story-protocol

Story Protocol is a peer-to-peer intellectual property network that creates a programmable market for knowledge and creativity. Scientific and creative assets are registered on a universal ledger with customizable usage parameters.

All assets are equipped with a composable interface that can be consumed by any software application or artificial intelligence model, allowing intellectual property to be used and monetized across the internet. A network-wide graph coordinates all intellectual property assets, with nodes representing atomic assets and edges representing the legal and economic commitments between them.

The network evaluates the uniqueness of each asset via an asynchronous and decentralized validation service driven by cryptoeconomic incentives. Participation in the protocol contributes to the growth of the only open and permissionless repository of the world’s knowledge and creativity.

Scope

The World's IP Blockchain has several layers: Layer 1 blockchain (Cosmos fork as CL, Geth fork with IPGraph precompile as EL), Proof of Creativity smart contract protocol and several apps to help users.

In-Scope Targets:

• Blockchain Layer

  • https://github.com/piplabs/story
  • https://github.com/piplabs/story/tree/main/contracts
  • https://github.com/piplabs/story-geth (Only the vulnerabilities related to our modifications to the Geth codebase))
  • Story’s modifications to Cosmos
    • https://github.com/piplabs/cosmos-sdk/tree/piplabs/v0.50.10

• Smart Contract Layer:

  • https://github.com/storyprotocol/protocol-periphery-v1
  • https://github.com/storyprotocol/protocol-core-v1

• Web Interface / Application:

  • *.storyprotocol.xyz
  • *.storyrpc.io
  • *.storyprotocol.net
  • *.story.foundation
  • *.storyapis.com
  • *.piplabs.xyz

If you discover a vulnerability in any component not explicitly listed but which poses a risk to user funds, user data, or system integrity, you may submit it for consideration. Our team will review such submissions on a case-by-case basis.

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

Severity Level	Impact: Critical	Impact: High	Impact: Medium	Impact: Low
Likelihood: High	Critical	High	Medium	Low
Likelihood: Medium	High	High	Medium	Low
Likelihood: Low	Medium	Medium	Low	Informational

Likelihood Definitions:

• High: Very easy to exploit or highly incentivized.
• Medium: Exploitation is possible under certain conditions.
• Low: Difficult to exploit or requires highly specific conditions.

Impact Definitions:

For Blockchain Layer

• Critical Severity
  • Minting tokens violating protocol invariants (tokens per block, staked tokens)
  • Takeover smart contract admin methods.
  • Violating BFT assumptions, acquiring voting power vastly disproportionate (20x) to stake, or any other issue that can meaningfully compromise the integrity of the blockchain’s proof of stake governance.
  • User Fund Vulnerabilities: Exploits causing the permanent locking, loss, or theft of multiple user funds greater than $5M.
  • Network not being able to confirm new transactions (total network shutdown) requiring a hard fork or rollback to resolve
• High Severity
  • Temporary total network shutdown or unintended chain split (duration greater than 1 hour)
  • Non network critical loss of funds at protocol level
• Medium Severity
  • Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network
  • Moderate impact on usability, monetary losses, or integrity.
• Low Severity
  • Small impact, minor exploit that does not affect security.
• Info
  • No direct security impact, but best practice improvements.

Smart Contract Layer:

NOTE: PoC Periphery contract related issues will be considered Low.

• Critical Severity

  • Protocol critical loss of funds and/or IPAsset property
  • Total denial of service caused by errors in the protocol smart contracts
  • Governance takeovers for protocol critical roles

• High Severity

  • Non protocol-critical loss of funds and/or IPAsset property
  • Denial of service on critical modules (license, registration, royalties)

• Medium Severity

  • Moderate impact on usability, monetary losses, or integrity
  • Denial of service on non critical modules or for a single user

• Low Severity

  • Small impact, minor exploit that does not affect security
  • Most periphery related issues

• Informational

  • No direct security impact, but best practice improvements

App Layer: Website, Apps and APIs

• Critical Severity
  • Full compromise of wallets, infrastructure, or API security
  • Examples:
    • Account takeover, Private key leakage, RCE on production systems, SSRF leading to internal network access, Database dumps with sensitive data, Critical auth bypass, Takeover of Story Protocol’s cloud environment (e.g., AWS, GCP, Azure)
• High Severity
  • Major security impact but no full compromise
  • Example: High-impact IDOR, Significant authentication/authorization bypass, Stored XSS affecting admin or privileged users, SSRF leading to internal metadata exposure, High-severity API leaks
• Medium Severity
  • Moderate security impact with limited scope
  • Example:
    • Low-impact IDOR, Reflected/stored XSS affecting standard users, Moderate API misconfigurations, Rate-limiting bypasses that allow mass account enumeration, Sensitive information exposure in error messages
• Low Severity
  • Minor security misconfigurations with limited real-world impact
  • Example:
    • Self-XSS, Missing security headers, Lack of HTTP-only or secure flags on cookies, Rate-limiting bypass on non-sensitive endpoints
• Informational
  • No immediate security impact, but good security hygiene
  • Example:
    • Minor misconfigurations, DNS record leaks, Outdated libraries (with no PoC exploit), Security best-practice suggestions

Payout Guidelines

Payments will be in $IP tokens, denominated in USD at the time of submission.

