BlockSec has unveiled the findings of a recent audit for Neo X, the EVM-compatible sidechain recently launched by Neo. The audit identified three potential vulnerabilities, all of which have been rectified.

Methodology

The audit focused on the Neo X node implementation, particularly the modifications made to Geth (go-ethereum), from which the Neo X node is forked. The dBFT consensus protocol was not included in the audit scope.

BlockSec utilized a combination of automated code analyzers, fuzzers, and semantic analysis to detect vulnerabilities. It also cross-checked potential attack vectors with independent audits to confirm its findings before providing fix recommendations.

Findings

The audit identified one high-risk and two medium-risk issues, all of which have been addressed by the Neo X team.

The most critical issue was insufficient validation of the addresses sending P2P network messages that are integral to the dBFT protocol. This vulnerability has been mitigated by implementing checks within the governance contract to ensure that only properly permissioned addresses are accepted.

Both medium-risk issues were found within the governance system. The first pertained to a potential Denial of Service vector within the governance contract. The contract allowed any user to pay a registration fee to become a validator candidate, up to a fixed maximum number of candidate slots.

Malicious actors could exploit this by using the exitCandidate function to get the full registration fee refunded, minus transaction fees, effectively allowing them to occupy the candidate slots without long-term cost. The Neo X team resolved this by ensuring the full fee is no longer refundable, making such attacks prohibitively expensive.
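To make the slot-squatting finding concrete, the following is an added, hypothetical Solidity sketch of the registration pattern described above; it is not the Neo X governance contract, and the fee amount, capacity and all names other than exitCandidate are assumptions. The refunding variant reproduces the audited behaviour, the non-refunding variant reflects the fix as the report describes it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical registry reproducing the pattern in the finding; not Neo X code.
// Fee, capacity and every name except exitCandidate are assumed for illustration.
abstract contract CandidateRegistry {
    uint256 public constant REGISTRATION_FEE = 1 ether;
    uint256 public constant MAX_CANDIDATES = 21;

    address[] public candidates;
    mapping(address => uint256) internal position; // 1-based index; 0 = not registered

    function registerCandidate() external payable {
        require(msg.value == REGISTRATION_FEE, "wrong fee");
        require(position[msg.sender] == 0, "already registered");
        require(candidates.length < MAX_CANDIDATES, "capacity reached");
        candidates.push(msg.sender);
        position[msg.sender] = candidates.length;
    }

    function exitCandidate() external virtual;

    // Swap-and-pop removal; reverts if the caller holds no slot.
    function _remove(address who) internal {
        uint256 i = position[who];
        require(i != 0, "not registered");
        address last = candidates[candidates.length - 1];
        candidates[i - 1] = last;
        position[last] = i;
        candidates.pop();
        delete position[who];
    }
}

// Vulnerable shape: the full fee comes back on exit, so holding every slot costs
// only gas, and freed slots can be re-occupied by the same party immediately.
contract RefundingRegistry is CandidateRegistry {
    function exitCandidate() external override {
        _remove(msg.sender);
        (bool ok, ) = msg.sender.call{value: REGISTRATION_FEE}("");
        require(ok, "refund failed");
    }
}

// Hardened shape, as the fix is described: nothing is refunded, so each slot held
// carries a permanent cost and occupying all of them becomes prohibitively expensive.
contract NonRefundingRegistry is CandidateRegistry {
    function exitCandidate() external override {
        _remove(msg.sender);
    }
}
```

The two contracts differ only in exitCandidate, which is exactly where the economic cost of occupying a slot is decided.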

The second medium-risk issue involved the absence of a timelock in the voting mechanism used for privileged operations within the governance contract. This could have enabled a hostile takeover of the currentConsensus validator list. The introduction of a timelock now provides a critical rescue window to thwart potential attacks from malicious proposals.

The original announcement and audit report can be viewed at the following link:
https://blocksec.com/audit-report/audit-report-neo-x