'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
What is DualDefense?
DualDefense is a service that combines traditional security audits with HackenProof’s crowdsourced audits, powered by our community of ethical hackers. After a project completes its main audit, HackenProof bug hunters additionally review the code.
If critical bugs are found during the Crowdsourced Audit period, rewards are covered by the DualDefense Flash Pool — a fund supported by the staking community. This unique model prevents unexpected costs from being shifted to the project itself.
Auditors, the staking community, and bug hunters all work together to protect digital systems. By joining DualDefense, projects of any type — from Web3 smart contracts to traditional Web2 applications — gain maximum protection and engage a diverse security research community to uncover vulnerabilities before they can affect users.
About VeChain
VeChain is a public blockchain platform designed to connect blockchain technology with real-world action, making impact measurable, verifiable, and economically meaningful. Its ecosystem focuses on tracking real-world behavior on-chain and turning it into transparent, reward-driven outcomes.
VeChain has been listed on HackenProof since May 2018 and has consistently treated security as an ongoing process. Over the years, the project has launched three bug bounty programs and two DualDefense audits, reinforcing its approach to continuous review rather than one-off assessments.
A core pillar of VeChain’s technical roadmap is Stargate, a smart-contract suite introduced as part of the upcoming Hayabusa hard fork. Stargate defines how VET holders delegate stake to validator nodes, how delegation exits are handled, and how rewards are calculated and distributed — making it a critical component of both network security and economic fairness.
The DualDefense Finding
The VeChain Stargate smart contracts were reviewed under a DualDefense audit that ran from November 17, 2025 to December 10, 2025. During this period, an independent security researcher identified a critical logic flaw affecting delegation reward calculations.
The vulnerability allowed a delegator who had already exited staking to continue claiming VTHO rewards for future validator periods. Because delegation rewards are distributed from a fixed per-period pool, this behavior resulted in rewards being incorrectly diverted away from active delegators.
The finding was classified as critical under DualDefense’s impact criteria, as it enabled the theft of unclaimed yield from other users. VeChain promptly rewarded the researcher with $1,530, resolving the issue through responsible disclosure before any exploitation occurred.
The Delegator That Never Left: Vulnerability Mechanics
Bottom line: Due to a flaw in how claimable reward periods were calculated, a delegator who had exited staking could continue claiming rewards for future periods — effectively receiving yield they were no longer entitled to.
In Stargate, delegators stake VET and delegate through NFTs. For each validator period, a fixed amount of rewards is allocated and distributed proportionally among active delegators only. Once a delegator exits, their NFT should stop participating in future reward periods.
The vulnerability originated in the logic responsible for determining which validator periods were still claimable for a given delegation NFT. When a delegation exit occurred, the contract recorded an endPeriod to mark the last eligible reward window. However, a boundary condition caused delegations where endPeriod matched the next claimable period to be treated as if they were still active.
As validator periods continued to advance, this logic flaw caused the range of “claimable” periods for an exited NFT to keep growing over time. In practice, the system continued to recognize the delegation as eligible for rewards long after it had formally exited.
*The following section is based on the original vulnerability report submitted by the researcher.
Impacted components
- Contract:
Stargate–packages/contracts/contracts/Stargate.sol - Core functions:
_claimableDelegationPeriods(private view)_claimRewards(internal)claimableRewards(view)claimRewards(external)
Vulnerability Description
In Hayabusa Stargate, delegators stake VET and delegate via NFTs. For each validator period, the protocol computes:
- Total delegator rewards for that validator and period (in VTHO).
- Each delegator’s share, proportional to their effective stake.
Once a delegator exits, their NFT should stop participating in rewards for future periods. Only delegators who are still active in those periods should receive the yield.
However, due to a bug in the reward window calculation (_claimableDelegationPeriods), a delegator who has already exited can continue to have a growing range of “claimable periods” far after their exit. When combined with the reward calculation formula, this allows the exited NFT to keep claiming VTHO from periods where they are no longer part of the delegator set.
Because the total getDelegatorsRewards(validator, period) is fixed per period, any extra rewards granted to an exited NFT necessarily come out of the pool that belongs to active delegators. This is effectively stealing yield from other users, and fits HackenProof’s “Stealing or loss of end‑user funds” / “Theft of unclaimed yield” classification.
Root cause (code‑level)
The bug sits in _claimableDelegationPeriods, which is used by both claimableRewards (view) and _claimRewards (state‑changing).
Relevant code (simplified):
function _claimableDelegationPeriods(
StargateStorage storage $,
uint256 _tokenId
) private view returns (uint32, uint32) {
uint256 delegationId = $.delegationIdByTokenId[_tokenId];
if (delegationId == 0) return (0, 0);
(address validator, , , ) = $.protocolStakerContract.getDelegation(delegationId);
if (validator == address(0)) return (0, 0);
(uint32 startPeriod, uint32 endPeriod) =
$.protocolStakerContract.getDelegationPeriodDetails(delegationId);
(, , , uint32 completedPeriods) =
$.protocolStakerContract.getValidationPeriodDetails(validator);
uint32 currentValidatorPeriod = completedPeriods + 1;
uint32 nextClaimablePeriod = $.lastClaimedPeriod[_tokenId] + 1;
if (nextClaimablePeriod < startPeriod) {
nextClaimablePeriod = startPeriod;
}
// ended delegations
if (
endPeriod != type(uint32).max &&
endPeriod < currentValidatorPeriod &&
endPeriod > nextClaimablePeriod
) {
return (nextClaimablePeriod, endPeriod);
}
// treat as active/pending
if (nextClaimablePeriod < currentValidatorPeriod) {
return (nextClaimablePeriod, completedPeriods);
}
return (0, 0);
}
Key observations
- When a delegation exit is signalled in the mock
ProtocolStaker,endPeriodis set tocompletedPeriods + 1, i.e. the first period after the last completed period at the time of exit. - The “ended delegation” branch only triggers when
endPeriod > nextClaimablePeriod. The equality case (endPeriod == nextClaimablePeriod) is not treated as ended.
