Producing software inherently comes with risks. All software, especially new releases and large code re-writes, have a higher probability of producing bugs during production and initial release. To combat this, the ARK team has introduced modern testing methods, higher test coverage, a custom developed e2e testing framework and increased the availability for testing on our Development Network prior to release. Despite all of that, no one can catch every potential issue. This new reporting series will serve as a public disclosure of any discovered and patched vulnerabilities within the ARK Blockchain Platform (Core, Desktop Wallet, Mobile Wallet, ARK Pay & Deployer).

During our internal and public Development Network testing phase a LOT of bugs were found and patched. While the ARK team does considerable testing, a fresh pair of eyes can often discern issues that we may have overlooked. That is why we value community feedback and put a lot of effort into our bounty programs (which we recently updated).

But, as already said by Edsger W. Dijkstra:

”Program testing can be used to show the presence of bugs, but never to show their absence!”

After the successful launch of ARK Core v2 by the ARK Team and the public migration of the network by the ARK Network Delegates, several critical security vulnerabilities were disclosed to our team by ARK community members & Delegates. Due to the critical nature of these disclosures and the impact they could have had on the network, we would like to thank those responsible for their hard work and efforts to report these issues responsibly. The security vulnerabilities are disclosed below with additional explanations and details on the associated patches. Due to the professionalism of our community security researchers, at no point was anything tested or abused on the Public Network and the integrity of the ARK blockchain remains intact.

After the disclosures, it became increasingly important for Ark to notify those utilizing the ARK Blockchain Platform (ARK Forks) of the identified critical bugs to allow them to mitigate any potential vulnerabilities in a timely manner. Sharing known vulnerabilities and the associated patches benefits all parties involved and keeps the lines of communication open between projects, which can help on other aspects of development as well (avoiding duplication of effort). That is why we have improved our steps related to our security vulnerability disclosure process. If you are running a project based on the ARK Platform, we highly recommend appointing a dedicated team member to check the parent repository and follow any changes.

New Disclosure Process

The whole security vulnerability disclosure process is being standardized on our end. From now on this process will be streamlined. Public critical disclosure information will be released after said vulnerability has been patched on Ark’s Public Network. We will also notify all the related forks (that we are aware of) in an automated manner after patches are closed so they have every opportunity to patch critical vulnerabilities in a timely manner.

List of Closed Security Vulnerabilities

This section lists the security vulnerabilities that were identified and patched since the release of ARK Core v2.

1. Invalid block received

Cause: The lastDownloadedBlock variable was not reset when discarding invalid blocks. This caused network nodes to continually attempt to download new blocks from the wrong height, effectively halting the network. This issue would have allowed a malicious user to disrupt network nodes and the network itself.

Reported by: delegate fun

Solution: Reset last downloaded block after discarding an invalid block.

Patch PR: https://github.com/ArkEcosystem/core/pull/1692