26/03/2019

Reward

150 $ 

In Scope

Scope Type | Scope Name
---|---
api | Public API V2
api | P2P Network API
api | Crypto layer (verification and validation of payloads (blocks, transactions))
api | Transaction Pool (accessible via Public API)

ARK Ecosystem

Ark Ecosystem's goal is to give everyone the power to easily create, customize and scale their own blockchain networks. By combining innovative network design with accessible & extensible software, Ark Ecosystem allows for maximum developer productivity. We prioritize builders and doers from every walk of life by building blockchain software that balances power and ease of use.


Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Reward Range

Last updated 20 Mar 2019 20:33:59 UTC

Technical severity | Reward range
---|---
P1 Critical | $2,000 - $3,500
P2 Severe | $1,000 - $2,000
P3 Moderate | $500 - $1,000
P4 Low | $150 - $500

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name | Type
---|---
Public API V2 | API
P2P Network API | API
Crypto layer (verification and validation of payloads (blocks, transactions)) | API
Transaction Pool (accessible via Public API) | API

Any domain/property of Ark Ecosystem not listed in the targets section is out of scope. This includes any/all subdomains not listed above.


Target Info:

ARK CORE V2 blockchain ecosystem - The target for this engagement is the new ARK CORE API (V2). ARK has provided a great deal of documentation, as well as a suggestion on how to test the API for vulnerabilities. Please see https://docs.ark.io as a starting point for getting all relevant information, and ARK's GitHub page, https://github.com/ArkEcosystem/core, where the source code can be found.

Documentation:

https://docs.ark.io/api/public/v2/ - The main starting point for v2 documentation.
https://docs.ark.io - General documentation site with all information available
https://docs.ark.io/guidebook - Guidebooks on various topics, from node securing to the dev environment
https://docs.ark.io/guidebook/core/node-lifecycle.html#starting-our-node - Running a node
https://docs.ark.io/guidebook/core/transaction-lifecycle.html#inside-a-transaction-lifecycle-from-client-to-blockchain - Transaction lifecycle
https://github.com/arkecosystem/core - Source code on GitHub
https://github.com/ArkEcosystem/core/tree/develop/packages/core-blockchain - Blockchain plugin/module
https://github.com/ArkEcosystem/core/tree/develop/packages/core-p2p - P2P layer network module
https://github.com/ArkEcosystem/core/tree/develop/packages/crypto - The crypto module used for verify/sign
https://github.com/ArkEcosystem/core/tree/develop/packages/core-transaction-pool-mem - Transaction pool
https://github.com/ArkEcosystem/core/tree/develop/packages/core-transaction-pool - Transaction pool
https://docs.ark.io/introduction/ark/understanding-transactions-and-block-propagation.html#fees-for-transactions - Understanding transactions and the consensus layer
https://docs.ark.io/guidebook/core/plugins - General information about plugins and documentation for packages in general


Suggested Testing Approach:

We recommend that you start where the transaction starts. Transactions in the ARK network are signed and processed within the mobile and desktop wallets or REST client applications.

You can learn more about the transaction lifecycle in our guidebook here: https://docs.ark.io/guidebook/core/transaction-lifecycle.html#inside-a-transaction-lifecycle-from-client-to-blockchain

In analyzing for vulnerabilities, follow the transaction and observe as it is relayed to the network and validated.

Think outside of the box. Search for flawed parsing and insufficient checks and monitor how the transactions are forged and included in a block.

Thank you for participating and good luck!

Focus Areas:

  • try to bypass any crypto/balance or other spending points - enabling you to spend or double spend (look at wallet-manager and pool-wallet-manager logic) via post/transaction endpoint or other means
  • take down nodes via public API (not just simple DDoS)
  • take down nodes via P2P API (not just simple DDoS)
  • take down nodes via transaction pool (not just simple DDoS)
  • take down nodes by sneaking in invalid blocks
  • take down nodes by sneaking in invalid transactions
  • forge invalid data and get it accepted by others
  • trigger a rebuild from outside of a node
  • get around IP whitelisting on P2P and public API
  • hack the serialization/deserialization process of blocks and transactions
  • check how blocks are forged/included in the chain and hack it :)
  • check the p2p layer and try to hack it, or broadcast bad blocks
  • consensus layer (ARK uses DPOS consensus) - find a way to trick the majority or consensus calculations

Environment

Use devnet as testing environment or start your own local test node (local testnet can be started with 51 delegates on a single server). For more info check: https://docs.ark.io/guidebook/core/development.html#introduction.

ARK Slack Channel

ARK has a very active Slack community. We'd love to have all researchers join. Please request access here: https://ark.io/slack.

List of known and closed security vulnerabilities

A list of known and closed security vulnerabilities can be found here: https://github.com/ArkEcosystem/security-vulnerabilities/


Out-of-Scope

  • ARK Mobile and Desktop Applications
  • Focus on code issues and topics stated above. Issues related to system admin stuff are not included.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

FireBounty © 2015-2019