Consider this timeline for a delegator A on a validator:
startPeriod = 1- Delegation exit is signalled at some point, and
endPeriodis set (e.g.endPeriod = 10). - A has already called
claimRewardsenough times so thatlastClaimedPeriod = endPeriod, i.e. they are fully caught up until the last active period. - Time passes and the validator keeps producing blocks. Now
completedPeriods = 20andcurrentValidatorPeriod = 21.
At this point:
nextClaimablePeriod = lastClaimedPeriod + 1 = endPeriod + 1 = 11.endPeriod < currentValidatorPeriodis true (10 < 21), so the delegation is in the “ended” region.- But
endPeriod > nextClaimablePeriodis false (10 > 11 is false), so the “ended” branch is not taken. - Control falls through to the “active/pending” branch:
if (nextClaimablePeriod < currentValidatorPeriod) {
// 11 < 21 is true
return (nextClaimablePeriod, completedPeriods); // returns (11, 20)
}
This effectively treats the delegation as if it were still active up to completedPeriods, even though the user exited at endPeriod. As completedPeriods grows over time, the lastClaimablePeriod for this exited NFT also keeps growing.
Later, _claimRewards uses this window:
(uint32 firstClaimablePeriod, uint32 lastClaimablePeriod) =
_claimableDelegationPeriods($, _tokenId);
uint256 claimableAmount = _claimableRewards($, _tokenId, 0);
...
$.lastClaimedPeriod[_tokenId] = lastClaimablePeriod;
VTHO_TOKEN.safeTransfer(tokenOwner, claimableAmount);
The actual per‑period reward for a token is computed as:
uint256 delegationPeriodRewards =
$.protocolStakerContract.getDelegatorsRewards(validator, _period);
uint256 effectiveStake = _calculateEffectiveStake($, _tokenId);
uint256 delegatorsEffectiveStake =
$.delegatorsEffectiveStake[validator].upperLookup(_period);
if (delegatorsEffectiveStake == 0) return 0;
return (effectiveStake * delegationPeriodRewards) / delegatorsEffectiveStake;
Important detail:
- When the delegation is ended, the token’s effective stake is removed from
delegatorsEffectiveStake[validator]for future periods (via_updatePeriodEffectiveStake(..., false)inrequestDelegationExit). - However,
_calculateEffectiveStake($, _tokenId)still returns a non‑zero effective stake for the NFT (based on its level and staked VET) even when it has exited.
As a result:
- For a period after the exit, delegatorsEffectiveStake only includes the stake of active delegators.
- When the exited NFT calls
claimRewards, it computes a numerator using its full effective stake, divided by the sum of active delegators’ stake. - This yields a positive reward for the exited NFT from periods where it is no longer part of the delegator set.
Since the underlying delegatorsRewards(validator, period) pool is fixed, these extra rewards must be funded by diluting the rewards that active delegators should receive.
Validation steps
The following steps can be reproduced using the existing Hardhat test setup and mocks.
I. Environment
- Use Hardhat in‑memory network.
- Deploy contracts via
getOrDeployContracts({ forceDeploy: true, config }), withconfigcoming fromcreateLocalConfig(). - Use
ProtocolStakerMockas the staking backend, where:getDelegatorsRewards(validator, period)returns a fixed non‑zero amount for each period up tocompletedPeriods + 1.
II. Actors
- User A (“exiting delegator”).
- User B (“remaining active delegator”).
- A single validator address, configured as ACTIVE.
III. Initial staking & delegation
- Both A and B stake the same level (same
vetAmountRequiredToStakeandscaledRewardFactor) and delegate to the same validator. - Their effective stakes are identical.
IV. Advance validator periods and claim up to a checkpoint
- Advance
completedPeriodsinProtocolStakerMockto a valueCviahelper__setValidationCompletedPeriods. - Have both A and B call
claimRewardsonce, solastClaimedPeriodfor both NFTs is approximatelyC(they are fully caught up).
V. User A requests exit
- A calls
requestDelegationExit(tokenIdA). - In the mock, this sets
endPeriodfor A’s delegation and marks it as exiting. After enough periods, A’s status becomes EXITED.
VI. Advance additional periods with B still active
- Advance
completedPeriodsseveral more steps while B remains delegated to the validator. - At this point, B is the only active delegator on that validator for new periods.
VII. Observe claimable rewards for A (exited) and B (active)
- Query
claimableRewards(tokenIdA)andclaimableRewards(tokenIdB)after the extra periods. - Because of the bug:
- A (who has exited) still has a strictly positive
claimableRewards. - B (still active) also has strictly positive
claimableRewards.
- A (who has exited) still has a strictly positive
VIII. Interpretation
- For each post‑exit period, the total pool of delegator rewards is fixed
- Yet over these periods, both:
- A claims a non‑zero amount, and
- B also claims a non‑zero amount.
- Since A should have no stake during these periods, any rewards paid to A are effectively taken from the pool that should belong exclusively to active delegators like B.
Turning Threats into Lessons
The VeChain Stargate case highlights why DualDefense plays a critical role in securing complex, long-running protocol logic. By combining traditional audits with community-driven security research and a staking-backed reward pool, DualDefense helps projects identify subtle vulnerabilities before they impact users.
If your protocol relies on staking, reward distribution, or evolving on-chain state, book a call with a HackenProof security expert to explore how DualDefense can strengthen your security posture. Together, we help build safer and more resilient decentralized systems — one DualDefense program at a time.
