How My Exploit Was Rejected in a Bug Bounty (and What I Learned)
In March 2025, I submitted what I believed was a critical smart contract vulnerability to a bug bounty program. I had everything lined up: clear analysis, a reproducible Proof of Concept (PoC), and a detailed understanding of the exploit mechanics.
But the report was rejected.
This post isn't just about the rejection; it's about the journey that led there, the valuable technical and strategic lessons I gained, and why I'm now more prepared than ever for the next hunt.
The Exploit I Discovered
The vulnerability centered on a replayable token approval mechanism involving a contract that allowed the setting of an external router. Here’s how the issue unfolded:
1. A user approved a contract (Zapper-like) to transfer tokens for a deposit or action.
2. The attacker, who has permission to set the router, swaps in a malicious FakeRouter.
3. This FakeRouter's swap() function issues an approve() to the attacker.
4. The attacker then calls the token's transferFrom() via the main contract.
5. Tokens are moved without the user's consent: a classic approval misuse.
It was clean, logical, and demonstrated in a passing test case that confirmed the balance had been drained.
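To make the trust-boundary point concrete, here is an added Solidity sketch; it is not the post's own contract or test, and the interfaces, contract names and `swap()` signature are assumptions. It places the risky shape (a privileged role can repoint the router, and the zapper grants whatever router is set a standing, unbounded allowance) beside a hardened shape where the router is fixed at deployment and allowances are sized to the call and cleared afterwards, so no role can later redirect user funds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface needed here (assumed interface, not the post's code).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical router interface: pulls `amountIn` of `token` from the caller via
// the allowance the caller granted, and sends the output to `recipient`.
interface IRouter {
    function swap(address token, uint256 amountIn, address recipient) external;
}

// Risky shape (constructed for illustration): the owner can repoint the router at
// any time, and zap() leaves an unbounded allowance to that router in place.
// Whether this is a valid bounty finding depends on whether `owner` sits inside
// the program's trust boundary; the code is the same either way.
contract RoutableZapper {
    address public owner;
    IRouter public router;

    constructor(IRouter initialRouter) {
        owner = msg.sender;
        router = initialRouter;
    }

    function setRouter(IRouter newRouter) external {
        require(msg.sender == owner, "not owner");
        router = newRouter; // no delay, no allowlist: takes effect immediately
    }

    function zap(address token, uint256 amount) external {
        IERC20(token).transferFrom(msg.sender, address(this), amount);
        // Standing, unbounded allowance: survives the call and follows the router address.
        IERC20(token).approve(address(router), type(uint256).max);
        router.swap(token, amount, msg.sender);
    }
}

// Hardened shape: no privileged role can redirect funds after deployment, and the
// router only ever holds an allowance for the exact amount of the current call.
contract FixedRouterZapper {
    IRouter public immutable router;

    constructor(IRouter fixedRouter) {
        router = fixedRouter;
    }

    function zap(address token, uint256 amount) external {
        require(amount > 0, "zero amount");
        IERC20 t = IERC20(token);
        // Some tokens return no bool on these calls; production code would use SafeERC20.
        require(t.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        require(t.approve(address(router), amount), "approve failed"); // exact, per-call allowance
        router.swap(token, amount, msg.sender);
        require(t.approve(address(router), 0), "allowance reset failed"); // nothing left to pull later
    }
}
```

The two contracts differ in exactly the properties a triager looks at: who can change where funds flow, and how much a third-party contract can pull after the transaction ends. If a program's policy treats the owner as trusted, the first contract is in scope only for the standing allowance, not for the router change itself; the second removes both questions.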
Why It Was Rejected
The core reason: the attacker needed owner privileges to carry out the exploit.
Even though the logic was exploitable in a technical sense, the bug required an action only a trusted party (the owner) could perform. Under most bounty programs, this places it out of scope, since trusted roles are assumed to act responsibly unless specifically compromised.
That was the turning point.
What I Learned
Technical feasibility isn't always enough. Bounty programs also judge based on threat model and trust boundaries.
Trusted roles = trusted behavior (unless stated otherwise). If an exploit hinges on the owner behaving maliciously, it's usually not valid.
Your test suite can be sharp even if the report fails. I improved my Foundry test structure and proof formatting, and gained deeper knowledge of ERC20 behavior, router integrations, and replay attack vectors.
Final Thoughts
This wasn't a waste of time; it was one of the most insightful learning experiences I've had in Web3 security. I now approach bounties with sharper threat modeling awareness and an improved PoC workflow.