PT-2026-38662 · Ultradag · Ultradag
Sumitshah00 · Published 2026-05-08 · Updated 2026-05-19
CVE-2026-42278 · CVSS v4.0 8.8 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
UltraDAG versions prior to commit fb6ef59
Description
The StateEngine implementation of SmartTransferTx contains a logic flaw in its policy enforcement pipeline. When a transaction originates from a "Pocket" (a derived sub-address used to organize funds), the engine fails to resolve the pocket's parent account before verifying the spending policy. Since pockets are virtual addresses that exist only in the pocket to parent map and lack their own SmartAccountConfig entries, the check spending policy() function defaults to an authorized result. This allows an attacker with a parent key to bypass spending restrictions, such as vault delays or daily limits, and drain all pockets associated with an account.
Recommendations
Update to the version containing commit fb6ef59.
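As an added illustration (not UltraDAG's code; the class, field and function names are assumptions modelled on the description), a minimal policy check showing the fail-open lookup on a pocket address beside the corrected form that resolves the parent account first and fails closed when no policy exists:

```python
from dataclasses import dataclass, field

@dataclass
class SmartAccountConfig:
    """Per-account spending policy (assumed shape; only a daily limit is modelled)."""
    daily_limit: int
    spent_today: int = 0

@dataclass
class StateEngine:
    accounts: dict = field(default_factory=dict)          # address -> SmartAccountConfig
    pocket_to_parent: dict = field(default_factory=dict)  # pocket -> parent address

    def resolve_policy_account(self, sender: str) -> str:
        """Pockets are virtual: the parent's policy is the one that applies."""
        return self.pocket_to_parent.get(sender, sender)

    def check_spending_policy(self, sender: str, amount: int, fixed: bool) -> bool:
        # Vulnerable path: look the sender up directly. A pocket has no config
        # entry, so the miss falls through to "authorized" (fail-open).
        key = self.resolve_policy_account(sender) if fixed else sender
        cfg = self.accounts.get(key)
        if cfg is None:
            return not fixed   # vulnerable: True; fixed: fail closed (False)
        return cfg.spent_today + amount <= cfg.daily_limit

    def transfer(self, sender: str, amount: int, fixed: bool) -> bool:
        """Apply the policy; on success debit the parent's daily budget."""
        if not self.check_spending_policy(sender, amount, fixed):
            return False
        parent = self.accounts.get(self.resolve_policy_account(sender))
        if parent is not None:
            parent.spent_today += amount
        return True

def sample_engine() -> StateEngine:
    """Constructed sample state: one parent with a 100-unit daily limit, two pockets."""
    eng = StateEngine()
    eng.accounts["parent-A"] = SmartAccountConfig(daily_limit=100)
    eng.pocket_to_parent.update({"pocket-1": "parent-A", "pocket-2": "parent-A"})
    return eng

def transfers_allowed(fixed: bool, amount: int = 80) -> int:
    """How many pocket transfers of `amount` the policy lets through in one day."""
    eng = sample_engine()
    return sum(eng.transfer(p, amount, fixed) for p in ("pocket-1", "pocket-2"))

if __name__ == "__main__":
    print("vulnerable:", transfers_allowed(fixed=False))  # 2: the limit is never consulted
    print("fixed:     ", transfers_allowed(fixed=True))   # 1: the second transfer exceeds it
```

With the parent's limit set to 100, the vulnerable path lets both 80-unit pocket transfers through because the limit is never looked up, while the corrected path denies the second one.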
Exploit
Fix
IDOR
Improper Access Control
Affected Products
Ultradag