fix(smart-account): block pocket key-injection (INTERNAL-2026-04-22)

auto_register_ed25519_key only gated on authorized_keys.is_empty() —
it did NOT require that the pubkey actually derives to the target
address. For EOAs this was implicitly safe (addr = blake3(pubkey)[..20]).
For pockets, whose address is derived from (parent, label) and cannot
satisfy pubkey-derivation, any attacker could plant their own key on a
victim's pocket via SetPolicyTx / AddKeyTx / SetRecoveryTx, then spend
from the pocket in a second tx — verify_smart_transfer checks the
pocket's own config before falling back to the parent.

Same class as GHSA-9chc-gjfr-6hrq, more severe — grants arbitrary key
authorization rather than bypassing a limit.

- auto_register_ed25519_key early-returns unless
  Address::from_pubkey(pub_key) == *addr. Pockets now refuse key
  injection; the is_empty() gate stays.
- auto_register_key (pub, RPC relay path) rejects pocket addresses
  outright as defense in depth.

Regression tests in smart_account_pocket_key_injection.rs cover
SetPolicy, AddKey, SetRecovery, the full drain chain, and direct
auto_register_key pocket rejection (5/5 pass).

Found by internal review during the 5-domain security audit that
followed the GHSA-9chc-gjfr-6hrq remediation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: UltraDAGcom

crates/ultradag-coin/src/state/engine.rs

@@ -2610,6 +2610,19 @@ impl StateEngine {
     /// Called when a legacy account sends its first transaction after SmartAccount creation.
     fn auto_register_ed25519_key(&mut self, addr: &Address, pub_key: &[u8; 32], round: u64) {
         use crate::tx::smart_account::{AuthorizedKey, KeyType};
+
+        // Only auto-register a key that cryptographically belongs to this
+        // address (i.e. blake3(pub_key)[..20] == addr). Pockets and any other
+        // non-EOA addresses do NOT derive from any keypair — auto-registering
+        // an attacker-supplied key on them would grant that key authorization
+        // over the pocket's balance (verify_smart_transfer checks the pocket's
+        // own config before falling back to the parent). Pockets inherit
+        // authorization from their parent via `pocket_to_parent`, not via
+        // their own authorized_keys list, which must stay empty.
+        if Address::from_pubkey(pub_key) != *addr {
+            return;
+        }
+
         self.ensure_smart_account_at_round(addr, round);
         if let Some(config) = self.smart_accounts.get_mut(addr) {
             if config.authorized_keys.is_empty() {
@@ -2866,6 +2879,18 @@ impl StateEngine {
     /// Used by the relay endpoint. Creates the SmartAccount if it doesn't exist.
     pub fn auto_register_key(&mut self, addr: &Address, key_type: crate::tx::smart_account::KeyType, pubkey: Vec<u8>) -> Result<(), CoinError> {
         use crate::tx::smart_account::AuthorizedKey;
+
+        // Pockets must never have their own authorized_keys — they inherit
+        // from their parent via pocket_to_parent. Allowing a key to be
+        // planted here would let the caller spend from the pocket, because
+        // verify_smart_transfer checks the pocket's own config before the
+        // parent's.
+        if self.pocket_to_parent.contains_key(addr) {
+            return Err(CoinError::ValidationError(
+                "cannot register a key directly on a pocket address — pockets inherit from their parent".into(),
+            ));
+        }
+
         self.ensure_smart_account(addr);
         let config = self.smart_accounts.get_mut(addr)
             .ok_or_else(|| CoinError::ValidationError("smart account not found".into()))?;

