TRUST Summit | Nov 3, 2025 | NYCWhere decision-makers define the next chapter of secure blockchain adoption.
Learn more

Vechain Foundation

Audit name:

[SCA] VeChain | Stargate | May2025

Date:

Jun 30, 2025

Table of Content

Introduction
Audit Summary
System Overview
Potential Risks
Findings
Appendix 1. Definitions
Appendix 2. Scope
Appendix 3. Additional Valuables
Disclaimer

Want a comprehensive audit report like this?

Introduction

We express our gratitude to the Vechain Foundation team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

The VeChain Stargate smart-contracts suite is a key pillar of the upcoming Hayabusa hard fork in VeChain network, supplying the on-chain framework for delegating stake to validator nodes and for managing exist and future rewards.

Document

NameSmart Contract Code Review and Security Analysis Report for Vechain Foundation
Audited ByStepan Chekhovskoi, Bohdan Hrytsak
Approved ByAtaberk Yavuzer, Seher Saylik
Websitehttps://www.vechain.org
Changelog09/06/2025 - Preliminary Report
26/06/2025 - Remediation Report
22/07/2025 - Final Report
PlatformVeChain
LanguageSolidity
TagsLiquid Staking, Non-Fungible Token, Staking
Methodologyhttps://hackenio.cc/sc_methodology

  • Document

    Name
    Smart Contract Code Review and Security Analysis Report for Vechain Foundation
    Audited By
    Stepan Chekhovskoi, Bohdan Hrytsak
    Approved By
    Ataberk Yavuzer, Seher Saylik
    Website
    https://www.vechain.org
    Changelog
    09/06/2025 - Preliminary Report
    26/06/2025 - Remediation Report
    22/07/2025 - Final Report
    Platform
    VeChain
    Language
    Solidity
    Tags
    Liquid Staking, Non-Fungible Token, Staking
    Methodology
    https://hackenio.cc/sc_methodology

Review Scope

Initial Repositoryhttps://github.com/vechain/stargate
Initial Commitc49487aedc30830feca8f208bd7bdbfa70246c4d
Remediation Commit86296662f1c7f10f7844fc7bb90e59a84d615fcd
Remediation Commitf14509e12d407f725a7a57b1e6f071cc072d714b
Final Repositoryhttps://github.com/vechain/stargate-contracts
Final Commite083f7e8097a16ca2cfed04a507f6d4103ec8063

Audit Summary

13Total Findings
11Resolved
2Accepted
0Mitigated

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

  • Functional requirements are shared internally.

    • Project overview is detailed.

    • Use-cases are provided.

  • Technical description is provided.

    • Run instructions are provided.

    • Technical specification is provided.

    • The NatSpec documentation is partially inaccurate.

Code quality

  • The code mostly follows best practices.

  • The development environment is configured.

  • Several redundant code patterns were found.

  • Few TODO comments are identified.

  • Missing events emit for certain configuration functions (setVthoRewardPerBlockForAllLevels, setVthoRewardPerBlockForLevel).

  • Partial missing some input validation in critical functions.

Test coverage

Code coverage of the project is 92.9% (branch coverage, without NodeManagementV1 and NodeManagementV2).

  • Deployment and user interactions are covered with tests.

  • Some negative and edge cases coverage is missed.

System Overview

The VeChain Stargate is an upgradeable system implementing special NFT Staking contains following contracts

StargateNFT - upgradeable ERC721 with pauseable functionality and governed by role-based access control. It is a continuation of the legacy Token Auction (X-Node and Eco Nodes) collection. This contract allows users to stake VET and receive an NFT in exchange, which represents a betting position. It also supports the claim of VTHO rewards for user stakes generated by the balance of the VET contract by the VeChain energy growth mechanism and the issuance of this reward to users.

  • Uses AccessControlUpgradeable to manage roles.

  • Inherit contracts from OpenZeppelin library:

    • AccessControlUpgradeable: Access control roles base system.

    • ERC721Upgradeable: Core ERC-721 implementation.

    • ERC721EnumerableUpgradeable: ERC-721 enumeration helpers.

    • ERC721PausableUpgradeable: Allows NFT transfers to be disabled while paused.

    • ReentrancyGuardUpgradeable: Helper for prevent reentrant calls to the stake / unstake / migrate / claim functionality.

    • UUPSUpgradeable: Support UUPS proxy mechanism.

  • Uses the following protocol libraries to implement the main functionality:

    • Clock: Current block/timestamp/clock mode helper.

