CVE-2026-42278
UltraDAG StateEngine SmartTransferTx Policy Bypass
Publication date: 2026-05-08
Last updated on: 2026-05-09
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ultradag | ultradag | before commit fb6ef59 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in UltraDAG's StateEngine allows attackers to bypass spending policies on Pocket addresses, enabling unauthorized draining of funds despite strict security measures like daily limits and vault delays.
This improper access control and authorization bypass (classified under CWE-284 and CWE-639) could lead to significant financial losses and unauthorized transactions, which may impact compliance with regulations that require strong access controls and transaction auditing, such as GDPR and HIPAA.
Specifically, failure to enforce spending policies properly could violate principles of data integrity, confidentiality, and accountability mandated by these standards, potentially resulting in regulatory penalties or loss of trust.
Can you explain this vulnerability to me?
CVE-2026-42278 is a critical vulnerability in the UltraDAG blockchain's StateEngine implementation of SmartTransferTx. The flaw arises because when a transaction originates from a "Pocket" (a virtual sub-address used to organize funds), the system fails to resolve the Pocket's parent account before enforcing spending policies.
Since Pockets do not have their own policy configurations, the spending policy check defaults to an "authorized/no policy" result. This means that any user or attacker with access to the parent account's key can bypass spending restrictions such as daily limits or vault delays and drain all funds from any Pocket under that account.
The root cause is that the policy enforcement checks only the Pocket address instead of its parent account, allowing unauthorized spending. This issue has been fixed by updating the policy check to resolve the parent account from the Pocket before enforcing policies.
How can this vulnerability impact me?
This vulnerability can have severe financial impacts if you use UltraDAG and organize funds using Pocket addresses. An attacker or unauthorized user with access to the parent account's key can bypass all spending policies, including strict daily limits and vault time-locks.
As a result, they can instantly drain all funds from every Pocket associated with that parent account, potentially transferring far more than allowed by configured limits in a single transaction.
This could lead to significant loss of funds and undermine the security controls you rely on to protect your assets.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a logic flaw in the UltraDAG StateEngine's SmartTransferTx where spending policies are bypassed for Pocket addresses due to failure to resolve the parent account before policy enforcement.
Detection would involve monitoring transactions originating from Pocket addresses and verifying whether spending policies such as daily limits or vault delays are being enforced correctly on those transactions.
Since the vulnerability allows unauthorized draining of funds from Pocket addresses, commands or scripts that analyze transaction logs for unusually large transfers from Pocket addresses, especially those exceeding configured limits on the parent account, could help detect exploitation.
Specific commands are not provided in the resources, but a recommended approach is to query the blockchain or transaction logs for transfers where the source address is a Pocket and check if the transfer amount violates the parent account's spending policies.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the patch provided in commit fb6ef59, which fixes the policy enforcement logic by resolving Pocket addresses to their parent accounts before checking spending policies.
- Update the UltraDAG StateEngine implementation to include the fix that enforces spending policies on parent accounts rather than on Pocket addresses directly.
- Ensure that the `check_spending_policy` method uses the `pocket_to_parent` mapping to resolve the parent account during policy checks.
- Verify that vault cancellation logic correctly refunds to the originating Pocket or parent account as appropriate.
Until the patch is applied, restrict or monitor transactions from Pocket addresses closely to prevent unauthorized fund transfers.
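A minimal model of the flaw, the fix and the detection heuristic described above, added here as an illustration and not code from UltraDAG: the vulnerable check looks up a policy on the Pocket address itself and finds none, the fixed check resolves the Pocket through `pocket_to_parent` before the lookup, and a detection pass flags Pocket-sourced transfers that exceed the parent's daily limit. All class, field and sample names other than `check_spending_policy` and `pocket_to_parent` are assumptions, and the transfer records are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    daily_limit: int  # units the account may spend per day (assumed model)

@dataclass
class StateEngine:
    policies: dict = field(default_factory=dict)          # account -> Policy; Pockets never have one
    pocket_to_parent: dict = field(default_factory=dict)  # pocket address -> parent account
    spent_today: dict = field(default_factory=dict)       # account -> units already spent today

    def check_spending_policy_vulnerable(self, source: str, amount: int) -> bool:
        # Flaw: the lookup uses the source address as given. A Pocket has no
        # policy entry, so the check defaults to "authorized/no policy".
        policy = self.policies.get(source)
        if policy is None:
            return True
        return self.spent_today.get(source, 0) + amount <= policy.daily_limit

    def check_spending_policy_fixed(self, source: str, amount: int) -> bool:
        # Fix: resolve a Pocket to its parent before the lookup, and meter the
        # spend against the parent so every Pocket shares the parent's budget.
        account = self.pocket_to_parent.get(source, source)
        policy = self.policies.get(account)
        if policy is None:
            return True
        return self.spent_today.get(account, 0) + amount <= policy.daily_limit

def flag_pocket_transfers(engine: StateEngine, transfers: list) -> list:
    # Detection heuristic from the Q&A: a transfer sourced from a Pocket whose
    # amount alone exceeds the parent's daily limit should never have cleared.
    flagged = []
    for tx in transfers:
        parent = engine.pocket_to_parent.get(tx["source"])
        policy = engine.policies.get(parent) if parent else None
        if policy and tx["amount"] > policy.daily_limit:
            flagged.append(tx["txid"])
    return flagged

def build_demo() -> StateEngine:
    # Constructed sample state: one parent account with a 1000-unit daily
    # limit, two Pockets under it, and 800 units already spent today.
    eng = StateEngine()
    eng.policies["acct-A"] = Policy(daily_limit=1000)
    eng.pocket_to_parent.update({"pocket-A1": "acct-A", "pocket-A2": "acct-A"})
    eng.spent_today["acct-A"] = 800
    return eng
```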