ICO Cybersecurity Best Practices: How to protect your ICO from hackers

Security guidelines to protect your Blockchain project

Security in the blockchain industry has been gaining more attention in the last months. After a series of major hacks, it has become clear that blockchain projects around the world are finding it very difficult to secure their assets. ICO cybersecurity best practices are now required as hacks continue to have dire consequences for projects, their stakeholders, and the public’s perception of the industry.

ICO cybersecurity best practices – more than technology

Cybersecurity refers to the protection of all assets within a specific computer network. Although the primary security focus for blockchain teams will be set on the technological aspects of a project, there is much more to cybersecurity than a project’s technology.

Many vulnerabilities involve the human factor. As we will see later, cybersecurity requires a combination of expertise both on the technical and human elements within a network.

Before getting into concrete vulnerabilities, there are two main problems related to the mindset of how some teams undertake their project.

The first one is a widespread misconception that every aspect of the “traditional system” is wrong and outdated. This new paradigm attempts to override or ignore decades of IT security protocols set in place for a valid purpose. These practices were built on years of learnings, experiences, and failures, and ignoring is potentially dangerous.

The second relates to the general frenzy and bonanza that the crypto landscape is enjoying. Billions of dollars are flowing into brand new projects that have yet to prove their sometimes excessive valuations.

This may cloud reason and judgment, diverting attention from important matters and making teams prioritize money-grabbing activities such as excessive promotion and hype instead of technological development and security best practices. For a safer, reliable, and thriving ecosystem to emerge, these problems need to be overcome.

Main vulnerabilities in ICO Security

When the topic of security is brought up in the crypto space, common responses relate to code audits. While these are necessary and an elementary requisite to start security processes, they are not sufficient to mitigate the risks blockchain projects, ICOs, and smart contract developers face.

Not every security issue is the same. From flawed coding languages, basic password negligence, and social engineering to multi-factor authentication, a wide range of vulnerabilities exist.
Even if your project’s technology and code are correctly developed and implemented, over 80% of security professionals identify ‘humans’ as the biggest challenge.

Let’s take a look at a brief account of the main vulnerabilities in ICO and smart contract security:

Vulnerabilities in blockchain code

When developing blockchain projects, there are different levels where your code or the code you reuse could be flawed. One of the most important matters is to identify on what layer (or layers) you will be working on, understand the challenges, and address them correctly.

Protocol layer

If you are working on the protocol layer, developing a new blockchain, for example, you will be addressing some of the hardest challenges. Because of its immutable nature, any bug that gets found on a live chain is tough to fix. Doing so would require soft forks and software upgrades based on consensus.

When dealing with the protocol layer, it’s best to catch bugs early on. Make sure to work with experienced system programmers and don’t cut budgets here. Rigorous testing during the Testnet phase is especially important. Some well-known examples of software that operate at this layer include Geth, Parity, and Ethereum JS (Ethereum), Bitcoin Core, Daedalus (Cardano), etc.

Application layer

The application layer involves building smart contracts on top of the previously mentioned protocol layer. Even for experienced programmers, coding these applications (in say, Solidity) is like navigating a minefield of potential bugs. On this layer, the code is usually not very long but thinking of it from a security point is essential as some of these applications manage vast amounts of money. Any small bug could mean a huge loss.

To avoid this, hire programmers with an eye for detail who understand Solidity, the de-facto high-level programming language for smart contracts in Ethereum, and its best security practices as well. Two major hacks that happened at this layer include the Parity Multisig wallet and the DAO Fork incident.

External blockchain infrastructure

Although this is not a specific layer, blockchain projects heavily rely on centralized web apps or sites that connect to your blockchain. This is why you need to be aware of the security vulnerabilities as they are more prone to traditional web attacks.

The best way to avoid these risks is recruiting conventional security analysts and engineers who also understand the blockchain. Examples of these kinds of services are MyEtherWallet and Infura.

LayerExampleIssuesAdvice
ProtocolCore Clients: Geth, Parity, EthereumJS, Bitcoin Core, Litecoin Core.Highly critical infrastructure. Bugs hard to undo on live chain (requires soft forks, software upgrade based on consensus), so best to catch bugs early on.Work with experienced systems programmers, conduct rigorous testing especially during Testnet phase.
ApplicationSmart Contracts written in Solidity, SerpentIt’s like navigating a minefield of potential bugs. Code is usually not long, but thinking about each LOC from security point is important. Small bug => can lose lots of $. Eg. Parity Multisig wallet, DAO ForkHire programmers who understand Solidity best security practices.
External blockchain InfrastructureMyEtherWallet, Infura, Centralised web services that connect to your blockchainProne to traditional web attacks. Phishing.Recruit conventional security analysts/ engineers.