crates/ultradag-coin/tests/smart_account_pocket_key_injection.rs

@@ -0,0 +1,226 @@
+//! Regression tests for the pocket key-injection attack chain.
+//!
+//! A pocket's address is derived from `(parent_address, label)` and does NOT
+//! derive from any keypair — so `Address::from_pubkey(pub_key) == pocket_addr`
+//! is impossible. Before the fix, `auto_register_ed25519_key` only guarded on
+//! `authorized_keys.is_empty()`, which meant any attacker could submit a
+//! policy/key/recovery tx targeting a pocket and plant their own key on the
+//! pocket's SmartAccountConfig. Because `verify_smart_transfer` checks the
+//! pocket's own config before falling back to the parent, the planted key
+//! then authorized SmartTransferTx → pocket drain.
+//!
+//! These tests replay each link in the attack chain and assert the
+//! authorization check rejects it.
+
+use ultradag_coin::address::{Address, SecretKey, Signature};
+use ultradag_coin::state::StateEngine;
+use ultradag_coin::tx::name_registry::derive_pocket_address;
+use ultradag_coin::tx::smart_account::*;
+
+fn setup_victim_with_pocket(
+    alice: &SecretKey, pocket_label: &str, pocket_balance: u64,
+) -> (StateEngine, Address) {
+    let mut engine = StateEngine::new_with_genesis();
+    engine.faucet_credit(&alice.address(), 20_000_000_000).unwrap();
+    engine.ensure_smart_account(&alice.address());
+
+    // Seed Alice's key so auto-registration on the parent doesn't mask the test.
+    let alice_pub = alice.verifying_key().to_bytes();
+    let alice_kid = AuthorizedKey::compute_key_id(KeyType::Ed25519, &alice_pub);
+    let cfg = engine.smart_account_mut_for_test(&alice.address()).unwrap();
+    if !cfg.authorized_keys.iter().any(|k| k.key_id == alice_kid) {
+        cfg.authorized_keys.push(AuthorizedKey {
+            key_id: alice_kid,
+            key_type: KeyType::Ed25519,
+            pubkey: alice_pub.to_vec(),
+            label: "owner".to_string(),
+            daily_limit: None,
+            daily_spent: (0, 0),
+        });
+    }
+
+    // Alice creates a pocket and funds it.
+    let pocket_op = SmartOpTx {
+        from: alice.address(),
+        operation: SmartOpType::CreatePocket { label: pocket_label.to_string() },
+        fee: 0, nonce: 0,
+        signing_key_id: [0u8; 8],
+        signature: vec![],
+        webauthn: None,
+        p256_pubkey: None,
+    };
+    engine.apply_smart_op_tx(&pocket_op, 100).unwrap();
+    let pocket = derive_pocket_address(&alice.address(), pocket_label);
+    engine.credit(&pocket, pocket_balance).unwrap();
+
+    (engine, pocket)
+}
+
+#[test]
+fn set_policy_cannot_plant_attacker_key_on_pocket() {
+    let alice = SecretKey::from_bytes([0xA1; 32]);
+    let mallory = SecretKey::from_bytes([0xEE; 32]);
+    let (mut engine, pocket) = setup_victim_with_pocket(&alice, "savings", 5_000_000_000);
+
+    // Mallory forges a SetPolicyTx targeting Alice's pocket with Mallory's own key.
+    let mallory_pub = mallory.verifying_key().to_bytes();
+    let mut tx = SetPolicyTx {
+        from: pocket,
+        instant_limit: u64::MAX,
+        vault_threshold: 0,
+        vault_delay_rounds: 0,
+        whitelisted_recipients: vec![],
+        daily_limit: None,
+        fee: 0, nonce: 0,
+        pub_key: mallory_pub,
+        signature: Signature([0u8; 64]),
+    };
+    tx.signature = mallory.sign(&tx.signable_bytes());
+
+    let err = engine.apply_set_policy_tx(&tx, 100).unwrap_err();
+    assert!(
+        err.to_string().contains("not authorized"),
+        "expected authorization failure, got: {err}"
+    );
+
+    // Pocket's authorized_keys must remain empty.
+    if let Some(cfg) = engine.smart_account(&pocket) {
+        assert!(
+            cfg.authorized_keys.is_empty(),
+            "pocket must never accept an auto-registered key"
+        );
+    }
+}
+
+#[test]
+fn add_key_cannot_plant_attacker_key_on_pocket() {
+    let alice = SecretKey::from_bytes([0xA2; 32]);
+    let mallory = SecretKey::from_bytes([0xED; 32]);
+    let (mut engine, pocket) = setup_victim_with_pocket(&alice, "savings", 5_000_000_000);
+
+    let mallory_pub = mallory.verifying_key().to_bytes();
+    let mallory_kid = AuthorizedKey::compute_key_id(KeyType::Ed25519, &mallory_pub);
+    let mut tx = AddKeyTx {
+        from: pocket,
+        new_key: AuthorizedKey {
+            key_id: mallory_kid,
+            key_type: KeyType::Ed25519,
