Description
UltraDAG is a minimal DAG-BFT blockchain in Rust. Prior to commit fb6ef59, the UltraDAG StateEngine implementation of SmartTransferTx contains a critical logic flaw in its policy enforcement pipeline. When a transaction originates from a "Pocket" (a derived sub-address documented in the protocol as a way to organize funds), the engine fails to resolve the pocket's parent account before checking the spending policy. Because pockets are "virtual" addresses that exist only as entries in the pocket_to_parent map and do not have their own SmartAccountConfig entries, the check_spending_policy method defaults to an "authorized/no policy" result. This allows any user (or attacker in possession of a parent key) to instantly drain every pocket on an account, even if the parent account has a strict 24-hour vault delay or a 1 UDAG daily limit. This issue has been patched via commit fb6ef59.
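As an added illustration of the lookup-order bug described above (this is not UltraDAG's code; the StateEngine, SmartAccountConfig, pocket_to_parent and check_spending_policy shapes below are simplified assumptions), the following Rust model shows why checking the policy against the sender address as-is yields a "no policy" result for a pocket, and the parent-resolution step that makes the parent's limits govern every pocket:

```rust
use std::collections::HashMap;

// Constructed model of the pocket -> parent policy lookup. This is an added
// example, not UltraDAG's code; every type and field below is an assumption.
type Address = &'static str;

#[derive(Clone, Debug)]
pub struct SmartAccountConfig {
    /// Maximum amount that may leave the account per day (constructed units).
    pub daily_limit: u64,
    /// Amount already spent in the current day.
    pub spent_today: u64,
    /// Vault delay in seconds; a non-zero delay means no immediate transfer.
    pub vault_delay_secs: u64,
}

#[derive(Debug, PartialEq)]
pub enum PolicyResult {
    /// Sender has a config and the transfer fits its limits.
    Authorized,
    /// Sender has no config at all, so no restriction is applied.
    NoPolicy,
    DeniedDailyLimit,
    DeniedVaultDelay,
}

impl PolicyResult {
    /// Both Authorized and NoPolicy let the transfer execute immediately.
    pub fn permits_transfer(&self) -> bool {
        matches!(self, PolicyResult::Authorized | PolicyResult::NoPolicy)
    }
}

pub struct StateEngine {
    /// Only parent accounts carry a config; pockets never do.
    pub configs: HashMap<Address, SmartAccountConfig>,
    /// Pockets exist only as entries in this map.
    pub pocket_to_parent: HashMap<Address, Address>,
}

impl StateEngine {
    fn policy_for(&self, account: Address, amount: u64) -> PolicyResult {
        match self.configs.get(account) {
            None => PolicyResult::NoPolicy,
            Some(cfg) if cfg.vault_delay_secs > 0 => PolicyResult::DeniedVaultDelay,
            Some(cfg) if cfg.spent_today + amount > cfg.daily_limit => PolicyResult::DeniedDailyLimit,
            Some(_) => PolicyResult::Authorized,
        }
    }

    /// Flawed pattern: the sender is looked up as-is. A pocket has no
    /// SmartAccountConfig entry, so the lookup misses and falls to NoPolicy.
    pub fn check_spending_policy_unresolved(&self, sender: Address, amount: u64) -> PolicyResult {
        self.policy_for(sender, amount)
    }

    /// Corrected pattern: map a pocket to its parent before the policy check,
    /// so the parent's limits govern every pocket. Non-pockets map to themselves.
    pub fn check_spending_policy_resolved(&self, sender: Address, amount: u64) -> PolicyResult {
        let owner = self.pocket_to_parent.get(sender).copied().unwrap_or(sender);
        self.policy_for(owner, amount)
    }
}

/// Constructed state: one parent with a 1-unit daily limit, one with a
/// 24-hour vault delay, and a pocket under each.
pub fn sample_engine() -> StateEngine {
    let mut configs = HashMap::new();
    configs.insert("parent-limited", SmartAccountConfig { daily_limit: 1, spent_today: 0, vault_delay_secs: 0 });
    configs.insert("parent-vaulted", SmartAccountConfig { daily_limit: 1_000, spent_today: 0, vault_delay_secs: 86_400 });
    let mut pocket_to_parent = HashMap::new();
    pocket_to_parent.insert("pocket-a", "parent-limited");
    pocket_to_parent.insert("pocket-b", "parent-vaulted");
    StateEngine { configs, pocket_to_parent }
}

fn main() {
    let engine = sample_engine();
    for (sender, amount) in [("pocket-a", 500u64), ("pocket-b", 1), ("parent-limited", 1)] {
        println!(
            "{} sending {}: unresolved={:?} resolved={:?}",
            sender,
            amount,
            engine.check_spending_policy_unresolved(sender, amount),
            engine.check_spending_policy_resolved(sender, amount)
        );
    }
}
```

The defensive point is the order of operations: any address that can be "derived" from an account must be normalised to that account before a per-account policy is consulted, and a missing config should never be read as "unrestricted" for an address that the engine itself knows to be a child of a configured one.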
Published: 2026-05-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flawed spending policy check allows an attacker to bypass all limitations imposed on a parent SmartAccount when a transaction originates from a Pocket sub-address. The StateEngine checks the policy against the pocket address itself, which has no configuration, and so defaults to an "authorized/no policy" result before ever determining the pocket's parent. This enables any user, or any holder of a parent account key, to drain all of a pocket's balance even when the parent account has strict daily limits or a vault delay. The vulnerability is rooted in improper authorization (CWE-284) and privilege escalation (CWE-639).

Affected Systems

The affected product is UltraDAGcom:core, a minimal DAG‑BFT blockchain implementation written in Rust. The bug existed in versions running the StateEngine up to, but not including, commit fb6ef59d6c1385400e7acea7ae31fc6a473c3051. No other specific version strings are supplied, but any deployment containing the unpatched logic is vulnerable.

Risk and Exploitability

The CVSS score of 8.8 classifies this as a high-severity flaw. The EPSS score is not available, and it is not listed in the CISA KEV catalog, yet the vulnerability can be exploited by any user able to submit transactions from a Pocket address. The likely attack vector is the creation and broadcasting of a malicious SmartTransferTx transaction, which can instantly transfer all funds from the targeted pockets. With no EPSS value available, the exploitation probability remains uncertain, but the functional nature of the flaw means that its impact would be devastating if leveraged.

Generated by OpenCVE AI on May 8, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update UltraDAGcore to the patched commit fb6ef59d6c1385400e7acea7ae31fc6a473c3051 or any newer revision that includes the fix.
  • Restart the node after the update to activate the corrected policy enforcement logic.
  • Review all existing pocket-to-parent mappings to confirm that only authorized parent accounts are referenced and adjust any custom configurations that may expose pockets to unauthorized keys.

Advisories

No advisories yet.

History

Fri, 08 May 2026 06:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Ultradagcom
                    |                | Ultradagcom core
Vendors & Products  |                | Ultradagcom
                    |                | Ultradagcom core

Fri, 08 May 2026 05:00:00 +0000

Type        | Values Removed | Values Added
Description |                | UltraDAG is a minimal DAG-BFT blockchain in Rust. Prior to commit fb6ef59, the UltraDAG StateEngine implementation of SmartTransferTx contains a critical logic flaw in its policy enforcement pipeline. When a transaction originates from a "Pocket" (a derived sub-address documented in the protocol as a way to organize funds), the engine fails to resolve the pocket's parent account before checking the spending policy. Because pockets are "virtual" addresses that exist only as entries in the pocket_to_parent map and do not have their own SmartAccountConfig entries, the check_spending_policy method defaults to an "authorized/no policy" result. This allows any user (or attacker in possession of a parent key) to instantly drain every pocket on an account, even if the parent account has a strict 24-hour vault delay or a 1 UDAG daily limit. This issue has been patched via commit fb6ef59.
Title       |                | UltraDAG: Smart Account Spending Policy Bypass via Pockets
Weaknesses  |                | CWE-284
            |                | CWE-639
References  |                |
Metrics     |                | cvssV4_0
            |                | {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}
Subscriptions

Ultradagcom Core
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T03:55:01.093Z

Reserved: 2026-04-26T11:53:27.708Z

Link: CVE-2026-42278

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T05:16:10.900

Modified: 2026-05-08T05:16:10.900

Link: CVE-2026-42278

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T07:00:04Z

Weaknesses