Ark Ecosystem's goal is to give everyone the power to easily create, customize and scale their own blockchain networks. By combining innovative network design with accessible & extensible software, Ark Ecosystem allows for maximum developer productivity. We prioritize builders and doers from every walk of life by building blockchain software that balances power and ease of use.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Reward Range

| Technical severity | Reward range |
|---|---|
| P1 Critical | $2,000 - $3,500 |
| P2 Severe | $1,000 - $2,000 |
| P3 Moderate | $500 - $1,000 |
| P4 Low | $150 - $500 |
Any domain/property of Ark Ecosystem not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
ARK CORE V2 blockchain ecosystem - The target for this engagement is the new ARK CORE API (V2). ARK has provided a great deal of documentation, as well as a suggested approach for testing the API for vulnerabilities. Please see https://docs.ark.io as a starting point for all relevant information, and ARK's GitHub page, https://github.com/ArkEcosystem/core, where the source code can be found.
https://docs.ark.io/api/public/v2/ - The main starting point for v2 documentation.
https://docs.ark.io - General documentation site with all information available
https://docs.ark.io/guidebook - Guidebooks on various topics, from securing a node to setting up a development environment
https://docs.ark.io/guidebook/core/node-lifecycle.html#starting-our-node - Running a node
https://docs.ark.io/guidebook/core/transaction-lifecycle.html#inside-a-transaction-lifecycle-from-client-to-blockchain - Transaction Lifecycle
https://github.com/arkecosystem/core - Source code on github
https://github.com/ArkEcosystem/core/tree/develop/packages/core-blockchain - Blockchain plugin/module
https://github.com/ArkEcosystem/core/tree/develop/packages/core-p2p - P2P layer network module
https://github.com/ArkEcosystem/core/tree/develop/packages/crypto - The crypto module used for verify/sign
https://github.com/ArkEcosystem/core/tree/develop/packages/core-transaction-pool-mem - Transaction pool
https://github.com/ArkEcosystem/core/tree/develop/packages/core-transaction-pool - Transaction pool
https://docs.ark.io/introduction/ark/understanding-transactions-and-block-propagation.html#fees-for-transactions - Understanding transactions and consensus layer
https://docs.ark.io/guidebook/core/plugins - General information about plugins and documentation for the packages
Suggested Testing Approach:
We recommend that you start where the transaction starts. Transactions in the ARK network are signed and processed within the mobile and desktop wallets or REST client applications.
You can learn more about the transaction lifecycle in our guidebook here: https://docs.ark.io/guidebook/core/transaction-lifecycle.html#inside-a-transaction-lifecycle-from-client-to-blockchain
When analyzing for vulnerabilities, follow the transaction and observe it as it is relayed to the network and validated.
Think outside the box. Search for flawed parsing and insufficient checks, and monitor how transactions are forged and included in a block.
Thank you for participating and good luck!
- try to bypass any crypto/balance or other spending checks, enabling you to spend or double spend (look at the wallet-manager and pool-wallet-manager logic), via the post/transaction endpoint or other means
- take down nodes via public API (not just simple DDoS)
- take down nodes via P2P API (not just simple DDoS)
- take down nodes via transaction pool (not just simple DDoS)
- take down nodes by sneaking in invalid blocks
- take down nodes by sneaking in invalid transactions
- forge invalid data and get it accepted by others
- trigger a rebuild from outside of a node
- get around IP whitelisting on P2P and public API
- hack the serialization/deserialization process of blocks and transactions
- check how blocks are forged/included in the chain and hack it :)
- check the P2P layer and try to hack it, or broadcast bad blocks
- consensus layer (ARK uses DPoS consensus) - find a way to trick the majority or the consensus calculations
Use devnet as the testing environment, or start your own local test node (a local testnet can be started with 51 delegates on a single server). For more info check: https://docs.ark.io/guidebook/core/development.html#introduction.
ARK Slack Channel
ARK has a very active Slack community. We'd love to have all researchers join. Please request access here: https://ark.io/slack.
List of known and closed security vulnerabilities
A list of known and closed security vulnerabilities can be found here: https://github.com/ArkEcosystem/security-vulnerabilities/
- ARK Mobile and Desktop Applications
- Focus on code issues and the topics stated above. Issues related to system administration are not included.