Stale Validator Schedule in claim2EVM Allows Retired Validators to Forge Claims and Drain the Bridge
The claim2EVM() function in UltraBridge.sol accepts claim signatures from any historical validator schedule, including schedules whose validators have been explicitly removed through rotation. There is no mechanism to expire, invalidate, or time-bound old schedules. If threshold validator keys from any retired schedule are compromised after rotation, an attacker can forge arbitrary claim transactions with fabricated counter values and drain all bridged tokens. The bridge currently holds 477,562 UOS (~$17,800) and has undergone 4 schedule rotations. The original 3 validators from Schedule 1 were removed in Schedule 4, yet they can still sign valid claims using schedule_id=1.
The UltraBridge contract implements a validator-signed bridge between Ultra blockchain and Ethereum. Validators sign ultra2evmData payloads that encode swap details (counter, amount, token,