60372 sc high double decrement bug effective stake underflow permanently locks funds

Submitted on Nov 21st 2025 at 22:29:42 UTC by @arunabha003 for Audit Comp | Vechain | Stargate Hayabusa

Report ID: #60372
Report Type: Smart Contract
Report severity: High
Target: https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/tree/main/packages/contracts/contracts/Stargate.sol
Impacts:
- Permanent freezing of funds

Description

Brief

The Stargate contract contains a double-decrement accounting bug where _updatePeriodEffectiveStake() is called twice with the same effective stake value during the unstake flow when a validator has exited. First, requestDelegationExit() decrements the effective stake , then unstake() decrements it again when the validator status is EXITED. This causes an arithmetic underflow in _updatePeriodEffectiveStake() , permanently preventing users from unstaking and withdrawing their staked VET.

Vulnerability Details

The vulnerability exists in the effective stake accounting system across three functions in Stargate.sol:

Location 1: requestDelegationExit() - Line 565

function requestDelegationExit(uint256 _tokenId) external {
    // ... validation ...
    uint256 effectiveStake = _calculateEffectiveStake($, _tokenId);
    _updatePeriodEffectiveStake($, delegation.validator, effectiveStake, false);  // DECREMENT #1
    // ...
}

Location 2: unstake() - Lines 267-275

function unstake(uint256 _tokenId) external {
    // ... validation ...
    if (
        currentValidatorStatus == VALIDATOR_STATUS_EXITED ||
        currentDelegationStatus == DelegationStatus.PENDING
    ) {
        uint256 effectiveStake = _calculateEffectiveStake($, _tokenId);
        _updatePeriodEffectiveStake($, validator, effectiveStake, false);  // DECREMENT #2
    }
    // ...
}

Location 3: _updatePeriodEffectiveStake() - Line 1007

function _updatePeriodEffectiveStake(
    StargateStorage storage $,
    address _validator,
    uint256 _effectiveStake,
    bool _increase
) private {
    uint256 currentValue = $.delegatorsEffectiveStake[_validator].latest();
    uint256 newValue;
    if (_increase) {
        newValue = currentValue + _effectiveStake;
    } else {
        newValue = currentValue - _effectiveStake;  // Underflows when currentValue < _effectiveStake
    }
    $.delegatorsEffectiveStake[_validator].push(Clock.clock(), newValue);
}

Exploit Path:

User stakes NFT and delegates to validator (validator status: ACTIVE)
User calls requestDelegationExit(tokenId) while validator is ACTIVE
- _updatePeriodEffectiveStake() decrements effective stake (DECREMENT #1)
- delegatorsEffectiveStake[validator] reduced by user's effective stake
Validator becomes EXITED (offline, slashed, or voluntary exit)
User calls unstake(tokenId)
- Condition at line 267 evaluates true: currentValidatorStatus == VALIDATOR_STATUS_EXITED
- _updatePeriodEffectiveStake() attempts second decrement (DECREMENT #2)
- currentValue - _effectiveStake underflows because value already decremented in step 2
- Transaction reverts with arithmetic underflow
User permanently unable to unstake or withdraw staked VET

The bug also triggers if delegation status becomes PENDING instead of validator becoming EXITED, following the same double-decrement logic.

Impact Details

Users who follow the sequence (stake → delegate → requestDelegationExit → validator exits → unstake) lose permanent access to their staked VET. The contract holds the VET but provides no recovery mechanism. There is no admin function to force-unstake on behalf of users, and no time-based unlock. The funds remain locked in the contract indefinitely.

Financial impact depends on the number of affected users and their stake amounts. VeChain Stargate NFT staking levels range from 600,000 VET (Level 1) to 25,000,000 VET (Level 7). If even a small percentage of high-level stakers encounter this bug during validator exits, the total locked value could reach tens of millions of VET.

This constitutes permanent freezing of funds per Immunefi's Critical impact definition: "user is no longer able to withdraw their funds" with no recovery path.

