Security has always been a huge interest of mine, and when I dove into Web3 that interest was amplified further when it seemed like every week another protocol was being hacked for millions of dollars. Smart contracts are open to inspection and may hold huge amounts of tokens, which makes it lucrative for black hats to scan every line of code looking for a way to drain the contract. In response, a lot of these protocols run large public bug bounties so that white hats, or really any user, can report bugs that would be damaging to the protocol. These bounties can reach multiple millions of dollars. A few NFT projects have also implemented bug bounties, and to my surprise, the one NFT project whose Discord I used to hang around in a lot started one for their next phase.
https://medium.com/@AugmintedLabs/kaijukingz-p2e-bug-bounty-864f7fe9e9c
There are three categories of potential bugs, with scaling rewards according to their severity (rewards may be claimed as the NFT or its floor value equivalent in ETH):
Minor Bug: this would cause the contract to be less gas efficient, less scalable, or less interoperable. Reward: Mutant Kaiju
Major Bug: this may cause the contract to need to be redeployed; it may have a workaround, but would likely have the potential to cause users to lose some assets. Reward: Baby Kaiju
Critical Bug: this category of bug would result in a total failure of the contract, cause users to lose assets, or cause the overall ecosystem to collapse. Reward: Genesis Kaiju
With the scope (and rewards) in mind, I went and did a deep dive into the new ecosystem they were developing. I read the whitepaper and tried to understand what they wanted the code to achieve before reading a single line of it. This step matters in an audit, because you can only judge whether everything functions as intended if you first know what was intended. Next, I played around with their interactive example of their tokenomics system to understand how the new token, $SCALES, was to be used. Finally, it was time to dig into the smart contracts.
During the time this bug bounty was live, I was still very new to bug hunting. My approach was always to look at every single line of code multiple times to make sure there were no bugs and that I was sure the code was safe. As I have looked at more contracts, it has become apparent that this is not always necessary. Certain parts of contracts have the highest likelihood of containing critical, medium, or low severity vulnerabilities. I wish I had used this approach when looking at these contracts, because even for protocols that are not super complex or do not have a huge codebase, looking at every line is time consuming. It's good for thorough audits, bad if there are tight time constraints. It was two days before the ecosystem was set to launch on mainnet when I finally found something in one of the last Solidity files.
The main purpose of the new smart contracts was to have users stake their NFTs into the contract, which would then generate $SCALES. KaijuKingz has two main types of NFTs in their main collection: Genesis Kaiju (the first 3333 minted) and Baby Kaiju, which are created by burning a certain amount of $RWASTE that Genesis Kaiju passively generate. Naturally, Genesis Kaiju are worth a lot more than their counterpart.
I realized that although the staking function kept track of whose token belonged to whom, the unstaking function never checked that record before transferring the token back to the caller.
This meant that anyone could stake one token and unstake any token. The main attack vector would be to deposit a Baby Kaiju and then unstake a Genesis Kaiju, swapping out one NFT for another user's NFT worth four times or more the value of the one originally staked. An attacker could also swap out one Genesis Kaiju for another with rarer traits that was therefore more valuable. I quickly submitted my report and anxiously watched the time tick closer to launch.
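To make the bug concrete, here is a minimal staking vault I constructed for this post (it is not the KaijuKingz contract's code). It records the staker on deposit, then shows an unstake path that mirrors the reported bug next to one that checks the recorded staker; the interface, contract and function names are my own assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-721 surface needed for custody transfers (constructed, not the project's interface).
interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical staking vault modelled on the bug described above.
// Unlike the real contract, it accepts a single collection and emits no $SCALES.
contract KaijuStakingExample {
    IERC721 public immutable kaiju;
    // tokenId => wallet that staked it. Written on stake, so the data needed to
    // authorize an unstake is present; the vulnerable path simply never reads it.
    mapping(uint256 => address) public stakedBy;

    constructor(IERC721 collection) { kaiju = collection; }

    function stake(uint256 tokenId) external {
        // transferFrom reverts unless msg.sender owns or is approved for tokenId,
        // so custody and the bookkeeping below stay consistent on deposit.
        kaiju.transferFrom(msg.sender, address(this), tokenId);
        stakedBy[tokenId] = msg.sender;
    }

    // VULNERABLE: mirrors the reported bug. Any caller can withdraw any staked
    // token because stakedBy is never consulted before the transfer.
    function unstakeVulnerable(uint256 tokenId) external {
        delete stakedBy[tokenId];
        kaiju.transferFrom(address(this), msg.sender, tokenId);
    }

    // FIXED: bind the withdrawal to the wallet recorded at stake time. A token
    // that was never staked has stakedBy == address(0), so the check also
    // rejects withdrawals of tokens the vault merely happens to hold.
    function unstake(uint256 tokenId) external {
        require(stakedBy[tokenId] == msg.sender, "not staker");
        // Clear state before the external call (checks-effects-interactions).
        delete stakedBy[tokenId];
        kaiju.transferFrom(address(this), msg.sender, tokenId);
    }
}
```

A unit test for the fix stakes one token from wallet A, has wallet B call unstake(tokenId), and expects the "not staker" revert; the same call against unstakeVulnerable succeeds and hands B the token.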
I woke up the next morning to a confirmation of the bug report and was soon awarded a Genesis Kaiju!
https://github.com/augmintedlabs/kaiju-p2e-bug-bounty/issues/1