Pool accounting & payout routing under stress
AmlGroup concentrates commingled deposits, anonymity-set bookkeeping, timed releases, fee sweeps, and privileged views — fertile ground for balance theft, attribution leaks, or double-spend in pool ledgers. Each critical earns $5,000.
In scope: amlgroup.top hosts, APIs, bots, signing services, staging shards.
Legal floor: financial crime, harassment — barred; bounty is for defensive security.
1. Kill chain from root cause → exploit steps → measurable loss or integrity break
2. Proof the attack succeeds (replayed APIs showing balance drift, withdraw replay, admin boundary cross)
Narratives without replayable exploits stall below payout threshold.
Why probe AmlGroup?
Flat $5K critical payouts
Validated critical exploits with reproducible payloads earn exactly $5,000 USD — no spreadsheet bingo.
Trading + custody blast radius
Order APIs, WS books, withdraw workers — bugs cash out as silent drift until someone scripts the replay.
No fake micro-scope list
If AmlGroup can patch it — pool math to payout workers — escalate until severity lands.
Responsible disclosure halo
Demonstrated chains earn coordinated publication credit after fixes ship.
$5,000 per validated critical
There is exactly one bounty amount on this ledger: validated critical findings pay $5,000 USD each. Novel low-severity items may qualify for goodwill credit but not this stipend. Paid rows require attacker-readable kill chains and replayable exploitation artefacts (Burp exports, parallel withdraw harnesses, WS replay dumps, signing traces…).
- Unauthorized withdrawals or balance inflation at scale
- Forging signed API/withdraw intents
- Universal read of other users’ positions or deposit history
- Break-glass access to signing or treasury policy
- Persisted RCE in trading or custody control plane
- SSRF into HSM/KMS bridges AmlGroup exposes
- Cross-user ledger bleed, margin math desync, or duplicate settlement
- Withdraw/deposit pipeline integrity break exploitable remotely
- SSRF from AmlGroup workers to cloud signing metadata planes
Illustrative map (non-exhaustive)
Rows below do not cap surface. Anything AmlGroup hosts, signs, matches, settles, or withdraws through counts as bounty ground. “Not listed” ≠ “out-of-scope.”
| Surface | Class | Critical payout |
|---|---|---|
| amlgroup.top, subdomains, web UI | Web | $5,000 / validated bug |
| Pool / mixer APIs · deposit credentials | Backend | $5,000 / validated bug |
| Payout orchestration · signing policy | Custody | $5,000 / validated bug |
| Admin / support rails | Ops | $5,000 / validated bug |
Everything AmlGroup operates — no exclusions list
Sandbox books or pool clusters, Grafana, bot hooks for risk alerts, partner APIs fronted by AmlGroup — all eligible when critical impact reproduces.
- Vanity domains CNAME’d into AmlGroup edge — show DNS/traffic proof in your write-up.
- Wallet connector SDKs or bookmarklets AmlGroup ships
- Colocated market-making or liquidity pool containers they operate
- Bridge, on-ramp, or pool callbacks verified with AmlGroup-issued secrets
Rules of engagement
- Prove exploitation success. Provide scripts, HARs, parallel request captures, or signing traces showing fund/state impact — not paper analysis alone.
- Number your hops. Session/API primitive → escalation → treasury or book integrity break.
- Minimize real-user blast radius. Prefer mirrors, low-value accounts, and reversible payloads when demonstrating theft-class bugs.
- Private coordination first. Use official intake on amlgroup.top before public threads.
- Duplicate fairness. First qualifying PoC wins; followers close acknowledged-only.
How to submit a report
Use the security / vulnerability disclosure contact published on https://amlgroup.top/ (security@amlgroup.top is a common guess — verify on the live site before emailing). Template below.
# Title
[Critical][Exploit-Proven] <tight title>
# Executive summary — trader/treasury impact in one paragraph
# Severity self-classification → must map to AmlGroup critical definitions above
## Attack chain narrative (numbered, no gaps)
1. Preconditions (session, API key tier, market symbol, account ID)
2. Entry primitive — HTTP/WS line + signature headers
3. Pivot(s) → privilege/order/withdraw escalation
4. Final hop → balance theft / forged payout / infra takeover equivalent
## Successful exploitation evidence
• Scripted replay showing ledger/withdraw impact
• Parallel request traces (race/double-spend)
• Custody or admin log lines proving attacker-forged intent accepted
## Reproduction package
Commands + fixtures + commit/patch SHAs
## Disclosure ack
Private channel only until AmlGroup clears publication
Withdraw race vignette · pair with parallel request logs
Illustrative race on debit + enqueue — worthless without captures on amlgroup.top.
```javascript
// BUGGY: non-atomic balance check + debit — parallel wins double payout
// Two concurrent calls can both read the same balance before either debit
// lands, so both pass the check and both enqueue a payout.
async function requestWithdraw(userId, amount) {
  const bal = await db.getBalance(userId);            // read
  if (bal < amount) throw new Error('insufficient');  // check against a value that is stale by the time of the debit
  await db.debit(userId, amount);                     // unconditional write
  await queue.enqueuePayout(userId, amount);
}
```
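The race above, carried through end to end as an added example (this is not AmlGroup's code and not from the original page): a constructed in-memory ledger stands in for the database, the vignette's read-check-debit pattern runs beside a version whose debit is a single conditional operation, and a reconciliation invariant shows how the drift would surface to a defender. Every name here (`makeLedger`, `debitIfSufficient`, `race`, `ledgerInvariantHolds`, the user `alice`) is an assumption made for the example.

```javascript
// Added example, not AmlGroup's code: an in-memory ledger that mimics an async
// database round trip, the non-atomic check-then-debit from the vignette beside a
// version whose debit is one conditional operation, and a drift check a reconciler
// could run. All names (makeLedger, debitIfSufficient, race, ...) are assumptions.

// Constructed store. Each method yields to the event loop before acting, which is
// enough to interleave concurrent callers the way a real DB round trip would.
function makeLedger(initialBalances) {
  const balances = new Map(Object.entries(initialBalances));
  const payouts = [];
  const tick = () => new Promise((resolve) => setImmediate(resolve));
  return {
    async getBalance(userId) {
      await tick();
      return balances.get(userId) ?? 0;
    },
    async debit(userId, amount) {
      await tick();
      balances.set(userId, (balances.get(userId) ?? 0) - amount);
    },
    // Check and subtract in one synchronous step after the round trip: the
    // in-memory analogue of a single conditional UPDATE whose affected-row count
    // tells the caller whether the debit happened.
    async debitIfSufficient(userId, amount) {
      await tick();
      const bal = balances.get(userId) ?? 0;
      if (bal < amount) return false;
      balances.set(userId, bal - amount);
      return true;
    },
    async enqueuePayout(userId, amount) {
      await tick();
      payouts.push({ userId, amount });
    },
    balanceOf(userId) {
      return balances.get(userId) ?? 0;
    },
    payouts,
  };
}

// The vignette's pattern: read, check, then an unconditional write.
async function requestWithdrawBuggy(ledger, userId, amount) {
  const bal = await ledger.getBalance(userId);
  if (bal < amount) throw new Error('insufficient');
  await ledger.debit(userId, amount);
  await ledger.enqueuePayout(userId, amount);
}

// Hardened: the balance check is part of the debit itself, so concurrent callers
// serialize on the store instead of on a stale read. The payout is only enqueued
// once the debit is confirmed.
async function requestWithdrawSafe(ledger, userId, amount) {
  if (!Number.isInteger(amount) || amount <= 0) throw new Error('bad amount');
  const debited = await ledger.debitIfSufficient(userId, amount);
  if (!debited) throw new Error('insufficient');
  await ledger.enqueuePayout(userId, amount);
}

// Fire `concurrency` identical withdrawals at once against a fresh ledger holding
// `initial` for one constructed user, and summarize what happened.
async function race(handler, concurrency, initial, amount) {
  const ledger = makeLedger({ alice: initial });
  const results = await Promise.allSettled(
    Array.from({ length: concurrency }, () => handler(ledger, 'alice', amount))
  );
  return {
    accepted: results.filter((r) => r.status === 'fulfilled').length,
    payoutTotal: ledger.payouts.reduce((sum, p) => sum + p.amount, 0),
    finalBalance: ledger.balanceOf('alice'),
  };
}

// Reconciliation invariant a payout worker or nightly audit can assert: no
// account goes negative and paid-out value never exceeds what was deposited.
function ledgerInvariantHolds(initial, summary) {
  return summary.finalBalance >= 0 && summary.payoutTotal <= initial;
}

// Stand-alone demo: five simultaneous withdrawals of the full 100 balance.
// Buggy path: all five accepted, 500 paid out, balance -400.
// Safe path: one accepted, 100 paid out, balance 0.
(async () => {
  console.log('buggy', await race(requestWithdrawBuggy, 5, 100, 100));
  console.log('safe ', await race(requestWithdrawSafe, 5, 100, 100));
})();
```

The fix is in where the decision is made: `debitIfSufficient` decides and writes in the same step the store executes, so the second caller observes the first caller's debit rather than a pre-debit snapshot. In a real deployment that step is a conditional `UPDATE` with a row-count check, a `SELECT ... FOR UPDATE` inside the same transaction, or a per-account lock; the reconciliation invariant is the cheap detection layer that catches any path that still slips through.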
Frequently asked questions
Is anything “out of scope” besides crime?
No discretionary product carve-outs — only legal/ethical bases. If AmlGroup routes traffic there, document the chain until triage rejects specifics.
Theory-only reports?
No payout. $5K demands reproducible success proof.
Staging fair game?
Yes when AmlGroup operates and labels it; mirror production auth & routing semantics.
Duplicates?
Fastest fully valid PoC wins treasury.
Lower severities?
Not under the $5K critical rubric — escalate impact or accept non-cash acknowledgement.
Critical chain + working exploit = $5,000
No narrow scope appendix — document the attack, prove it lands, file privately.