On December 1st, Tencent published a warning on its Weibo regarding a supposed security flaw on the NEO blockchain. NEO Global Development (NGD) quickly responded pointing out inaccuracies in the report.
The Tencent Security Lab claimed that NEO holders were at risk of having tokens remotely stolen from their wallets. It was posited that the theft could occur if users started the NEO-CLI with the default settings, with the attack vector coming in via Remote Procedure Call (RPC). RPC is a function that allows one computer to call a procedure on another computer.
Tencent advised users to upgrade to the latest NEO-CLI program, avoid using the RPC function, and modify the bind address to the localhost (127.0.0.1). If users had to use the RPC function, Tencent suggested using a https-based port of JSON-PRC, or putting up a firewall.
NEO co-founder, Erik Zhang, refuted the Tencent findings on NEO’s own Weibo. Erik corrected the report by stating that the RPC function is not enabled by default upon launching the NEO-CLI program, and can only be activated with “an additional command line parameter.” Furthermore, the RPC address is already bound to “127.0.0.1” by default, and can only be changed by manually updating the configuration file.
In addition the NEO-CLI is only used by developers and node runners, who do not have a reason to open a wallet or hold funds on the program. Port/firewall usage is also documented in the installation details for NEO-CLI in the event that a wallet is to be used.
These claims can be easily verified by using the latest version of the NEO-CLI found on the NEO GitHub at the link below:
There is no risk to regular users of the NEO blockchain.
Genuine issues are encouraged to be reported through NEO’s Vulnerability Bounty Program.