NEO-Bug: “No theft of tokens possible”


On the weekend a message of a bug at NEO-Nodes made the rounds. The NEO bug discovered by the Chinese software giant Tencent is supposed to make it potentially possible for attackers to withdraw crypto currencies from wallets of NEO node operators. NEO co-founder Erik Zhang now gave the all-clear – at least in part.

On December 1, Tencent Security on the Chinese social media platform Weibo announced the discovery of a bug in the NEO block chain. Accordingly, the operators of NEO nodes expose themselves to crypto-piracy if they use the standard configuration.

This is what the Tencent announcement says about the Bitcoin formula:

“The monitoring of the famous Bitcoin formula blockchain project NEO […] revealed the risk of remote piracy. When a user starts the Bitcoin formula with the default configuration and opens the wallet, the digital currency can be stolen remotely.”

Tencent recommends three things to the node operators:

1. update of the NEO client to the latest version

2. not using the RPC function and changing the BindAddress in the configuration file to 127.0.0.1

3. if not: change RPC port, enable HTTPS-based JSON RPC interface and adjust firewall policies accordingly

So far, so FUD. What, in contrast to the Tencent warning, did not make the round so fast was the answer from NEO co-founder Erik Zhang, who was only a few hours away.

Erik Zhang: “Normal” Bitcoin trader are not affected

Zhang is trying to reassure the mean NEO-Hodler: https://www.forexaktuell.com/en/bitcoin-trader-scam/ “Normal Bitcoin trader don’t have to worry because the RPC function is disabled by default. RPC can only be accessed via the NEO-CLI client. Since this is a command line program, technically inexperienced users do not run the risk of opening the door to hackers through careless configuration adjustments. Zhang closes:

“In summary, there is no danger of remote piracy for the conventional NEO user”.

Since Zhang does not deny the security gap, one can assume that operators of NEO nodes are in danger of being robbed. It is probably for this reason that Zhang points to the bounty program that NEO launched this year under the name “NEO Vulnerability Bounty Program”. Anyone who finds a relevant and above all unknown NEO bug is entitled to a reward from NEO.

The guidelines of the Bounty Program state:

“If vulnerabilities are published before NEO repairs or publishes them, the reward is void.”

Tencent will therefore not be able to claim a reward for discovering the NEO bug.