fix(bridge): enforce validator-count and quorum floors on release path

Closes GHSA-6gwf-frh8-ppw7. A sole active validator (n=1) could drain
the bridge_reserve in a single transaction: ceil(2n/3) degrades to 1,
and apply_bridge_release_tx had no size floor on the active set and
no proof binding for deposit_nonce (a fabricated nonce was accepted).

Two new constants close the exploit:

  - MIN_BRIDGE_VALIDATORS = 4: releases rejected if active set is
    smaller (matches BFT_MIN_ACTIVE_VALIDATORS, tolerates 1 Byzantine
    fault).
  - MIN_BRIDGE_QUORUM = 3: hard floor on distinct votes, independent
    of active-set size. Threshold is now max(ceil(2n/3), 3).

Deposit-nonce ↔ source-chain proof binding (reporter's rec #2) is a
larger design change (SPV / on-chain deposit registry) and is tracked
as a separate hardening item. Fixes #1 + #3 here are sufficient to
block the demonstrated drain.

Regression tests in tests/bridge_release_quorum.rs:
  - single_validator_cannot_drain_bridge — mirrors reporter PoC, now
    fails to drain
  - releases_blocked_just_below_min_bridge_validators
  - healthy_set_requires_min_quorum_votes

Ledger: BB-2026-0002, 10,000 UDAG (Critical floor) to Sumitshah00.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: UltraDAGcom

crates/ultradag-coin/src/constants.rs

@@ -257,6 +257,19 @@ pub const MAX_ACTIVE_VALIDATORS: usize = 100;
 /// With fewer than 7 validators, the system cannot guarantee safety.
 pub const MIN_ACTIVE_VALIDATORS: usize = 7;
 
+/// Minimum active validator set size required to process a bridge release.
+/// Prevents a single or small group of validators from unilaterally draining
+/// the bridge reserve if the active set degrades (e.g., after slashing or
+/// inactivity). A 4-validator floor tolerates 1 Byzantine fault (3f+1, f=1)
+/// and matches BFT_MIN_ACTIVE_VALIDATORS.
+pub const MIN_BRIDGE_VALIDATORS: usize = 4;
+
+/// Absolute floor on the bridge release quorum, independent of active-set size.
+/// The dynamic threshold is `ceil(2n/3)`; this floor guarantees a minimum
+/// number of independent votes even if the dynamic threshold is lower.
+/// Together with MIN_BRIDGE_VALIDATORS this makes unilateral release impossible.
+pub const MIN_BRIDGE_QUORUM: usize = 3;
+
 /// Epoch length in rounds. Validator set recalculated at epoch boundaries.
 /// Matches halving interval for clean alignment.
 pub const EPOCH_LENGTH_ROUNDS: u64 = 210_000;

crates/ultradag-coin/src/state/engine.rs

@@ -2262,6 +2262,19 @@ impl StateEngine {
             return Err(CoinError::ValidationError("only active validators can submit bridge releases".into()));
         }
 
+        // SECURITY (GHSA-6gwf-frh8-ppw7): Refuse to process bridge releases when the
+        // active validator set is too small. Without this, an attacker who becomes the
+        // sole active validator (e.g., after mass slashing / inactivity / fresh genesis)
+        // would hit ceil(2n/3) = 1 quorum and drain the bridge reserve in a single tx.
+        let active_n = self.active_validator_set.len();
+        if active_n < crate::constants::MIN_BRIDGE_VALIDATORS {
+            return Err(CoinError::ValidationError(format!(
+                "bridge releases require at least {} active validators, have {}",
+                crate::constants::MIN_BRIDGE_VALIDATORS,
+                active_n
+            )));
+        }
+
         // Validate amount range
         if tx.amount < crate::constants::MIN_BRIDGE_AMOUNT_SATS {
             return Err(CoinError::ValidationError("below minimum bridge amount".into()));
@@ -2337,9 +2350,12 @@ impl StateEngine {
         voters.insert(tx.from);
         let vote_count = voters.len();
 
-        // Calculate threshold: ceil(2n/3) where n = active validator count
+        // Calculate threshold: max(ceil(2n/3), MIN_BRIDGE_QUORUM).
+        // The MIN_BRIDGE_QUORUM floor prevents the dynamic threshold from collapsing
+        // to 1 or 2 when the active set is small, which — combined with the
+        // MIN_BRIDGE_VALIDATORS gate above — closes GHSA-6gwf-frh8-ppw7.
         let n = self.active_validator_set.len();
-        let threshold = (2 * n).div_ceil(3);
+        let threshold = (2 * n).div_ceil(3).max(crate::constants::MIN_BRIDGE_QUORUM);
 
