On the weekend, news of a bug in NEO nodes made the rounds. The NEO bug, discovered by the Chinese software giant Tencent, supposedly makes it possible for attackers to withdraw cryptocurrency from the wallets of NEO node operators. NEO co-founder Erik Zhang has now given the all-clear – at least in part.
On December 1, Tencent Security announced on the Chinese social media platform Weibo that it had discovered a bug in the NEO blockchain. According to the announcement, operators of NEO nodes expose themselves to crypto-piracy if they use the default configuration. The Tencent announcement says:
“The monitoring of the famous blockchain project NEO […] revealed the risk of remote piracy. When a user starts the NEO node with the default configuration and opens the wallet, the digital currency can be stolen remotely.”
Tencent recommends three things to the node operators:
1. Update the NEO client to the latest version.
2. Do not use the RPC function, and change the BindAddress in the configuration file to 127.0.0.1.
3. Otherwise: change the RPC port, enable the HTTPS-based JSON-RPC interface, and adjust firewall policies accordingly.
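As an added example (not from the article, Tencent, or the NEO project), the following Python audit checks a neo-cli-style config.json against the three points above: RPC bound to loopback, TLS when RPC is exposed, and no auto-unlocked wallet on a node whose RPC is reachable from the network. The key names (ApplicationConfiguration, RPC, BindAddress, Port, SslCert, UnlockWallet) and both sample files are assumptions I constructed.

```python
import ipaddress
import json

# Constructed sample files in the shape of a neo-cli config.json. The key names
# (ApplicationConfiguration, RPC, BindAddress, Port, SslCert, UnlockWallet) are
# assumptions about the layout, not taken from the article or from NEO's docs.
RISKY_CONFIG = json.dumps({"ApplicationConfiguration": {
    "RPC": {"BindAddress": "0.0.0.0", "Port": 10332, "SslCert": ""},
    "UnlockWallet": {"Path": "wallet.json", "Password": "secret", "IsActive": True},
}})

HARDENED_CONFIG = json.dumps({"ApplicationConfiguration": {
    "RPC": {"BindAddress": "127.0.0.1", "Port": 10332, "SslCert": ""},
    "UnlockWallet": {"Path": "", "Password": "", "IsActive": False},
}})


def is_loopback(addr: str) -> bool:
    """True only for addresses that keep the listener on this host."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr.strip().lower() == "localhost"


def audit_config(text: str) -> list:
    """Check a config against Tencent's advice; an empty list means it passed."""
    app = json.loads(text).get("ApplicationConfiguration", {})
    rpc = app.get("RPC")
    wallet = app.get("UnlockWallet", {})
    findings = []
    if rpc is None:
        return findings  # RPC not configured at all: nothing is exposed
    # A missing BindAddress is treated as "all interfaces", the unsafe case.
    bind = rpc.get("BindAddress", "0.0.0.0")
    if not is_loopback(bind):
        findings.append(f"RPC bound to {bind}: reachable from the network, not only this host")
        if not rpc.get("SslCert"):
            findings.append("exposed RPC served over plain HTTP: no SslCert configured")
        if wallet.get("IsActive"):
            findings.append("wallet auto-unlocked on a node with network-reachable RPC")
    return findings


if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or ["OK"])
```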
So far, so FUD. What did not make the rounds as quickly as the Tencent warning was the response from NEO co-founder Erik Zhang, who refuted the claims only a few hours later.
Erik Zhang: “Normal” users not affected
Zhang swiftly reacted to reassure the NEO-Hodler community. “Normal users” do not have to worry because the RPC function is disabled by default. RPC can only be accessed via the NEO-CLI client. Since this is a command-line program, technically inexperienced users do not run the risk of opening the door to hackers through careless configuration changes. Zhang concludes:
“In summary, there is no danger of remote piracy for the conventional NEO user”.
Since Zhang does not deny the security gap, one can assume that operators of NEO nodes are in danger of being robbed. It is probably for this reason that Zhang points to the bounty program that NEO launched this year under the name “NEO Vulnerability Bounty Program”. Anyone who finds a relevant and, above all, previously unknown NEO bug is entitled to a reward from NEO.
The guidelines of the Bounty Program state:
“If vulnerabilities are published before NEO repairs or publishes them, the reward is void.”
Tencent will therefore not be able to claim a reward for discovering the NEO bug.
TL;DR
This post summarizes it succinctly:
“No vulnerability exists and there is nothing to fix.
- Normal users do not use neo-cli
- Neo-cli does not have RPC activated by default
- Neo-cli does not have wallets active by default
- Users that need neo-cli with RPC and wallet enabled are advised to set a firewall in the installation docs for obvious reasons (putting your private key on an accessible server is pretty dumb)”
Was this FUD by Tencent?
No, because the bug clearly exists. However, Tencent did, purposefully or not, mislead their readers by claiming this was a default configuration, which has been shown to be false. It is important to note that bugs and software errors are the most common thing in any company and with any technology. The NEO team is clearly aware of that, puts a lot of focus and resources into its bug bounty campaigns, and should be applauded for that.