ICO Security Playbook: 5 Steps to Ensure Best Practice

Blockchain technology and cryptocurrencies have revolutionized the way companies raise capital. Instead of pitching venture capital firms and sacrificing equity, control, and autonomy during the fundraising process, startups can now access the financing needed to develop and succeed without ceding more than some financial incentives. Even so, initial coin offerings aren’t always foolproof. 

Despite cryptocurrencies’ highly touted security advantages and blockchain’s own defenses, several highly publicized cases show even the toughest walls are not impregnable. For prospective ICO launchers, this paints a hostile and potentially alarming landscape.

Since funds raised by ICOs can be stolen or lost due to hacks, blockchain-based startups face an uphill battle for success. However, the risks shouldn’t deter a company from seeking the capital they need to thrive. Instead, several strategies can significantly enhance an ICO’s security and ensure your round of crowdfunding is not just safe but successful as well. 

Key Takeaways

  • Blockchain technology and cryptocurrencies have revolutionized the way companies raise capital through initial coin offerings (ICOs).
  • However, enhancing an ICO's security is critical since initial coin offerings are not foolproof, and funds can be stolen or lost due to hacks.
  • Boosting security includes auditing smart contracts since they're susceptible to hacks due to poor design and programming vulnerabilities.
  • Listen to community concerns, resolve them, and implement robust policies to detect phishers.
  • Protect users and their tokens, including by deploying a web application firewall to close off back doors into the website.

1. Audit Your Underlying Smart Contracts

Smart contracts offer an inventive solution to facilitate trustless exchanges as rules for executing agreements are completely automated and hard-coded into algorithms. Smart contracts are autonomous, self-executing digital applications capable of running on their own as programmed.

However, smart contracts have been hacked as a result of poor design or vulnerabilities in their programming. The Decentralized Autonomous Organization (DAO) was a series of smart contracts that ran on the Ethereum blockchain. The DAO was designed to be a decentralized, automated venture capital fund. In June 2016, the DAO, running on the Ethereum blockchain, was hacked, and approximately $50 million worth of funds were stolen. The hackers had exploited vulnerabilities in the code of the contracts.

Smart contract and blockchain expert Frank Bonnet emphasizes the importance of getting a professional audit for smart contracts.

"It's almost impossible to code a 100% airtight smart contract," Bonnet said. "Even the best programmers make mistakes, and therefore it's an absolute must to have a third-party review and audit your contract, even if just for your investors' peace of mind."

Hackers who exploit vulnerabilities in smart contract code can create significant issues for a network. A poorly coded smart contract can create other problems, such as disappearing funds, duplicated tokens, and even scripts designed to manipulate the token minting process.

Performing a pre-ICO audit of smart contracts, focusing on security and penetration testing for blockchain applications and smart contracts, allows projects to detect problems before they turn into catastrophes.

2. Listen to Community Concerns and Resolve Them

One of the most distinctive aspects of public blockchains and associated cryptocurrencies is their degree of transparency. Most companies release all or at least part of their code, and in some cases even the smart contracts for the ICO. Despite their growing popularity with mainstream retail investors, a large portion of the community following blockchain closely knows how to code and will take the time to examine these pertinent details. Some businesses treat this public review as a formality rather than a real step in the process, but that is a mistake.

The DAO is a perfect example of why companies must listen to their community. The company's open-source code was available for review on major repositories, and several developers warned that the files had a major security vulnerability. Instead of patching the code, the DAO ignored the warnings, and millions of dollars were lost as a result.

Community members have a vested interest in a successful ICO as it means they will be able to benefit from the utility being offered by the platform or service. Thus, giving them a clear channel to express concerns and expose issues is vital in securing an ICO.

3. Implement Robust Policies to Detect Phishers

On the non-programming side of an ICO, it's vital to always be alert for any signs of potential scams. Although programmers and other tech-side employees may be privy to cybersecurity trends and best practices, not every team member is aware of, or necessarily cares about, online safety. The first step, in this case, is education. Business development and sales team members don't need to understand code, but they do need to know about potential exploits and the signs of a hack or scam being perpetrated.

Companies should always be as safe and proactive as possible in avoiding fraud. Consistently scanning web platforms like Facebook, Telegram, and other community hubs can help surface suspicious activity and keep the team prepared for any eventuality. This also gives your team the opportunity to reliably relay critical updates, point users to the correct website for the ICO, and educate community members on potential risks.

In the case of a Domain Name System (DNS) attack, hackers gain access to DNS records and point the company's domain at a fraudulent copy of the site. The fake websites established by the fraudsters look like the original. The hackers hijack the traffic to steal personal data or a user's credentials. Companies must remain vigilant to identify and report potential scams.

4. Provide Strong Security for Your ICO Gateway

In 2017, CoinDash, an enormously hyped ICO, was hacked, resulting in the loss of 43,000 ETH, and it has since become a cautionary tale for new entrants. The company's smart contracts were secured, but its website was not. As a result, hackers changed the wallet address on the ICO gateway, and once it was opened to the public, hackers stole over $7 million in under seven minutes.

Hackers were able to gain access to the company’s website through an exploit that let them alter a source file, granting them full remote control over the website. By simply changing the wallet address, they were able to get away with a massive heist despite the return of some coins.

The moral of CoinDash's story is that attackers increasingly target not the core infrastructure of ICOs, which has been upgrading its security, but an easily overlooked target such as the website. In this case there is no need for a major security audit, but it is vital to deploy the right tools to secure the gateway.

One of the easiest and most effective ways to accomplish this is by implementing a powerful web-application firewall (WAF), such as Incapsula's. WAFs control inbound and outbound traffic, granting companies improved control and oversight of who is accessing their files and website. They close off these back doors into the site's server-side code while delivering protection against common script injection and exploit techniques.
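The two gateway failures described in steps 3 and 4 (a DNS record pointed at a fraudulent copy of the site, and a contribution address swapped on the ICO page) share one defensive pattern: pin the known-good values and continuously compare what the live site serves against them. The monitor below is an added example, not code from the article or from any ICO project; the domain, IP addresses, contribution address and page snippets are constructed, and a real deployment would feed it live resolver answers and fetched HTML.

```python
"""Gateway integrity monitor (hypothetical): compares observed DNS answers
and the contribution address shown on the ICO page against a pinned
baseline and returns alerts, so a record change or an address swap is
caught before contributors send funds. All values below are constructed."""
import re
from dataclasses import dataclass

ETH_ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")


@dataclass(frozen=True)
class Baseline:
    domain: str
    a_records: frozenset          # the only IPv4 answers the domain should resolve to
    contribution_address: str     # the single address the ICO page must display


def check_dns(baseline: Baseline, observed_records) -> list:
    """Alert on any answer outside the pinned set, or on an empty answer."""
    observed = frozenset(observed_records)
    alerts = [f"DNS: unexpected A record {ip} for {baseline.domain}"
              for ip in sorted(observed - baseline.a_records)]
    if not observed:
        alerts.append(f"DNS: no A records returned for {baseline.domain}")
    return alerts


def check_page(baseline: Baseline, html: str) -> list:
    """Alert on any foreign address on the page, and on the pinned one being absent."""
    found = {m.group(0).lower() for m in ETH_ADDRESS_RE.finditer(html)}
    expected = baseline.contribution_address.lower()
    alerts = [f"PAGE: foreign contribution address {addr} displayed"
              for addr in sorted(found - {expected})]
    if expected not in found:
        alerts.append("PAGE: pinned contribution address missing from page")
    return alerts


def run_checks(baseline: Baseline, observed_records, html: str) -> list:
    """Combined check; an empty list means the gateway matches the baseline."""
    return check_dns(baseline, observed_records) + check_page(baseline, html)


# Constructed sample data (documentation-range IPs, made-up addresses).
BASELINE = Baseline("ico.example", frozenset({"203.0.113.10", "203.0.113.11"}),
                    "0x" + "a1" * 20)
GOOD_HTML = "<p>Send ETH to <code>0x" + "a1" * 20 + "</code></p>"
TAMPERED_HTML = "<p>Send ETH to <code>0x" + "ff" * 20 + "</code></p>"  # swapped address

if __name__ == "__main__":
    for alert in run_checks(BASELINE, ["198.51.100.7"], TAMPERED_HTML):
        print(alert)
```

Run on a schedule from a host outside the ICO's own hosting, the same comparison also flags the resolver-side hijack step 3 describes, which a WAF in front of the real site cannot see.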

5. Protect Your Users

A successful ICO isn't necessarily the end of the crowdfunding process. Once users have received their tokens, they also need access to the services they helped fund. Another type of attack that ICOs and cryptocurrency platforms and exchanges can fall victim to is a distributed denial of service (DDoS) attack.

Fraudsters employ DDoS attacks as a distraction, overwhelming a system by flooding it with traffic from many devices at once. Overloading the system prevents legitimate users from accessing it, disrupting the service or making it unavailable. From there, the fraudsters attempt to access data centers or sensitive information that allows them to launch more attacks in the future.

For example, in early 2020, Bitfinex suffered a DDoS attack in which the attacker "tried to exploit concurrently several platform features to increase the load in the infrastructure." The attacker exploited an internal inefficiency by using a large number of IP addresses to try to overwhelm the system, but the problem was resolved and service restored.

Protecting a website from attacks such as DDoS involves having the right tools in place to do so, and WAFs can also serve this function. Moreover, companies should always push for the most stringent security measures for users, including two-factor authentication, prompt notifications of any account changes, and maintaining activity logs for security purposes. Protecting users is paramount, and ensuring they have access to the services they paid for is a necessity to avoid legal repercussions.

The Bottom Line

ICOs are a highly effective tool for startups seeking to maintain control of their businesses, but they are neither risk-free nor invulnerable. To ensure success, you should always adhere to best security practices, expending the effort to guarantee you are as safe as possible and that your users are also protected.

Investing in cryptocurrencies and other Initial Coin Offerings ("ICOs") is highly risky and speculative, and this article is not a recommendation by Investopedia or the writer to invest in cryptocurrencies or other ICOs. Since each individual's situation is unique, a qualified professional should always be consulted before making any financial decisions. Investopedia makes no representations or warranties as to the accuracy or timeliness of the information contained herein.
