Neo has released new audit reports for Neo X following an assessment by Red4Sec. This audit evaluated Neo X’s governance system and the bridge contracts for the native bridge between Neo X and N3.
The Neo Native Bridge is a bidirectional bridging service between the Neo N3 and Neo X blockchains. Smart contracts are implemented on each network, and a relayer service is tasked with collecting signatures from bridge validators in order to authorize cross-chain transfers.
Bridge contract (Neo N3)
Red4Sec’s audit of the bridge contracts on N3 identified one critical vulnerability, one medium, one low, and nine informational issues. The critical vulnerability involved a failure to validate that the depositor was not specified as the contract itself, potentially allowing malicious actors to drain the bridge. The Neo X team has since resolved this issue along with other identified concerns, such as input validation gaps and various informational adjustments.
Bridge contract (Neo X)
For the Neo X side of the bridge contracts, Red4Sec found one medium, one low, and nine informational issues. Notable findings included a hardcoded signature requirement and outdated dependencies. Neo addressed these issues and incorporated Red4Sec’s recommendations on best practices for enhanced security and functionality.
Neo X Governance contracts
The Neo X governance system consists of several smart contracts implemented as Solidity precompiles, which are executed without the usual EVM overhead, similar to native contract execution on N3.
The governance smart contracts for Neo X yielded one high-severity issue and nine informational items. The high-severity issue was a Denial of Service vector in the candidateList feature, which could have allowed an attacker to deplete node resources. Neo rectified this issue and implemented further recommendations aligned with industry best practices.
Red4Sec is the third organization to complete an audit for Neo X, after BlockSec and Secure3. The full audit reports may be found here.
The original announcement may be read at the following link:
https://medium.com/neo-smart-economy/neo-receives-audit-from-red4sec-further-strengthening-neo-x-governance-and-bridge-security-02aa52843707