60516 sc high incorrect boundary check in claimabledelegationperiods allows claiming rewards beyond delegation end period

Submitted on Nov 23rd 2025 at 16:33:02 UTC by @Oxodus for Audit Comp | Vechain | Stargate Hayabusa

• Report ID: #60516

• Report Type: Smart Contract

• Report severity: High

• Target: https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/tree/main/packages/contracts/contracts/Stargate.sol

• Impacts:

  • Protocol insolvency

  • Theft of unclaimed yield

Description

Brief/Intro

The _claimableDelegationPeriods function in the Stargate contract contains an incorrect boundary check (endPeriod > nextClaimablePeriod) that should use >= instead of >. This logic flaw allows delegators to claim rewards for periods beyond their delegation's end period when endPeriod equals nextClaimablePeriod, potentially claiming rewards they are not entitled to and draining rewards that should belong to other delegators or future periods.

Vulnerability Details

In the _claimableDelegationPeriods function lines 916-922 , the condition checking if a delegation has ended uses a strict greater than operator:

if (
    endPeriod != type(uint32).max &&
    endPeriod < currentValidatorPeriod &&
    endPeriod > nextClaimablePeriod  // @audit should be >=
) {
    return (nextClaimablePeriod, endPeriod);
}

The issue arises when endPeriod equals nextClaimablePeriod. In this case:

• The condition endPeriod > nextClaimablePeriod evaluates to false

• The function bypasses this branch and falls through to the next condition

• It returns (nextClaimablePeriod, completedPeriods) instead of (nextClaimablePeriod, endPeriod)

• This allows the delegator to claim rewards up to completedPeriods, which can be significantly greater than endPeriod The correct logic should recognize that when endPeriod >= nextClaimablePeriod, there are still claimable periods from nextClaimablePeriod up to and including endPeriod. The current implementation incorrectly excludes the edge case where they are equal.

Impact Details

1. Protocol Insolvency The Stargate contract holds VTHO rewards to distribute to delegators based on their participation in completed periods. When exited delegators fraudulently claim rewards for periods they didn't participate in, they drain VTHO from the contract that should be reserved for legitimate claimants. If multiple delegators exploit this vulnerability across different validators and time periods, the cumulative theft can exceed the contract's VTHO balance. This leaves the protocol insolvent, resulting in a direct loss of funds for legitimate users.

2. Theft of Unclaimed Yield Exited delegators can claim VTHO rewards for periods 7, 8, 9, etc., even though their delegation ended at period 6. These rewards rightfully belong to delegators who were actively staking during those periods. By exploiting the boundary check flaw, malicious actors directly steal yield that was earned by the effective stake of legitimate active delegators on the validator during post exit periods.

References

https://github.com/vechain/stargate-contracts/blob/jose/update-contracts-to-hayabusa/packages/contracts/contracts/Stargate.sol#L916

Proof of Concept

Proof of Concept

• Modify the "test:thor-solo" line in the package.json file in the packages/contracts folder to the following, to allow us to run only the POC test "test:thor-solo": "hardhat test --network vechain_solo --grep \"POC: Boundary check\"",

• Paste the following test in the Rewards.test.ts file

• run the yarn contracts:test:integration test to run the test, you will see the following logs