{"id":13228,"date":"2019-04-30T06:47:10","date_gmt":"2019-04-30T10:47:10","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/ico-security\/13228\/"},"modified":"2019-11-15T15:22:19","modified_gmt":"2019-11-15T11:22:19","slug":"ico-security","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/ico-security\/13228\/","title":{"rendered":"Why ICO security is a must"},"content":{"rendered":"<p>A rather na\u00efve belief many blockchain enthusiasts share is that code backed by blockchain fabric is self-sufficient. \u201cCode is Law,\u201d as they say. Unfortunately, reality has already proved this maxim wrong, because, well, code is written by people, and people are prone to making mistakes. Even when machines write code, it\u2019s still likely to contain flaws: For example, the <a target=\"_blank\" href=\"https:\/\/www.multichain.com\/blog\/2016\/06\/smart-contracts-the-dao-implosion\/\" rel=\"noopener noreferrer nofollow\">exploitation of the DAO smart contract<\/a> eventually led to a hard fork of Ethereum Classic from Ethereum. This sort of trouble has happened more than once and with more than one blockchain.<\/p>\n<p>https:\/\/twitter.com\/CoinbasePro\/status\/758158060355551232<\/p>\n<p>Problems are not limited to code flaws. From an information security perspective, blockchain systems \u2014 including nodes and wallets \u2014 are just software. And the people who use this software have a tendency to fall for social-engineering tricks. Some problems, such as the use of <a target=\"_blank\" href=\"https:\/\/www.kaspersky.com\/blog\/crypto-phishing\/20765\/\" rel=\"noopener noreferrer nofollow\">phishing<\/a> to steal coins from wallets, can be solved with security software on the consumer side. 
Others cannot, such as people believing scammers who promise ROIs of hundreds of percent and then disappear.<\/p>\n<p>Initial coin offerings (ICOs) remain popular among startups raising funds; the number of token sales <a target=\"_blank\" href=\"https:\/\/ethereumworldnews.com\/ico-market-cryptocurrency-2019\/\" rel=\"noopener noreferrer nofollow\">is higher<\/a> than it was back in 2017. At the same time, fraud did not diminish as crypto prices did. One <a target=\"_blank\" href=\"https:\/\/www.reuters.com\/article\/us-crypto-currency-crime\/cryptocurrency-thefts-scams-hit-1-7-billion-in-2018-report-idUSKCN1PN1SQ\" rel=\"noopener noreferrer nofollow\">estimate<\/a> has losses from last year totaling $1.7 billion, up 400% from 2017 \u2014 the record-setting year for the size of single-incident losses. The most notable example, vulnerabilities in the Parity Wallet, resulted first in a loss of <a target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hacker-uses-parity-wallet-vulnerability-to-steal-30-million-worth-of-ethereum\/\" rel=\"noopener noreferrer nofollow\">$30 million worth of Ethereum<\/a> and then in the locking of <a target=\"_blank\" href=\"https:\/\/hackernoon.com\/parity-wallet-hack-2-electric-boogaloo-e493f2365303\" rel=\"noopener noreferrer nofollow\">$154 million worth of Ethereum tokens<\/a> through the removal of their data from the blockchain.<\/p>\n<p>It got worse. In 2018, about $950 million was lost to theft from crypto exchanges and wallets, and another $750 million was lost as a result of fraudulent ICOs or token sales, exchange hacks, and other schemes. It\u2019s no wonder regulators are catching up. 
The stance of such financial authorities as the US Securities and Exchange Commission is that tokens, especially those that assume the receipt of profits from the startup that organizes the sales of its tokens, should be treated as financial securities with all that implies, including criminal prosecution if things go south for investors (buyers of tokens). That is true as well for an STO (secondary token offering), so if you consider token sales a means to boost your business, we suggest you start thinking of selling tokens the way you would think about issuing securities. That means taking a moment to think about security (pun intended).<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2019\/04\/30144921\/ico-security-1.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2019\/04\/30144921\/ico-security-1.png\" alt=\"\" width=\"640\" height=\"360\" class=\"aligncenter size-full wp-image-13229\"><\/a><\/p>\n<p>The four major areas of risk for token sales are smart-contract vulnerabilities, staff wrongdoings, phishing attacks on investors, and operations security.<\/p>\n<h2>Smart-contract vulnerabilities<\/h2>\n<p>The lousiness of smart-contract writers is inexplicable. <a target=\"_blank\" href=\"https:\/\/hackernoon.com\/smart-contract-vulnerabilities-remain-a-clear-and-present-danger-59acaf82213f\" rel=\"noopener noreferrer nofollow\">Estimates<\/a> from several years ago claimed smart-contract code contained about six times as many bugs as commercial code. Based on 2018 stats, the situation seemingly has not improved.<\/p>\n<p>From our perspective, having dealt with software flaws for more than two decades, studying smart contracts is actually quite similar to conducting application security testing. Sometimes it\u2019s even simpler, because smart contracts are written in a scripting language before compilation. 
