The cryptocurrency world is subject to interesting developments at all times. In some cases, major vulnerabilities are discovered which need to be addressed. The NEP-5 smart contract storage injection vulnerability is of great concern in this regard. Some of NEO’s DApps are susceptible to this exploit, although the underlying blockchain remains unaffected.
The NEP-5 Storage Injection Issue
This particular smart contract and DApp vulnerability was originally disclosed several days ago. Red4Sec, a security auditor, came across this issue while doing some routine research. NEO Global Development has confirmed this problem exists and issued an official explanation as to what is going on exactly. It is important to keep in mind that this storage injection vulnerability does not affect the NEO blockchain itself, but rather some of the DApps making use of this technology.
It seems various NEP-5 tokens are affected by this problem. If an attacker were to take advantage of this particular exploit, they would be able to make changes to the contract storage itself. More specifically, they could burn a specific amount of tokens and change the totalSupply determined within the contract. It’s worrisome news, although things are not as dire as they seem.
That’s because while attackers can change the ‘show value’ of the totalSupply aspect of a smart contract, they cannot alter the actual supply. It is still a worrisome vulnerability which shows that NEO’s smart contracts will need proper auditing prior to being introduced to the public. Such auditing doesn’t happen often enough, which allows issues like these to occur at one point or another.
It is rather interesting to note that only a few projects are affected by this problem. It is possible that some contracts had already fixed the bug prior to it being discovered. The affected projects are not immediately threatened, although upgrading the contract code is still of the utmost importance. Perhaps the biggest concern is that more major vulnerabilities may yet be discovered.
Upgrading the smart contracts will not be that difficult. The NEO developers have made this process rather straightforward thanks to the upgrade API which is part of the project’s fundamental layer. In hindsight, this has been one of the more proactive ways of dealing with issues, although it remains up to the developers of individual projects to address such issues or leave things as is.
With all tokens remaining safe, there is no real cause for concern as of right now. It is evident that a lot of projects are closely monitoring their own DApps and smart contracts to ensure that they are safe from harm. It is good to see the community come together and address potential issues on this front.