Bitcoin

Control of Majority Hashing Power (51_PERCENT_ATTACK)

Threat actors:

• MALICIOUS_MINERS

Threat Description

An attacker accumulates more than 50% of the total mining power and uses this control to create a longer blockchain fork, thereby rewriting transaction history or blocking new transactions.

Impact

Allows an attacker to rewrite transaction history, double-spend, or block transactions.
TRANSACTION_INTEGRITY
NETWORK_RESILIENCE

CVSS

Base score: 6.6 (Medium)
Vector:CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Counter-measures for 51_PERCENT_ATTACK

DIVERSE_HASHPOWER Encourage diverse miner participation

Promote geographic and organizational decentralization of miners to reduce the likelihood of any single entity achieving majority hash power.

Countermeasure in place? ❌ Public and disclosable? ✔

Double Spending (DOUBLE_SPENDING)

Threat actors:

• SYBIL_ACTORS

Threat Description

The attacker broadcasts two conflicting transactions to the network, one to make a purchase and another to send the same funds back to their own wallet, exploiting timing and confirmation delays.

Impact

Compromise of transaction validity by spending the same Bitcoin multiple times.
TRANSACTION_INTEGRITY

CVSS

Base score: 5.9 (Medium)
Vector:CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Counter-measures for DOUBLE_SPENDING

LONGER_CONFIRMATION Increase block confirmations

Encourage waiting for multiple block confirmations to ensure transaction permanence.

Countermeasure in place? ✔ Public and disclosable? ✔

Network Partitioning (Eclipse Attack) (NETWORK_PARTITION)

Threat actors:

• SYBIL_ACTORS

Threat Description

By controlling a node’s peers, the attacker isolates the target node from the rest of the network, feeding it incorrect blockchain data or preventing it from receiving updates.

Impact

Isolate nodes from the main network, manipulating their view of the blockchain.
NETWORK_RESILIENCE

CVSS

Base score: 5.9 (Medium)
Vector:CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Counter-measures for NETWORK_PARTITION

PEER_DIVERSITY Peer Diversity

Nodes should maintain diverse peer connections to prevent isolation.

Countermeasure in place? ❌ Public and disclosable? ❌

Blockchain Reorganizations (MINING_REORG)

Threat actors:

• MALICIOUS_MINERS

Threat Description

Malicious miners use their hashing power to create an alternate chain that invalidates recent blocks, causing a reorganization of the blockchain.

Impact

Reverse transactions by introducing a longer fork.
TRANSACTION_INTEGRITY

CVSS

Base score: 0.0 (None)
Vector:CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N

Counter-measures for MINING_REORG

TIMESTAMP_MONITORING Monitor blockchain timestamps

Use timestamps and multiple confirmations to minimize reorganization threats.

Countermeasure in place? ✔ Public and disclosable? ✔

Loss of Hash Power Due to Incentives (HASH_POWER_DECREASE)

Threat actors:

• ECONOMIC_ACTORS

Threat Description

If the prevailing market conditions lead to low Bitcoin prices, miners may exit the market as profitability decreases. This reduction in mining activity could create a downward spiral where the network becomes less secure due to lower hash power, leading to longer confirmation times and increased vulnerability to attacks.

Impact

A significant decrease in hash power can lead to a drop in Bitcoin's price, reducing miner incentives, and potentially causing a negative feedback loop of further decreases in hash power before the next difficulty adjustment occurs. This creates a risk to the stability and security of the network, potentially making it more susceptible to attacks.
AVAILABILITY
NETWORK_RESILIENCE

CVSS

Base score: 7.5 (High)
Vector:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Counter-measures for HASH_POWER_DECREASE

MINER_SUBSIDY Maintain Miner Subsidies to Support Hash Power

Implement strategies to support miners during low price periods, such as temporarily lowering the mining difficulty adjustment period or providing incentives for miners to remain active in the ecosystem.

