search
Active Boosts

60470 sc high double decrease of validator stake in stargate sol

Submitted on Nov 23rd 2025 at 04:40:04 UTC by @FrontRunner for Audit Comp | Vechain | Stargate Hayabusaarrow-up-right

  • Report ID: #60470

  • Report Type: Smart Contract

  • Report severity: High

  • Target: https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/tree/main/packages/contracts/contracts/Stargate.sol

  • Impacts:

    • Theft of unclaimed yield

hashtag
Description

hashtag
Brief/Intro

A specific sequence of actions can cause a user's delegated stake to be subtracted twice from the validator's total. This artificially deflates the validator's stake, leading to inflated reward calculations for all remaining delegators of that validator. This constitutes a value leak from the protocol's reward pool, as it allows other users to claim more rewards than they are entitled to.

hashtag
Vulnerability Details

The core of the vulnerability lies in the redundant stake-decreasing logic present in two separate functions: requestDelegationExit and unstake.

requestDelegationExit(): When a user signals their intent to stop delegating, this function correctly calls _updatePeriodEffectiveStake(..., false) to schedule a decrease in the validator's total effective stake for a future period.

unstake(): This function contains a conditional block that also calls _updatePeriodEffectiveStake(..., false) if the validator's status is EXITED or if the user's delegation status was PENDING.

The flaw is triggered when both conditions are met for the same delegation. If a user calls requestDelegationExit and, before they call unstake, the validator itself also exits, the logic in unstake does not account for the fact that the stake decrease has already been processed. This results in the same stake being subtracted from the validator's total for a second time.

hashtag
Attack Scenario

  1. A user has an ACTIVE delegation to an ACTIVE validator.

  2. The user calls requestDelegationExit(tokenId). The Stargate contract correctly schedules a decrease in the validator's effective stake.

  3. The validator's status changes to VALIDATOR_STATUS_EXITED due to external circumstances before the user unstakes.

  4. The user calls unstake(tokenId). The delegation status is EXITED (because the exit period has passed). The validator status is VALIDATOR_STATUS_EXITED. The condition if (currentValidatorStatus == VALIDATOR_STATUS_EXITED || delegation.status == DelegationStatus.PENDING) evaluates to true. _updatePeriodEffectiveStake(..., false) is called again for the same stake, causing an arithmetic underflow when calculating the validator's new total stake.

The if condition does not check if requestDelegationExit has already been successfully called and processed the stake decrease. When the validator has exited, this block is executed unconditionally, leading to the double-decrease bug.

hashtag
Impact Details

The double-subtraction of stake artificially deflates the validator's delegatorsEffectiveStake. When rewards are calculated for the remaining delegators, their share of the total rewards is determined by their stake relative to this deflated total. Remaining delegators receive a proportionally larger share of the rewards for that period.

hashtag
References

https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/blob/e9c0bc9b0f24dc0c44de273181d9a99aaf2c31b0/packages/contracts/contracts/Stargate.sol#L231

https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/blob/e9c0bc9b0f24dc0c44de273181d9a99aaf2c31b0/packages/contracts/contracts/Stargate.sol#L523

hashtag
Proof of Concept

hashtag
Proof of Concept

Previous60506 sc high double delegatorseffectivestake decrease permanently prevents single nft from unstakingNext60466 sc medium maxclaimableperiodsexceeded lock zero reward backlog permanently locks nfts

Was this helpful?