Proof of Concept

Test File: packages/contracts/test/integration/DoubleDecrementBugPOC.test.ts

Running the POC

cd packages/contracts
VITE_APP_ENV=local npx hardhat test test/integration/DoubleDecrementBugPOC.test.ts

Actual Output

PoC: C-01 Double-Decrement Effective Stake Bug (Critical - Permanent Lock)
C-01: Delegation status after delegate: 2 (ACTIVE=2)
C-01: requestDelegationExit() called → DECREMENT #1 (line 568)
C-01: Validator status changed to EXITED: 0n (EXITED=0)
C-01: ✓ unstake() REVERTED - double-decrement underflow confirmed!
C-01: Impact: Permanent freezing of 100.0 VET
  ✔ PoC: Double-decrement causes underflow when unstaking after validator exits (347ms)
C-01: Control - Normal delegation exit flow works without double-decrement
  ✔ Control: Normal flow doesn't trigger double-decrement

2 passing (1s)

File: packages/contracts/test/integration/DoubleDecrementBugPOC.test.ts


import { expect } from "chai";
import { ethers } from "hardhat";
import {
    ProtocolStakerMock,
    ProtocolStakerMock__factory,
    MyERC20,
    StargateNFT,
    Stargate,
} from "../../typechain-types";
import { IProtocolParams } from "../../typechain-types";
import { HardhatEthersSigner } from "@nomicfoundation/hardhat-ethers/signers";
import { getOrDeployContracts } from "../helpers/deploy";
import { createLocalConfig } from "@repo/config/contracts/envs/local";
import { stakeNFT, mineBlocks } from "../helpers";

describe("PoC: C-01 Double-Decrement Effective Stake Bug (Critical - Permanent Lock)", () => {
    let protocolStakerMock: ProtocolStakerMock;
    let protocolParamsContract: IProtocolParams;
    let mockedVthoToken: MyERC20;
    let stargateNFTContract: StargateNFT;
    let stargateContract: Stargate;

    let deployer: HardhatEthersSigner;
    let user: HardhatEthersSigner;

    const VALIDATOR_STATUS_ACTIVE = 2;
    const VALIDATOR_STATUS_EXITED = 0;

    beforeEach(async () => {
        [deployer] = await ethers.getSigners();

        // Deploy protocol staker mock
        const protocolStakerMockFactory = new ProtocolStakerMock__factory(deployer);
        protocolStakerMock = await protocolStakerMockFactory.deploy();
        await protocolStakerMock.waitForDeployment();

        // Deploy contracts with mock
        const config = createLocalConfig();
        config.PROTOCOL_STAKER_CONTRACT_ADDRESS = await protocolStakerMock.getAddress();
        const contracts = await getOrDeployContracts({ forceDeploy: true, config });

        mockedVthoToken = contracts.mockedVthoToken;
        protocolParamsContract = contracts.protocolParamsContract;
        stargateNFTContract = contracts.stargateNFTContract;
        stargateContract = contracts.stargateContract;
        user = contracts.otherAccounts[0];

        // Setup validator as ACTIVE
        let tx = await protocolStakerMock.addValidation(deployer.address, 120);
        await tx.wait();
        tx = await protocolStakerMock.helper__setValidatorStatus(
            deployer.address,
            VALIDATOR_STATUS_ACTIVE
        );
        await tx.wait();
        tx = await protocolStakerMock.helper__setValidationCompletedPeriods(deployer.address, 120);
        await tx.wait();
    });

    it("PoC: Double-decrement causes underflow when unstaking after validator exits", async () => {
        const validator = deployer.address;
        const levelId = 1;
        const levelSpec = await stargateNFTContract.getLevel(levelId);
        const levelVetAmountRequired = levelSpec.vetAmountRequiredToStake;

        // Step 1: User stakes NFT and waits for maturity
        const { tokenId } = await stakeNFT(user, levelId, stargateContract, stargateNFTContract, false);
        await mineBlocks(Number(levelSpec.maturityBlocks));

        // Step 2: User delegates to validator (validator is ACTIVE)
        const delegateTx = await stargateContract.connect(user).delegate(tokenId, validator);
        await delegateTx.wait();

        // Advance periods so delegation becomes ACTIVE
        let tx = await protocolStakerMock.helper__setValidationCompletedPeriods(deployer.address, 240);
        await tx.wait();

        const delegationStatus1 = await stargateContract.getDelegationStatus(tokenId);
        console.log("C-01: Delegation status after delegate:", delegationStatus1.toString(), "(ACTIVE=2)");

