Cybersecurity experts have discovered a vulnerability in the NEO client that attackers can use to steal cryptocurrency from user wallets. Users have been assured that their funds are safe.
The vulnerability was discovered by Tencent employees in the NEO-CLI client. As reported by Blockmanity, users are at risk when they start a node on the network with a standard configuration. All operators of nodes on the NEO blockchain and all GAS holders were advised to update their clients and not to use remote procedure calls (RPC).
The founder of the NEO cryptocurrency startup, Erik Zhang, stated that the vulnerability does not threaten regular users, because exploiting it requires the RPC function to be activated in the NEO-CLI client, and such users do not have access to that function.
He also points out that RPC is not activated by default, but only under certain conditions and through the command line. The same applies to the “BindAddress” option, whose default value is “127.0.0.1”. If the user does not change the configuration manually, the associated risks can be ruled out, the publication says.
Zhang cannot guarantee anything to users who decide to change the configuration manually.
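A check for the manual configuration change described above, as an added example that is not code from the article or from the NEO project: it flags every “BindAddress” value that is not a loopback address. The JSON layout and the sample values are constructed for illustration; only the “BindAddress” name and its “127.0.0.1” default come from the article.

```python
import ipaddress
import json

# Constructed samples. The nesting is an assumption for illustration; only the
# "BindAddress" key name and its "127.0.0.1" default come from the article.
DEFAULT_CFG = '{"Node": {"RPC": {"BindAddress": "127.0.0.1"}}}'
EDITED_CFG = '{"Node": {"RPC": {"BindAddress": "0.0.0.0"}}, "Extra": [{"BindAddress": "::1"}]}'


def is_loopback(value):
    """True only when the value is a literal loopback IP address."""
    try:
        return ipaddress.ip_address(str(value).strip()).is_loopback
    except ValueError:
        # Hostnames (even "localhost") and malformed values are not trusted:
        # what they resolve to depends on the host, so flag them for review.
        return False


def find_bind_addresses(node, path=""):
    """Yield (path, value) for every "BindAddress" key at any depth."""
    if isinstance(node, dict):
        for key, child in node.items():
            here = f"{path}/{key}"
            if key.lower() == "bindaddress":
                yield here, child
            else:
                yield from find_bind_addresses(child, here)
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from find_bind_addresses(child, f"{path}[{index}]")


def audit(config_text):
    """Return the (path, value) pairs whose bind address is not loopback."""
    config = json.loads(config_text)
    return [(p, v) for p, v in find_bind_addresses(config) if not is_loopback(v)]


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CFG), ("edited", EDITED_CFG)):
        findings = audit(text)
        print(name, "OK" if not findings else f"exposed: {findings}")
```

An empty result means every bind address found is loopback-only; anything else lists the setting that makes the service reachable from other hosts.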
In mid-June, the Chinese antivirus software developer Qihoo 360 reported that the incorrect configuration of certain applications and farms on the Ethereum network had resulted in their users losing over $20 million at the exchange rate at that time.