Calling requestDelegationExit records a first effective-stake decrement, util validator status changed to EXITED, USER try to call unstake , and enters the EXITED/PENDING branch and applies a second decrement for the same period, causing an underflow (panic 0x11) before any transfers.
Vulnerability Details
First decrement: requestDelegationExit calls _updatePeriodEffectiveStakefor the next period (Stargate.sol #L568).
Second decrement: unstake in the currentValidatorStatus == EXITED || status == PENDING branch calls _updatePeriodEffectiveStake again Stargate.sol (#L266-#L283), leading to underflow when the checkpointed value is already zero.
Impact Details
Once triggered, every unstake attempt reverts; delegations cannot be changed, so the user’s staked VET remains locked in the staking contract. Funds are not stolen but are permanently frozen.
Affected flow: stake + delegate → requestDelegationExit (first decrement) → validator becomes EXITED → any unstake reverts on second decrement.
References
add a status judge before call _updatePeriodEffectiveStake in unstake.
bool shouldDecrement = (delegation.status == DelegationStatus.PENDING) ||
(currentValidatorStatus == VALIDATOR_STATUS_EXITED && delegation.status == DelegationStatus.NONE); // or some other scenery can do decreament
if (shouldDecrement) {
_updatePeriodEffectiveStake(..., false);
} else {
// status == EXITED has been decreased in requestDelegationExit, skip
}