+            pubkey: mallory_pub.to_vec(),
+            label: "attacker".to_string(),
+            daily_limit: None,
+            daily_spent: (0, 0),
+        },
+        fee: 0, nonce: 0,
+        pub_key: mallory_pub,
+        signature: Signature([0u8; 64]),
+    };
+    tx.signature = mallory.sign(&tx.signable_bytes());
+
+    let err = engine.apply_add_key_tx(&tx).unwrap_err();
+    assert!(
+        err.to_string().contains("not authorized"),
+        "expected authorization failure, got: {err}"
+    );
+
+    if let Some(cfg) = engine.smart_account(&pocket) {
+        assert!(cfg.authorized_keys.is_empty());
+    }
+}
+
+#[test]
+fn set_recovery_cannot_plant_attacker_key_on_pocket() {
+    let alice = SecretKey::from_bytes([0xA3; 32]);
+    let mallory = SecretKey::from_bytes([0xEC; 32]);
+    let (mut engine, pocket) = setup_victim_with_pocket(&alice, "savings", 5_000_000_000);
+
+    let mallory_pub = mallory.verifying_key().to_bytes();
+    let mut tx = SetRecoveryTx {
+        from: pocket,
+        guardians: vec![mallory.address()],
+        threshold: 1,
+        delay_rounds: 100,
+        fee: 0, nonce: 0,
+        pub_key: mallory_pub,
+        signature: Signature([0u8; 64]),
+    };
+    tx.signature = mallory.sign(&tx.signable_bytes());
+
+    let err = engine.apply_set_recovery_tx(&tx).unwrap_err();
+    assert!(
+        err.to_string().contains("not authorized"),
+        "expected authorization failure, got: {err}"
+    );
+
+    if let Some(cfg) = engine.smart_account(&pocket) {
+        assert!(cfg.authorized_keys.is_empty());
+    }
+}
+
+#[test]
+fn full_drain_attack_chain_fails() {
+    let alice = SecretKey::from_bytes([0xA4; 32]);
+    let mallory = SecretKey::from_bytes([0xEB; 32]);
+    let (mut engine, pocket) = setup_victim_with_pocket(&alice, "savings", 5_000_000_000);
+    let initial_pocket_balance = engine.balance(&pocket);
+
+    // Step 1: Mallory tries to plant her key on the pocket via SetPolicyTx.
+    // (Before the fix, this would succeed and register mallory_pub on the pocket.)
+    let mallory_pub = mallory.verifying_key().to_bytes();
+    let mut set_policy = SetPolicyTx {
+        from: pocket,
+        instant_limit: u64::MAX,
+        vault_threshold: 0,
+        vault_delay_rounds: 0,
+        whitelisted_recipients: vec![],
+        daily_limit: None,
+        fee: 0, nonce: 0,
+        pub_key: mallory_pub,
+        signature: Signature([0u8; 64]),
+    };
+    set_policy.signature = mallory.sign(&set_policy.signable_bytes());
+    let _ = engine.apply_set_policy_tx(&set_policy, 100);
+
+    // Step 2: Mallory attempts the drain. Even if step 1 had silently no-op'd
+    // on the authorization side, a subsequent SmartTransferTx must fail at
+    // verify_smart_transfer because Mallory's key is neither on the pocket
+    // (the fix) nor on Alice's parent config.
+    let mallory_kid = AuthorizedKey::compute_key_id(KeyType::Ed25519, &mallory_pub);
+    let mut transfer = SmartTransferTx {
+        from: pocket,
+        to: mallory.address(),
+        amount: initial_pocket_balance,
+        fee: 0, nonce: 0,
+        signing_key_id: mallory_kid,
+        signature: vec![],
+        memo: None,
+        webauthn: None,
+    };
+    transfer.signature = mallory.sign(&transfer.signable_bytes()).0.to_vec();
+
+    assert!(
+        !engine.verify_smart_transfer(&transfer),
+        "Mallory's signature must not verify against the pocket or its parent"
+    );
+
+    // Pocket balance must be untouched.
+    assert_eq!(engine.balance(&pocket), initial_pocket_balance);
+}
+
+#[test]
+fn auto_register_key_rejects_pocket_address() {
+    let alice = SecretKey::from_bytes([0xA5; 32]);
+    let mallory = SecretKey::from_bytes([0xEA; 32]);
+    let (mut engine, pocket) = setup_victim_with_pocket(&alice, "savings", 1_000_000_000);
+
+    // The RPC relay-endpoint path. Even though this path is currently
+    // called with a p256-derived address in production, the function must
+    // refuse to register a key directly on a pocket as defense in depth.
+    let mallory_pub = mallory.verifying_key().to_bytes();
+    let err = engine
+        .auto_register_key(&pocket, KeyType::Ed25519, mallory_pub.to_vec())
+        .unwrap_err();
+    assert!(
+        err.to_string().contains("pocket"),
+        "expected pocket-specific rejection, got: {err}"
+    );
+}