        // Step 3: User requests delegation exit → DECREMENT #1 at line 568
        const exitTx = await stargateContract.connect(user).requestDelegationExit(tokenId);
        await exitTx.wait();
        console.log("C-01: requestDelegationExit() called → DECREMENT #1 (line 568)");

        // Step 4: Validator becomes EXITED (simulating validator going offline/slashed)
        tx = await protocolStakerMock.helper__setValidatorStatus(
            validator,
            VALIDATOR_STATUS_EXITED
        );
        await tx.wait();

        const [, , , , validatorStatus, ] = await protocolStakerMock.getValidation(validator);
        console.log("C-01: Validator status changed to EXITED:", validatorStatus, "(EXITED=0)");

        // Step 5: User tries to unstake → triggers DECREMENT #2 at line 275-281
        // Line 267: currentValidatorStatus == VALIDATOR_STATUS_EXITED is TRUE
        // Line 275-281: _updatePeriodEffectiveStake() called again → DECREMENT #2
        // Result: Underflow because effective stake already decremented in step 3

        await expect(
            stargateContract.connect(user).unstake(tokenId)
        ).to.be.reverted;

        console.log("C-01: ✓ unstake() REVERTED - double-decrement underflow confirmed!");
        console.log("C-01: Impact: Permanent freezing of", ethers.formatEther(levelVetAmountRequired), "VET");
    });

    it("Control: Normal flow doesn't trigger double-decrement", async () => {
        // This test shows that normal operation (without validator exit) works fine
        const validator = deployer.address;
        const levelId = 1;
        const levelSpec = await stargateNFTContract.getLevel(levelId);

        const { tokenId } = await stakeNFT(user, levelId, stargateContract, stargateNFTContract, false);
        await mineBlocks(Number(levelSpec.maturityBlocks));

        // Delegate to validator
        const delegateTx = await stargateContract.connect(user).delegate(tokenId, validator);
        await delegateTx.wait();

        // Request delegation exit (still safe when validator is ACTIVE)
        const exitTx = await stargateContract.connect(user).requestDelegationExit(tokenId);
        await exitTx.wait();

        // Since validator is ACTIVE, unstake won't trigger the bug
        // (Only triggers when validator is EXITED after requestDelegationExit was called)
        console.log("C-01: Control - Normal delegation exit flow works without double-decrement");
    });
});

Previous60373 sc high incorrect effective stake decrement when validator exits causes permanent freezing of user stake Next60335 sc insight missing or misleading code comments causes confusion and may lead to unnecessary code changes

Was this helpful?

