Best Practices for securing your ICO

in #ico, 6 years ago

In any ICO, security is of paramount importance because any weak link is like a key in the hands of hackers to the safe deposit box which has your funds.


ICOs have lost more than $400 MM to hackers to date because of underemphasis on security. It has been observed that an ICO faces at least 100 attacks in a month on average, and these attacks range from exploiting vulnerabilities in Smart Contract code to phishing scams to social engineering. Upcoming ICOs can learn from the mistakes of those before them. They can ensure that they take all the necessary steps to safeguard their funds and fulfill their responsibility towards the community from which they have raised these funds with the promise that they will give them a great product in return.

Here are some best practices that an ICO team can follow to fortify their ICO against attacks:

Get your Smart Contracts code Audited - The Smart Contracts are built on top of the protocol layer, and more often than not, the code has holes in it. Since this piece of code is responsible for handling large amounts of money, it becomes the target of hackers who exploit it to swipe the funds. Recently, researchers from the National University of Singapore (NUS), Singapore's Yale-NUS College and the UK's University College London (UCL) discovered 34,200 smart contracts which fell short of robustness and were vulnerable to being exploited. Since Smart Contracts are only as smart as the coders who create them, it would be wise to get them audited by other parties. Take the audit reports seriously and work on fixing the weaknesses. The DAO lost millions of dollars because the team ignored the warnings about the flaws in their open source code from other developers. Make sure that the code is free from major security vulnerabilities before deploying it on the blockchain.

Secure your ICO website - One of the most common ways for hackers to break into an ICO is by gaining control of the website. The CoinDash hackers changed the wallet address on the website and made away with nearly $7 million in less than 7 minutes. Get your website assessed for vulnerabilities with the help of external penetration testing, and continue testing until comprehensive testing detects no vulnerabilities. Fix each issue that is found and get the penetration testing done again to look for other exploitable vulnerabilities which did not surface the first time.
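A swapped contribution address, as in the CoinDash case above, can be caught by comparing every address the live page serves against the one the team published out of band. The following monitor is an added example, not code from the original article; the function names and the sample addresses are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# 0x + 40 hex digits, not embedded in a longer token (e.g. a 64-digit tx hash).
ADDR_RE = re.compile(r"(?<![0-9A-Za-z])0x[0-9a-fA-F]{40}(?![0-9A-Za-z])")


class AddressCollector(HTMLParser):
    """Collects text nodes (inline scripts included) and attribute values."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        self.chunks.extend(value for _, value in attrs if value)

    def handle_data(self, data):
        self.chunks.append(data)


def find_addresses(html):
    """Return every Ethereum-style address in the page, lower-cased."""
    collector = AddressCollector()
    collector.feed(html)
    collector.close()
    return {m.group(0).lower() for chunk in collector.chunks
            for m in ADDR_RE.finditer(chunk)}


def audit_page(html, pinned):
    """Compare addresses on the page with the set published out of band."""
    pinned = {a.lower() for a in pinned}
    found = find_addresses(html)
    unexpected, missing = sorted(found - pinned), sorted(pinned - found)
    return {"unexpected": unexpected, "missing": missing,
            "ok": not unexpected and not missing}


if __name__ == "__main__":
    GOOD = "0x" + "ab12" * 10   # constructed sample, not a real wallet
    EVIL = "0x" + "cd34" * 10   # constructed sample, not a real wallet
    tampered = f'<a href="ethereum:{EVIL}">Contribute</a><script>var w="{EVIL}";</script>'
    print(audit_page(f"<p>Send ETH to <code>{GOOD}</code></p>", {GOOD}))
    print(audit_page(tampered, {GOOD}))
```

Run it on a schedule against the fetched page from a host outside the web server, and alert whenever `ok` is false.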

Be Vigilant about Social Engineering - Social engineering includes a broad spectrum of activities in which hackers seek to exploit the weaknesses of human psychology and extract sensitive data such as personally identifiable information, banking and credit card details, and passwords from their targets. Phishing, in the world of ICOs, entails hackers creating fraudulent copies of ICO websites and fake Telegram, Twitter, Facebook & LinkedIn accounts to target ICO participants. ICO teams can ensure the safety of their investors by being vigilant about suspicious activities around their ICO on the internet. Team members need to perform regular audits of their community channels to remove phishing posts and ban suspicious members. A simple practice to avoid fake copies of the ICO website would be to buy all similar domain names, and not leave them available for scammers. For the community channels and the website, ICO team members can ask the supporters to bookmark them, and visit them only through those bookmarks.
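The channel audit described above can be partly automated by flagging links whose host resembles the official domain without being it. This moderation helper is an added example, not part of the original article; `mytoken.example`, the sample messages and the distance threshold of 2 are assumptions, and internationalised (punycode) hosts are not handled.

```python
import re
from urllib.parse import urlsplit

OFFICIAL = "mytoken.example"   # assumption: placeholder for the real sale domain
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
CONFUSABLES = str.maketrans("0135", "oles")   # digits commonly swapped for letters
SAMPLE_MESSAGES = [            # constructed chat messages, not real posts
    "Sale page: https://mytoken.example/sale and chat: https://chat.example/mytoken",
    "Bonus round! http://myt0ken.example/claim",
    "KYC here https://www.mytoken.example.airdrop-claims.example/kyc",
    "New address posted at https://mytokne.example.",
]

def normalise(host):
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def fold(host):
    """Map look-alike characters to one form so 'myt0ken' equals 'mytoken'."""
    return host.replace("rn", "m").translate(CONFUSABLES)

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, official=OFFICIAL):
    host = normalise(host)
    if host == official or host.endswith("." + official):
        return "official"
    if official in host:       # official name pasted in front of another domain
        return "lookalike"
    if edit_distance(fold(host), fold(official)) <= 2:
        return "lookalike"
    return "other"

def scan(messages, official=OFFICIAL):
    """Return (message index, host) for every link to a look-alike domain."""
    hits = []
    for i, text in enumerate(messages):
        for url in URL_RE.findall(text):
            host = urlsplit(url).hostname
            if host and classify(host, official) == "lookalike":
                hits.append((i, normalise(host)))
    return hits
```

Hosts returned by `scan(SAMPLE_MESSAGES)` are candidates for post removal and for defensive registration; unrelated hosts such as `chat.example` are left alone.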

Ensure Password Security - Sometimes, small things such as not changing passwords regularly can cost an ICO heavily. Enigma, a decentralized platform which was looking to raise funds through a token sale, got hacked because the email passwords of some of the team members got compromised. Apparently, the CEO’s email had been a part of another, entirely unrelated hacking attempt years ago, and had been dumped on the internet. The CEO had not bothered changing his email password after that. Hackers took over the ICO website’s landing page and Slack, and swindled the Enigma community out of $500,000. The lesson to be learned from this is that ICO security cannot be trivialized. Passwords need to be complex, and they should not be the same as those used for accessing other services. Two-factor authentication needs to be established so that a password alone is not enough to gain access to the ICO accounts. Also, passwords should be changed regularly as an added security measure.

Use Hardware Wallets - Hardware wallets store your private keys on a piece of hardware which can be plugged into the USB port of the computer when a transaction needs to be made. Private keys are generated and stored on the physical device itself, and thus, even in the event of a cyber-attack, your cryptocurrency holding is safe. Trezor and Ledger Nano S are the most widely used hardware wallets in the market today.

While these practices might not make your ICO 100% foolproof, they significantly bolster ICO security and reduce the probability of it being compromised by attacks. To know more about securing your ICOs and getting them audited, get in touch with us at [email protected].
