What will you do and what will be your approach if you were given a website with these security measures in a private program to pentest

Soo, I was invited to a private program by a company to pen test. The company uses Cloudflare, encrypted the body of their requests with a custom encryption algorithm and blocked all direct access to the Ip address of their server with cloudflare. Encrypting the body of their request means i can’t view the content of the main request content i need.

If you were promised a million dollars to find a security bug in their infrastructure, what will be your approach, what are the things you will look out for considering that all request bodies from their website to their server is encrypted.

If you are interested in joining me and get a cut of my payment if we find a valid security bug please let me know.