story-protocol


@Story
Live

Maximum reward: 600,000 USD (in $IP)

Max. reward by severity

Critical: 600,000 USD (in $IP)
High: 50,000 USD (in $IP)
Medium: 10,000 USD (in $IP)
Low: 2,000 USD (in $IP)
Informational: 100 USD (in $IP)

No deposit required

Findings submitted: 134

Start date: 11 Feb 2025


In scope

Min and max reward by severity

Critical: 30,001 USD (in $IP) to 600,000 USD (in $IP)
High: 10,002 USD (in $IP) to 30,000 USD (in $IP)
Medium: 2,001 USD (in $IP) to 10,000 USD (in $IP)
Low: 500 USD (in $IP) to 2,000 USD (in $IP)
Informational: Up to 100 USD (in $IP)

Only latest release branches are covered.

Impact definition

  • Critical Severity
    • Minting tokens violating protocol invariants (tokens per block, staked tokens)
    • Takeover of smart contract admin methods.
    • Violating BFT assumptions, acquiring voting power vastly disproportionate (20x) to stake, or any other issue that can meaningfully compromise the integrity of the blockchain’s proof of stake governance.
    • User Fund Vulnerabilities: Exploits causing the permanent locking, loss, or theft of multiple user funds greater than $5M.
    • Network not being able to confirm new transactions (total network shutdown) requiring a hard fork or rollback to resolve
  • High Severity
    • Temporary total network shutdown or unintended chain split (duration greater than 1 hour)
    • Non-network-critical loss of funds at the protocol level.
  • Medium Severity
    • Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network
    • Moderate impact on usability, monetary losses, or integrity.
  • Low Severity
    • Small impact, minor exploit that does not affect security.
  • Info
    • No direct security impact, but best practice improvements.

Out of scope

General

  • Entries generated with ChatGPT/LLM tools.
  • Entries without any working PoC.
  • Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).
  • Previously known vulnerabilities in CometBFT, cosmos-sdk and/or any other fork of these.
  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage.
  • Impacts caused by attacks requiring access to leaked keys/credentials.
  • Impacts caused by attacks requiring access to privileged addresses (governance and other RBAC roles) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible.
  • Mentions of secrets, access tokens, API keys, private keys, etc. in GitHub will be considered out of scope without proof that they are in use in production.
  • Issues reported in the previous Cantina Competition. Report available soon.
  • Issues from our previous security audits.
  • Feature requests and best practice recommendations.
  • Social engineering and phishing.

Smart Contracts/Blockchain

  • Incorrect data supplied by third party oracles.
  • Impacts requiring basic economic and governance attacks (e.g. 51% attack).
  • Lack of liquidity impacts.
  • Impacts from Sybil attacks.
  • Impacts involving centralization risks.
  • 3rd party asset drainers that use phishing and ERC20/ERC721 approve() or other standard methods.

Websites and Apps

  • Takeovers due to social engineering are excluded from the program.
  • Domains not yet in production.
  • Any domain/subdomain related to poseidon or psnd.
  • Theoretical impacts without any proof or demonstration.
  • Impacts involving attacks requiring physical access to the victim device.
  • Impacts involving attacks requiring access to the local network of the victim.
  • Reflected plain text injection (e.g. URL parameters, path, etc.).
  • This does not exclude reflected HTML injection with or without JavaScript.
  • Open ports with no proven risk (e.g., port 22 open on SSH with key-based authentication).
  • Lack of security headers (e.g., missing CSP, X-Frame-Options, HSTS, unless proven to be exploitable).
  • Stack traces & error messages (unless they leak sensitive information).
  • Captcha bypass using OCR without impact demonstration.
  • Impacts causing only the enumeration or confirmation of the existence of users or tenants.
  • Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows.
  • Lack of SSL/TLS best practices.
  • Impacts that only require DDoS.
  • UX and UI impacts that do not materially disrupt use of the platform.
  • Impacts primarily caused by browser/plugin defects.
  • Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.).
  • Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass).
  • Publicly accessible .git directories (if no sensitive files are exposed).
  • SPF/DMARC issues (unless there is active email spoofing that affects Story Protocol users).
  • Outdated software without a working proof of concept (e.g., reporting "Nginx 1.18.0" without showing an exploit).
  • Clickjacking on non-sensitive pages (e.g., informational pages).
  • Self-XSS (XSS that only affects the person reporting it).
  • CSRF (Cross-Site Request Forgery) on blockchain transactions (since blockchain transactions require explicit user signing).
  • CORS misconfigurations that do not allow credential theft or sensitive data exposure.
  • Rate-limiting issues on public, non-sensitive APIs (e.g., public block explorer APIs).
  • Missing email verification (since Web3 users often rely on wallet authentication rather than email-based login).
  • Login/logout CSRF (only relevant if authentication relies solely on cookies, which is less common in Web3).
  • Session fixation (not relevant if the system uses stateless authentication like JWTs).