UltraDAG Blockchain Governance SmartOp Vulnerability Causes Fatal Node Halt

Vulnerability

A critical vulnerability exists in UltraDAG version 0.1, where a non-council attacker can exploit the SmartOp::Vote transaction. The issue arises because the transaction bypasses initial authorization checks, leading to unauthorized actions that disrupt the blockchain's supply integrity. This vulnerability allows attackers to manipulate governance processes, causing significant disruptions in network operations.

Impact

Exploitation of this vulnerability leads to a complete denial-of-service, where the affected node halts due to a fatal supply invariant violation. This requires a manual restart and can cause network-wide consensus failures if multiple validators are targeted.

Reproduction

The vulnerability can be reproduced by sending a SmartOp::Vote transaction from a non-council account. This transaction must pass the initial checks for signature, nonce, and balance, but will fail authorization after the transaction has already modified the state by debiting fees and incrementing the nonce. This can be done by creating a transaction that meets all these criteria and submitting it through the network.
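The check-ordering defect described above, modeled on a toy ledger alongside the validate-then-mutate form that avoids it. This is an added example, not UltraDAG's code or its patch. The Ledger type, the fee pool, the account names, the fee amount and the exact form of the supply invariant are assumptions made for illustration.

```rust
// Toy ledger, constructed for illustration; not UltraDAG code. Signature checks omitted.
use std::collections::{HashMap, HashSet};
pub const FEE: u64 = 10;
pub struct Ledger {
    pub balances: HashMap<String, u64>,
    pub nonces: HashMap<String, u64>,
    pub council: HashSet<String>,
    pub fee_pool: u64,
    pub total_supply: u64,
}
impl Ledger {
    pub fn sample() -> Self {
        let balances = HashMap::from([("alice".to_string(), 600), ("mallory".to_string(), 400)]);
        let council = HashSet::from(["alice".to_string()]);
        Ledger { balances, nonces: HashMap::new(), council, fee_pool: 0, total_supply: 1000 }
    }
    // Assumed invariant: every unit sits in an account or in the fee pool.
    pub fn supply_ok(&self) -> bool {
        self.balances.values().sum::<u64>() + self.fee_pool == self.total_supply
    }
    fn precheck(&self, from: &str, nonce: u64) -> Result<(), &'static str> {
        if self.nonces.get(from).copied().unwrap_or(0) != nonce { return Err("bad nonce"); }
        if self.balances.get(from).copied().unwrap_or(0) < FEE { return Err("low balance"); }
        Ok(())
    }
    // Flawed ordering: fee and nonce are mutated before the council check, and the
    // early return skips the fee-pool credit, so FEE units vanish from the ledger.
    pub fn vote_flawed(&mut self, from: &str, nonce: u64) -> Result<(), &'static str> {
        self.precheck(from, nonce)?;
        *self.balances.get_mut(from).unwrap() -= FEE;
        *self.nonces.entry(from.to_string()).or_insert(0) += 1;
        if !self.council.contains(from) { return Err("not a council member"); }
        self.fee_pool += FEE;
        Ok(())
    }
    // Hardened ordering: every check, authorization included, precedes any mutation.
    pub fn vote_hardened(&mut self, from: &str, nonce: u64) -> Result<(), &'static str> {
        self.precheck(from, nonce)?;
        if !self.council.contains(from) { return Err("not a council member"); }
        *self.balances.get_mut(from).unwrap() -= FEE;
        *self.nonces.entry(from.to_string()).or_insert(0) += 1;
        self.fee_pool += FEE;
        Ok(())
    }
}
fn main() {
    let (mut a, mut b) = (Ledger::sample(), Ledger::sample());
    println!("flawed:   {:?} supply_ok={}", a.vote_flawed("mallory", 0), a.supply_ok());
    println!("hardened: {:?} supply_ok={}", b.vote_hardened("mallory", 0), b.supply_ok());
}
```

Both functions reject the non-council sender with the same error. Only the flawed ordering leaves the ledger failing its supply check afterwards.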

Remediation

Users are advised to upgrade to the patched version of UltraDAG, which is available on the UltraDAG GitHub repository.

Added: Apr 21, 2026, 6:18 PM
Updated: Apr 21, 2026, 6:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.2
remediation: 0.0
relevance: 6.4
threat: 6.4
urgency: 10.0
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.