How to Secure your ICO from Hackers

Lessons from past hacks and 10 critical tips to protect your ICO or blockchain project

It’s rare that a week goes by without hearing about an ICO getting hacked. Given the clear and persistent threats that exist, it’s quite surprising that there are relatively few resources on how to secure your ICO for teams in the process of launching or running a blockchain project.

When your project announces its ICO to the world, it is effectively telling everyone that it will be collecting thousands or even millions of dollars worth of cryptocurrency. You are putting a target on your back.

It’s kind of like publicly announcing that you are collecting and storing millions of dollars in your apartment. Criminals will take notice and take advantage of any vulnerability. Unless you take action, your ICO or blockchain project will likely fall victim to hackers.

Why are so many hacks occurring?

The prevalence of hacks is most likely due to several factors such as the record amounts of money pouring into the industry, the lack of security considerations taken by new projects and the security vulnerabilities inherent in this emerging ecosystem.

A quick disclaimer:

This post is not designed to provide you with an exhaustive list of attack vectors or a comprehensive cybersecurity guide. It has been developed to increase your awareness of the types of security threats out there, give you some practical tips on how to secure your ICO or blockchain project and spur you into taking action.

To achieve these ends, this post will analyze 6 well-known crypto hacks and present some key security takeaways. It will also conclude with 10 essential security tips that will help ICO teams and blockchain projects avoid becoming the next hacking statistic.


The DAO Hack

What happened?

A startup working to create a Decentralized Autonomous Organization (DAO) on the Ethereum blockchain, named ‘The DAO’ got hacked. The DAO project launched in late April 2016, with a 28-day funding period.

The project got funded through a token sale which was a big success, raising around $150 million from about 11,000 people worldwide. Shortly after the funds were raised, ‘The DAO’ was hacked by an unknown attacker who stole Ether worth approximately $55 million.

The DAO was the largest crowdfunding project in history at the time, despite reports that listed security vulnerabilities and warned people not to support the project. In the end, the hacker stopped draining The DAO of funds, and the Ethereum community took control of the situation. Luckily the funds were subject to a 28 day holding period so the hacker couldn’t use the stolen Ether.

The postmortem

In the end, the attack was made possible by a vulnerability in The DAO code, not the Ethereum platform itself. Like many developers warned, The DAO project suffered from a programming hazard or bug referred to as “recursive calls” – “where an attacker called the “split” function, and then calls the split function recursively inside of the split, thereby collecting ether many times over in a single transaction.” [1]

This enabled the attacker to drain more than $50 million worth of ether into a “child DAO” that has the same structure as The DAO. The attacker was able to ask the smart contract (DAO) to give the ether back multiple times before the smart contract could update its balance. The code written for the DAO was flawed as it first sent the ETH funds and then updated the balance.

How to secure your ICO from hackers- Key takeaways

Smart contract programming in Ethereum is notoriously error-prone, the consequence of even a single mistake or loophole can be dire.

At a bare minimum, adhere to programming guides which contain best-practice recommendations to avoid common pitfalls.

Listen to your community and take security concerns seriously.

Think about implementing a doomsday clause in your smart contracts that restrict the conversion of any Ether into fiat money after X number of days after receiving it.

Monitoring ICO activities and the ability to act quickly is critical.

Coindash

What happened?

CoinDash is a crypto-based portfolio management platform. In July 2017, the Coindash Initial Coin Offering was hacked almost immediately after it started. The result was numerous potential buyers sending their money to a fraudulent address. A total of $7 million got lost and the sale terminated.

After realizing that hackers had changed the official wallet address to a wallet owned by the hackers, the Coindash team immediately sent out an emergency message. But it was too late.

“This is an emergency message delivered to you in order to stop you from sending your money to an unauthorized ETH address. It seems like our Token Sale page was tampered and the sending address was changed. Please stop from sending your funds to any of the addresses until we say otherwise. We are currently examining the situation and will shortly send further instructions.”

The postmortem

Like many other ICOs, Coindash had a page on its website which thousands of unique users visited with text representing an Ethereum address for buyers to send money.

Purchasers were tricked into sending money to the wrong address during the Coindash Initial Coin Offering. Within just 7 minutes, 43 thousand ETH were redirected to a malicious address. This was achieved by the hacker taking control of the official Coindash website minutes after the ICO launched and merely changing the text on the site to reflect their ether wallet address instead of Coindash’s address.

According to cyber security experts, the exploit methods indicate that it was not the act of a single person and was most likely carried out by a highly sophisticated group of people.

An investigation into the hack of the CoinDash WordPress site was ordered and is ongoing. Some initial findings are available on the Coindash blog –

“The 404.php file was modified from its original content. A malicious Webshell code, base64 encoded, was planted in the 404.php file. This webshell allows remote code execution, file upload, Dir listing, file reading and more.”