Countermeasure in place? ❌ Public and disclosable? ✔

DIVERSIFIED_REVENUE_MODELS Encourage Diversified Revenue Streams for Miners

Promote diversified revenue opportunities for miners, such as participating in transaction fee markets or providing ancillary services to the network to maintain viability even during low block reward phases.

Countermeasure in place? ❌ Public and disclosable? ✔

Tampering with Channel States (CHANNEL_STATE_TAMPERING)

Threat actors:

• CHANNEL_PARTNER

Threat Description

A malicious channel partner broadcasts an outdated channel state to reclaim funds already spent. For example, Alice and Bob open a channel with 1 BTC each. Alice pays Bob 0.5 BTC off-chain, but later broadcasts the original channel state to reclaim her initial 1 BTC.

Impact

Attackers tamper with channel states, leading to disputes or financial loss for participants.
CHANNEL_INTEGRITY

CVSS

Base score: 5.5 (Medium)
Vector:CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L

Counter-measures for CHANNEL_STATE_TAMPERING

PENALTY_MECHANISM Enforce Penalty Mechanisms

Use penalty transactions to ensure that any attempt to broadcast an outdated state results in a financial penalty for the attacker. Watchtowers monitor the blockchain for outdated states and broadcast penalty transactions on behalf of the victim.

Countermeasure in place? ✔ Public and disclosable? ✔

Denial of Service on Routing Nodes (ROUTING_NODE_DOS)

Threat actors:

• NETWORK_ADVERSARY

Threat Description

A network adversary floods routing nodes with fake or excessive requests, causing them to exhaust resources. For instance, an attacker could repeatedly attempt to route payments through a specific node, forcing it to handle an unsustainable load.

Impact

Attackers overwhelm routing nodes, disrupting payment processing and reducing network availability.
ROUTING_NODE_RESILIENCE

CVSS

Base score: 7.5 (High)
Vector:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Counter-measures for ROUTING_NODE_DOS

RATE_LIMITING Implement Rate Limiting

Use rate limiting and request validation to mitigate denial-of-service attacks on routing nodes. Monitor traffic patterns and reject requests from nodes exhibiting suspicious behavior.

Countermeasure in place? ✔ Public and disclosable? ✔

Delayed Channel Closure (CHANNEL_CLOSURE_DELAY)

Threat actors:

• CHANNEL_PARTNER

Threat Description

The attacker refuses to cooperate during the channel closure process or uses the dispute mechanism maliciously. For example, Bob delays closing a channel with Alice, preventing her from accessing her locked funds during a time-sensitive event.

Impact

A malicious channel partner delays the closure of a channel, locking funds and causing financial loss.
TIMELY_CLOSURE

CVSS

Base score: 4.9 (Medium)
Vector:CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Counter-measures for CHANNEL_CLOSURE_DELAY

FORCE_CLOSURE Support Force Closures

Allow participants to unilaterally close a channel after a timeout to recover locked funds. Watchtowers can assist by ensuring the closure process is secure and detecting malicious delays.

Countermeasure in place? ✔ Public and disclosable? ✔

Privacy Leak in Payment Routing (PRIVACY_LEAK)

Threat actors:

• MALICIOUS_ROUTING_NODE

• NETWORK_ADVERSARY

Threat Description

Malicious routing nodes or external adversaries analyze payment routes to infer transaction amounts and participants. For example, a routing node could monitor the flow of payments to deduce Alice is paying Charlie 0.2 BTC via Bob.

Impact

Sensitive transaction details are exposed to unauthorized entities, compromising user privacy.
CHANNEL_CONFIDENTIALITY

CVSS

Base score: 5.3 (Medium)
Vector:CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Counter-measures for PRIVACY_LEAK

ROUTE_ENCRYPTION Encrypt Payment Routes

Use onion routing to encrypt payment routes and protect transaction details from unauthorized disclosure. Ensure each hop only knows the adjacent nodes, preventing end-to-end correlation.

