UltraDAG Pocket Transfer Policy Bypass Vulnerability

A critical vulnerability exists in the UltraDAG blockchain's StateEngine implementation, specifically within the SmartTransferTx policy enforcement. Prior to the fix in commit fb6ef59, transactions originating from 'Pockets' (virtual sub-addresses) bypassed essential spending policies. This oversight allowed users or attackers with parent keys to drain pocket funds, disregarding any associated daily limits or vault delays. The root cause was a failure to properly resolve pocket addresses to their parent accounts before applying policy checks, enabling a full bypass of security constraints for pocket-held funds.

Impact

Exploitation of this vulnerability led to a complete bypass of all spending policies for funds in Pocket addresses, allowing for unauthorized transfers that drained pocket balances without regard for established limits or restrictions.

Reproduction

The vulnerability can be reproduced by creating a Pocket under a SmartAccount with active spending policies. Once the Pocket is funded, a transfer can be initiated from it, bypassing all policy checks that would normally apply to such a transaction. This can be done using a simple script that automates the process of creating the Pocket, funding it, and then transferring the funds to another address, all while exploiting the oversight in policy enforcement.

Remediation

Users should ensure that their SmartAccount policies are properly configured to account for Pocket transfers, and be cautious of the potential for unauthorized drainage of funds from Pockets.