Ark Ecosystem's goal is to give everyone the power to easily create, customize and scale their own blockchain networks. By combining innovative network design with accessible & extensible software, Ark Ecosystem allows for maximum developer productivity. We prioritize builders and doers from every walk of life by building blockchain software that balances power and ease of use.
For the initial prioritization/rating of findings, this program will use theBugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Last updated 20 Mar 2019 20:33:59 UTC
Technical severity | Reward range
p1 Critical | $2,000 - $3,500
p2 Severe | $1,000 - $2,000
p3 Moderate | $500 - $1,000
p4 Low | $150 - $500
P5 submissions do not receive any rewards for this program.
Target name | Type
Public API V2 | API
P2P Network API | API
Crypto layer (verification and validation of payloads (blocks,
transactions)) | API
Transaction Pool (accessible via Public API) | API
Any domain/property of Ark Ecosystem not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
ARK CORE V2 blockchain ecosystem - The target for this engagement is the
new ARK CORE API (V2). ARK has provided a great deal of documentation, as well
as a suggestion on how to test the API for vulnerabilities. Please see:
https://docs.ark.io as a starting point for getting all relevant
information, and ARKs github page: https://github.com/ArkEcosystem/core
where the source code can be found.
https://docs.ark.io/api/public/v2/ - The main starting point for v2
https://docs.ark.io - General documentation site with all information available
https://docs.ark.io/guidebook - Guidebooks on various topic from node securing to dev environment
https://docs.ark.io/guidebook/core/node-lifecycle.html#starting-our-node - Running a node
https://docs.ark.io/guidebook/core/transaction-lifecycle.html#inside-a- transaction-lifecycle-from-client-to-blockchain - Transaction Lifecycle
https://github.com/arkecosystem/core - Source code on github
https://github.com/ArkEcosystem/core/tree/develop/packages/core-blockchain - Blockchain plugin/module
https://github.com/ArkEcosystem/core/tree/develop/packages/core-p2p - P2P layer network module
https://github.com/ArkEcosystem/core/tree/develop/packages/crypto - The crypto module used for verify/sign
https://github.com/ArkEcosystem/core/tree/develop/packages/core-transaction- pool-mem - Transaction pool
https://github.com/ArkEcosystem/core/tree/develop/packages/core-transaction- pool - Transaction pool
https://docs.ark.io/introduction/ark/understanding-transactions-and-block- propagation.html#fees-for-transactions - Understanding transactions and consensus layer
Documentation for packages in general https://docs.ark.io/guidebook/core/plugins - General information about plugins
We recommend that you start where the transaction starts. Transactions in the ARK network are signed and processed within the mobile and desktop wallets or REST client applications.
You can learn more about the transaction lifecycle in our guidebook here: https://docs.ark.io/guidebook/core/transaction-lifecycle.html#inside-a- transaction-lifecycle-from-client-to-blockchain
In analyzing for vulnerabilities, follow the transaction and observe as it is relayed to the network and validated.
Think outside of the box. Search for flawed parsing and insufficient checks and monitor how the transactions are forged and included in a block.
Thank you for participating and good luck!
Use devnet as testing environment or start your own local test node (local testnet can be started with 51 delegates on a single server). For more info check: https://docs.ark.io/guidebook/core/development.html#introduction.
ARK has a very active Slack community. We'd love to have all researchers join. Please request access here: https://ark.io/slack.
A list of known and closed security vulnerabilities can be found here: https://github.com/ArkEcosystem/security-vulnerabilities/
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
Contact us if you want more information.