Countermeasure in place? ✔ Public and disclosable? ✔

Watchtower Unavailability (WATCHTOWER_FAILURE)

Threat actors:

• NETWORK_ADVERSARY

Threat Description

A network adversary targets watchtowers with a DoS attack, preventing them from monitoring channel state broadcasts. For example, an attacker floods a watchtower with traffic to render it non-functional during a critical dispute.

Impact

Unavailable watchtowers fail to detect and penalize malicious behavior, weakening channel security.
WATCHTOWER_RELIABILITY

CVSS

Base score: 10.0 (Critical)
Vector:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

Counter-measures for WATCHTOWER_FAILURE

DISTRIBUTED_WATCHTOWERS Use Distributed Watchtowers

Encourage the use of multiple, geographically distributed watchtowers to ensure redundancy and availability during disputes.

Countermeasure in place? ❌ Public and disclosable? ✔

Privacy Leakage (PRIVACY_LEAK)

Threat actors:

• NETWORK_OBSERVER

Threat Description

A network observer analyzes mixing transaction patterns and timings to correlate addresses, revealing user identities.

Impact

Users' Bitcoin addresses and transaction history may be linked due to weaknesses in the mixing process.
TRANSACTION_PRIVACY

CVSS

Base score: 7.5 (High)
Vector:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Counter-measures for PRIVACY_LEAK

COIN_JOIN Use CoinJoin Techniques

Utilize CoinJoin-based mixing that combines multiple users' transactions to break address linkability.

Countermeasure in place? ✔ Public and disclosable? ✔

Mixer Exit Scam (MIXER_EXIT_SCAM)

Threat actors:

• MALICIOUS_MIXER

Threat Description

A malicious mixer operator collects deposits and disappears without processing the mixing, resulting in financial loss for users.

Impact

A mixing service may abscond with users' Bitcoin instead of returning mixed outputs.
MIXING_INTEGRITY

CVSS

Base score: 6.5 (Medium)
Vector:CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Counter-measures for MIXER_EXIT_SCAM

TRUSTED_SERVICES Use Trusted and Audited Mixing Services

Prefer decentralized, open-source mixers with a proven track record of transparency.

Countermeasure in place? ❌ Public and disclosable? ✔

Participant Linkage Attack (PARTICIPANT_LINKAGE)

Threat actors:

• PARTICIPANT_COLLUSION

Threat Description

Malicious participants join mixing transactions with the intent of analyzing inputs and outputs to deanonymize other users.

Impact

Participants within a mixing process collude to track inputs and outputs, reducing anonymity.
PARTICIPANT_ANONYMITY

CVSS

Base score: 5.9 (Medium)
Vector:CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Counter-measures for PARTICIPANT_LINKAGE

RANDOMIZED_INPUTS Randomize Input and Output Patterns

Use randomized transaction structures and delays to reduce linkability between participants.

Countermeasure in place? ✔ Public and disclosable? ✔

Network-Level Transaction Analysis (NETWORK_LEVEL_ANALYSIS)

Threat actors:

• NETWORK_OBSERVER

Threat Description

An attacker monitors Bitcoin network traffic and uses timing analysis to correlate mixed transactions.

Impact

Adversaries analyze network traffic to uncover the relationships between mixed transactions.
TRANSACTION_PRIVACY

CVSS

Base score: 5.9 (Medium)
Vector:CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Counter-measures for NETWORK_LEVEL_ANALYSIS

TOR_VPN_USAGE Use Privacy-Enhancing Technologies

Users should leverage Tor or VPN services to obfuscate their network traffic and enhance anonymity.

Countermeasure in place? ❌ Public and disclosable? ✔

Bitcoin Layer 1 (system in scope - ID: BITCOIN_LAYER1)

The base layer of Bitcoin blockchain used for anchoring Layer 2 transactions.

ARK Off-chain Transactions (dataflow in scope - ID: ARK_TRANSACTIONS)

Transactions processed off-chain within the ARK network before final settlement on Bitcoin L1.

