Introduction of Platform

Bugforge.io is an online cybersecurity practice platform focused on web application security challenges, designed mainly for bug bounty hunters, security researchers, and penetration testers to sharpen their skills. The platform offers two types of challenges: daily challenges, worth 10 points each, and weekly challenges, where one challenge is released per week and is worth 50 points.

What I Discovered

To be honest, I was recording a walkthrough video for one of the challenges that I had already solved when I noticed something strange. I was able to get points for the same challenge twice, but only in a special case.

You can watch the video where I triggered the bug for the first time. The bug cannot be triggered normally; it requires a specific timing condition. I had to wait until the next day to reproduce the bug and gain the extra points.

Proof of Concept

I had solved 8 challenges and earned 80 points. There were only 4 minutes left before the current challenge expired and a new challenge was released (current time: 13:44 NPT). I had already solved the current challenge, but I was recording a walkthrough video.

As you can see, there were only four minutes left before the expiration of the current challenge and the release of the new one.

I restarted the lab and opened my Caido setup to solve the challenge again.

I restarted the lab at 13:40 NPT (local time) and obtained the flag at 13:44 NPT, which means the new challenge had already been released and the submission time for the old challenge should have expired.

I submitted the flag at 13:45 NPT (the usual expiry time for old challenges). The platform accepted the flag as correct and increased my streak, but it also threw an error message:

At 13:45 NPT, I had not solved the new challenge (0 solves at that time), but my daily streak was still saved because of the old challenge submission. Initially, I thought it was just luck.

The next day, February 5, I tried the same technique with the challenge “CopyPasta”, and I successfully reproduced the bug. I gained an extra 10 points from the same challenge. Even though I hadn’t solved the new challenge, my streak was still counted.

By exploiting this vulnerability, I reached Top 1 on the leaderboard.

Bug Report Submission

I reported the bug to the platform developer with a proper POC (Proof of Concept). On February 6, the issue was resolved, and I was asked to confirm whether it still existed. I attempted the same technique again, but the bug had already been fixed.

As a result, I received a new achievement called Forge Breaker for finding and responsibly disclosing a bug on the platform.

Vulnerable Workflow

As per the developer, here is the vulnerable workflow:

Finds the old lab instance (still exists in DB with the correct flag)
Tries to look up the active schedule → Returns NULL (schedule expired)
Sets `scheduleInstanceId = null` instead of rejecting
Skips the "already solved" check because there's no scheduleInstanceId
Awards points and updates streak as if it's a fresh solve
Returns success (though feedback endpoint would show the error)
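
The workflow above, modelled in memory as an added example; this is not the platform's code. Every name except `scheduleInstanceId` is hypothetical, the data is constructed, and the hardened handler shows one way to close the gap (fail closed when no active schedule exists), not necessarily the fix the developer shipped.

```javascript
// Constructed state: one lab whose schedule has expired, already solved by "alice".
function makeState() {
  return {
    labs: { lab1: { flag: "FLAG{constructed}", scheduleId: "sched-old" } },
    activeSchedules: {},                   // expired: lookup finds nothing
    solves: new Set(["alice:sched-old"]),  // the earlier, legitimate solve
    users: { alice: { points: 80, streak: 8 } },
  };
}

function award(state, user) {
  state.users[user].points += 10;  // daily challenge value
  state.users[user].streak += 1;
}

// Vulnerable: an expired schedule turns into null, which silently
// disables the "already solved" check instead of rejecting the request.
function submitVulnerable(state, user, labId, flag) {
  const lab = state.labs[labId];
  if (!lab || lab.flag !== flag) return { ok: false, reason: "wrong flag" };
  const schedule = state.activeSchedules[lab.scheduleId];
  const scheduleInstanceId = schedule ? schedule.id : null;
  if (scheduleInstanceId && state.solves.has(`${user}:${scheduleInstanceId}`)) {
    return { ok: false, reason: "already solved" };
  }
  award(state, user);
  return { ok: true };
}

// Hardened: reject when the schedule is not active, and run the
// duplicate check unconditionally before awarding anything.
function submitFixed(state, user, labId, flag) {
  const lab = state.labs[labId];
  if (!lab || lab.flag !== flag) return { ok: false, reason: "wrong flag" };
  const schedule = state.activeSchedules[lab.scheduleId];
  if (!schedule) return { ok: false, reason: "challenge expired" };
  const key = `${user}:${schedule.id}`;
  if (state.solves.has(key)) return { ok: false, reason: "already solved" };
  state.solves.add(key);
  award(state, user);
  return { ok: true };
}
```
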