Neo SPCC released NeoGo v0.120.0 “Amortization” on June 15 as an urgent update patching multiple security vulnerabilities while also delivering VM performance improvements. The release is fully compatible with Neo-CLI v3.10.0, which was recently deployed to MainNet. No blockchain resynchronization is required to upgrade.
Neo SPCC characterized the release as urgent, stating that it “fixes a set of vulnerabilities that may affect the process of node functioning.”
Security hardening across RPC, Oracle, and VM
The release includes five vulnerability patches spanning several components of the node stack. Most were ported from fixes already applied to the C# reference node, reflecting ongoing cross-client security collaboration within the Neo ecosystem.
The patches cover RPC payload hardening, which enforces stricter limits on block and transaction deserialization to prevent abuse via oversized payloads. Oracle service IP filtering has been expanded to block additional private address ranges, closing a potential vector for SSRF-style attacks against internal network infrastructure. Witness deserialization now enforces script length limits for SignerWithWitness objects submitted through the RPC API. Merkle Patricia Trie node deserialization has been given a maximum depth limit to prevent excessive recursion from malicious structures. Finally, the VM’s gasConsumed counter has been corrected to prevent overflow, which could previously cause incorrect execution behavior.
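To illustrate the Oracle IP filtering item above, here is an added Go example (not NeoGo's code) of a fail-closed destination check for a service that fetches external URLs. The function name `IsAllowedOracleTarget` and the `reservedNets` list are assumptions made for this example; the article does not say which ranges NeoGo added.

```go
package main

import (
	"fmt"
	"net/netip"
)

// reservedNets holds ranges that netip.Addr.IsPrivate does not report.
// The selection is an assumption for this example, not NeoGo's actual list.
var reservedNets = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"),     // "this network"
	netip.MustParsePrefix("100.64.0.0/10"), // carrier-grade NAT shared space
	netip.MustParsePrefix("192.0.0.0/24"),  // IETF protocol assignments
	netip.MustParsePrefix("198.18.0.0/15"), // benchmarking networks
	netip.MustParsePrefix("240.0.0.0/4"),   // reserved, includes broadcast
	netip.MustParsePrefix("64:ff9b::/96"),  // NAT64, can embed internal IPv4
}

// IsAllowedOracleTarget reports whether a resolved address may be contacted.
// Anything unparsable, internal or reserved is rejected.
func IsAllowedOracleTarget(s string) bool {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return false // fail closed on malformed input
	}
	addr = addr.Unmap() // treat ::ffff:a.b.c.d as the IPv4 address it wraps
	if addr.IsUnspecified() || addr.IsLoopback() || addr.IsPrivate() ||
		addr.IsLinkLocalUnicast() || addr.IsMulticast() {
		return false
	}
	for _, p := range reservedNets {
		if p.Contains(addr) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample addresses, not taken from the release notes.
	for _, s := range []string{"93.184.216.34", "10.0.0.5", "100.64.1.1", "::ffff:127.0.0.1"} {
		fmt.Printf("%-18s allowed=%v\n", s, IsAllowedOracleTarget(s))
	}
}
```

Such a check belongs on the address the HTTP client actually connects to (for example in a `net.Dialer` `Control` hook), so that the address dialed is the one that was validated.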
VM performance optimizations
Two VM performance improvements were contributed by community developer @Turalchik. The first eliminates redundant deep copying in the DUP opcode when operating on primitive types such as integers, booleans, and byte strings. Because these types are immutable and passed by value, copying them is unnecessary. The second applies the same logic to the NEWARRAYT and NEWSTRUCT opcodes, removing per-element copying when creating arrays of immutable types.
Both changes align NeoGo’s behavior with the C# VM reference implementation and are expected to improve execution speed for scripts that make heavy use of these opcodes.
C# node compatibility fixes
NeoGo v0.120.0 resolves several behavioral discrepancies with the C# reference node. Most notably, it corrects a TestNet discrepancy at block 3,164,129, where a candidate registration transaction HALTed on the C# node but FAULTed on NeoGo. The issue stemmed from premature removal of Echidna-era compatibility code from registerCandidate handling.
Additional fixes cover the following: duplicate Conflicts attributes are now properly prohibited within transactions, transaction mocking behavior in the invokefunction and invokescript RPC calls now matches C# output, the byte endianness in the util canceltx CLI command has been corrected, the storage.LocalGet interop wrapper now has the right return type, and a WebSocket shutdown race condition in the RPC server has been fixed.
Operator action required
As part of the RPC payload hardening, the default value for MaxRequestBodyBytes has been reduced. Node operators who previously relied on the higher default and require larger request bodies must manually update their node configuration to set a custom value.
Additional improvements
The release also introduces a distinct ErrTxNotYetValid error for transactions that fall outside their valid window, improving diagnostics for developers who previously could not distinguish these from expired transactions. Documentation across 18 files has been updated to conform with Go 1.19 structured doc comment format, and several flaky unit tests have been addressed to improve CI reliability.
The full release notes can be found at the link below: