Arkham Intelligence
On-chain intelligence platform that deanonymizes blockchain addresses and tracks entities, wallets, and funds across all major chains. Powers the ARKM token economy and Intel Exchange marketplace.
https://intel.arkm.comMax Reward
$100,000
Total Paid
$380,000
Resolved
62
Avg Response
2 days
In-Scope Assets
*
Full pentest — all assets, APIs, smart contracts, Intel Exchange, ARKM token infrastructure, and backend services are in scope
Out of Scope
None — everything is in scope.
Severity Levels & Rewards
RCE, authentication bypass, privilege escalation, fund extraction
Stored XSS, CSRF with impact, API abuse, data manipulation
Reflected XSS, data leakage, logic flaws, information disclosure
Verbose errors, minor config issues, low-impact info disclosure
Active Bounties (9)
| ID | Title | Severity | Status | Reward | Submissions |
|---|---|---|---|---|---|
| ARKM-001 | IDOR on Intel Exchange — access rival analyst's private intel reports | Critical | Open | $20,000–$100,000 | 0 |
| ARKM-002 | API key leakage via GraphQL introspection on entity resolution endpoint | High | Open | $5,000–$20,000 | 1 |
| ARKM-003 | SSRF via webhook URL parameter in alert subscription flow | Critical | In Review | $20,000–$100,000 | 2 |
| ARKM-004 | Address labeling spoofing via crafted ENS metadata injection | High | Open | $5,000–$20,000 | 0 |
| ARKM-005 | Stored XSS in custom dashboard widget via unsanitized token name | High | Open | $5,000–$20,000 | 0 |
| ARKM-006 | ARKM token transfer bypass via signature replay on Intel Exchange | Critical | Open | $20,000–$100,000 | 0 |
| ARKM-007 | Rate limit bypass on bulk address lookup API | Medium | Open | $1,000–$5,000 | 0 |
| ARKM-008 | Authentication bypass via JWT algorithm confusion on /api/v2/user | Critical | Open | $20,000–$100,000 | 0 |
| ARKM-009 | Private entity attribution data exposed via misconfigured S3 bucket | Critical | In Review | $20,000–$100,000 | 3 |
Rules of Engagement
• Do not access, modify, or delete data belonging to other users.
• Do not perform denial-of-service attacks or automated scanning at high volume.
• Report vulnerabilities promptly and provide sufficient detail to reproduce.
• Allow reasonable time for fix before public disclosure (90 days).
• Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.