Story / Security Assessment Completed

Strengthening Blockchain-Based IP Management

At FuzzingLabs we recently completed a comprehensive security assessment of Story, a decentralized network that aims to revolutionize intellectual property (IP) management. This audit was undertaken to ensure the security and resilience of its blockchain-based infrastructure, smart contracts, and consensus mechanisms. Below, we provide an overview of our findings, the steps taken by the Story team to address vulnerabilities, and the broader implications of this assessment.

What Is Story?

Story is a decentralized Layer 1 blockchain tailored for managing IP rights. It enables creators to tokenize, program, and monetize their assets while fostering transparency and security. Core innovations include IP Assets and IP Accounts, which allow for dynamic control over royalties, licensing, and on-chain interactions. By leveraging blockchain technology, Story empowers creators and developers with tools for collaborative content creation, licensing, and dispute resolution.

Audit Overview

Our audit spanned 50 man-days, leveraging four dedicated FuzzingLabs experts who conducted in-depth reviews of the execution layer, consensus layer, and smart contract modules. The assessment included:

Codebase Evaluation: Reviewing Solidity smart contracts, Geth modifications, and Cosmos SDK customizations.

Threat Modeling: Identifying potential attack vectors across network layers, APIs, and consensus mechanisms.

Chaos Testing: Stress testing the execution and consensus layers for edge cases and unexpected behavior.

Key Findings

The audit of Story uncovered a range of vulnerabilities, categorized by their severity—critical, high, medium, low, and informational. These findings represent a comprehensive examination of the protocol’s codebase, consensus mechanisms, and smart contracts.

In this section, we present some of the key findings identified during the audit. While not exhaustive, this summary highlights the most notable issues uncovered and resolved. For a full breakdown of all findings, please refer to the complete audit report.

Critical Issues

1. Network can be halted by spamming the mempool

Attackers could halt the network by exploiting the Tendermint RPC endpoint.

High Issues

2. IPAccount can steal all group rewards

A flaw in the distributeRewards() function lets a malicious IP owner duplicate their IP asset ID to claim multiple shares, effectively hijacking the group’s royalty pool.
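As an added illustration (not Story's code), the hypothetical Solidity contract below puts the vulnerable shape of this finding, a caller-supplied member list that is credited per entry, next to a hardened version that freezes the per-member share for a distribution round and records each IP asset ID as credited, so a duplicated ID reverts instead of being paid twice.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical group royalty pool (not Story's code). Members are IP Accounts
// identified by address; undistributed royalties are split equally among them.
contract GroupRewardPoolExample {
    mapping(address => bool) public isMember;
    uint256 public memberCount;
    uint256 public pool;                              // undistributed royalties
    mapping(address => uint256) public rewards;       // credited per IP Account
    // Hardened path only: one claim per member per distribution round.
    uint256 public round;
    uint256 public sharePerMember;
    mapping(uint256 => mapping(address => bool)) public claimed;

    function addMember(address ipId) external {
        require(!isMember[ipId], "already a member");
        isMember[ipId] = true;
        memberCount += 1;
    }

    function fund() external payable { pool += msg.value; }

    // Vulnerable shape: every entry in ipIds is credited a share, so passing
    // [myIp, myIp, myIp] lets one member take the other members' rewards.
    function distributeRewardsVulnerable(address[] calldata ipIds) external {
        uint256 share = pool / memberCount;
        for (uint256 i = 0; i < ipIds.length; i++) {
            require(isMember[ipIds[i]], "not a member");
            rewards[ipIds[i]] += share;
            pool -= share;
        }
    }

    // Hardened: freeze the per-member share for a round, then credit each
    // member at most once in that round, whatever the input array contains.
    function startRound() external {
        require(memberCount > 0, "no members");
        round += 1;
        sharePerMember = pool / memberCount;
    }

    function distributeRewards(address[] calldata ipIds) external {
        for (uint256 i = 0; i < ipIds.length; i++) {
            address ipId = ipIds[i];
            require(isMember[ipId], "not a member");
            require(!claimed[round][ipId], "ip id already credited this round");
            claimed[round][ipId] = true;
            rewards[ipId] += sharePerMember;
            pool -= sharePerMember;
        }
    }
}
```

With three members and a pool of 3 ether, the vulnerable function credits 3 ether to a single IP Account when its address is passed three times; the hardened one reverts on the second occurrence, and the same ID cannot be re-credited by a later call in the same round.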

3. createValidator can be frontrun, leading to griefing and loss of funds

A non-atomic createValidator process—split between execution and consensus layers—leaves an exploitable intermediate state that can cause inconsistencies and vulnerabilities.

Medium Issues

1. onERC721Received is never called when new license tokens are minted

Using _mint instead of _safeMint in mintLicenseTokens bypasses the mandatory onERC721Received callback, risking unexpected behavior and contract incompatibility.

2. onERC721Received is never called when new group NFTs are minted

Using _mint instead of _safeMint in mintGroupNft bypasses the mandatory onERC721Received callback, risking unexpected behavior and contract incompatibility.
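Added example, not Story's code, illustrating both findings above: a hypothetical license-token contract built on OpenZeppelin's ERC721 (assumed to be installed) shows the _mint path that skips the callback next to the _safeMint path that invokes it, and a receiver contract in the role of an IP Account implements onERC721Received so that it accepts tokens only from the collection it expects.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

// Hypothetical license token (not Story's code). Minting is left open only to
// keep the example short; a real minter would be access-controlled.
contract LicenseTokenExample is ERC721 {
    uint256 public nextId;

    constructor() ERC721("LicenseExample", "LIC") {}

    // Bypasses onERC721Received: a contract recipient that cannot handle ERC721
    // tokens still receives it, and the token may be stuck there forever.
    function mintUnsafe(address to) external returns (uint256 id) {
        id = nextId++;
        _mint(to, id);
    }

    // Calls onERC721Received when `to` is a contract and reverts unless the
    // recipient returns the magic value, so unaware contracts cannot receive.
    function mintLicenseTokens(address to) external returns (uint256 id) {
        id = nextId++;
        _safeMint(to, id);
    }
}

// Hypothetical receiver in the role of an IP Account: it accepts license tokens
// only from the collection it was configured for and rejects everything else.
// This check is only ever reached when the minter uses _safeMint.
contract IpAccountReceiverExample is IERC721Receiver {
    address public immutable licenseCollection;

    constructor(address collection) { licenseCollection = collection; }

    function onERC721Received(address, address, uint256, bytes calldata)
        external view override returns (bytes4)
    {
        require(msg.sender == licenseCollection, "unexpected NFT collection");
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

Minting to IpAccountReceiverExample through mintUnsafe succeeds regardless of the collection check, because the callback never runs; mintLicenseTokens from any contract other than the configured one reverts with "unexpected NFT collection".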

Low & Informational Issues

1. Static, delegate, and callcode calls to the IpGraph precompile update the state

Performing static, delegate, or callcode calls to the IpGraph precompile unintentionally alters contract state, violating EVM specifications.

2. Casting and cropping issues in royalty calculations could lead to unexpected behavior

setRoyalty’s lack of input size validation allows a privileged user to bypass Solidity’s uint32 limit by supplying a uint256 value, due to the precompile not enforcing proper input constraints.

The Story Team’s Proactive Collaboration

The Story team demonstrated a commendable level of collaboration throughout the audit process. They were highly responsive and actively engaged with our audit repository, aiding in the triaging of findings and ensuring clear communication on each issue. Moreover, their swift action in addressing vulnerabilities, implementing fixes, and validating every finding showcased their commitment to security.

Additionally, the quality of their code stood out, reflecting a strong focus on best practices and maintainability. Their efficient responses and proactive approach reinforce their dedication to building a robust and secure platform.

Conclusion

The Story audit underscores the importance of continuous security assessments for decentralized systems. Despite several vulnerabilities, the Story team’s rapid responses and robust architectural framework highlight their dedication to building a secure, scalable, and innovative platform for IP management.

As the creative economy increasingly intersects with blockchain technology, platforms like Story will be pivotal in fostering decentralized collaboration and economic opportunities for creators worldwide.

For more details on our findings and the security recommendations for Story, you can view the full audit report.

Patrick Ventuzelo / @Pat_Ventuzelo

Nabih Benazzouz / @Raefko

About Us

Founded in 2021 and headquartered in Paris, FuzzingLabs is a cybersecurity startup specializing in vulnerability research, fuzzing, and blockchain security. We combine cutting-edge research with hands-on expertise to secure some of the most critical components in the blockchain ecosystem.

Contact us for an audit or a long-term partnership!

Get Your Free Security Quote!

Let’s work together to ensure your peace of mind.

Keep in touch with us!

email

contact@fuzzinglabs.com

X (Twitter)

@FuzzingLabs

Github

FuzzingLabs

LinkedIn

FuzzingLabs