    • DataTypes: Data structures.

    • Errors: Custom errors definitions.

    • Levels: Levels management.

    • MintingLogic: Core stake/unstake & migration flow.

    • Settings: Contract-parameter management.

    • Token: Get tokens/users tokens data helper.

    • VetGeneratedVtho: Support dual-token VeChain economic model. Distribution generated VTH0 rewards.

StargateDelegation - upgradeable contract allows user that owns a StargateNFT start delegating, accumulate VTHO rewards with governed by role-based access control.

  • Uses AccessControlUpgradeable to manage roles.

  • Inherit contracts from OpenZeppelin library:

    • AccessControlUpgradeable: Access control roles base system.

    • ReentrancyGuardUpgradeable: Helper for prevent reentrant calls to the delegate / exit delegation / claim functionalities.

    • UUPSUpgradeable: Support UUPS proxy mechanism.

NodeManagementV1 - upgradeable contract to manage node ownership and delegation within the VeBetter DAO ecosystem.

  • Uses AccessControlUpgradeable to manage roles.

  • Inherit contracts from OpenZeppelin library:

    • AccessControlUpgradeable: Provides access control roles base system.

    • UUPSUpgradeable: Provides functionality for support UUPS proxy mechanism.

NodeManagementV2.sol - Update for NodeManagementV1 version, which includes new helper functions to review delegator and node state.

NodeManagementV3.sol - Update for NodeManagementV2 version, which also includes support for StargateNFT node holders.

Privileged roles

StargateNFT

  • DEFAULT_ADMIN_ROLE:

    • Super admin role that can grant / revoke other roles and manage the overall access control system.

    • Can configure the addresses of other contracts that are used, such as: stargateDelegation (Stargate Delegation), legacyNodes (Token Auction), vthoToken (VTH0 token).

    • Can set VTHO rewards generation end timestamp (estimated Hayabusa hard fork in VeChain timestamp).

  • UPGRADER_ROLE:

    • Can change proxy implementation.

  • PAUSER_ROLE:

    • Can change the pause state of the contract, to disallow next actions from user during pause: stake, stakeAndDelegate, migrate, migrateAndDelegate, unstake, claimVetGeneratedVtho.

  • LEVEL_OPERATOR_ROLE:

    • Can add / update / deactivate / activate the NFT levels (tiers) and their parameters.

  • MANAGER_ROLE:

    • Can change base URI for token collection metadata.

StargateDelegation

  • DEFAULT_ADMIN_ROLE:

    • Super admin role that can grant / revoke other roles and manage the overall access control system.

    • Inherit the permissions of other roles:

      • Can change current proxy implementation.

      • Can change the value of the block reward for NFT levels.

      • Can set the rewards accumulation end block.

  • UPGRADER_ROLE:

    • Can change proxy implementation.

  • OPERATOR_ROLE:

    • Can change the value of the block reward for NFT levels.

    • Can set the rewards accumulation end block.

NodeMaangementV

  • DEFAULT_ADMIN_ROLE:

    • Super admin role that can grant / revoke other roles and manage the overall access control system.

    • Can configure the address of VeChain Nodes contract.

  • UPGRADER_ROLE:

    • Can change proxy implementation.

NodeMaangementV

  • DEFAULT_ADMIN_ROLE:

    • Super admin role that can grant / revoke other roles and manage the overall access control system.

    • Can configure the address of VeChain Nodes contract.

  • UPGRADER_ROLE:

    • Can change proxy implementation.

NodeMaangementV

  • DEFAULT_ADMIN_ROLE:

    • Super admin role that can grant / revoke other roles and manage the overall access control system.

    • Can configure the address of VeChain Nodes contract.

    • Can configure the address of StargateNFT contract.

  • UPGRADER_ROLE:

    • Can change proxy implementation.

    • Can initialize v3 parameters (StargateNFT contract address).

Potential Risks

Single Points of Failure and Control: The project is fully or partially centralized, introducing single points of failure and control. Owner is able to change various parameters including critical configuration which may cause denial of the system. This centralization can lead to vulnerabilities in decision-making and operational processes, making the system more susceptible to targeted attacks or manipulation.

Flexibility and Risk in Contract Upgrades: The project contracts are upgradeable, allowing the administrator to update the contract logic at any time. While this provides flexibility in addressing issues and evolving the project, it also introduces risks if upgrade processes are not properly managed or secured, potentially allowing for unauthorized changes that could compromise the project's integrity and security.

Dynamic Array Iteration Gas Limit Risks: The project iterates over large dynamic arrays, which leads to excessive gas costs, risking denial of service due to out-of-gas errors, directly impacting contract usability and reliability.

Absence of Emergency Withdraw Functionality: The contract is designed in a centralized way leaving all the controls to the system management team. In case of emergency situation, the team is expected to pause the contract and manage the situation. The users are not provided with emergency mechanism to act independently in critical situations.

System Reliance on External Contracts: The functioning of the system relies on Token Auction contract external contract. The contract is responsible for Legacy NFT generation and further creation of Legacy NFTs may cause various system inconsistencies including system DoS requiring contract upgrade. Any flaws or vulnerabilities in these contracts adversely affect the audited project, potentially leading to security breaches or loss of funds.

Findings

Code
Title
Status
Severity
F-2025-1084Claim Process DoS due to Reentrancy Protection
fixed

High
F-2025-1080Estimated VTHO Reward Stop Timestamp May Miss Actual VeChain Network Fork Time
fixed

Medium
F-2025-1065Delegation on Behalf of Another User due to Ownership Check Bypass
fixed

Medium
F-2025-1064Initializers Could Be Front-Run
accepted

Low
F-2025-1052Token URI ERC-721 Metadata Incompliance
fixed

Low
F-2025-1081Possible disabling the isActive flag for migrate tiers may cause false expectations
fixed

Low
F-2025-1075Inconsistent and Always-True Boolean Return Pattern
fixed

Low
F-2025-1064Unexpected Return Values Caused by EIP-150 63/64 Gas-Rule in try/catch
fixed

Low
F-2025-1084Unimplemented Scaled Rewards Functionality
accepted

Observation
F-2025-1063Lack of Upgradeable Contracts Initialization
fixed

Observation
1-10 of 13 findings

Identify vulnerabilities in your smart contracts.

Appendix 1. Definitions

Severities

When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

Reference on how risk scoring is done is available through the repository in our Github organization:

Severity

Description

Critical
Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

High
High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

Medium
Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

Low
Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution.

  • Severity

    Critical

    Description

    Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

    Severity

    High

    Description

    High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

    Severity

    Medium

    Description

    Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

    Severity

    Low

    Description

    Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution.

Potential Risks

The "Potential Risks" section identifies issues that are not direct security vulnerabilities but could still affect the project’s performance, reliability, or user trust. These risks arise from design choices, architectural decisions, or operational practices that, while not immediately exploitable, may lead to problems under certain conditions. Additionally, potential risks can impact the quality of the audit itself, as they may involve external factors or components beyond the scope of the audit, leading to incomplete assessments or oversight of key areas. This section aims to provide a broader perspective on factors that could affect the project's long-term security, functionality, and the comprehensiveness of the audit findings.

Appendix 2. Scope

The scope of the project includes the following smart contracts from the provided repository:

Scope Details

Initial Repositoryhttps://github.com/vechain/stargate
Initial Commitc49487aedc30830feca8f208bd7bdbfa70246c4d
Remediation Commit86296662f1c7f10f7844fc7bb90e59a84d615fcd
Remediation Commitf14509e12d407f725a7a57b1e6f071cc072d714b
Final Repositoryhttps://github.com/vechain/stargate-contracts
Final Commite083f7e8097a16ca2cfed04a507f6d4103ec8063
Whitepaperhttps://www.vechain.org/assets/whitepaper/whitepaper-3-0.pdf
RequirementsGitBook space shares internally
Technical RequirementsREADME.md

Assets in Scope

NodeManagement
libraries
VechainNodesDataTypes.sol - NodeManagement › libraries › VechainNodesDataTypes.sol
NodeManagementV1.sol - NodeManagement › NodeManagementV1.sol
NodeManagementV2.sol - NodeManagement › NodeManagementV2.sol
NodeManagementV3.sol - NodeManagement › NodeManagementV3.sol
StargateDelegation
StargateDelegation.sol - StargateDelegation › StargateDelegation.sol
StargateNFT
libraries
Clock.sol - StargateNFT › libraries › Clock.sol
DataTypes.sol - StargateNFT › libraries › DataTypes.sol
Errors.sol - StargateNFT › libraries › Errors.sol
Levels.sol - StargateNFT › libraries › Levels.sol
MintingLogic.sol - StargateNFT › libraries › MintingLogic.sol
Settings.sol - StargateNFT › libraries › Settings.sol
Token.sol - StargateNFT › libraries › Token.sol
VetGeneratedVtho.sol - StargateNFT › libraries › VetGeneratedVtho.sol
StargateNFT.sol - StargateNFT › StargateNFT.sol
StargateProxy.sol - StargateProxy.sol

Appendix 3. Additional Valuables

Verification of System Invariants

During the audit of VeChain / Stargate, Hacken followed its methodology by performing fuzz-testing on the project's main functions. Foundry , a tool used in the Solidity testing framework, was employed to check how the protocol behaves under various input conditions. Due to the complex and dynamic interactions within the protocol, unexpected edge cases might arise. Therefore, it was important to use invariant testing to ensure that several system invariants hold true in all situations.

