story-protocol

story-protocol

@Story
Live

Maximum reward

600,000 USD (in $IP)

Severity

Max. Reward

Critical

600,000 USD (in $IP)

High

50,000 USD (in $IP)

Medium

10,000 USD (in $IP)

Low

2,000 USD (in $IP)

Informational

100 USD (in $IP)

No deposit required

Findings submitted

134

Start date

11 Feb 2025

Please sign in as a researcher to join the bounty.

Log in
InstructionsScope

In scope

Blockchain LayerSmart Contract LayerWebsite & App LayerAt risk but not listed

Severity

Min and Max Reward

CriticalDiscretionary
HighDiscretionary

If you discover a vulnerability in any component not explicitly In Scope, but which poses a risk to user funds, user data, or system integrity, you may submit it for consideration. Our team will review such submissions on a case-by-case basis.

Out of scope

General

  • Entries generated with ChatGPT/LLM tools.
  • Entries without any working POC.
  • Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).
  • Previously known vulnerabilities in cometBFT, cosmos-sdk and or/any other fork of these.
  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage.
  • Impacts caused by attacks requiring access to leaked keys/credentials.
  • Impacts caused by attacks requiring access to privileged addresses (governance and other RBAC roles) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible.
  • Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production.
  • Issues reported in the previous Cantina Competition. Report available soon.
  • Issues from our previous security audits.
  • Feature requests and best practice recommendations.
  • Social engineering and phising.

Smart Contracts/Blockchain

  • Incorrect data supplied by third party oracles.
  • Impacts requiring basic economic and governance attacks (e.g. 51% attack).
  • Lack of liquidity impacts.
  • Impacts from Sybil attacks.
  • Impacts involving centralization risks.
  • 3rd party asset drainers that use phishing and ERC20/ERC721 approve() or other standard methods.

Websites and Apps

  • Takeovers due to social engineering are excluded from the program.
  • Domains not yet in production.
  • Any domain/subdomain related to poseidon or psnd.
  • Theoretical impacts without any proof or demonstration.
  • Impacts involving attacks requiring physical access to the victim device.
  • Impacts involving attacks requiring access to the local network of the victim.
  • Reflected plain text injection (e.g. url parameters, path, etc.).
  • This does not exclude reflected HTML injection with or without JavaScript.
  • Open ports with no proven risk (e.g., port 22 open on SSH with key-based authentication).
  • Lack of security headers (e.g., missing CSP, X-Frame-Options, HSTS, unless proven to be exploitable).
  • Stack traces & error messages (unless they leak sensitive information).
  • Captcha bypass using OCR without impact demonstration.
  • Impacts causing only the enumeration or confirmation of the existence of users or tenants.
  • Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows.
  • Lack of SSL/TLS best practices.
  • Impacts that only require DDoS.
  • UX and UI impacts that do not materially disrupt use of the platform.
  • Impacts primarily caused by browser/plugin defects.
  • Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.).
  • Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass).
  • Publicly accessible .git directories (if no sensitive files are exposed).
  • SPF/DMARC issues (unless there is active email spoofing that affects Story Protocol users).
  • Outdated software without a working proof of concept (e.g., reporting "Nginx 1.18.0" without showing an exploit).
  • Clickjacking on non-sensitive pages (e.g., informational pages).
  • Self-XSS (XSS that only affects the person reporting it).
  • CSRF (Cross-Site Request Forgery) on blockchain transactions (since blockchain transactions require explicit user signing).
  • CORS misconfigurations that do not allow credential theft or sensitive data exposure.
  • Rate-limiting issues on public, non-sensitive APIs (e.g., public block explorer APIs).
  • Missing email verification (since Web3 users often rely on wallet authentication rather than email-based login).
  • Login/logout CSRF (only relevant if authentication relies solely on cookies, which is less common in Web3).
  • Session fixation (not relevant if the system uses stateless authentication like JWTs).