         // Always increment the submitting validator's nonce (vote recorded)
         self.increment_nonce(&tx.from);

crates/ultradag-coin/tests/bridge_release_quorum.rs

@@ -0,0 +1,194 @@
+//! Regression tests for GHSA-6gwf-frh8-ppw7.
+//!
+//! Before the fix, a single validator (n=1) could drain the bridge reserve
+//! because the dynamic quorum `ceil(2n/3)` collapses to 1 when n=1. These
+//! tests lock in the two floors that close the exploit:
+//!
+//!   - `MIN_BRIDGE_VALIDATORS`: refuse releases when the active set is too small.
+//!   - `MIN_BRIDGE_QUORUM`: floor on the number of distinct validator votes
+//!     required, independent of active-set size.
+
+use ultradag_coin::{
+    StateEngine, SecretKey,
+    tx::{BridgeDepositTx, StakeTx, MIN_STAKE_SATS},
+    tx::bridge::BridgeReleaseTx,
+    address::Signature,
+    constants::{COIN, MIN_BRIDGE_QUORUM, MIN_BRIDGE_VALIDATORS, SUPPORTED_BRIDGE_CHAIN_IDS},
+};
+
+fn signed_stake(sk: &SecretKey, amount: u64, nonce: u64) -> StakeTx {
+    let mut tx = StakeTx {
+        from: sk.address(),
+        amount,
+        nonce,
+        pub_key: sk.verifying_key().to_bytes(),
+        signature: Signature([0u8; 64]),
+    };
+    tx.signature = sk.sign(&tx.signable_bytes());
+    tx
+}
+
+fn signed_bridge_deposit(sk: &SecretKey, amount: u64, nonce: u64, fee: u64) -> BridgeDepositTx {
+    let mut tx = BridgeDepositTx {
+        from: sk.address(),
+        recipient: [0x11u8; 20],
+        amount,
+        destination_chain_id: SUPPORTED_BRIDGE_CHAIN_IDS[0],
+        nonce,
+        fee,
+        pub_key: sk.verifying_key().to_bytes(),
+        signature: Signature([0u8; 64]),
+    };
+    tx.signature = sk.sign(&tx.signable_bytes());
+    tx
+}
+
+fn signed_bridge_release(
+    sk: &SecretKey,
+    recipient: ultradag_coin::address::Address,
+    amount: u64,
+    deposit_nonce: u64,
+    nonce: u64,
+) -> BridgeReleaseTx {
+    let mut tx = BridgeReleaseTx {
+        from: sk.address(),
+        recipient,
+        amount,
+        source_chain_id: SUPPORTED_BRIDGE_CHAIN_IDS[0],
+        deposit_nonce,
+        nonce,
+        pub_key: sk.verifying_key().to_bytes(),
+        signature: Signature([0u8; 64]),
+    };
+    tx.signature = sk.sign(&tx.signable_bytes());
+    tx
+}
+
+/// Regression: GHSA-6gwf-frh8-ppw7.
+/// A sole active validator must NOT be able to release funds from the bridge reserve.
+#[test]
+fn single_validator_cannot_drain_bridge() {
+    let mut state = StateEngine::new_with_genesis();
+
+    let attacker = SecretKey::generate();
+    let victim = SecretKey::generate();
+
+    state.faucet_credit(&attacker.address(), MIN_STAKE_SATS).unwrap();
+    state.faucet_credit(&victim.address(), 5 * COIN).unwrap();
+
+    // Attacker becomes sole active validator (n = 1).
+    let stake_tx = signed_stake(&attacker, MIN_STAKE_SATS, 0);
+    state.apply_stake_tx(&stake_tx).unwrap();
+    state.recalculate_active_set();
+    assert!(state.is_active_validator(&attacker.address()));
+    assert_eq!(state.active_validators().len(), 1);
+
+    // Legit deposit seeds the bridge reserve.
+    let deposit_amount = 3 * COIN;
+    let deposit_fee = 10_000;
+    let dep = signed_bridge_deposit(&victim, deposit_amount, 0, deposit_fee);
+    state.apply_bridge_lock_tx(&dep, None, None).unwrap();
+    assert_eq!(state.bridge_reserve(), deposit_amount);
+
+    // Attempted drain: fabricated deposit_nonce, self-recipient.
+    let attacker_addr = attacker.address();
+    let reserve_before = state.bridge_reserve();
+    let attacker_before = state.balance(&attacker_addr);
+    let rel = signed_bridge_release(&attacker, attacker_addr, deposit_amount, 999_999, 1);
+    let result = state.apply_bridge_release_tx(&rel);
+
+    // Must be rejected by the MIN_BRIDGE_VALIDATORS gate.
+    assert!(result.is_err(), "drain attempt with n=1 must be rejected, got: {:?}", result);
+    let err_msg = format!("{:?}", result.err().unwrap());
