An audit by Positive.com has revealed that the average ICO has no fewer than five security flaws. In fact, vulnerabilities are so common that only a single ICO in their study was free of security issues.
It should be noted that Positive, which describes itself as a “security platform that aims to protect ICOs against cyber-attacks”, is in the business of selling services to ICOs. Still, its findings, even if exaggerated, make for alarming reading.
Almost half of all flaws uncovered were rated medium to severe. As the company says, “just one vulnerability is enough for attackers to steal investors’ money and do irreparable damage to corporate reputation.”
The ICO Honeypot
So much money has flowed into ICOs that attacking them is a natural and productive task for cybercriminals. It has been estimated that in 2017, 7% of all funds raised by ICOs were ultimately stolen, amounting to some $300 million.
Leigh-Anne Galloway, Positive.com’s “Cyber Security Resilience Lead”, points out that “the second a company goes public with an intention to do an ICO” it is alerting cybercriminals that it is “both valuable and also in a very vulnerable phase of its company growth.”
The most common vulnerabilities occurred in token smart contracts. Positive.com reports that 71% of the projects it tested had a flaw at this stage, and identifies developer inexperience and insufficient testing as the main cause of such problems.
Half of the surveyed projects had issues with their web applications, leaving them open to unauthorized control, while mobile apps were reported to be in an even worse state. Every single mobile app examined by the company contained security flaws, notably exploitable weaknesses in data transfer or storage.
Don’t use “Password1”
Another major source of concern was ICOs’ weak security procedures around email accounts and social media. If these are compromised, attackers can take control of the public face of the company. Even more concerning, if email accounts are accessed it may be possible to reset website passwords and change the displayed wallet addresses, as occurred in the CoinDash hack.
The report is a damning indictment of ICO security, but ICOs are a newly emerging industry and fund-raising model, and it would be foolish to expect everything to be done perfectly straight away. Still, as Galloway says, “ICO teams have a responsibility to ensure their security posture is as robust as possible,” which means everything from smart contracts to Twitter log-ins.