Assalamualaikum everyone! It's been a while since I shared any of my bug bounty findings. I've been diving deep into new technologies, learning, experimenting, and of course… hacking! 😄

Today, I'm excited to finally write about one of the most critical vulnerabilities I've discovered in a Web3 platform. This flaw had the potential to expose thousands of users' personal information, breaking the very privacy principles that Web3 is built on.

In this write-up, I'll take you through:

  • How I identified this high-impact vulnerability
  • What sensitive data was exposed
  • How easily it could be exploited
  • Why this could have resulted in serious real-world consequences

Before we dive into the bug, here's a quick introduction about who I am:

My name is Mohaseen, and I'm a Cybersecurity Researcher & Bug Bounty Hunter with a strong passion for Web, Cloud, and Web3 security. I started exploring ethical hacking and bug bounty in 2019, and since then, I've been continuously learning, experimenting, and pushing my limits in the security space.

Over the years, my work has earned me multiple acknowledgments including:

  • 4× Apple Hall of Fame
  • Recognitions from leading global organizations
  • Certifications like BSCP, EWPTX, eJPT, CRTA, CCSP-AWS, and more

Cybersecurity isn't just a profession for me. It's what I enjoy the most. I love identifying loopholes that others overlook and helping companies secure what matters.

Now, with that said… Let's jump right into how I uncovered a $50,000 Web3 security issue hidden in plain sight.

The Bug - How It All Began

Once I locked onto this Web3 target, I did what every bug bounty hunter does first: I started my recon. I fired up my custom reconnaissance script, the one I've been improving over time, and let it enumerate subdomains and endpoints quietly in the background. But instead of sitting idle, I opened Burp Suite and began manually browsing the target. I've learned that automation helps you scale, but manual analysis is where the real magic happens.

While crawling through the target tab in Burp, one particular subdomain stood out to me: something like payment.redacted.com. The word payment immediately triggered my curiosity. Where there are payments, there are users. And where there are users, there is always a chance of sensitive data exposure.

I opened the subdomain to explore further and quickly noticed requests pointing to a GraphQL endpoint.

Now, for those who are new to GraphQL: It's a modern query language for APIs, designed so clients can request exactly the data they need. But with great flexibility comes great potential for misconfiguration. If developers forget proper access control or leave introspection open in production, an attacker can map the entire backend structure like a blueprint to the kingdom.

So I did the first thing any security researcher would do. I tested for introspection.

And guess what? It was wide open.

In a matter of seconds, I was staring at the full schema: tables, fields, data relationships, everything. It felt like I had found their internal database documentation served directly through the browser.

At this point, I loaded the schema into Burp's InQL extension, which is built exactly for hunting GraphQL misconfigurations. I started enumerating every query and mutation, one by one. Initially, most of it looked harmless. But bug hunting teaches you patience. So I kept digging.

Then, after filtering out some unnecessary fields and fine-tuning a query request…

I finally found it.

A single unauthenticated query that returned everything: user identities, personal emails, phone numbers, physical locations, payment information, transaction history, and even JWT tokens, all exposed to anyone who knew how to ask.

No login. No token. No restrictions. Just… wide open access.

This was not just a bug. It was a privacy disaster waiting to happen.
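As an added example (not code from this write-up, and not the target's own), here is a Python request guard that a GraphQL gateway could run in front of its resolvers: it refuses introspection in production and refuses queries that touch user-data root fields unless the caller is authenticated. The sensitive field names and the sample requests are assumptions constructed for the demo; the real schema was never published.

```python
import json
import re

# `__typename` is deliberately absent: clients use it legitimately and it
# reveals nothing about the schema.
INTROSPECTION_FIELDS = {"__schema", "__type"}
# Root fields returning per-user data. Hypothetical names for this example;
# the write-up does not publish the real schema.
SENSITIVE_FIELDS = {"users", "transactions", "paymentMethods"}
IDENT = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")

def query_tokens(query: str) -> set:
    """Identifiers in a GraphQL document, string literals and comments removed.
    Coarse on purpose: it may over-flag, but an alias (`x: users`) or a
    fragment cannot hide a sensitive field name from it."""
    text = re.sub(r'"""(?:(?!""").)*"""|"(?:\\.|[^"\\\n])*"', '""', query, flags=re.S)
    text = re.sub(r"#[^\n]*", "", text)
    return set(IDENT.findall(text))

def is_authenticated(headers: dict) -> bool:
    """Stand-in for the server's real check, which must verify the JWT's
    signature, expiry and audience before trusting the caller."""
    return headers.get("Authorization", "").startswith("Bearer ")

def evaluate(request: dict, production: bool = True) -> dict:
    """Decide whether one GraphQL request may proceed, and record why not."""
    try:
        query = json.loads(request["body"]).get("query", "")
    except (ValueError, KeyError, AttributeError):
        return {"allow": False, "findings": ["malformed_body"]}
    tokens = query_tokens(query)
    findings = []
    if production and tokens & INTROSPECTION_FIELDS:
        findings.append("introspection_in_production")
    if tokens & SENSITIVE_FIELDS and not is_authenticated(request.get("headers", {})):
        findings.append("unauthenticated_sensitive_query")
    return {"allow": not findings, "findings": findings}

def audit(requests: list, production: bool = True) -> list:
    """Findings per request, in order; an empty list means the request passed."""
    return [evaluate(r, production)["findings"] for r in requests]

# Constructed sample traffic for the demo, not captured from any real system.
SAMPLE_REQUESTS = [
    {"headers": {}, "body": json.dumps({"query": "{ __schema { types { name } } }"})},
    {"headers": {}, "body": json.dumps({"query": "{ all: users(first: 100) { email phone } }"})},
    {"headers": {"Authorization": "Bearer <placeholder-jwt>"},
     "body": json.dumps({"query": "{ users { email } }"})},
    {"headers": {}, "body": json.dumps({"query": "{ publicStats { volume __typename } }"})},
]
```

Running `audit(SAMPLE_REQUESTS)` flags the first two requests and passes the last two; the same schema query is allowed when `production=False`, which is where introspection belongs.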

Why This Was a Web3 Nightmare

What made this even more critical was the nature of the platform. Web3 is built on anonymity. When you make a blockchain transaction, the world only sees a wallet address, not the person behind it.

But with this exposure, anonymity evaporated.

I could connect real human identities to their blockchain wallets:

  • Who paid whom
  • How many transactions they made
  • Where they were located
  • Which emails and phone numbers belonged to which wallet

This completely breaks one of the foundational promises of decentralized finance.

For attackers, this would be a goldmine:

  • Targeted phishing and scams
  • Wallet takeover attempts using linked accounts
  • Identity theft
  • Extortion linked to transaction history

And even worse, manipulating or stealing JWTs could allow account takeover.

This was a critical vulnerability in every sense.

The High-Stakes Reality Check

I compiled a clean Proof-of-Concept:

  • Screenshots of exposed data
  • Automated exploit script that fetched 8000+ user emails in minutes
  • Full impact explanation and recommendations

Then I submitted it to the program and waited…

Web3 bounty programs are known for high payouts, and for this company, critical-severity bugs were listed at $50,000. I won't lie, I started dreaming a little. New setup? Travel? Save half… maybe?

After almost a week, the reply finally arrived.

They agreed:

  • Severity: Critical
  • Impact: High
  • Exposure: Severe

But then came the twist:

The subdomain was considered out of scope.

So the classification was downgraded. And the reward dropped from $50,000

…to $200.

And just like that, the dream collapsed.

But that's bug bounty. One minute you're calculating life-changing numbers, the next you're receiving a "Thanks for your contribution!" email with an amount that barely covers a fancy dinner.

The Lesson

Disappointments happen. Big expectations sometimes lead to small payouts. But every valid report teaches something new and every new skill gets us closer to that one game-changing bounty.

This was one of those experiences. High impact. High learning. High hopes. Low payout. But I walked away better than before and that matters more than the money.

And with that, this chapter ends for now. We'll return next week with a fresh write-up and another story from the hunt.

LinkedIn: http://linkedin.com/in/mohaseen-katika/

Website: http://mohaseen.live