• For Blockchain Layer

Severity	Reward
Critical	$30,000 - $600,000
High	$10,000 - $30,000
Medium	$2,000 - $10,000
Low	$500 - $2,000
Informational	$0 - $100

• Smart Contract Layer

Severity	Reward
Critical	$50,000 - $150,000
High	$10,000 - $50,000
Medium	$2,000 - $10,000
Low	$500 - $2,000
Informational	$0 - $100

• App Layer: Website, Apps and APIs

Severity	Reward
Critical	$3000 - $30000
High	$1500 - $3000
Medium	$500 - $1500
Low	$100 - $500
Informational	$0

Note: Actual reward amounts are determined at Story Protocol’s sole discretion. Factors influencing payout include report quality, completeness, and severity/exploitability.

Out of Scope:

The following vulnerabilities are excluded from the rewards for this bug bounty program:

• Entries generated with ChatGPT/LLM tools.
• Entries without any working POC.
• Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).
• Previously known vulnerabilities in Tendermint, cosmos-sdk and or/any other fork of these.
• Impacts requiring attacks that the reporter has already exploited themselves, leading to damage.
• Impacts caused by attacks requiring access to leaked keys/credentials.
• Impacts caused by attacks requiring access to privileged addresses (governance and other RBAC roles) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible.
• Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production.
• Issues reported in the previous Cantina Competition. Report available soon.
• Issues from our previous security audits.
• Feature requests and best practice recommendations.
• Social engineering and phising.

Smart Contracts/Blockchain

• Incorrect data supplied by third party oracles.
• Impacts requiring basic economic and governance attacks (e.g. 51% attack).
• Lack of liquidity impacts.
• Impacts from Sybil attacks.
• Impacts involving centralization risks.
• 3rd party asset drainers that use phishing and ERC20/ERC721 approve() or other standard methods.

Website and Apps

• Theoretical impacts without any proof or demonstration.
• Impacts involving attacks requiring physical access to the victim device.
• Impacts involving attacks requiring access to the local network of the victim.
• Reflected plain text injection (e.g. url parameters, path, etc.).
• This does not exclude reflected HTML injection with or without JavaScript.
• Open ports with no proven risk (e.g., port 22 open on SSH with key-based authentication).
• Lack of security headers (e.g., missing CSP, X-Frame-Options, HSTS, unless proven to be exploitable).
• Stack traces & error messages (unless they leak sensitive information).
• Captcha bypass using OCR without impact demonstration.
• Impacts causing only the enumeration or confirmation of the existence of users or tenants.
• Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows.
• Lack of SSL/TLS best practices.
• Impacts that only require DDoS.
• UX and UI impacts that do not materially disrupt use of the platform.
• Impacts primarily caused by browser/plugin defects.
• Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.).
• Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass).
• Publicly accessible .git directories (if no sensitive files are exposed).
• SPF/DMARC issues (unless there is active email spoofing that affects Story Protocol users).
• Outdated software without a working proof of concept (e.g., reporting "Nginx 1.18.0" without showing an exploit).
• Clickjacking on non-sensitive pages (e.g., informational pages).
• Self-XSS (XSS that only affects the person reporting it).
• CSRF (Cross-Site Request Forgery) on blockchain transactions (since blockchain transactions require explicit user signing).
• CORS misconfigurations that do not allow credential theft or sensitive data exposure.
• Rate-limiting issues on public, non-sensitive APIs (e.g., public block explorer APIs).
• Missing email verification (since Web3 users often rely on wallet authentication rather than email-based login).
• Login/logout CSRF (only relevant if authentication relies solely on cookies, which is less common in Web3).
• Session fixation (not relevant if the system uses stateless authentication like JWTs).

Program Rules

• Theoretical entries, entries without any working POC and ones generated with ChatGPT/LLM tools will be discarded. Any medium or higher severity vulnerabilities should come with a working POC that can be demonstrated on a local test environment that can be reproduced with the instructions in the appendix.
• You must send a clear and concise textual description of vulnerability, along with steps to reproduce the issue and/or a Proof of Concept, include attachments such as screenshots or proof of concept code as necessary.
• Avoid using web application scanners for automatic vulnerability searching which generates massive traffic.
• Make every effort not to damage or restrict the availability of products, services, or infrastructure.
• Avoid compromising any personal data, interruption, or degradation of any service.
• Don't access or modify other user data, localize all tests to your accounts.
• Perform testing only within the scope.
• Don't exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam.
• Don't spam forms or account creation flows using automated scanners.
• Don't break any law and stay in the defined scope.
• Any details of found vulnerabilities must not be communicated to anyone who is not Cantina Team or an authorized employee of Piplabs or Story Foundation without appropriate permission.
• In case that your findings is valid you will be asked for KYC verification to proceed with payments.

Eligibility

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

• Current employees ,vendors (auditors), partners and contractors of Story Protocol and Story Foundation are not eligible to participate in the bug bounty program.
• Former employees and contractors of Piplabs and Story Foundation, who ceased working with the aforementioned entities must wait 6 months before they are eligible to participate in the bug bounty program.
• Sanctioned individuals and/or organizations are not eligible to participate in the bug bounty program. These restrictions are put in place to ensure the objectivity of the bug bounty program and to prevent any potential conflicts of interest.
• You must be the first reporter of a vulnerability.
• The vulnerability must be a qualifying vulnerability
• Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through Cantina.

Disclosure Guidelines

• Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
• No vulnerability disclosure, including partial is allowed for the moment. The team will disclose the vulnerability publicly when safe, thanking the researcher if they choose to.

Response Times

• Critical: Response within 24 hours.
• High: Response within 48 hours.
• Medium and Low: Response within 72 hours.