CVE-2026-42278 Overview
CVE-2026-42278 is a broken access control vulnerability [CWE-284] in UltraDAG, a minimal DAG-BFT blockchain written in Rust. The StateEngine implementation of SmartTransferTx fails to resolve a pocket's parent account before evaluating spending policy. Because pockets are virtual sub-addresses tracked only in the pocket_to_parent map, the check_spending_policy method defaults to an authorized result when the originator is a pocket. An attacker holding the parent key can drain every pocket on an account instantly, bypassing the 24-hour vault delay and the 1 UDAG daily limit enforced on the parent. The issue was patched in commit fb6ef59.
Critical Impact
Attackers with the parent key can bypass vault delays and daily spending limits to immediately drain all pocket balances on a SmartAccount.
Affected Products
- UltraDAG core blockchain implementation (Rust)
- ultradag-coin crate StateEngine SmartTransferTx handler
- All commits prior to fb6ef59
Discovery Timeline
- 2026-05-08 - CVE-2026-42278 published to NVD
- 2026-05-09 - Last updated in NVD database
Technical Details for CVE-2026-42278
Vulnerability Analysis
UltraDAG SmartAccounts support "pockets," which are derived sub-addresses used to organize funds under a parent account. Pockets exist exclusively as entries in the pocket_to_parent mapping and have no independent SmartAccountConfig record. When SmartTransferTx originates from a pocket address, the policy enforcement pipeline queries check_spending_policy directly against the pocket address.
Because the pocket has no configuration entry, the policy lookup returns an "authorized/no policy" result by default. The engine never resolves the pocket back to its parent account and never applies the parent's vault delay or daily spending cap. Any transaction signed with the parent key that targets a pocket sub-address therefore executes immediately and without limit.
The impact is direct fund theft. Restrictions intended to provide cold-storage-style protection, such as the 24-hour vault delay or a 1 UDAG daily limit, are silently bypassed for pocket-originated transfers.
Root Cause
The root cause is a missing parent-resolution step in the policy enforcement path. The handler trusted the originator address to map directly to a SmartAccountConfig and treated the absence of a config as the absence of a policy, rather than as an indicator that parent lookup was required.
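The missing parent-resolution step, shown as an added example that is not UltraDAG's own code. The struct layouts, the base-unit scale for 1 UDAG, and the two check_spending_policy variants are assumptions chosen to reproduce the behaviour the advisory describes: the vulnerable path looks up a SmartAccountConfig for the originator only and treats a missing record as "no policy", while the fixed path consults pocket_to_parent first so a pocket inherits its parent's vault delay and daily limit.

```rust
use std::collections::HashMap;

/// 20-byte account id, the same shape as the Address newtype in the patch excerpt.
#[derive(Debug, Clone, Copy, Default, PartialEq, Eq, Hash)]
pub struct Address(pub [u8; 20]);

/// Hypothetical per-account policy record; field names are assumptions for this example.
#[derive(Debug, Clone)]
pub struct SmartAccountConfig {
    pub daily_limit: u64,      // base units allowed per 24-hour window
    pub vault_delay_secs: u64, // delay applied to spends above the limit
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum PolicyDecision {
    Immediate,
    Vaulted { delay_secs: u64 },
}

/// Simplified engine state: only the maps the policy check needs.
#[derive(Default)]
pub struct StateEngine {
    pub configs: HashMap<Address, SmartAccountConfig>,
    pub pocket_to_parent: HashMap<Address, Address>,
    pub spent_today: HashMap<Address, u64>, // keyed by the account whose policy applies
}

pub const UDAG: u64 = 1_000_000; // assumed base-unit scale for 1 UDAG

impl StateEngine {
    /// Shared policy evaluation against whatever account the caller resolved to.
    fn evaluate(&self, account: Address, amount: u64) -> PolicyDecision {
        match self.configs.get(&account) {
            // No config record: treated as "no policy", i.e. authorized immediately.
            None => PolicyDecision::Immediate,
            Some(cfg) => {
                let spent = self.spent_today.get(&account).copied().unwrap_or(0);
                if spent.saturating_add(amount) > cfg.daily_limit {
                    PolicyDecision::Vaulted { delay_secs: cfg.vault_delay_secs }
                } else {
                    PolicyDecision::Immediate
                }
            }
        }
    }

    /// Vulnerable shape: the originator is used as-is. A pocket has no config
    /// entry, so the lookup misses and the spend is authorized without limit.
    pub fn check_spending_policy_vulnerable(&self, from: Address, amount: u64) -> PolicyDecision {
        self.evaluate(from, amount)
    }

    /// Fixed shape: resolve a pocket to its parent before evaluating policy, so the
    /// parent's daily limit and vault delay govern pocket-originated transfers.
    pub fn check_spending_policy_fixed(&self, from: Address, amount: u64) -> PolicyDecision {
        let account = self.pocket_to_parent.get(&from).copied().unwrap_or(from);
        self.evaluate(account, amount)
    }
}

/// Constructed state: one parent with a 1 UDAG daily limit and a 24-hour vault delay,
/// and one pocket mapped to it.
pub fn build_demo_engine() -> (StateEngine, Address, Address) {
    let parent = Address([0x11; 20]);
    let pocket = Address([0xa1; 20]);
    let mut engine = StateEngine::default();
    engine.configs.insert(parent, SmartAccountConfig { daily_limit: UDAG, vault_delay_secs: 24 * 3600 });
    engine.pocket_to_parent.insert(pocket, parent);
    (engine, parent, pocket)
}

/// Returns (vulnerable decision, fixed decision) for a 5 UDAG spend originating from the pocket.
pub fn demo() -> (PolicyDecision, PolicyDecision) {
    let (engine, _parent, pocket) = build_demo_engine();
    let amount = 5 * UDAG;
    (
        engine.check_spending_policy_vulnerable(pocket, amount),
        engine.check_spending_policy_fixed(pocket, amount),
    )
}

fn main() {
    let (vulnerable, fixed) = demo();
    println!("vulnerable path: {:?}", vulnerable);
    println!("fixed path:      {:?}", fixed);
}
```

The fixed variant also keys spent_today by the resolved parent, so spends spread across several pockets still accumulate against a single daily window rather than each pocket starting from zero.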
Attack Vector
An attacker in possession of a parent account key constructs a SmartTransferTx that uses a pocket address as the from field. The transaction is broadcast over the network and accepted by validators running the unpatched StateEngine. The funds move out of every pocket without triggering the vault timer or the daily limit policy.
// Patch excerpt: enforce origin-aware refunds and consistent address handling
// crates/ultradag-coin/src/address/keys.rs
#[derive(Debug, Clone, Copy, Default, PartialEq, Eq, Hash, PartialOrd, Ord, Serialize, Deserialize)]
pub struct Address(pub [u8; 20]);
// crates/ultradag-coin/src/state/engine.rs
// Refund to the origin surface — pocket-originated vaults must return
// to the pocket, not the parent, or a cancel silently rehomes the
// balance across security surfaces. Zero-address (legacy records
// without the `from` field) falls back to the parent for safety.
let refund_to = if vault.from == Address::default() { tx.from } else { vault.from };
self.credit(&refund_to, vault.amount).map_err(|e| {
    CoinError::ValidationError(format!("Failed to refund vault transfer: {}", e))
})?;
Source: UltraDAG patch commit fb6ef59
Detection Methods for CVE-2026-42278
Indicators of Compromise
- SmartTransferTx transactions whose from field matches an address in the pocket_to_parent map and that execute without an associated vault-delay record.
- Pocket balances draining to zero in a single block with no preceding vault creation event.
- Signed transactions from a parent key that bypass the account's configured daily limit window.
Detection Strategies
- Audit on-chain history for SmartTransferTx events sourced from pocket addresses on nodes running pre-fb6ef59 builds.
- Compare per-account aggregate outflow against the configured daily limit and vault delay parameters to surface policy violations.
- Run static analysis against deployed ultradag-coin builds to confirm the StateEngine includes the parent-resolution check.
Monitoring Recommendations
- Alert on any pocket address debit that exceeds the parent account's daily limit within a 24-hour window.
- Monitor validator logs for SmartTransferTx acceptances that skip check_spending_policy failure paths.
- Track the deployed commit hash of every validator and operator node to confirm rollout of the patched build.
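A retrospective scan that applies two of the detection strategies above to exported transfer history, written as an added example rather than UltraDAG tooling. The Transfer record, the 24-hour window bucketing and the sample data are constructed for this example. It rolls pocket outflow up to the parent account and flags (a) a pocket-originated transfer that exceeds the parent's daily limit yet carries no vault-delay record, and (b) any parent whose aggregate outflow across all pockets in one window exceeds its configured limit.

```rust
use std::collections::HashMap;

pub type Addr = [u8; 20];

/// One exported SmartTransferTx as a scanner would see it; constructed shape.
#[derive(Debug, Clone)]
pub struct Transfer {
    pub block: u64,
    pub timestamp: u64,          // unix seconds
    pub from: Addr,
    pub amount: u64,             // base units
    pub has_vault_record: bool,  // whether a vault-delay record accompanied the tx
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Finding {
    /// Pocket-originated transfer above the parent's limit executed without a vault record.
    PocketTransferWithoutVault { block: u64, pocket: Addr, amount: u64 },
    /// Aggregate outflow (parent plus all its pockets) exceeded the daily limit in a window.
    DailyLimitExceeded { parent: Addr, window_start: u64, total: u64, limit: u64 },
}

const WINDOW_SECS: u64 = 86_400;

pub fn scan(
    transfers: &[Transfer],
    pocket_to_parent: &HashMap<Addr, Addr>,
    daily_limits: &HashMap<Addr, u64>,
) -> Vec<Finding> {
    let mut findings = Vec::new();
    // Outflow per (parent, 24-hour window index).
    let mut outflow: HashMap<(Addr, u64), u64> = HashMap::new();

    for t in transfers {
        // Resolve the originator to its parent exactly as the patched engine must.
        let parent = pocket_to_parent.get(&t.from).copied().unwrap_or(t.from);
        let is_pocket = parent != t.from;
        if let Some(&limit) = daily_limits.get(&parent) {
            if is_pocket && !t.has_vault_record && t.amount > limit {
                findings.push(Finding::PocketTransferWithoutVault {
                    block: t.block,
                    pocket: t.from,
                    amount: t.amount,
                });
            }
        }
        let window = t.timestamp / WINDOW_SECS;
        *outflow.entry((parent, window)).or_insert(0) += t.amount;
    }

    // Deterministic ordering so findings are stable across runs.
    let mut keys: Vec<(Addr, u64)> = outflow.keys().copied().collect();
    keys.sort();
    for key in keys {
        let (parent, window) = key;
        let total = outflow[&key];
        if let Some(&limit) = daily_limits.get(&parent) {
            if total > limit {
                findings.push(Finding::DailyLimitExceeded {
                    parent,
                    window_start: window * WINDOW_SECS,
                    total,
                    limit,
                });
            }
        }
    }
    findings
}

/// Constructed history: one parent with a 1 UDAG limit (1_000_000 base units assumed)
/// and two pockets; the first two pocket transfers only breach the limit in aggregate.
pub fn sample_findings() -> Vec<Finding> {
    let parent: Addr = [0x11; 20];
    let pocket_a: Addr = [0xa1; 20];
    let pocket_b: Addr = [0xb2; 20];
    let mut pocket_to_parent = HashMap::new();
    pocket_to_parent.insert(pocket_a, parent);
    pocket_to_parent.insert(pocket_b, parent);
    let mut daily_limits = HashMap::new();
    daily_limits.insert(parent, 1_000_000u64);
    let transfers = vec![
        Transfer { block: 10, timestamp: 100_000, from: pocket_a, amount: 600_000, has_vault_record: false },
        Transfer { block: 10, timestamp: 100_100, from: pocket_b, amount: 700_000, has_vault_record: false },
        Transfer { block: 11, timestamp: 100_200, from: pocket_a, amount: 2_000_000, has_vault_record: false },
        Transfer { block: 20, timestamp: 200_000, from: parent, amount: 500_000, has_vault_record: false },
    ];
    scan(&transfers, &pocket_to_parent, &daily_limits)
}

fn main() {
    for f in sample_findings() {
        println!("{:?}", f);
    }
}
```

Only the per-parent aggregation catches the first two transfers: each is under the limit on its own, which is why per-address checks that do not resolve pockets miss this pattern, on-chain and in monitoring alike.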
How to Mitigate CVE-2026-42278
Immediate Actions Required
- Upgrade all UltraDAG validators, RPC nodes, and operator infrastructure to a build that includes commit fb6ef59 or later.
- Rotate parent keys for any SmartAccount that held pocket balances under an unpatched build, particularly accounts relying on vault delays for cold-storage assumptions.
- Reconcile pocket balances against expected vault-delay and daily-limit invariants for the period prior to the patch.
Patch Information
The vulnerability is fixed in UltraDAG commit fb6ef59. The fix enforces parent policy resolution on pocket-originated transfers and is described in GitHub Security Advisory GHSA-9chc-gjfr-6hrq.
Workarounds
- Avoid funding pockets on SmartAccounts that depend on vault delay or daily limit policies until the patched build is deployed.
- Move balances out of pockets and into the parent account, where check_spending_policy evaluates against a real SmartAccountConfig entry.
- Restrict parent key usage to offline signing workflows that gate pocket transfers behind manual review.
# Upgrade UltraDAG core to the patched commit
git fetch origin
git checkout fb6ef59d6c1385400e7acea7ae31fc6a473c3051
cargo build --release -p ultradag-coin
# Restart validator/RPC services against the patched binary
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