ARK Hub (system in scope - ID: ARK_HUB)

Centralized or semi-centralized hubs that facilitate batching and processing of ARK transactions.

User Wallets (system in scope - ID: USER_WALLETS)

Wallets used by end-users to interact with the ARK network and execute transactions.

Double Spending in Off-chain Transactions (ARK_DOUBLE_SPENDING)

Assets (IDs) involved in this threat:

• ARK_TRANSACTIONS - ARK Off-chain Transactions

Threat Description

The attacker attempts to make multiple payments before the finalization of off-chain transactions.

Impact

A malicious user may attempt to spend funds multiple times by exploiting delays in settlement finality.
DOUBLE_SPENDING_PREVENTION

CVSS

Base score: 9.1 (Critical)
Vector:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Counter-measures for ARK_DOUBLE_SPENDING

TIMELOCKS Timelocks on Transactions

Implement timelocks to prevent double-spending attempts.

Countermeasure in place? ✔ Public and disclosable? ✔ Is operational?✔ (operated by UNDEFINED)

Hub Collusion Attack (HUB_COLLUSION)

Assets (IDs) involved in this threat:

• ARK_HUB - ARK Hub

Threat actors:

• MALICIOUS_HUB

Threat Description

Multiple hubs conspire to delay or censor transactions to gain an unfair advantage.

Impact

Colluding hub operators could manipulate transaction processing or withhold transactions.
AVAILABILITY

CVSS

Base score: 9.0 (Critical)
Vector:CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H

Counter-measures for HUB_COLLUSION

HUB_DECENTRALIZATION Distributed Hub Network

Encourage a decentralized set of hubs to reduce collusion risks.

Countermeasure in place? ❌ Public and disclosable? ✔ Is operational?✔ (operated by UNDEFINED)

User Privacy Leakage (PRIVACY_LEAK)

Assets (IDs) involved in this threat:

• USER_WALLETS - User Wallets

Threat actors:

• NETWORK_ATTACKER

Threat Description

An attacker monitors transaction flow to de-anonymize users.

Impact

User transaction data could be leaked due to weak privacy mechanisms.
CONFIDENTIALITY

CVSS

Base score: 6.5 (Medium)
Vector:CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Counter-measures for PRIVACY_LEAK

COINJOIN_INTEGRATION CoinJoin Integration

Use privacy-enhancing techniques like CoinJoin to obfuscate transactions.

Countermeasure in place? ❌ Public and disclosable? ✔

Funds Locked Due to Hub Unresponsiveness (FUND_LOCKUP)

Assets (IDs) involved in this threat:

• ARK_TRANSACTIONS - ARK Off-chain Transactions

Threat actors:

• MALICIOUS_HUB

Threat Description

The hub operator ceases operations or withholds processing transactions, leading to user funds being locked.

Impact

If a hub becomes unresponsive, user funds may become locked and inaccessible.
AVAILABILITY

CVSS

Base score: 9.1 (Critical)
Vector:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Counter-measures for FUND_LOCKUP

REFUND_TRANSACTION Refund Transactions After 4 Weeks

Implement automatic refund transactions to return locked funds to the original owners after a pre-defined timeout period (e.g., 4 weeks).

Countermeasure in place? ❌ Public and disclosable? ✔ Is operational?✔ (operated by UNDEFINED)

Denial of Service Attack on Hubs (DOS_ATTACK)

Assets (IDs) involved in this threat:

• ARK_HUB - ARK Hub

Threat actors:

• NETWORK_ATTACKER

Threat Description

An attacker sends a large volume of requests to overload the network.

Impact

A flood of transactions could overwhelm ARK hubs and degrade service.
AVAILABILITY

CVSS

Base score: 7.5 (High)
Vector:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Counter-measures for DOS_ATTACK

RATE_LIMITING Rate Limiting on Hubs

Implement rate limiting and anomaly detection to mitigate attacks.

Countermeasure in place? ❌ Public and disclosable? ✔ Is operational?✔ (operated by UNDEFINED)