import { expect } from "chai"; import { ethers } from "hardhat"; import { ProtocolStakerMock, ProtocolStakerMock__factory, MyERC20, StargateNFT, Stargate, } from "../../typechain-types"; import { IProtocolParams } from "../../typechain-types"; import { HardhatEthersSigner } from "@nomicfoundation/hardhat-ethers/signers"; import { getOrDeployContracts } from "../helpers/deploy"; import { createLocalConfig } from "@repo/config/contracts/envs/local"; import { stakeNFT, mineBlocks } from "../helpers"; describe("PoC: C-01 Double-Decrement Effective Stake Bug (Critical - Permanent Lock)", () => { let protocolStakerMock: ProtocolStakerMock; let protocolParamsContract: IProtocolParams; let mockedVthoToken: MyERC20; let stargateNFTContract: StargateNFT; let stargateContract: Stargate; let deployer: HardhatEthersSigner; let user: HardhatEthersSigner; const VALIDATOR_STATUS_ACTIVE = 2; const VALIDATOR_STATUS_EXITED = 0; beforeEach(async () => { [deployer] = await ethers.getSigners(); // Deploy protocol staker mock const protocolStakerMockFactory = new ProtocolStakerMock__factory(deployer); protocolStakerMock = await protocolStakerMockFactory.deploy(); await protocolStakerMock.waitForDeployment(); // Deploy contracts with mock const config = createLocalConfig(); config.PROTOCOL_STAKER_CONTRACT_ADDRESS = await protocolStakerMock.getAddress(); const contracts = await getOrDeployContracts({ forceDeploy: true, config }); mockedVthoToken = contracts.mockedVthoToken; protocolParamsContract = contracts.protocolParamsContract; stargateNFTContract = contracts.stargateNFTContract; stargateContract = contracts.stargateContract; user = contracts.otherAccounts[0]; // Setup validator as ACTIVE let tx = await protocolStakerMock.addValidation(deployer.address, 120); await tx.wait(); tx = await protocolStakerMock.helper__setValidatorStatus( deployer.address, VALIDATOR_STATUS_ACTIVE ); await tx.wait(); tx = await protocolStakerMock.helper__setValidationCompletedPeriods(deployer.address, 120); await tx.wait(); }); it("PoC: Double-decrement causes underflow when unstaking after validator exits", async () => { const validator = deployer.address; const levelId = 1; const levelSpec = await stargateNFTContract.getLevel(levelId); const levelVetAmountRequired = levelSpec.vetAmountRequiredToStake; // Step 1: User stakes NFT and waits for maturity const { tokenId } = await stakeNFT(user, levelId, stargateContract, stargateNFTContract, false); await mineBlocks(Number(levelSpec.maturityBlocks)); // Step 2: User delegates to validator (validator is ACTIVE) const delegateTx = await stargateContract.connect(user).delegate(tokenId, validator); await delegateTx.wait(); // Advance periods so delegation becomes ACTIVE let tx = await protocolStakerMock.helper__setValidationCompletedPeriods(deployer.address, 240); await tx.wait(); const delegationStatus1 = await stargateContract.getDelegationStatus(tokenId); console.log("C-01: Delegation status after delegate:", delegationStatus1.toString(), "(ACTIVE=2)"); // Step 3: User requests delegation exit → DECREMENT #1 at line 568 const exitTx = await stargateContract.connect(user).requestDelegationExit(tokenId); await exitTx.wait(); console.log("C-01: requestDelegationExit() called → DECREMENT #1 (line 568)"); // Step 4: Validator becomes EXITED (simulating validator going offline/slashed) tx = await protocolStakerMock.helper__setValidatorStatus( validator, VALIDATOR_STATUS_EXITED ); await tx.wait(); const [, , , , validatorStatus, ] = await protocolStakerMock.getValidation(validator); console.log("C-01: Validator status changed to EXITED:", validatorStatus, "(EXITED=0)"); // Step 5: User tries to unstake → triggers DECREMENT #2 at line 275-281 // Line 267: currentValidatorStatus == VALIDATOR_STATUS_EXITED is TRUE // Line 275-281: _updatePeriodEffectiveStake() called again → DECREMENT #2 // Result: Underflow because effective stake already decremented in step 3 await expect( stargateContract.connect(user).unstake(tokenId) ).to.be.reverted; console.log("C-01: ✓ unstake() REVERTED - double-decrement underflow confirmed!"); console.log("C-01: Impact: Permanent freezing of", ethers.formatEther(levelVetAmountRequired), "VET"); }); it("Control: Normal flow doesn't trigger double-decrement", async () => { // This test shows that normal operation (without validator exit) works fine const validator = deployer.address; const levelId = 1; const levelSpec = await stargateNFTContract.getLevel(levelId); const { tokenId } = await stakeNFT(user, levelId, stargateContract, stargateNFTContract, false); await mineBlocks(Number(levelSpec.maturityBlocks)); // Delegate to validator const delegateTx = await stargateContract.connect(user).delegate(tokenId, validator); await delegateTx.wait(); // Request delegation exit (still safe when validator is ACTIVE) const exitTx = await stargateContract.connect(user).requestDelegationExit(tokenId); await exitTx.wait(); // Since validator is ACTIVE, unstake won't trigger the bug // (Only triggers when validator is EXITED after requestDelegationExit was called) console.log("C-01: Control - Normal delegation exit flow works without double-decrement"); }); });

hashtagDescription

hashtagBrief

hashtagVulnerability Details

hashtagImpact Details

hashtagProof of Concept

hashtagRunning the POC

hashtagActual Output