The developers of the NEO blockchain platform reported on their blog the findings of Red4Sec, a cybersecurity company that recently discovered a vulnerability in the code of some smart contracts that implement tokens of the NEP-5 standard.
Using the vulnerability, an attacker can burn a certain number of tokens or increase the displayed number of tokens by changing the totalSupply parameter inside the smart contract. As the authors of the post note, the totalSupply parameter is responsible only for the displayed number of tokens in circulation and has no bearing on the real supply.
The authors therefore argue that this vulnerability carries limited risk and that an attack exploiting it would be very costly.
Some projects have not yet fixed the vulnerability in their contracts, but their users are not exposed to any risk. The authors do not name the projects that can still be attacked, albeit without serious consequences.
A separate report on this issue was released by the developers of Red Pulse, a project that is also based on the NEO blockchain. They report that in theory an attacker can change the totalSupply parameter, but this does not lead to a real increase in the number of RPX tokens and, accordingly, will not bring the attacker any profit, while to carry out the attack he would still have to spend RPX tokens.