ARK Ecosystem

  • $150 – $3,500 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

2 vulnerabilities rewarded

Validation within 4 days
75% of submissions are accepted or rejected within 4 days


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Ark Ecosystem's goal is to give everyone the power to easily create, customize and scale their own blockchain networks. By combining innovative network design with accessible & extensible software, Ark Ecosystem allows for maximum developer productivity. We prioritize builders and doers from every walk of life by building blockchain software that balances power and ease of use.


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Reward Range

Technical severity    Reward range
P1 Critical           $2,000 - $3,500
P2 Severe             $1,000 - $2,000
P3 Moderate           $500 - $1,000
P4 Low                $150 - $500
P5 submissions do not receive any rewards for this program.


In scope

Target name                                                                       Type
Public API V2                                                                     API
P2P Network API                                                                   API
Crypto layer (verification and validation of payloads (blocks, transactions))     API
Transaction Pool (accessible via Public API)                                      API

Any domain/property of Ark Ecosystem not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

Target Info:

ARK CORE V2 blockchain ecosystem - The target for this engagement is the new ARK CORE API (V2). ARK has provided a great deal of documentation, as well as a suggestion on how to test the API for vulnerabilities. Please see: as a starting point for getting all relevant information, and ARK's GitHub page: where the source code can be found.

Documentation:

  • The main starting point for v2 documentation.
  • General documentation site with all information available
  • Guidebooks on various topics from node securing to dev environment
  • Running a node
  • Transaction Lifecycle
  • Source code on GitHub
  • Blockchain plugin/module
  • P2P layer network module
  • The crypto module used for verify/sign
  • Transaction pool
  • Transaction pool
  • Understanding transactions and consensus layer
  • Documentation for packages in general - General information about plugins

Suggested Testing Approach:

We recommend that you start where the transaction starts. Transactions in the ARK network are signed and processed within the mobile and desktop wallets or REST client applications.

You can learn more about the transaction lifecycle in our guidebook here:

In analyzing for vulnerabilities, follow the transaction and observe as it is relayed to the network and validated.

Think outside of the box. Search for flawed parsing and insufficient checks and monitor how the transactions are forged and included in a block.

Thank you for participating and good luck!

Focus Areas:

  • try to bypass any crypto/balance or other spending points - enabling you to spend or double spend (look at wallet-manager and pool-wallet-manager logic) via post/transaction endpoint or other means
  • take down nodes via public API (not just simple DDoS)
  • take down nodes via P2P API (not just simple DDoS)
  • take down nodes via transaction pool (not just simple DDoS)
  • take down nodes by sneaking in invalid blocks
  • take down nodes by sneaking in invalid transactions
  • forge invalid data and get it accepted by others
  • trigger a rebuild from outside of a node
  • get around IP whitelisting on P2P and public API
  • hack the serialization/deserialization process of blocks and transactions
  • check how blocks are forged/included in the chain and hack it :)
  • check the p2p layer and try to hack it, or broadcast bad blocks
  • consensus layer (ARK uses DPOS consensus) - find a way to trick the majority or consensus calculations


Use devnet as testing environment or start your own local test node (local testnet can be started with 51 delegates on a single server). For more info check:

ARK Slack Channel

ARK has a very active Slack community. We'd love to have all researchers join. Please request access here:

List of known and closed security vulnerabilities

A list of known and closed security vulnerabilities can be found here:


  • ARK Mobile and Desktop Applications
  • Focus on code issues and topics stated above. Issues related to system admin stuff are not included.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.