story-protocol

@Story
Live

Maximum reward: 600,000 USD (in $IP)

Max. reward by severity:

  • Critical: 600,000 USD (in $IP)
  • High: 50,000 USD (in $IP)
  • Medium: 10,000 USD (in $IP)
  • Low: 2,000 USD (in $IP)
  • Informational: 100 USD (in $IP)

No deposit required

Findings submitted: 134

Start date: 11 Feb 2025


In scope

Min. and max. reward by severity:

  • Critical: 3,001 USD (in $IP) to 30,000 USD (in $IP)
  • High: 1,501 USD (in $IP) to 3,000 USD (in $IP)
  • Medium: 501 USD (in $IP) to 1,500 USD (in $IP)
  • Low: 100 USD (in $IP) to 500 USD (in $IP)

  • *.storyprotocol.xyz
  • *.storyrpc.io
  • *.storyprotocol.net
  • *.story.foundation
  • *.storyapis.com
  • *.piplabs.xyz

Impact Definition

  • Critical Severity
    • Full compromise of wallets, infrastructure, or API security
    • Examples:
      • Account takeover, private key leakage, RCE on production systems, SSRF leading to internal network access, database dumps containing sensitive data, critical authentication bypass, takeover of Story Protocol’s cloud environment (e.g., AWS, GCP, Azure)
  • High Severity
    • Major security impact but no full compromise
    • Examples:
      • High-impact IDOR, significant authentication/authorization bypass, stored XSS affecting admin or privileged users, SSRF leading to internal metadata exposure, high-severity API leaks
  • Medium Severity
    • Moderate security impact with limited scope
    • Examples:
      • Low-impact IDOR, reflected/stored XSS affecting standard users, moderate API misconfigurations, rate-limiting bypasses that allow mass account enumeration, sensitive information exposure in error messages
  • Low Severity
    • Minor security misconfigurations with limited real-world impact
    • Examples:
      • Self-XSS, missing security headers, lack of HttpOnly or Secure flags on cookies, rate-limiting bypass on non-sensitive endpoints
  • Informational
    • No immediate security impact, but good security hygiene
    • Examples:
      • Minor misconfigurations, DNS record leaks, outdated libraries (with no PoC exploit), security best-practice suggestions

Out of scope

General

  • Entries generated with ChatGPT/LLM tools.
  • Entries without a working PoC.
  • Previously known vulnerabilities (resolved or not) on the Ethereum network (and any fork of it).
  • Previously known vulnerabilities in CometBFT, cosmos-sdk and/or any fork of these.
  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage.
  • Impacts caused by attacks requiring access to leaked keys/credentials.
  • Impacts caused by attacks requiring access to privileged addresses (governance and other RBAC roles), except where the contracts are intended to have no privileged access to the functions that make the attack possible.
  • Mentions of secrets, access tokens, API keys, private keys, etc. on GitHub are out of scope without proof that they are in use in production.
  • Issues reported in the previous Cantina Competition. Report available soon.
  • Issues from our previous security audits.
  • Feature requests and best-practice recommendations.
  • Social engineering and phishing.

Smart Contracts/Blockchain

  • Incorrect data supplied by third party oracles.
  • Impacts requiring basic economic and governance attacks (e.g. 51% attack).
  • Lack of liquidity impacts.
  • Impacts from Sybil attacks.
  • Impacts involving centralization risks.
  • 3rd party asset drainers that use phishing and ERC20/ERC721 approve() or other standard methods.

Websites and Apps

  • Takeovers due to social engineering are excluded from the program.
  • Domains not yet in production.
  • Any domain/subdomain related to poseidon or psnd.
  • Theoretical impacts without any proof or demonstration.
  • Impacts involving attacks requiring physical access to the victim device.
  • Impacts involving attacks requiring access to the local network of the victim.
  • Reflected plain-text injection (e.g. URL parameters, path, etc.). This does not exclude reflected HTML injection, with or without JavaScript.
  • Open ports with no proven risk (e.g., port 22 open for SSH with key-based authentication).
  • Lack of security headers (e.g., missing CSP, X-Frame-Options, HSTS, unless proven to be exploitable).
  • Stack traces & error messages (unless they leak sensitive information).
  • Captcha bypass using OCR without impact demonstration.
  • Impacts causing only the enumeration or confirmation of the existence of users or tenants.
  • Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows.
  • Lack of SSL/TLS best practices.
  • Impacts that only require DDoS.
  • UX and UI impacts that do not materially disrupt use of the platform.
  • Impacts primarily caused by browser/plugin defects.
  • Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.).
  • Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass).
  • Publicly accessible .git directories (if no sensitive files are exposed).
  • SPF/DMARC issues (unless there is active email spoofing that affects Story Protocol users).
  • Outdated software without a working proof of concept (e.g., reporting "Nginx 1.18.0" without showing an exploit).
  • Clickjacking on non-sensitive pages (e.g., informational pages).
  • Self-XSS (XSS that only affects the person reporting it).
  • CSRF (Cross-Site Request Forgery) on blockchain transactions (since blockchain transactions require explicit user signing).
  • CORS misconfigurations that do not allow credential theft or sensitive data exposure.
  • Rate-limiting issues on public, non-sensitive APIs (e.g., public block explorer APIs).
  • Missing email verification (since Web3 users often rely on wallet authentication rather than email-based login).
  • Login/logout CSRF (only relevant if authentication relies solely on cookies, which is less common in Web3).
  • Session fixation (not relevant if the system uses stateless authentication like JWTs).