NEO’s NEP5 protocol, similar to Ethereum’s ERC20, supports tokens to run on the NEO platform. Based on the statement provided by the NEO team today, the platform had a huge Storage Injection Vulnerability.
Red4Sec, a Security Audit Company recently discovered that there was a vulnerability in the code of some of the NEP-5 contracts which if exploited, an attacker could make changes to the Contract storage, burn a certain amount of coins and hamper with the total supply status within the contract.
The team claims that the cost of the attack would’ve been high and attackers could’ve been able to only change the status of the total supply and not the actual supply volume.
According to the statement provided by the NEO team, the Storage Injection Vulnerability exists within the smart contract code of some dApps but the vulnerability hasn’t affected the blockchain.
In addition, the team has reviewed a huge amount of contract codes and based on the review, some of the projects are not affected by the vulnerability probably because they already had fixed the bug before its discovery. The ones that are prone to the attack haven’t lost any of the users’ assets and the projects are given the authority to decide whether to upgrade.
But, the team is unable to figure out if any other serious vulnerability was discovered for one project [not mentioned which one] as the source code was not open.
The NEO team has informed all the projects and provided them with guidance on how to tackle the vulnerability. They have also suggested them to use the ‘contract upgrade API on the NEO Fundamental layer’ in order to upgrade the affected smart contracts.
NEO Global Development [NGD] along with Red4Sec have been continuously monitoring the NEO core and project codes in look for vulnerabilities.
The NGD team says:
“We remain in unified commitment to protect the NEO ecosystem from potential security threats.”
After the announcement, few tokens based on the platform have given a statement of their own saying that they have not been affected by the storage injection vulnerability.
Isotopes, a Twitterati says:
“Congratulations Red4Sec for successfully identifying a NEP-5 Storage Injection Vulnerability affecting some of NEO’s Dapp smart contracts. Just another in a long line of potentially fatal mistakes that will continue to cost this industry billions of $$$ until taken seriously.”