Story / story-protocol

Story is making the legal system for creative Intellectual Property (IP) more efficient by turning IP "programmable" on the blockchain. To do this, we have created Story Network: a purpose-built layer 1 blockchain where people or programs alike can license, remix, and monetize IP according to transparent terms set by creators themselves.

Prize distribution and scoring

• Total Prize Pool: $1,000,000

• Primary Prize Pool: $975,000

• The prize distribution has 2 possible triggers:

  • If one or more valid medium severity findings are found, the total pot size is $300,000
  • If one or more valid high severity findings are found, the total pot size is $1,000,000

• $25,000 of the prize pot is reserved for Low Severity findings. Please note only the findings that add value to the protocol would be considered. Reviewers are then ranked from 1st to 5th for the purpose of prize allocation.

  • 1st: $10k
  • 2nd: $7.5k
  • 3rd: $5k
  • 4th: $1.25k
  • 5th: $1.25k

Early Submission Incentive

To make sure the Story Protocol launch is completed on schedule, researchers are incentivized to submit High/Medium severity findings early, ie: as soon as one is found. The first valid submission will be rewarded an additional 20% reward, in comparison to its subsequent duplicates.

• The finding must identify the root cause, highest valid impact and describe the finding with all the necessary details to consider it valid.
• Please note that low quality or vague submissions or submissions that could be subject to interpretations will not be considered for the additional reward.
• The escalation process will not apply for these rewards and there will be no discussion for these rewards. The decision made by the Judges/Story protocol team on these rewards will be final.
• Example: If a finding has 5 duplicates.
  • Using regular each of the duplicates would get $2000 each
  • With the current incentive of 20%. The earliest valid submission gets $2307.72, and the rest of the duplicates get $1923.07 each.

Note:

Given that this is a public competition, all fixes will either be implemented after the competition ends or handled privately.

However, since many protocols are currently being built on top of Story, in the extremely rare case that a critical finding requires an immediate public fix to minimize the impact on all protocols relying on Story, all findings submitted up until the time of public disclosure or the fix will be considered valid.

Please note that this is a highly unlikely scenario, and this rule is in place only for such unavoidable situations.

• Scoring described in the competition scoring page.
• Findings Severities described in detail on our docs page.

Documentation

• https://docs.story.foundation

• L1

  • story-network
  • tokenomics-staking
  • network-faq

• PoC

  • https://docs.story.foundation/docs/quickstart
  • https://docs.story.foundation/docs/overview

Scope

• Repository (Consensus Client and predeploys): https://github.com/piplabs/story

  • Commit: 17eaf993cfc6dea113f2f25639115a5e3eed50ae
  • Files:
    • /contracts/src/protocol
    • /client/x
    • /client/app (except rollback.go)
    • /client/collections
    • /contracts/script/GenerateAlloc.s.sol

• Repository (Cosmos SDK Fork): https://github.com/piplabs/cosmos-sdk/tree/piplabs/v0.50.10

  • Commit: 38b778fd588cf8a86b562a816be90a7b2dca9ee9
  • Files:
    • diff between cosmos-sdk/tree/release/v0.50.x and piplabs/v0.50.10

• Repository (Execution client precompiles): https://github.com/piplabs/story-geth/

  • Commit: f8f011802e48958767fba607c3a0c6bd86d3b9c5
  • Files:
    • /core/vm/ipgraph.go
    • /core/vm/contracts.go
    • /crypto/secp256r1/verifier.go

• Repository (Proof Of Creativity Protocol): https://github.com/storyprotocol/protocol-core-v1

• Commit: 1505d7952bbd248ecaceb7427768dda2ebc75ad3

  • Files:
    • /contracts/
    • /script/foundry/deployment/Main.s.sol

Build Instructions

• For L1, use the localnet repo
  • https://github.com/piplabs/story-localnet
• For POC:
  • https://github.com/storyprotocol/protocol-core-v1/blob/main/README.md

Basic POC test

• For smart contract related issues, create a foundry script in the related repo to be able to import related contracts (protocol-contract-v1 or story)

• Protocol-contract-v1 uses a mock for ip-graph, in order to interact with our precompile you can deploy protocol-contract-v1 on localnet, instructions are in protocol-contract-v1 README

POC Rule

• For smart contracts: The mandatory POC rule applies and must be included during submission.
• For go/node related: As there is sufficient tooling present for this, The mandatory POC rule applies and must be included during submission.

Out of scope

• Previous Security Reports

• Active issues and unmerged PRs such as:
• https://github.com/piplabs/story/issues/438
• Malleability in secp256r1 precompile https://github.com/piplabs/story-geth/pull/76
• Security issues in base geth and cosmos-sdk that were not introduced by us

• Automated findings by Lightchaser

• Piplabs Story Lightchaser Report
• Proof of Creativity Protocol Report

Contact Us

For any issues or concerns regarding this competition, please reach out to the Cantina core team through the Cantina Discord.