Vulnerabilities in external web infrastructure

All blockchain projects make use of basic peripheral structures that we use to browse the internet. These include websites, web browsers, apps, extensions, DNS resolutions, etc. Although these are not directly connected to your blockchain or application, they can easily become victims of traditional attacks and put your project at risk.

Many teams can become so focused on making their decentralized product unbreachable that they may miss securing some peripheral aspects such as their website or chat apps. Hackers have taken down ICO sites and switched them with their fake domains tricking users into sending their funds or sensitive data to the wrong address. Some attackers have even gained access to official ICO websites and replaced the ICO contract addresses with their own.

Social engineering hacks

Social engineering attacks encompass a broad spectrum of malicious activities where hackers seek to exploit the weaknesses of human psychology. By tricking people to share sensitive information, hackers can gain access to a projects systems or customers. There are numerous ways to do this, among which the most widely used is phishing.

Recently, South Korean Bithumb exchange got hacked when the thieves gained access to a personal computer belonging to an employee. The hacker then posed as an executive of the exchange to users, managing to get their passwords and gain access to US$870,000 in funds.

Lack of basic security practices

In an industry developing some of the most innovative technologies and projects, it is almost absurd to see how some projects get hacked in the most trivial manner! Some projects are unaware of basic security practices like not using complex passwords and using the same password for different services.

Enigma, a decentralized platform created by MIT graduates and researchers, had their ICO hacked because the founders’ email and password were originally stolen during a hack of an unrelated company in 2015. These passwords were never changed after this unrelated hack, and the same passwords were being used for the company’s Slack page, and Google accounts for hosting the presale. Hackers gained access and simply changed the ICO contract address securing the funds for themselves.

Building security best practices into your platform

A more transparent and secure landscape is paramount to the future of ICOs and blockchain projects. It is the only way to increase buyer confidence, increase adoption and drive the development of the technology on a larger scale.

Whether you’re just starting a blockchain project or currently preparing for an ICO, security should be your first concern before you build anything and a consideration throughout the entire process as well. Emphasizing security reduces publicly embarrassing security flaws and course corrections in the future, saving you money and time.

Some of the most relevant elements required to build security best practices into your platform and organization include:

Build a team with the right skills and proactive attitude

This is the most important aspect of a company’s success. Not having a team with the right skills and knowledge is the single biggest cause of security vulnerabilities. This not only means having proper technical leads responsible for the code but also being mindful of short-sighted business approaches that prioritize larger budgets for promotion and hype instead of project security.

Re-use tested libraries and code

Just because the technology is new, does not mean you have to reinvent the wheel every single time. You can reduce the risk of vulnerabilities by reusing tested code that has gone through revisions and reviews from professionals and open communities in the industry.

Two of the most widely used tools for Ethereum are Truffle and OpenZeppelin.
Disclaimer: Although this community-reviewed code reduces your vulnerability risk you should do your own revision also to be sure of what you are building.

Peer review

Making your code public is a double-edged sword. While you are exposing your project, having your work subject to the scrutiny of multiple experts can ensure a higher level of security that you otherwise wouldn’t have been able to achieve. Consider dedicating a portion of your budget to a bug bounty program as per industry standards.

Code simplicity

Statistics show that there are up to 15–50 bugs per 1000 lines of code (LOC). Testing, audits, and public revision can help bring these numbers down, but they will not fix everything.
It’s important to spend time upfront on simple code design to keep the LOC low and reduce the potential for bugs.

Establish security processes for internal stakeholders

Make sure that your employees, vendors, contractors are aware of how important security is. Educate and require standardized practices like the use of multi-factor authentication, password managers, regular password changes, securing devices, etc. Having a proper onboarding with stakeholders and keeping periodic training on security matters can help minimize risks.

Prioritize security in your roadmap

It’s common practice for blockchain projects, particularly those that are in the process of launching an ICO, to leave security for last. This may be because they think there is nothing to secure before any funds come in, or because they expect to pay for more security with token sale proceeds. This is the wrong approach and could lead to the loss of any funds. It is therefore vital to establish best practices from the beginning.

What to do now to protect your project

There is a lot you can do to start securing your project right now. Some of these actions are basic and apply to any of your accounts whether it’s your bank, your mail or your PayPal. Remember that on the internet all your information can be cross-referenced and you might be putting yourself at more risk than you can imagine.