docs/security/advisories/INTERNAL-2026-04-22-pocket-keyreg.md

@@ -0,0 +1,74 @@
+# INTERNAL-2026-04-22 — Pocket key-injection enables pocket drain
+
+**Severity:** Critical
+**Component:** `ultradag-coin` — `StateEngine` key auto-registration
+**Disclosure:** Internal review (not externally reported; no bounty payout)
+**Status:** Fixed
+
+## Summary
+
+`auto_register_ed25519_key` gated key registration on
+`authorized_keys.is_empty()` but did NOT require that the supplied pubkey
+actually derives to the target address. For regular EOAs (`addr =
+blake3(pubkey)[..20]`) this was implicitly safe because only the legitimate
+keyholder can produce a pubkey that derives to the address. Pockets broke
+the assumption: a pocket's address is computed from `(parent_address,
+label)` and no pubkey can satisfy the derivation, so the implicit trust was
+never crosschecked.
+
+Any attacker could submit a policy, key, or recovery tx targeting a
+victim's pocket with their own pubkey as the signer. The auto-registration
+path would plant the attacker's key on the pocket's `SmartAccountConfig`;
+the subsequent authorization check (`is_key_authorized`) would then find
+the just-added key and pass. Because `verify_smart_transfer` checks the
+pocket's own config before falling back to the parent, the attacker's
+planted key then authorized `SmartTransferTx` from the pocket — draining
+the balance in a second tx.
+
+Sister path: `auto_register_key` (pub; used by the relay endpoint)
+unconditionally pushed a key to any target. The one live caller passes a
+pubkey-derived address so there was no exploitable site today, but the
+function itself offered no defense-in-depth.
+
+## Impact
+
+Same attack class as GHSA-9chc-gjfr-6hrq but more severe — grants
+arbitrary attacker-key authorization on a victim's pocket rather than
+merely bypassing a limit. Every pocket on the network with any balance
+was drainable by any funded address in two txs (one to plant the key,
+one to spend).
+
+## Root cause
+
+`auto_register_ed25519_key` did not enforce the invariant that a key can
+only be auto-registered on an address that cryptographically derives from
+it. The guard `authorized_keys.is_empty()` only prevented overwriting an
+already-owned account — not hostile first-time registration on a non-EOA
+address.
+
+## Fix
+
+- `auto_register_ed25519_key`: early-return unless `Address::from_pubkey(pub_key)
+  == *addr`. Non-EOA addresses (pockets today, any future non-derived
+  address type) now refuse arbitrary key injection. The existing
+  `is_empty()` gate stays in place.
+- `auto_register_key` (pub): rejects pocket addresses outright with a
+  ValidationError. Defense in depth — ensures the RPC relay path can't be
+  weaponized if a future code path passes a pocket address by accident.
+
+The fix restores the correct invariant: **pockets never hold their own
+authorized keys**. Authorization for pocket-originated transfers flows
+exclusively through `pocket_to_parent` → parent config →
+`verify_smart_transfer` fallback.
+
+Five regression tests in
+`crates/ultradag-coin/tests/smart_account_pocket_key_injection.rs` cover
+each attack surface (`SetPolicyTx`, `AddKeyTx`, `SetRecoveryTx`, full
+drain chain, and direct `auto_register_key` rejection).
+
+## Credits
+
+Internal review during a 5-domain parallel audit (consensus / state /
+network / economic / crypto). Found by the state-engine review which
+flagged the unguarded pocket surface immediately after the
+GHSA-9chc-gjfr-6hrq remediation.

docs/security/advisories/README.md

@@ -5,6 +5,7 @@ This directory contains published security advisories for vulnerabilities that h
 ## Published Advisories
 
 - [GHSA-9chc-gjfr-6hrq](GHSA-9chc-gjfr-6hrq.md) — Critical — Spending-policy bypass via pockets. SmartAccount policies (daily limit, vault threshold, whitelist, per-key limit) were not enforced on transfers originating from pocket sub-addresses. Reported by Sumitshah00, fixed 2026-04-21.
+- [INTERNAL-2026-04-22-pocket-keyreg](INTERNAL-2026-04-22-pocket-keyreg.md) — Critical — Pocket key-injection enables pocket drain. `auto_register_ed25519_key` did not require the pubkey to derive to the target address, so any attacker could plant their key on a victim's pocket and then spend from it. Found by internal review, fixed 2026-04-22.
 
 ## Disclosure Timeline