Fuzz-testing allows the input of many random data points into the system, helping to identify issues that regular testing might miss. A specific Foundry fuzzing suite was prepared for this task, and throughout the assessment, 16 invariants were tested over >16M runs. This thorough testing ensured that the system works correctly even with unexpected or unusual inputs.

Invariant

Test Result

Run Count

Total NFT token supply must never exceed the sum of all level capsPassed1M
X-Level tokens can never be deactivatedFailed1M
Recorded level (isX & maturityBlocks) parameters must remain immutableFailed1M
String contract parameters must be not empty (BaseURI, Name, Symbol)Failed1M
Core contract parameters addresses must never be zeroPassed1M
Circulating supply for each level must stay within its capPassed1M
NFT Total supply must equal the sum of all NFT holder balancesPassed1M
Every minted token must belong to a valid levelPassed1M
Total staked VET always eq VET deposited via stakePassed1M
NFT Token state match level requirement after mint, during nft liveFailed1M
Level identifiers must never include zeroPassed1M
Level identifiers must be in right order without duplicatePassed1M
NFT never in both can trasnfer and in delegated statePassed1M
Normal NFT count never exceed total supplyFailed1M
xToken NFT count never exceed total supplyFailed1M
Sum Normal and xToken equal total supplyFailed1M

  • Invariant

    Total NFT token supply must never exceed the sum of all level caps

    Test Result

    Passed

    Run Count

    1M

    Invariant

    X-Level tokens can never be deactivated

    Test Result

    Failed

    Run Count

    1M

    Invariant

    Recorded level (isX & maturityBlocks) parameters must remain immutable

    Test Result

    Failed

    Run Count

    1M

    Invariant

    String contract parameters must be not empty (BaseURI, Name, Symbol)

    Test Result

    Failed

    Run Count

    1M

    Invariant

    Core contract parameters addresses must never be zero

    Test Result

    Passed

    Run Count

    1M

    Invariant

    Circulating supply for each level must stay within its cap

    Test Result

    Passed

    Run Count

    1M

    Invariant

    NFT Total supply must equal the sum of all NFT holder balances

    Test Result

    Passed

    Run Count

    1M

    Invariant

    Every minted token must belong to a valid level

    Test Result

    Passed

    Run Count

    1M

    Invariant

    Total staked VET always eq VET deposited via stake

    Test Result

    Passed

    Run Count

    1M

    Invariant

    NFT Token state match level requirement after mint, during nft live

    Test Result

    Failed

    Run Count

    1M

    Invariant

    Level identifiers must never include zero

    Test Result

    Passed

    Run Count

    1M

    Invariant

    Level identifiers must be in right order without duplicate

    Test Result

    Passed

    Run Count

    1M

    Invariant

    NFT never in both can trasnfer and in delegated state

    Test Result

    Passed

    Run Count

    1M

    Invariant

    Normal NFT count never exceed total supply

    Test Result

    Failed

    Run Count

    1M

    Invariant

    xToken NFT count never exceed total supply

    Test Result

    Failed

    Run Count

    1M

    Invariant

    Sum Normal and xToken equal total supply

    Test Result

    Failed

    Run Count

    1M

Additional Recommendations

The smart contracts in the scope of this audit could benefit from the introduction of automatic emergency actions for critical activities, such as unauthorized operations like ownership changes or proxy upgrades, as well as unexpected fund manipulations, including large withdrawals or minting events. Adding such mechanisms would enable the protocol to react automatically to unusual activity, ensuring that the contract remains secure and functions as intended.

To improve functionality, these emergency actions could be designed to trigger under specific conditions, such as:

  • Detecting changes to ownership or critical permissions.

  • Monitoring large or unexpected transactions and minting events.

  • Pausing operations when irregularities are identified.

These enhancements would provide an added layer of security, making the contract more robust and better equipped to handle unexpected situations while maintaining smooth operations.

Disclaimer