General rules for online security

Use strong passwords and change them at least once per year.
Don’t repeat passwords across different websites, especially across sites where you hold any money and “causal” accounts such as social media.
Use multi-factor authentication, but avoid phone verification if possible.
Limit what you do over public Wi-Fi.
When available, enable notification services that inform you of suspicious activity on your accounts.
Have a firewall or basic antivirus program installed.
Keep software up to date.
HTTPS Everywhere 🙂
Consider learning how to use a password manager – to manage multiple passwords, generate strong passwords.

Team practices and requirements

Just like on personal accounts, team members should constantly change passwords for all of their digital accounts and make sure that no password is used for more than one account/site.

Perform and access sensitive data on a secure device only. Be aware of phishing attempts and never click on untrusted links or download files from dubious sources.

Require two-factor authentication for any accounts employees have where they represent the company.This includes email, social media, chat platforms, etc.

For critical project infrastructure ensure that passwords only get shared on a need to know basis.

ICO and project rules

Buy a human-readable address on ENS where your buyers can send their funds to. This way you have less chance of your address being hacked and replaced by a phishing attack.

When possible buy similar domains to your project websites so as to not leave them free for scammers. For example, if your site address is www.abcd.com, purchase www.abcd.co, www.abcd.io.

Educate your supporters to bookmark your official website link and only visit the site through the bookmark.

Provide specific and detailed instructions on how to place tokens on the site for the ICO.

Whitelist interested buyers by asking for their emails before the ICO starts and only contact them with sensitive information through this accounts.

Make sure that passwords are changed and secured close to the opening time of the fundraising.

Running your ICO in a shorter period of time might provide less time for malicious actors to attack

Dedicate several employees to monitor your ICO slack, telegram chats and google searches (24/7). Get them to perform regular audits to remove phishing posts and ban suspicious members.

Audit your code again and again and then again. Conduct penetration tests, hire trusted parties to find weaknesses.

Lock down your crypto funds. Use a diverse array of cold storage options such as hardware wallets and paper wallets.

Educate your team and supporters to use tools such as EtherAddressLookup, MetaMask, and Cryptonite by MetaCert to secure your browser navigation and avoid phishing scams. Let your buyers/mailing list know that you will communicate with them in a consistent protocol and to ignore any other communication.

How to prepare for future contingencies

As mentioned earlier, considering security early in your company’s lifecycle can help avoid a lot of headaches in the future. However, once you optimize and secure your project’s current state you also need to think about how you will face future risks.

According to Horangi, an international cybersecurity firm, the general technology space, including the cryptocurrency industry, is currently in a reactive mode towards security threats. This posture forces a constant need to respond to vulnerabilities, usually after the damage is done.

The whole industry needs to adopt a proactive posture towards identifying vulnerabilities and managing risks, operating in anticipation of potential attacks on the network. This approach requires consistent testing, surveillance, and upgrading of your security processes to deter future threats.

Below is a list of some processes you should have in place to secure possible future scenarios and prepare you for future contingencies:

Stakeholders onboarding and offboarding

As your company grows, new stakeholders will join, and others will leave. Having specific onboarding and offboarding processes in place will ensure appropriate access and tie any loose ends.

Transitioning for a change in management positions

Aligned with the previous point. It’s common to see changes in managerial positions. Whether it’s a multisig wallet private key or hosting services accounts, top-level employees usually have important access codes. Make sure to have transition processes in place in your company.

Crisis management & response plan

Preemptive measures are the best way to secure your blockchain project and ICO. There will, however, always be a risk that you will get hacked. Should this unfortunate event take place, having a crisis management process ready in a moment of high anxiety will be immensely helpful.
A proper plan includes communication messages, back-ups, information access to the support centers of the services you use, direct communication to all your employees, multiple communication channels with your buyers, etc.

System monitoring & alerting

Keep an eye on the ecosystem and infrastructure around your blockchain project. Make specific employees responsible for this and be sure to clear your communication channels from bots or suspicious individuals.

Product rollout security upgrades

The different phases of your product roadmap will expose you to different threats. Releasing software updates, launching an ICO, or publishing code for revision, will open new doors for hackers to get into your system. Before you implement any of these milestones, make sure you do a security audit.

There is no way to create a bulletproof shield around your project. Remember that when dealing with security it is better to be highly pessimistic and paranoid. This will help ensure the absolute best practices and mitigate as many risks as possible.

Like they say, better safe than sorry.

Learn more about How to Launch an Initial Coin Offering by downloading our comprehensive guide here.

If your planning your ICO, Check out Tokendeck, our Initial Coin Offering solution that makes crowdfunding your business simple and easy.

If you have any questions or would like to connect you can find me on Twitter or email me at [email protected] I’m always interested in meeting people working in the blockchain space at any level.


Also published on Medium.