The Most Common ICO Hacking Techniques

With ten percent of all funds raised by ICOs thought to be lost to hackers, thieves and scammers (according to Ernst and Young), we outline below some real-life cases of such incidents to highlight the pitfalls faced by retail investors.

CoinDash – Crypto assets management platform

When: July 2017

Method: Phishing

Loss: c. $7 mln worth of ETH

The launch of the CoinDash ICO last summer was overshadowed by an attack which resulted in the loss of $7.3m. Hackers replaced the official Ethereum address appearing on the website with their own. The startup had to suspend its activities once project organisers realised that funds were being redirected to an unknown address.

The take-away is simple – always ask for confirmation (and re-confirmation) of the destination address. Ideally, an ICO should use an address verification service such as Clearify.
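As an added example (not part of the original article, and not CoinDash's or Clearify's tooling), here is a small Python monitor that pins the contribution address confirmed out of band and flags a fetched sale page that shows any other address, or no longer shows the pinned one. The addresses and page snippets are constructed placeholders.

```python
import re
from typing import Dict, List

# Pinned official contribution address, confirmed out of band with the team.
# Constructed placeholder, not a real project address.
OFFICIAL_ADDRESS = "0x1111111111111111111111111111111111111111"

# 20-byte hex address with 0x prefix; \b keeps longer hex runs from matching.
ADDRESS_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

# Constructed page snippets: one untouched, one with the address swapped,
# and one where the address has been removed altogether.
CLEAN_PAGE = '<p>Send ETH to <code>0x1111111111111111111111111111111111111111</code></p>'
SWAPPED_PAGE = '<p>Send ETH to <code>0x2222222222222222222222222222222222222222</code></p>'
BLANK_PAGE = "<p>Sale paused, check back soon</p>"


def extract_addresses(html: str) -> List[str]:
    """Return every Ethereum-style address found in the page text, lower-cased
    so that mixed-case (checksummed) and plain forms compare equal."""
    return [m.group(0).lower() for m in ADDRESS_RE.finditer(html)]


def check_page(html: str, official: str = OFFICIAL_ADDRESS) -> Dict[str, object]:
    """Compare the addresses shown on a fetched sale page against the pinned one.

    'unexpected' lists any address that is not the official one (a possible
    swap); 'official_present' is False if the pinned address has vanished.
    Either condition marks the page as tampered and should trigger an alert
    and a pause of the sale until the page is verified by hand.
    """
    found = extract_addresses(html)
    official = official.lower()
    unexpected = sorted({a for a in found if a != official})
    return {
        "official_present": official in found,
        "unexpected": unexpected,
        "tampered": bool(unexpected) or official not in found,
    }


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("swapped", SWAPPED_PAGE), ("blank", BLANK_PAGE)):
        print(name, check_page(page))
```

In practice the page would be fetched on a schedule from outside the project's own infrastructure, so that a compromised web server cannot also silence the monitor.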

Veritaseum – P2P financial markets platform

When: July 2017

Method: Exploiting Poor Wallet Management

Loss: $8.4 mln

The project team, led by the well-known American entrepreneur and founder of Boom Bust Blog, Reggie Middleton, faced an attack during its initial offering of VERI ERC-20 tokens.

Wallets belonging to a number of project leads were compromised, with the tokens then transferred out to an unknown address and then sold back to unsuspecting investors.

This was, then, a rare case in which project organisers’ lack of due diligence ended up hurting only themselves and not investors.

Seele – a Blockchain 4.0 Technology

When: April 2018

Method: the Telegram Doppelganger approach

Loss: over $2 mln (though amount remains unconfirmed)

Hackers don’t always have to be computer geniuses. Here, the scam artists simply conducted a “private sale” for the ICO in advance of its official launch. Mimicking the identities of project administrators on Telegram, they approached investors with promises of large bonuses on the ICO price.

They were able to do so by acquiring admin status on the Telegram channel itself, simply by registering an account under the name of one of the real-life project leads and requesting administrative rights from another administrator.

To avoid this kind of trap, conduct such conversations over more transparent channels, and verify the identity of the person you are talking to with several others in his or her entourage.

KICKICO – ICO Launchpad

When: July 2018

Methods: Website imitation, smart-contract manipulation

Loss: $800,000

There have been two successful hacking attempts on the unfortunate team behind the KICKICO platform. The first was carried out through imitation websites – hackers had erected an almost identical website at an almost identical URL. The lesson for ICOs is simply to register the popular domain name extensions that carry the name of their own site before others do.

In the second incident, however, the breach arose from hackers gaining direct access to KickCoin smart contracts. The attackers took possession of 40 accounts, which they subsequently destroyed and replaced with 40 almost identical accounts.

The platform owners were unaware of the breach until several victims filed complaints, with a subsequent audit finding that users had lost tokens totaling $800,000.

Fortunately, a few hours after the incident, the KICKICO team managed to restore access to its smart contract and replace the compromised private key with the key in its cold wallet to preserve the remaining assets.

In addition, the platform reimbursed and restored the 40 wallets that had been the target of the attack. But, despite a relatively successful outcome, smart contract auditing remains a sensitive problem for token issuers and requires true professional expertise in both development and auditing – something that is all too often found to be missing in the ICO space.

COINAdmin, who aim to provide pre-packaged software solutions for ICOs, now offer the ability to assemble audit-approved smart contracts without the need for any knowledge of Solidity – the programming language used to create smart contracts on the Ethereum blockchain.

Having raised over $70m on its platform from 130k contributors during its own ICO, the outfit applied a series of security measures to that ICO – including DDoS protection and Google 2-factor authentication – which it is now pushing as a model for security management in the rest of the industry.