BLOG May 19, 2018
A Statement on Storage Injection Vulnerability
The security audit company, Red4Sec, has recently discovered a storage injection vulnerability in the code of some NEP-5 smart contracts.
NEO Global Development (NGD), together with Red4Sec, state the following:
The vulnerability exists within the smart contract code of some dApps. The NEO blockchain is not affected by the vulnerability.
There are several NEP-5 tokens affected by this issue. By exploiting this vulnerability, an attacker could make changes to the contract storage. An attacker can burn a certain amount of tokens and change the status of totalSupply within the contract. However, such an attack can only change the show value of totalSupply. It will not change the actual supply volume. In addition, the cost of this attack would be very high. Therefore, we consider the risk of damage from this attack very limited.
After reviewing a huge amount of contract codes, we came to the following conclusion:
- Some projects are not affected by this vulnerability, or they had already fixed the bug before we discovered the issue. These projects do not need to take any action.
- Some affected projects are exposed to the attack. Their users’ assets are confirmed as safe. These projects can decide whether to perform contract upgrades based on their own considerations.
- There is only one project whose source code is not open. For this project we are unable to detect if it has any (other) serious vulnerabilities.
NGD has already reached out to all concerned projects and informed them of the issue, along with releasing development guidance on how to address this vulnerability. NGD suggests project teams to use the contract upgrade API on the NEO fundamental layer to upgrade the affected smart contract. Projects will handle the implementation based on their own considerations.
NGD has provided development guidance which can be found here:
https://github.com/neo-project/proposals/blob/master/nep-5.mediawiki
NEO Global Development together with Red4Sec are continuously monitoring the NEO core and project codes for vulnerabilities. This issue was discovered and action taken as a result of these efforts, and we remain in unified commitment to protect the NEO ecosystem from potential security threats.
NEO Global Development (NGD)
Updated from NEO ecosystem projectsregarding vulnerability status can be found here:
https://neonewstoday.com/general/neo-ecosystem-vulnerability-updates/