The author of this post decided to look into DFX after only looking into smart contract security for a month. DFX is a decentralized exchange built specifically for stablecoin swaps.
Fee on Transfer (FoT) tokens are a specific type of ERC20 token whose balance is diminished as they are spent: a portion of every transfer is taken as a fee, so the recipient receives less than the amount sent. This breaks the math in many protocols, making it a common (yet well-known) finding.
First, they reported that FoT tokens can break the protocol. The fee is effectively paid by the liquidity providers, who gradually lose their investment in the trading pair; over time, all of the FoT token would be gone.
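To make the accounting problem concrete, here is an added Python model (not code from the DFX repo or the bounty report) of a single-asset pool holding an FoT token. The token, its 1% fee, the two LPs and their deposit sizes are all constructed; the naive pool credits the nominal `amount`, the hardened one credits the measured balance change.

```python
from dataclasses import dataclass, field

@dataclass
class FeeOnTransferToken:
    """ERC20-like token that burns `fee_bps` of every transfer (constructed model)."""
    fee_bps: int
    balances: dict = field(default_factory=dict)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        fee = amount * self.fee_bps // 10_000  # receiver gets amount - fee
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount - fee

class Pool:
    """Single-asset pool issuing 1:1 shares; `credit_by_delta` selects the hardened accounting."""
    def __init__(self, token, credit_by_delta):
        self.token, self.credit_by_delta, self.shares = token, credit_by_delta, {}

    def deposit(self, lp, amount):
        before = self.token.balances.get("pool", 0)
        self.token.transfer(lp, "pool", amount)
        received = self.token.balances["pool"] - before
        credited = received if self.credit_by_delta else amount  # naive code trusts `amount`
        self.shares[lp] = self.shares.get(lp, 0) + credited
        return credited

    def withdraw(self, lp):
        owed = self.shares.pop(lp)
        if self.token.balances.get("pool", 0) < owed:
            raise RuntimeError("insolvent: recorded liabilities exceed real balance")
        self.token.transfer("pool", lp, owed)
        return owed

def simulate(credit_by_delta, fee_bps=100):
    """Alice and Bob each deposit 1,000,000 units, then withdraw in turn.
    Returns (liabilities minus real balance after deposits, whether the last LP was paid)."""
    token = FeeOnTransferToken(fee_bps, {"alice": 1_000_000, "bob": 1_000_000})
    pool = Pool(token, credit_by_delta)
    pool.deposit("alice", 1_000_000)
    pool.deposit("bob", 1_000_000)
    shortfall = sum(pool.shares.values()) - token.balances["pool"]
    pool.withdraw("alice")
    try:
        pool.withdraw("bob")
        return shortfall, True
    except RuntimeError:
        return shortfall, False
```

Even the hardened pool does not make LPs whole: each of them still pays the fee on the way in and on the way out, which is exactly the gradual drain the report describes. Measuring the balance delta only keeps the pool's liabilities honest so that the last LP is not the one left unpaid.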
The second finding is a little weird to me, in that it was accepted. The repo assumes that 1 USDC = 1 USD in fiat currency; everything revolves around USDC being stable and normal. Even a previous audit from Trail of Bits mentioned this.
The author tried to find a way to break the protocol using this knowledge of USDC. Since USDC is upgradeable, a change to its implementation could break the entire protocol. In particular, building on the previous finding, changing it into an FoT token really breaks it.
They tried reporting these bugs as critical severity issues, which is completely ludicrous. Instead, the project rated these two bugs as mediums and paid out 5K apiece. To me, this is a crazy amount to pay out, since both are extremely theoretical issues.
Personally, I'm a little offended that this got paid out. I felt like they over-reported the issues and tried reporting something that was theoretical in nature, yet still got paid. Typically, I think about what an attacker can completely control. In this case, it was USDC updating its implementation or the use of an FoT token that caused the issue; both are completely out of an attacker's control.
They did include a PoC for each bug and an explanation of the impact, so I do believe that helped a bunch. Should I change my perspective on what is reportable? In my mind, I should probably think about actors besides myself in the game. Additionally, thinking about potential usage, such as FoT tokens in this case, can be useful for saving the protocol from a hack before it occurs.