Ultradag · Ultradag · CVE-2026-42278
**Name of the Vulnerable Software and Affected Versions**
UltraDAG versions prior to commit fb6ef59
**Description**
The StateEngine implementation of SmartTransferTx contains a logic flaw in its policy-enforcement pipeline. When a transaction originates from a "Pocket" (a derived sub-address used to organize funds), the engine fails to resolve the pocket's parent account before verifying the spending policy. Pockets are virtual addresses that exist only in the `pocket_to_parent` map and have no `SmartAccountConfig` entry of their own, so the lookup in `check_spending_policy()` finds no configuration and defaults to an authorized result instead of failing closed. An attacker holding a parent key can therefore bypass the spending restrictions configured on the account, such as vault delays or daily limits, which exist precisely to bound what a single key can move, and drain every pocket associated with that account.
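The flaw reduces to a policy lookup keyed by the wrong address. The Python model below is an added illustration, not code from UltraDAG: the type, map and function names (`StateEngine`, `SmartAccountConfig`, `pocket_to_parent`, `check_spending_policy`) follow the advisory, while the field layout, the daily-limit semantics, the `acct/pocket-N` naming and the amounts are assumptions. It places the default-authorized check beside a corrected one that resolves the pocket to its parent and denies when no configuration exists.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class SmartAccountConfig:
    """Per-account spending policy (name from the advisory; fields assumed)."""
    daily_limit: int        # units the account and all of its pockets may spend per day
    vault_delay_secs: int   # delay imposed on larger withdrawals; recorded, not modelled here


@dataclass
class StateEngine:
    configs: Dict[str, SmartAccountConfig] = field(default_factory=dict)  # keyed by parent account only
    pocket_to_parent: Dict[str, str] = field(default_factory=dict)        # pocket -> parent account
    balances: Dict[str, int] = field(default_factory=dict)
    spent_today: Dict[str, int] = field(default_factory=dict)             # keyed by parent account

    def resolve_parent(self, addr: str) -> str:
        """A pocket maps to its parent; any other address is its own account."""
        return self.pocket_to_parent.get(addr, addr)

    def check_spending_policy_vulnerable(self, sender: str, amount: int) -> bool:
        """Flawed check: looks up the sender as-is, so a pocket never has a config."""
        cfg = self.configs.get(sender)
        if cfg is None:
            return True  # BUG: missing config treated as "no policy" -> authorized
        return self.spent_today.get(sender, 0) + amount <= cfg.daily_limit

    def check_spending_policy_fixed(self, sender: str, amount: int) -> bool:
        """Corrected check: resolve the parent first and fail closed without a config."""
        parent = self.resolve_parent(sender)
        cfg = self.configs.get(parent)
        if cfg is None:
            return False  # unknown account: deny rather than default-authorize
        return self.spent_today.get(parent, 0) + amount <= cfg.daily_limit

    def smart_transfer(self, sender: str, amount: int,
                       policy: Callable[[str, int], bool]) -> bool:
        """Model of SmartTransferTx: balance check, policy check, then debit."""
        if amount <= 0 or self.balances.get(sender, 0) < amount:
            return False
        if not policy(sender, amount):
            return False
        self.balances[sender] -= amount
        parent = self.resolve_parent(sender)
        self.spent_today[parent] = self.spent_today.get(parent, 0) + amount
        return True


def build_engine() -> StateEngine:
    """Constructed sample state: one account with a 100-unit daily limit and three pockets."""
    eng = StateEngine()
    eng.configs["acct"] = SmartAccountConfig(daily_limit=100, vault_delay_secs=86_400)
    eng.balances["acct"] = 1_000
    for pocket in ("acct/pocket-0", "acct/pocket-1", "acct/pocket-2"):
        eng.pocket_to_parent[pocket] = "acct"
        eng.balances[pocket] = 500
    return eng


def drain_pockets(policy_name: str) -> int:
    """Holder of the parent key empties every pocket in one pass; returns units moved."""
    eng = build_engine()
    policy = getattr(eng, policy_name)
    drained = 0
    for pocket in list(eng.pocket_to_parent):
        amount = eng.balances[pocket]
        if eng.smart_transfer(pocket, amount, policy):
            drained += amount
    return drained


def pockets_share_parent_budget() -> Tuple[bool, bool]:
    """With the fix, spends from different pockets count against one parent limit."""
    eng = build_engine()
    first = eng.smart_transfer("acct/pocket-0", 60, eng.check_spending_policy_fixed)
    second = eng.smart_transfer("acct/pocket-1", 60, eng.check_spending_policy_fixed)  # 120 > 100
    return first, second


if __name__ == "__main__":
    print("vulnerable drains:", drain_pockets("check_spending_policy_vulnerable"))
    print("fixed drains:     ", drain_pockets("check_spending_policy_fixed"))
    print("shared budget:    ", pockets_share_parent_budget())
```

Two points of the corrected check matter beyond the parent lookup itself. First, a missing configuration is denied rather than authorized; a policy pipeline that treats "no entry" as "no restriction" will fail the same way for any future address class that is not a full account. Second, the daily-limit accounting is keyed by the parent, so an attacker cannot stay under the limit by splitting a withdrawal across many pockets, which is the multi-pocket drain the advisory describes.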
**Recommendations**
Update to a build that includes commit fb6ef59, and confirm in testing that a SmartTransferTx originating from a Pocket is evaluated against the parent account's SmartAccountConfig (vault delay and daily limit) rather than accepted by default.