+    assert!(
+        err_msg.contains("active validators"),
+        "expected rejection to cite active-validator floor, got: {err_msg}"
+    );
+
+    // No state mutation on the reserve or attacker balance.
+    assert_eq!(state.bridge_reserve(), reserve_before);
+    assert_eq!(state.balance(&attacker_addr), attacker_before);
+}
+
+/// With exactly `MIN_BRIDGE_VALIDATORS - 1` active validators, releases are still blocked.
+#[test]
+fn releases_blocked_just_below_min_bridge_validators() {
+    let mut state = StateEngine::new_with_genesis();
+
+    let validators: Vec<SecretKey> = (0..MIN_BRIDGE_VALIDATORS - 1)
+        .map(|_| SecretKey::generate())
+        .collect();
+
+    for sk in &validators {
+        state.faucet_credit(&sk.address(), MIN_STAKE_SATS).unwrap();
+        let stake_tx = signed_stake(sk, MIN_STAKE_SATS, 0);
+        state.apply_stake_tx(&stake_tx).unwrap();
+    }
+    state.recalculate_active_set();
+    assert_eq!(state.active_validators().len(), MIN_BRIDGE_VALIDATORS - 1);
+
+    // Seed the reserve.
+    let donor = SecretKey::generate();
+    state.faucet_credit(&donor.address(), 10 * COIN).unwrap();
+    let dep = signed_bridge_deposit(&donor, 5 * COIN, 0, 10_000);
+    state.apply_bridge_lock_tx(&dep, None, None).unwrap();
+
+    let v0 = &validators[0];
+    let rel = signed_bridge_release(v0, v0.address(), 1 * COIN, 42, 1);
+    let result = state.apply_bridge_release_tx(&rel);
+    assert!(result.is_err(), "release must be blocked below MIN_BRIDGE_VALIDATORS");
+}
+
+/// Normal path: with a healthy set, a single vote is not enough (MIN_BRIDGE_QUORUM floor)
+/// but quorum is reachable once enough independent validators attest.
+#[test]
+fn healthy_set_requires_min_quorum_votes() {
+    let mut state = StateEngine::new_with_genesis();
+
+    // Use MIN_BRIDGE_VALIDATORS validators — small enough that ceil(2n/3) <= MIN_BRIDGE_QUORUM,
+    // so the MIN_BRIDGE_QUORUM floor is the effective threshold.
+    let n = MIN_BRIDGE_VALIDATORS;
+    let validators: Vec<SecretKey> = (0..n).map(|_| SecretKey::generate()).collect();
+    for sk in &validators {
+        state.faucet_credit(&sk.address(), MIN_STAKE_SATS).unwrap();
+        let stake_tx = signed_stake(sk, MIN_STAKE_SATS, 0);
+        state.apply_stake_tx(&stake_tx).unwrap();
+    }
+    state.recalculate_active_set();
+    assert_eq!(state.active_validators().len(), n);
+
+    // Seed the reserve.
+    let donor = SecretKey::generate();
+    state.faucet_credit(&donor.address(), 10 * COIN).unwrap();
+    let dep = signed_bridge_deposit(&donor, 5 * COIN, 0, 10_000);
+    state.apply_bridge_lock_tx(&dep, None, None).unwrap();
+
+    let recipient = SecretKey::generate().address();
+    let release_amount = 1 * COIN;
+    let deposit_nonce = 777;
+
+    // First (MIN_BRIDGE_QUORUM - 1) validators vote: release must NOT execute yet.
+    // Each validator's account nonce is 1 after their StakeTx, so bridge vote uses nonce 1.
+    let reserve_before = state.bridge_reserve();
+    for sk in validators.iter().take(MIN_BRIDGE_QUORUM - 1) {
+        let rel = signed_bridge_release(sk, recipient, release_amount, deposit_nonce, 1);
+        state.apply_bridge_release_tx(&rel).unwrap();
+    }
+    assert_eq!(
+        state.bridge_reserve(),
+        reserve_before,
+        "reserve must be untouched before MIN_BRIDGE_QUORUM votes"
+    );
+
+    // The MIN_BRIDGE_QUORUM-th vote crosses the floor: release executes.
+    let crossing_voter = &validators[MIN_BRIDGE_QUORUM - 1];
+    let rel_cross = signed_bridge_release(crossing_voter, recipient, release_amount, deposit_nonce, 1);
+    state.apply_bridge_release_tx(&rel_cross).unwrap();
+
+    assert_eq!(
+        state.bridge_reserve(),
+        reserve_before - release_amount,
+        "reserve must decrement once MIN_BRIDGE_QUORUM is reached"
+    );
+    assert_eq!(state.balance(&recipient), release_amount);
+}

