIds[currentLevelIds.length - 1] + 1n;
            // mint the NFT for the user
            const bosteddAmount2 = await stargateNFTContract.boostAmountOfLevel(expectedLevelId);
            console.log("bosteddAmount of level added via addLevel", bosteddAmount2);

            tx = await stargateNFTContract.mint(expectedLevelId, user.address);
            await tx.wait();
            const tokenId = await stargateNFTContract.getCurrentTokenId();
            console.log("✅ Minted NFT with id", tokenId);
            const maturityPeriodEndBlock =
                await stargateNFTContract.maturityPeriodEndBlock(tokenId);
            expect(maturityPeriodEndBlock).to.be.greaterThan((await time.latestBlock()).toString());

            const boostAmount = await stargateNFTContract.boostAmount(tokenId);
            expect(boostAmount).to.equal(0);
            const oldBalance = await vthoTokenContract.balanceOf(user.address);
            // boost the NFT with other user
            tx = await stargateNFTContract.connect(otherUser).boost(tokenId);
            await tx.wait();
            log("✅ Boosted NFT");
            const newVthoBalance = await vthoTokenContract.balanceOf(user.address);
            log("👀 New VTHO balance", newVthoBalance);
            expect(newVthoBalance).to.equal(oldBalance);
            const maturityPeriodEndBlockAfterBoost =
                await stargateNFTContract.maturityPeriodEndBlock(tokenId);
            expect(maturityPeriodEndBlockAfterBoost).to.equal((await time.latestBlock()).toString());
        });

References

Add any relevant links to documentation or code.

Previous60169 sc high exited delegations can continue to claim rewards due to logic fall through in claimabledelegationperiods Next60173 sc high the phantom claimable periods can permanently lock the staked vet for ended delegations

Was this helpful?

import { mine, time } from "@nomicfoundation/hardhat-network-helpers"; /audit-comp-vechain-stargate-hayabusa/packages/contracts/test/unit/StargateNFT/Boost.test.ts:344 344: it.only("should be able to boost a token owned by another user with my own allowance", async () => { const levelOperator = otherAccounts[2]; const grantTx = await stargateNFTContract.grantRole( await stargateNFTContract.LEVEL_OPERATOR_ROLE(), levelOperator.address ); await grantTx.wait(); const newLevelAndSupply = { level: { id: 25, // This id does not matter since it will be replaced by the real one name: "My New Level", isX: false, vetAmountRequiredToStake: ethers.parseEther("1000000"), scaledRewardFactor: 150, maturityBlocks: 30, }, cap: 872, circulatingSupply: 0, }; const currentLevelIds = await stargateNFTContract.getLevelIds(); const bosteddAmount = await stargateNFTContract.boostAmountOfLevel(1); console.log("bosteddAmount of level 1", bosteddAmount); tx = await stargateNFTContract.connect(levelOperator).addLevel(newLevelAndSupply); await tx.wait(); const expectedLevelId = currentLevelIds[currentLevelIds.length - 1] + 1n; // mint the NFT for the user const bosteddAmount2 = await stargateNFTContract.boostAmountOfLevel(expectedLevelId); console.log("bosteddAmount of level added via addLevel", bosteddAmount2); tx = await stargateNFTContract.mint(expectedLevelId, user.address); await tx.wait(); const tokenId = await stargateNFTContract.getCurrentTokenId(); console.log("✅ Minted NFT with id", tokenId); const maturityPeriodEndBlock = await stargateNFTContract.maturityPeriodEndBlock(tokenId); expect(maturityPeriodEndBlock).to.be.greaterThan((await time.latestBlock()).toString()); const boostAmount = await stargateNFTContract.boostAmount(tokenId); expect(boostAmount).to.equal(0); const oldBalance = await vthoTokenContract.balanceOf(user.address); // boost the NFT with other user tx = await stargateNFTContract.connect(otherUser).boost(tokenId); await tx.wait(); log("✅ Boosted NFT"); const newVthoBalance = await vthoTokenContract.balanceOf(user.address); log("👀 New VTHO balance", newVthoBalance); expect(newVthoBalance).to.equal(oldBalance); const maturityPeriodEndBlockAfterBoost = await stargateNFTContract.maturityPeriodEndBlock(tokenId); expect(maturityPeriodEndBlockAfterBoost).to.equal((await time.latestBlock()).toString()); });

hashtagDescription

hashtagBrief/Intro

hashtagVulnerability Details

hashtagImpact Details

hashtagProof of Concept