# 60210 sc high during a validator exit users will be unable to unstake due to underflow **Submitted on Nov 20th 2025 at 00:08:26 UTC by @oxrex for** [**Audit Comp | Vechain | Stargate Hayabusa**](https://immunefi.com/audit-competition/audit-comp-vechain-stargate-hayabusa) * **Report ID:** #60210 * **Report Type:** Smart Contract * **Report severity:** High * **Target:** * **Impacts:** Permanent freezing of funds ## Description ### Brief / Intro During a validator EXIT, users will be unable to unstake due to an underflow issue inside the `unstake()` function. ### Vulnerability Details The unstaking process in the current implementation of Vechain staking is implemented in two main user actions: {% stepper %} {% step %} ### User requests delegation exit 1. A user requests to exit delegation validator X.\ In `requestDelegationExit` the validator's effective stake for the next period is reduced: ```solidity function requestDelegationExit( uint256 _tokenId ) external whenNotPaused onlyTokenOwner(_tokenId) nonReentrant { ... // decrease the effective stake _updatePeriodEffectiveStake($, delegation.validator, _tokenId, completedPeriods + 2, false); emit DelegationExitRequested(_tokenId, delegation.validator, delegationId, exitBlock); } ``` {% endstep %} {% step %} ### User calls unstake() 2. The user then calls `unstake()` to get their staked VET tokens back and claim earned rewards. {% endstep %} {% endstepper %} If the validator has not been exited before the user calls `unstake()`, the user receives their VET back as expected. However, a problematic sequence creates an underflow: {% stepper %} {% step %} ### Problematic sequence ā€” part 1 * User requests exit from validator X (reducing the validator effective stake for the upcoming period). {% endstep %} {% step %} ### Problematic sequence ā€” part 2 * Validator X is exited (validator becomes status EXITED). {% endstep %} {% step %} ### Problematic sequence ā€” part 3 * User calls `unstake()`. Because the validator status is EXITED, `unstake()` attempts to call `_updatePeriodEffectiveStake` again ā€” even though the effective stake was already reduced when the user requested exit. {% endstep %} {% endstepper %} This double deduction creates two failure modes: * If the user is the sole delegator to that validator, the second deduction causes an underflow, permanently locking the user's tokens. * If there are multiple delegators, the second deduction corrupts the validator's effective stake and will cause other delegators' future unstake calls to underflow as well, propagating the issue. Relevant excerpt from `unstake()`: ```solidity function unstake( uint256 _tokenId ) external whenNotPaused onlyTokenOwner(_tokenId) nonReentrant { ... // if the delegation is pending or the validator is exited or unknown // decrease the effective stake of the previous validator if ( currentValidatorStatus == VALIDATOR_STATUS_EXITED || delegation.status == DelegationStatus.PENDING ) { // get the completed periods of the previous validator (, , , uint32 oldCompletedPeriods) = $ .protocolStakerContract .getValidationPeriodDetails(delegation.validator); // decrease the effective stake of the previous validator _updatePeriodEffectiveStake( $, delegation.validator, _tokenId, oldCompletedPeriods + 2, false // decrease ); } ... } ``` The PoC attached with this report demonstrates the bug. The fix is to avoid decreasing effective stake twice for the same delegation/validator (i.e., ensure `_updatePeriodEffectiveStake` isn't called redundantly when the exit was already processed in `requestDelegationExit`). ## Impact Details {% hint style="danger" %} Complete lock of the user's VET tokens (the `token.vetAmountStaked` associated with the NFT). The only contract function that sends out those VET tokens is `unstake()`, so this underflow can permanently prevent users from reclaiming funds. {% endhint %} ## References ## Proof of Concept
PoC test (paste into Rewards.test.ts and run) ```js it.only("poc for locked stake:", async () => { const levelSpec = await stargateNFTMock.getLevel(LEVEL_ID); tx = await stargateContract.connect(user).stake(LEVEL_ID, { value: levelSpec.vetAmountRequiredToStake, }); await tx.wait(); const tokenId = await stargateNFTMock.getCurrentTokenId(); log("\nšŸŽ‰ Staked token with id:", tokenId); tx = await stargateContract.connect(user).delegate(tokenId, validator.address); await tx.wait(); log("\nšŸŽ‰ Delegated token to validator", validator.address); // fast forward some periods tx = await protocolStakerMock.helper__setValidationCompletedPeriods(validator.address, 5); // await tx.wait(); log("\nšŸŽ‰ Set validator completed periods to 5"); // request to exit the delegation tx = await stargateContract.connect(user).requestDelegationExit(tokenId); await tx.wait(); log("\nšŸŽ‰ Requested to exit the delegation"); // validator exits tx = await protocolStakerMock.helper__setValidatorStatus( validator.address, VALIDATOR_STATUS_EXITED ); await tx.wait(); tx1 = await stargateContract.connect(user).unstake(tokenId); await tx1.wait(); }); ``` Expected revert seen when underflow occurs: ``` Error: VM Exception while processing transaction: reverted with panic code 0x11 (Arithmetic operation overflowed outside of an unchecked block) at Stargate._updatePeriodEffectiveStake (contracts/Stargate.sol:1039) at Stargate.unstake (contracts/Stargate.sol:285) ```
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/vechain-or-stargate-hayabusa/60210-sc-high-during-a-validator-exit-users-will-be-unable-to-unstake-due-to-underflow.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.