NEO’s NEP-5 token standard plays a role similar to Ethereum’s ERC20, since NEP-5 tokens are the means of transacting on the NEO platform. However, on May 19th, 2018, NEO released a statement disclosing a major issue: a widespread Storage Injection Vulnerability.
The vulnerability was discovered by Red4Sec, a company that routinely performs security audits. Through their research, they uncovered a flaw present in only some of the NEP-5 contracts. If discovered and exploited, it would allow an attacker to alter the contract’s storage, spend an arbitrary number of coins, and even change the total supply of each affected contract.
A Statement on Storage Injection Vulnerability. https://t.co/CksTyaxn3I
— NEO Smart Economy (@NEO_Blockchain) May 18, 2018
Had the vulnerability not been found by Red4Sec, the cost to the company could have been severe. However, the team claims that the attack would only have let an attacker change the recorded value of the total supply, rather than the actual volume of tokens available.
Reports also noted that the vulnerability was present in only some of the DApps, not all of them, and that it did not affect the blockchain itself at all. Red4Sec reviewed many different contracts during its evaluation and found that some of the projects within NEO were not affected at all. That outcome is largely due to the vulnerability being identified early enough for a fix to be made.
The projects most susceptible to the attack have remained protected and were not compromised during the correction process; at present, they have the authority to apply an upgrade for further protection. One project could not be reviewed because its source code was not open to inspection. Unfortunately, that project was not named, so traders cannot tell what might still be at risk.
As for the remaining projects, the NEO team has already provided guidance on the best way to eliminate these risks. Furthermore, it recommends using the “contract upgrade API on the NEO Fundamental layer,” which updates the smart contracts affected by the vulnerability.
Since the original discovery, both NEO Global Development and Red4Sec have been monitoring the core code and project code to ensure that no other vulnerable spots remain. In NEO’s words:
“We remain in unified commitment to protect the NEO ecosystem from potential security threats.”
Once that announcement was released, another token on the platform issued its own statement to reassure investors that it was not at risk. On Twitter, Isotopes said:
“Congratulations Red4Sec for successfully identifying a NEP-5 Storage Injection Vulnerability affecting some of NEO’s DApp smart contracts. Just another in a long line of potentially fatal mistakes that will continue to cost this industry billions of $$$ until taken seriously.”