‘Funds are safe’: how to guarantee security during your ICO
In a techno-financial world already plagued by credit card and bank account fraud, crypto-currencies seem to have opened a whole new set of possibilities for cybercriminals. Irreversible transactions and anonymous wallet ownership, although presented as attractive features for those who want to pay with crypto, look like an oasis for digital crooks.
There is no shortage of examples. MyBitcoin, the first Bitcoin e-wallet provider, made history when it suddenly disappeared from cyberspace in 2011, claiming that all the funds had been lost to a hacker invasion.
Almost one year later, hackers exploited a vulnerability in a shared hosting service, leading to the theft of more than 46,000 bitcoins, worth US$ 200,000 at that time, from an exchange named Bitcoinica. Just two months later, Bitcoinica suffered a new hacker invasion, losing another 18,000 bitcoins, and could not survive this succession of events.
Over the years, more and more cases appeared. Bitfloor (24,000 bitcoins), MtGox (850,000 bitcoins), Bitstamp (19,000 bitcoins) and Bitfinex (120,000 bitcoins), huge players in the crypto market (although only the latter two have survived), proved that security flaws were putting customers’ funds at risk and weakening the market as a whole.
In ICOs, things weren’t different. Projects like Cypherium and Taylor had the unfortunate experience of waking up and dropping an entire cup of coffee on the keyboard after realizing that the funds from the crowd sale were gone.
How do ICO start-ups get hacked?
There are many reasons why ICO campaigns get hacked. Below, we list and study some recent cases, seeking the origin of each breach, and then we discuss ways to protect against it.
The project that aimed to create a Decentralized Anonymous Organization model raised $150 million during its ICO. As soon as the amount - the biggest at its time - was raised, an attacker was able to steal $55 million worth of ETH from its smart contract.
The flaw: the DAO’s smart contract contained a special function for creating child DAOs. This code contained a vulnerability that allowed the attacker to call the function recursively, before his balance was updated.
The project that hosts a website listing ICO fundraising campaigns and promoting discussions and token purchases suffered a US$ 7.7 million loss from a hacker attack.
The flaw: the hacker managed to get access to the private key of the wallet the developers used to manage the token contract on the Ethereum blockchain.
The token exchange lost US$ 12.5 million of its funds after a hacker attack in July 2018.
The flaw: “A wallet used to upgrade some smart contracts was compromised. This compromised wallet was then used to withdraw ETH from the BNT smart contract in the amount of $12.5 million”
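Both this case and the previous one came down to a single private key holding full control over the token contract. As an added example (not either project’s code; all names are assumed), a minimal multi-owner admin contract in Solidity that requires several independent keys to confirm any privileged call, so one compromised wallet cannot upgrade or drain the contract on its own:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Constructed example (not the projects' code): privileged calls such as
// upgrading a token contract or withdrawing from it need `threshold`
// distinct owner confirmations, so one stolen key cannot act alone.
contract MultiOwnerAdmin {
    struct Proposal {
        address target;         // contract to call, e.g. the token contract
        bytes data;             // ABI-encoded call to make on it
        uint256 confirmations;
        bool executed;
    }
    mapping(address => bool) public isOwner;
    uint256 public immutable threshold;
    Proposal[] public proposals;
    mapping(uint256 => mapping(address => bool)) public confirmed;

    constructor(address[] memory owners, uint256 required) {
        require(required > 0 && required <= owners.length, "bad threshold");
        for (uint256 i = 0; i < owners.length; i++) {
            require(owners[i] != address(0) && !isOwner[owners[i]], "bad owner");
            isOwner[owners[i]] = true;
        }
        threshold = required;
    }

    modifier onlyOwner() {
        require(isOwner[msg.sender], "not an owner");
        _;
    }

    // Any owner can propose; the proposer's own confirmation counts at once.
    function propose(address target, bytes calldata data) external onlyOwner returns (uint256 id) {
        proposals.push(Proposal(target, data, 0, false));
        id = proposals.length - 1;
        confirm(id);
    }
    // Each owner key confirms at most once per proposal.
    function confirm(uint256 id) public onlyOwner {
        Proposal storage p = proposals[id];
        require(!p.executed && !confirmed[id][msg.sender], "already done");
        confirmed[id][msg.sender] = true;
        p.confirmations += 1;
    }
    // Runs the call only once enough independent owners have confirmed.
    function execute(uint256 id) external onlyOwner {
        Proposal storage p = proposals[id];
        require(!p.executed && p.confirmations >= threshold, "not ready");
        p.executed = true;
        (bool ok, ) = p.target.call(p.data);
        require(ok, "call failed");
    }
}
```

The point is the approval threshold across separately stored keys; a production deployment should use an audited multisig wallet rather than a hand-written contract like this one.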
The token exchange service saw its crowdfunding website hacked a few hours after the campaign started. The receiving wallet address had been changed to a static wallet owned by the attacker, who stole US$ 250,000.
The flaw: the attacker created a fake version of the website, which showed his wallet address instead of the campaign’s. Then he managed to compromise the campaign’s DNS provider (how he did it was not published), pointing the official domain name to his server.
The crypto-based portfolio management service saw its crowdfunding website hacked a few hours after the campaign started, and the address was changed to the hacker’s wallet.
The flaw: according to the developers, their WordPress-powered website was attacked and a web shell (a script used to obtain access to the server’s files) was used to edit the wallet address.
The alternative blockchain project managed by MIT students had its website hacked and its wallet replaced with the attacker’s wallet, leading to a US$ 500,000 loss. Additionally, its Slack channel, newsletter and even social network accounts were all hacked as well (which might be the reason why the team delayed informing investors about the hack).
The flaw: a staff member who had administrative access to the website, Slack and social networks used the very same password on different platforms. One of the platforms where this staff member had an account, unrelated to crypto-currencies, had been the victim of an earlier hack and had its members’ passwords published. The attacker found the password on that list and gained access to all of the staff member’s accounts linked to the ICO.
So, how do you protect yourself?
If you do not want to join the previous list, there are a few security measures you can follow.
Ensure a safe contract
Blockchain does not forgive. Developing a vulnerable smart contract is as dangerous as developing any other kind of vulnerable application. Do not skip third-party code auditing and penetration testing. Run as many tests as possible against your contract. Follow the Security Considerations section of the Solidity documentation.
Store your funds offline
Unless you have a very good reason to keep the invested funds in an online wallet (if you do, please share it with us), take them offline! It’s better to transfer all funds to a cold wallet, such as an offline machine with restricted access and an encrypted hard disk, a hardware wallet or even a paper wallet (you can still set up an online watching-only wallet). Make sure your offline wallet is also safe: control access to it and keep backups in safe places.
NEVER use the same password for different platforms
This is what you usually hear on television when security specialists are interviewed to give basic security tips. Yes, it is pretty basic, but the warning evidently still applies. You cannot be sure that a service correctly protects your stored password and will never suffer a data leak.
Use 2-factor authentication whenever possible
Two-factor authentication is a mechanism that requires an additional step during login: taking a token generated on a separate device (such as a smartphone) and entering it, to prove that it’s really you - and not someone else who got your password - trying to log in. Use it on every platform that offers it.
Choose hosting & domain providers wisely
Many DNS hacks originate at domain registrars. Ensure your registrar is reliable and reputable. Seek other clients’ opinions and make sure their support team is fast enough to help during an emergency. Avoid shared hosting, and make sure your team is able to create a safe production setup on your own server. If you are going to use a CMS, only use plugins from reputable developers and check their security history on websites like Exploit-DB and WPVulnDB.
Control privileges & network structure
There is zero reason for the social media manager to have access to the wallet. If possible (and we know it is), create a separate network where your online wallet will stay (if you need one, for example for sending tokens to investors after they invest - if you’re not doing it through a crowdfunding contract). Never make this machine visible from the public network (prefer polling an online server over exposing an API on the server that stores the funds). If you are going to keep it yourself in your office, protect it physically with alarms, cameras and keys. Avoid putting staff members’ office computers on the same network.
Educate your team and community against phishing
Take time to write security guidelines and enforce them with your teammates. Warn them about phishing and create rules about what to do when emails from hosting providers and other key contacts are received. Attachments should never be allowed. If you need to receive files from users (such as personal documents), do it online and give your team a dashboard where they can access these items without leaving the browser.
Constantly remind your community how the token sale will happen and whom they have to contact in case of questions. Buy similar domains and redirect them to your website.
Do not share passwords when it’s not needed
Password sharing should be avoided as much as possible. Sharing social network account passwords is not needed, as today there are plenty of services that manage social media better than accessing the social network website directly (e.g. Hootsuite for posting/commenting and Zendesk for messaging).
In the age of Git and Docker, developers should not need SSH or FTP credentials. Additionally, any code submission should be reviewed by an authorized team member before it goes live.
Keep permissions set correctly on a per-user basis (even if you trust your teammates completely, you cannot guarantee that their computers will not be hacked during your ICO). Store passwords in a safe environment and ensure access to them is given only when essential.
Ensure passwords aren’t thrown away on small pieces of paper and sticky notes. You would not believe where hackers go to fingerprint your startup.
After your ICO campaign, when you need to take some funds from the wallet, we recommend keeping the remaining funds in offline storage. In that case, create a transaction that moves the required amount to another wallet on an offline machine and sign the transaction there. Use a clean flash disk to move the signed transaction’s hex code from your cold storage to an internet-connected machine, where you can broadcast it using any wallet software or a “push tx” service.
Keep in mind that hackers target ICO campaigns as soon as they go live, because they see ICOs as newly launched startups that have just received large amounts of investment. When you launch your ICO campaign, hackers will try to hack you (take our word on that). And since the blockchain does not forgive, lost funds may lead to serious headaches, refunds and the total failure of your project. Make sure your team is ready to avoid such emergencies, but also keep an emergency plan in order to protect your funds even after an attack. Ensure your community is aware of the official sources of information, and teach them how to recognize whether a given domain is real or fake. Security is teamwork, built in layers, and should never be neglected.
We at Forteras can help you if you want a custom, secure smart contract for your idea. We can also help with code auditing as well as consulting to give you ways to develop a bullet-proof setup for your ICO campaign. Don’t hesitate to contact us!