docs/security/bug-bounty/LEDGER.md

@@ -2,7 +2,7 @@
 
 **Program Start:** March 8, 2026  
 **Total Allocated:** 500,000 UDAG (mainnet)  
-**Total Awarded:** 15,000 UDAG  
+**Total Awarded:** 25,000 UDAG  
 **Total Paid (Testnet):** 0 UDAG (pending — faucet rate-limited)  
 **UDAG Mainnet Token:** [`0x9cFD2011DF13d9E394B5Bb59f0f7e7A5C512155b`](https://arbiscan.io/token/0x9cFD2011DF13d9E394B5Bb59f0f7e7A5C512155b) (Arbitrum One, deployed 2026-04-12)  
 **Bounty Payment Source:** Genesis allocation holder `0x9aEcb515361af7980eaa16fE40c064f69738EbF9` (to be reimbursed from treasury post-emission)  
@@ -48,6 +48,38 @@ Fix: 45bcf706, 2f5a3a23
 Status: Validated / Fixed / Testnet Paid / Pending Mainnet
 ```
 
+### BB-2026-0002
+```
+ID: BB-2026-0002
+Date: 2026-04-14
+Hunter: Sumitshah00 (tudg17lzd76ue95ht07hxzna8mzey4tkpk85jtjns2d)
+Severity: Critical
+Reward: 10,000 UDAG (mainnet promise)
+Testnet Paid: Pending (faucet rate-limited; will send via validator key)
+Source: Treasury (paid from treasury emission post-launch)
+Issue: Bridge release path enforced quorum as ceil(2n/3) of the active
+       validator set with no floor on set size or vote count. When the
+       active set degrades to n=1, the threshold collapses to 1 — a sole
+       active validator can self-sign a BridgeReleaseTx with a fabricated
+       deposit_nonce and drain the entire bridge_reserve in one tx. Report
+       included a complete self-contained Rust PoC demonstrating the drain.
+       Rated at the Critical floor because the bridge relayer is not yet
+       live, bridge_reserve is currently 0, and mainnet P2P is closed to
+       external staking — so no funds are at risk today. The bug would
+       detonate the instant the bridge ships if left unpatched.
+Fix: Added two new constants (MIN_BRIDGE_VALIDATORS=4, MIN_BRIDGE_QUORUM=3)
+     and wired both into apply_bridge_release_tx: releases are now rejected
+     when active_validator_set.len() < MIN_BRIDGE_VALIDATORS, and the
+     dynamic threshold is clamped to max(ceil(2n/3), MIN_BRIDGE_QUORUM).
+     Regression test: crates/ultradag-coin/tests/bridge_release_quorum.rs
+     (3 tests covering n=1 drain, below-floor set, and normal quorum path).
+     Deposit-nonce → source-chain proof binding (reporter's recommendation
+     #2) remains open as a separate design-level issue; tracked for a future
+     bridge-hardening pass.
+Advisory: GHSA-6gwf-frh8-ppw7
+Status: Validated / Fixed / Pending Testnet Payout / Pending Mainnet
+```
+
 ---
 
 ## Pending Validation
@@ -65,9 +97,9 @@ Status: Validated / Fixed / Testnet Paid / Pending Mainnet
 - Unique hunters: 0
 
 ### April 2026
-- Submissions: 1 valid (GHSA-q8wx-2crx-c7pp)
-- Validated: 1
-- Rewards: 15,000 UDAG
+- Submissions: 2 valid (GHSA-q8wx-2crx-c7pp, GHSA-6gwf-frh8-ppw7)
+- Validated: 2
+- Rewards: 25,000 UDAG
 - Unique hunters: 1 (Sumitshah00)
 
 ### Mainnet launched: 2026-04-10