“The malicious Webshell was originally published in an underground polish IT website called devilteam.pl, an IT security website in which people publish exploits, vulnerabilities, information about companies getting hacked and other cyber security related topics.”

How to secure your ICO from hackers- Key takeaways

Platforms that serve as gateways are just as vulnerable to attack as anything else. Don’t forget about website security!

Your project will likely need to fight off dozens of highly sophisticated scammers who will try to con your community into sending crypto to their accounts. Preventing them is a massive undertaking which requires planning.

Minutes matter. It took just 7 minutes for 43 thousand ETH to get redirected to a malicious address.

Parity

What happened?

Hack 1

Parity has fallen victim to hackers not once but twice! The first time – July 2017, an unknown attacker exploited a flaw in the Parity multi-signature wallet on the Ethereum network, stealing over $31 million worth of Ether. Things could have turned even worse if it were not for some diligent white-hat hackers from the Ethereum community who stopped the attackers from stealing over $180 million from vulnerable wallets.

The white hat hackers exploited the same vulnerability the hackers used. They hacked all of the remaining at-risk wallets and drained their accounts before the hacker could get to them. All of the money was returned.

Hack 2

This hack may be more accurately described as accidental or non-malicious freezing of funds. It occurred in November the same year, just a few months after the first hack. A code vulnerability was accidentally exploited by user devops199 who was doing some experimenting. Approximately 513 thousand ETH equal to $154 million was frozen and made inaccessible.

The postmortem

Hack 1

Hackers exploited a deficiency in the multi-sig wallet “init” code and drained over 153,000 ETH from three high-profile multi-signature contracts used to store funds from past token sales.

The hack was carried out by initiating two separate transactions. Hackers first took advantage, of the “init” code not having a defined scope which allowed them to make themselves the owners of the contracts. The second transaction drained the targeted accounts of all their ETH.

Hack 2

In this case, a vulnerability in the code deployed in a particular multi-signature wallet smart contract was exploited, not the Ethereum protocol itself. The exploited code resided in the ‘init’ wallet function, used to set up a wallets initial state and the kill function, a call to self-destruct.

Parity used a library contract (a smart contract used to save gas) to deploy the common logic for their multi-signature wallets. An anonymous user was able to gain control of this library contract by invoking the ‘init’ wallet function and use their address in place of the owner. This effectively turned the library contract into a wallet contract of which they were the single owner. After gaining ownership of the contract, the user then used the kill function to destroy the library contract rendering all connected wallets and their funds unusable. More detail here

How to secure your ICO from hackers- Key Takeaways

Check and recheck your code, and then audit it again. This will involve designing and implementing a code review process.

Pay careful attention to the functionalities provided in your library contracts. In Parity’s case, if the kill function had not been included, hack two could not have occurred.

Code separation can save gas costs but should a library contract be broken in some way; it will impact every contract that depends on it.

Enigma

What happened?

Enigma is a decentralized platform created by MIT graduates and researchers. The project’s website, slack channel, mailing list, and some social media accounts were all compromised. After the incident, it took the Enigma team a while to announce that they had been hacked, posting a warning on Twitter several hours after other members of the crypto community had noticed and responded.

The postmortem

The hacker was able to trick people into sending approximately $500,000 to a fake Ether address instead of to the Enigma address.

According to some sources, the reason the attack was able to take place was that the founder’s email and password were initially stolen during a hack of an unrelated company in 2015. These passwords never got changed after this unrelated hack, and the same passwords got used for the company’s Slack page, and Google accounts for hosting the presale.

How to secure your ICO from hackers- Key Takeaways

Team members should continuously change passwords for all of their digital accounts and make sure that no password gets used for more than one account/site. It’s also critical to use more complex randomized passwords across all platforms.

Requiring two-factor authentication for all employee email accounts should be a minimum requirement along with the implementation of access control procedures.

For critical sites and project infrastructure ensure that passwords only get shared on a need to know basis.

Tether

What happened?

Tether, the company behind Tether tokens which are pegged to US dollars, had funds improperly removed from the treasury Tether wallet through malicious action taken by a hacker. Altogether, over $30 million worth of USD tokens were stolen, shaking crypto markets and putting the company’s future in serious jeopardy.

The postmortem

Although details remain unclear, it appears the hack was pretty straightforward. According to an announcement on the company’s official website an unknown hacker stole the tokens from the Tether Treasury wallet on November 19th and sent them to an unauthorized Bitcoin address.

The company responded by flagging the tokens. A move designed to prevent the hacker from exchanging them through its service. While the company is not disclosing more details about ongoing investigations into the hack, the breach occurred to the Tether hot wallet. The company is in the process of developing and building a new platform which will result in a hard fork to cut off the funds.

