A story about @blast — or how you could’ve been drained to zero. While building on Blast, I stumbled onto something big. The Blast wallet supports transaction batching (EIP‑5792). But here’s the catch: If you batch transactions in a certain order, only the first transaction in the batch is shown to the user. Everything after that? Auto‑signed. Zero visibility. This means a malicious dApp could slip in unlimited token approvals behind an innocent‑looking “mint NFT” click. The user thinks they minted a free NFT (because that’s the only transaction the Blast wallet showed them). In reality, they just gave an attacker the right to drain every ERC‑20 they own. For context, I recently deployed an app on Blast and checked some stats using their API: • 148 installs for unblur in just 4 days • $665,843 sitting in the wallets of just 19 users who interacted Scale that up (think “free mint” for an upcoming hyped project) and you’re staring at a multi‑million dollar risk. Even if users’ funds were staked somewhere, the moment they withdraw, the attacker could sweep everything instantly. I disclosed the bug. Blast patched it in 7 days, labeled it “medium” severity, and sent me a $10k bounty. Here’s the question, though: with the potential to drain $1M+, is a $10k bounty really enough to incentivize reporting vs exploiting?