Arc Opens Its Code, Its Nodes, and a Formal Path to Break It Before Mainnet
# bug-bounty
# rpc providers
# developer updates
Arc code is now open-source. A dedicated bug bounty is live on HackerOne. Anyone can run an Arc node. External scrutiny scales up before capital is at risk.
Tim Baker
As Arc moves toward mainnet, broader external scrutiny matters more than internal confidence. Today three things are live: Arc testnet code is open-source, the Arc bug bounty is live on HackerOne, and anyone can run an Arc node.
Together, these changes expand how Arc can be inspected, tested, and challenged before capital is at risk.
What is now live
Open-source testnet code
The Arc testnet codebase is publicly available at https://github.com/circlefin/arc-node. Researchers and builders can read the implementation, compile it, and work directly from the code.
Bug bounty on HackerOne
What is it: A dedicated Bug Bounty Campaign scoped specifically to Arc, within Circle’s broader HackerOne program.
When is it: April 9, 2026 through June 1, 2026
What to know: Submissions can only be eligible for a prize under one of the initiatives. This bounty targets reproducible, security-relevant findings that materially affect network safety, liveness, correctness, or reliability. It has a defined scope, triage, and payouts for valid findings.
Anyone can run an Arc node
A node verifies every block by checking validator signatures, executes every transaction locally through the EVM, maintains its own copy of chain state, and exposes a local Ethereum JSON-RPC API at localhost:8545 for querying blocks, balances, transactions, and submitting calls against verified state. No rate limits or third-party dependencies. Lower latency. Full data sovereignty.
The node is a full node, not a validator. It does not participate in consensus or observe consensus gossip messages. The execution layer is built on Reth. The consensus layer is built on Malachite.
Why this matters before mainnet
Researchers, audit firms, infrastructure teams, and builders now have a structured path to evaluate Arc in practice: read the code, run a node, probe for issues, and report through a formal disclosure channel. Open-source code and independent node operations widen the review surface. A formal bounty program gives that review a defined place to land.
This complements internal review and external audits, adding the kind of scrutiny that only comes from giving outside parties the tools to inspect Arc closely and test it under controlled conditions.
The testing model: local only, realistic conditions
One important constraint: bug bounty testing must happen locally. Researchers must not test against Arc Public Testnet.
The attacker model is intentionally narrow, consistent with standard Layer-1 threat models. Arc is looking for vulnerabilities where an external party runs a crafted node or sends crafted transactions or messages to attempt to break, slow, trick, or leak information from correct, unmodified Arc nodes. That keeps the program focused on findings that matter under realistic production conditions.
Findings must reproduce against correct, unmodified Arc nodes in a controlled local environment. Reports should include:
A working proof of concept
Environment and version details
Clear reproduction steps
A concise explanation of impact
Reports that rely on vague theory, modified attacker-controlled nodes alone, or behavior that cannot be reproduced fall outside scope. While these are the guidelines, you should also review the official rules on HackerOne.
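An added example, not code from the Arc repository or the HackerOne rules: a Python script that gathers the "environment and version details" for a report from the local JSON-RPC endpoint described above, and refuses any endpoint that is not loopback, in keeping with the local-only testing rule. It assumes the node answers the standard Ethereum JSON-RPC methods `web3_clientVersion`, `eth_chainId`, `eth_blockNumber` and `eth_syncing`; the function names are illustrative.

```python
import ipaddress
import json
import platform
import urllib.request
from urllib.parse import urlparse

RPC_URL = "http://localhost:8545"  # local JSON-RPC endpoint named in the post

def is_loopback(url):
    """True only if the URL host is 'localhost' or a loopback IP address."""
    host = urlparse(url).hostname or ""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other DNS name is treated as non-local

def rpc_call(url, method, params=None, timeout=5):
    """Send one JSON-RPC 2.0 request and return its 'result' field."""
    if not is_loopback(url):
        raise ValueError(f"refusing non-local endpoint: {url}")
    body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method,
                       "params": params or []}).encode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(f"{method}: {reply['error']}")
    return reply["result"]

def environment_report(call=rpc_call, url=RPC_URL):
    """Collect node and host details for a report's environment section."""
    # Assumption: the node serves these standard Ethereum JSON-RPC methods.
    syncing = call(url, "eth_syncing")  # False once the node has caught up
    return {
        "endpoint": url,
        "client_version": call(url, "web3_clientVersion"),
        "chain_id": int(call(url, "eth_chainId"), 16),
        "block_height": int(call(url, "eth_blockNumber"), 16),
        "syncing": syncing is not False,
        "host_os": platform.platform(),
        "python": platform.python_version(),
    }

if __name__ == "__main__":
    print(json.dumps(environment_report(), indent=2))
```

Run it next to the node and paste the JSON output into the report alongside the reproduction steps.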
How to participate in bug bounty
Start with the HackerOne program page for scope, eligibility, and submission requirements. Use the Arc documentation to set up a local environment, review the repositories in scope, reproduce findings locally, and submit complete reports through HackerOne with the required proof of concept and supporting documentation. Official rules are found on the HackerOne page.
For teams evaluating Arc operationally rather than through bounty work, running a node is now part of that path, offering independent verification and local API access.