Story / Security Assessment Completed

Strengthening Blockchain-Based IP Management

At FuzzingLabs, we recently completed a comprehensive security assessment of Story, a decentralized network that aims to revolutionize intellectual property (IP) management. This audit was undertaken to ensure the security and resilience of its blockchain-based infrastructure, smart contracts, and consensus mechanisms. Below, we provide an overview of our findings, the steps taken by the Story team to address vulnerabilities, and the broader implications of this assessment.

What Is Story?

Story is a decentralized Layer 1 blockchain tailored for managing IP rights. It enables creators to tokenize, program, and monetize their assets while fostering transparency and security. Core innovations include IP Assets and IP Accounts, which allow for dynamic control over royalties, licensing, and on-chain interactions. By leveraging blockchain technology, Story empowers creators and developers with tools for collaborative content creation, licensing, and dispute resolution.

Audit Overview

Our audit spanned 50 man-days, leveraging four dedicated FuzzingLabs experts who conducted in-depth reviews of the execution layer, consensus layer, and smart contract modules. The assessment included:

Codebase Evaluation: Reviewing Solidity smart contracts, Geth modifications, and Cosmos SDK customizations.

Threat Modeling: Identifying potential attack vectors across network layers, APIs, and consensus mechanisms.

Invariant Testing: Stress testing the execution and consensus layers for edge cases and unexpected behavior.

Key Findings

The audit of Story uncovered a range of vulnerabilities, categorized by their severity—critical, high, medium, low, and informational. These findings represent a comprehensive examination of the protocol’s codebase, consensus mechanisms, and smart contracts.

In this section, we present some of the key findings identified during the audit. While not exhaustive, this summary highlights the most notable issues uncovered and resolved. For a full breakdown of all findings, please refer to the complete audit report.

Critical Issues

1. Network Halting via Mempool Spamming

Attackers could halt the network by exploiting the Tendermint RPC endpoint configuration. This was resolved by disabling unnecessary broadcast features and implementing stricter checks.

2. IPAccount Reward Theft

Malicious actors could exploit a duplication flaw in reward distribution, siphoning all group rewards. The Story team addressed this by verifying unique identifiers in the reward function.

3. Front-Running in Validator Creation

The non-atomic nature of the createValidator process allowed potential front-running attacks. The issue was resolved by removing redundant functions that caused vulnerabilities.

Medium Issues

1. ERC721 Callback Omission

Both the mintLicenseTokens and mintGroupNFT functions failed to call onERC721Received, violating ERC721 standards. This was fixed by replacing _mint with _safeMint.
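To make the difference concrete, the following added example (not Story's code and not taken from the audit report) contrasts a mint that only records ownership with one that performs the ERC721 receiver check that _safeMint adds. MiniToken, mintUnchecked, mintChecked, NoReceiver and GoodReceiver are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Story's contracts; all names are hypothetical.
interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

contract MiniToken {
    mapping(uint256 => address) public ownerOf;
    uint256 public nextId;

    // _mint-style: ownership is recorded with no receiver check, so a contract
    // with no ERC721 handling can be handed a token it can never move.
    function mintUnchecked(address to) external returns (uint256 id) {
        require(to != address(0), "mint to zero address");
        id = nextId++;
        ownerOf[id] = to;
    }

    // _safeMint-style: same state change, then the receiver callback.
    // State is written before the external call (checks-effects-interactions),
    // because the callback hands control to the recipient contract.
    function mintChecked(address to) external returns (uint256 id) {
        require(to != address(0), "mint to zero address");
        id = nextId++;
        ownerOf[id] = to;
        if (to.code.length > 0) {
            try IERC721Receiver(to).onERC721Received(msg.sender, address(0), id, "") returns (bytes4 ret) {
                require(ret == IERC721Receiver.onERC721Received.selector, "receiver rejected token");
            } catch {
                revert("recipient is not an ERC721 receiver");
            }
        }
    }
}

// Constructed recipients: mintChecked reverts for NoReceiver and succeeds for
// GoodReceiver, while mintUnchecked succeeds for both.
contract NoReceiver {}

contract GoodReceiver is IERC721Receiver {
    function onERC721Received(address, address, uint256, bytes calldata) external pure returns (bytes4) {
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

Because the callback is an external call into the recipient, mint paths that adopt it should be reviewed for reentrancy.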

2. Gas Cost Optimization

The IPGraph module relied on fixed gas values, leading to inefficiencies. Story is currently working on a dynamic gas cost model for accurate calculations.

Informational Issues

1. Improper Parent IP Management

Adding new parent IPs overwrote existing relationships without validation. While this behavior was documented, improvements were suggested for future updates.

2. Noncompliant ABI Decoding

Some functions did not adhere to ABI standards, which could lead to data misinterpretation. This issue is set to be addressed in a future release.

The Story Team’s Proactive Collaboration

The Story team demonstrated a commendable level of collaboration throughout the audit process. They were highly responsive and actively engaged with our audit repository, aiding in the triaging of findings and ensuring clear communication on each issue. Moreover, their swift action in addressing vulnerabilities, implementing fixes, and validating every finding showcased their commitment to security.

Additionally, the quality of their code stood out, reflecting a strong focus on best practices and maintainability. Their efficient responses and proactive approach reinforce their dedication to building a robust and secure platform.

Conclusion

The Story audit underscores the importance of continuous security assessments for decentralized systems. Despite several vulnerabilities, the Story team’s rapid responses and robust architectural framework highlight their dedication to building a secure, scalable, and innovative platform for IP management.

As the creative economy increasingly intersects with blockchain technology, platforms like Story will be pivotal in fostering decentralized collaboration and economic opportunities for creators worldwide.

For more details on our findings and the security recommendations for Story, you can view the full audit report.

Patrick Ventuzelo / @Pat_Ventuzelo

Nabih Benazzouz / @Raefko

About Us

Founded in 2021 and headquartered in Paris, FuzzingLabs is a cybersecurity startup specializing in vulnerability research, fuzzing, and blockchain security. We combine cutting-edge research with hands-on expertise to secure some of the most critical components in the blockchain ecosystem.

Contact us for an audit or long-term partnership!

Keep in touch with us!

email

contact@fuzzinglabs.com

X (Twitter)

@FuzzingLabs

Github

FuzzingLabs

LinkedIn

FuzzingLabs