There\u2019s nothing new under the sun, really \u2014 you can see for yourself that most of the <a target=\"_blank\" href=\"https:\/\/www.dasp.co\/\" rel=\"noopener noreferrer nofollow\">top mistakes<\/a> people make have been long known in the \u201cregular\u201d software world. For example, the recursive empty calls that led to the DAO heist and the subsequent Ethereum hard fork, or improper access control, as with Parity Wallet, are considered rookie mistakes in the world of information security.<\/p>\n<p>Sometimes it takes an attentive (and experienced) eye to review the code, so don\u2019t be too proud to ask an expert for a smart-contract review before you commit the code to the blockchain \u2014 you will not be able to roll back any subsequent changes.<\/p>\n<h2>Staff wrongdoings<\/h2>\n<p>You might be expecting a traditional rant about humans being the weakest link in cybersecurity, but that\u2019s not my point here. Instead, I want to focus on a goal of transforming employees into a \u201c<a target=\"_blank\" href=\"https:\/\/go.kaspersky.com\/KL-forrester.html\" rel=\"noopener noreferrer nofollow\">human firewall<\/a>\u201d through effort and dedication to improving cyberhygiene. In fact, we\u2019ve seen that in some organizations the number of incidents dropped 90% after our training.<\/p>\n<h2>Phishing attacks<\/h2>\n<p>Fame never comes alone, and once your ICO gains traction, you can assume phishing scammers will follow. Sometimes, as <a target=\"_blank\" href=\"https:\/\/securelist.com\/spam-and-phishing-in-q2-2018\/87368\/\" rel=\"noopener noreferrer\">our analysis has shown<\/a>, phishing sites pop up even before the official ones do. While it\u2019s hard to take down phishing sites that target the buyers of tokens, you can still detect them and notify your current and potential investors. 
It\u2019s better to have good fame than bad, right?<\/p>\n<h2>Operations security<\/h2>\n<p>For companies operating in the financial securities market, incident response capability and employee training are not luxuries; they\u2019re absolute necessities. You may push the tasks off, figuring you\u2019ll deal with them later, if regulators ever impose more restrictions. Well, in cybersecurity, you have to think \u201cwhen,\u201d not \u201cif\u201d \u2014 and add one important consideration: Assume an incident has already happened. That mindset will pay off in more ways than one, and what helps your reputation among investors today (you are helping them prevent losses, remember?) will save you from being slapped with fines \u2014 and, possibly, criminal charges \u2014 tomorrow.<\/p>\n<p>You can learn more about solutions for ICOs and STOs <a target=\"_blank\" href=\"https:\/\/www.kaspersky.com\/advert\/enterprise-security\/ico-sto-security?redef=1&amp;THRU&amp;reseller=gl_icosec_acq_ona_smm__onl_b2b__lnk_______\" rel=\"noopener noreferrer nofollow\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Major areas of risk for initial coin offerings that you can and should address before selling a single 
token.<\/p>\n","protected":false},"author":2454,"featured_media":13231,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1917],"tags":[1308,1507,1506,2093],"class_list":{"0":"post-13228","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-blockchain","10":"tag-ico","11":"tag-smart-contracts","12":"tag-sto"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/ico-security\/13228\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/ico-security\/15692\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/ico-security\/17608\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/ico-security\/15752\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/ico-security\/28683\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/ico-security\/26811\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/ico-security\/22559\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/ico-security\/22535\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/ico-security\/22470\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/blockchain\/","name":"BlockChain"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13228","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2454"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=13228"}],"version-history":[{"count":6,"href":"https:\/\/me-en.
kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13228\/revisions"}],"predecessor-version":[{"id":14446,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13228\/revisions\/14446"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/13231"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=13228"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=13228"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=13228"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}