How to secure your ICO from hackers- Key Takeaways

Storing crypto online is asking for trouble. Your project should consider offline ‘cold storage’ wallet options along with old fashion solutions like safe deposit boxes and vaults.

EtherDelta

What happened?

Decentralized cryptocurrency exchange EtherDelta, recently announced it suffered a security breach. At least 308 ETH (over $250 thousand) were stolen, as well as a large number of tokens potentially worth hundreds of thousands of dollars. Thefts continued to be reported a week after the hack was first discovered.

The postmortem

The smart contracts that govern EtherDelta didn’t get compromised in the attack. Instead, an attacker managed to access the EtherDelta site DNS records and replace the domain with a very impressive fake. This led many users to unknowingly sending their tokens to the hacker not the official exchange site. The hackers set up several different phishing scam websites all over the web, mostly in Google searches.

How to secure your ICO from hackers- Key Takeaways

Sophisticated phishing attacks where an attacker sets up a fake site are becoming more common. Think about buying similar domains in Godaddy. For example, if your site address is www.abcd.com, purchase www.abcd.co, www.abcd.io, etc. Scammers will try to use similar addresses.

Scammers can access HTTPS certificates to make scam sites look more legitimate. The green lock icon near the address bar is not worth much.

Implement phishing protection best practices and communicate with your users. Tell them to bookmark your official website link and only visit the site through the bookmark.

Phishing attacks are challenging to prevent, so vigilance, quick reaction times and contingency plans are critical. There have also been notable phishing attacks that start with a DDOS attack, waiting for the project site to crash and then providing a link to phishing site in all communities and chat rooms, etc.

Learning lessons from past hacks

This post outlines some common hacker tactics and underscores the vulnerability of the cryptocurrency sector to cyber attacks. If you are the founder of an ICO project, understanding past hacks can help shine a light on some of the security vulnerabilities that exist.

The bad news is that hackers are getting smarter. They understand that breaking into the Ethereum or Bitcoin blockchain network is virtually impossible, so they are targeting points of weakness – mainly entry points for transferring funds into and out of wallets, project sites and exchanges.

Here are 10 tips to keep your ICO or blockchain project more secure-

1. Lock down your crypto! Use a diverse array of cold storage options such as hardware wallets and lock them up in a vault!

2. Project leaders must educate their team on cybersecurity risks before the ICO. Don’t expect your employees to understand cybersecurity or know what attack vectors to look for.

3. Many ICOs give precise instructions on how to place tokens on the site for the ICO. To increase security, collect the email addresses for those interested in funding the ICO. When the pre-sale starts, provide funding instructions only to those who signed up. Displaying the funding instructions on your website invites hackers to attack your site.

4. Use different passwords for important accounts so that even if one of your accounts gets hacked, the rest are safe. Implement 2-Factor Authentication wherever possible as well.

5. For critical sites and project infrastructure, ensure passwords only get shared on a need to know basis.

6. Buy similar domains to help make website phishing attacks a little bit harder.

7. Dedicate several employees to monitor your ICO channels like Facebook and telegram chats 24/7.Get them to perform regular audits to remove phishing posts and ban suspicious members. It’s also important to specify the correct website on all official sites, continuously post to relay critical updates and educate your followers to ignore phishing messages sent by non-admin users. Keep a close eye on google searches as well for any suspicious activity.

8. Don’t get Slack. The platform is full of vulnerabilities. Hackers can, for example, create an account like a moderator and write personal messages with fake addresses.

9. Audit your code again, and again and then again. Conduct penetration tests, hire trusted parties to find weaknesses.

10. Building a strong community is not only an asset that will drive your project’s long-term success. A powerful community can protect and help you in times of crisis. The more allies looking out for your project, the better!

Cybersecurity is a vital part of business operations across all industries. The emerging blockchain and cryptocurrency space is no exception. Don’t let your project become the next victim.

Remember – It’s not a matter of “if” but “when” your project will come under attack from hackers.

God Speed.

Planning your ICO? Check out Tokendeck, our Initial Coin Offering solution that makes crowdfunding your business simple and easy. We customize your solution so that your ICO Coin Offering is successful, safe, and compliant.

Read our How to Launch an Initial Coin Offering guide.

Anthony is the head of content and research at Intrepid Ventures. He has spent the past several years researching and analyzing technologies and working with a diverse mix of blockchain companies to help them gain insight and develop authoritative content.

Realizing the revolutionary nature of blockchain technology and the existence of a significant knowledge gap among entrepreneurs, industry, and government, Anthony now concentrates his time on creating educational content, researching potential use cases and analyzing the impact of the technology on global industries.


Also published on Medium.