Initial coin offerings (ICOs) are fundraising events similar to initial public offerings (IPOs), in which a company seeking capital offers cryptocurrencies or other tokens instead of traditional securities. Between 2017 and 2018, billions of dollars were raised through ICOs. ICOs have since lost popularity because the regulatory requirements for an ICO are as strict and costly as those for an IPO.
However, ICOs remain a legal way for a young company to seek capital from the public. The significant change from the ICO boom of 2018 is that companies must register their coins with the Securities and Exchange Commission and follow the process that all companies seeking public funding must follow.
The funds raised by an ICO may take the form of other cryptocurrencies or fiat currencies. Regardless of the medium used, funds can be stolen or lost through hacks, as demonstrated by the DAO hack that resulted in the theft of over $55 million in investor funds. Blockchain-based startups face an uphill battle to succeed, but the risks shouldn’t deter you from seeking the capital your business needs. Here are several strategies that can significantly improve the security of your ICO and ensure the safety and success of your funding round.
Key takeaways
- Blockchain technology and cryptocurrencies have created a new way for businesses to raise capital through initial coin offerings (ICOs).
- Improving the security of an ICO is essential because initial coin offerings are not foolproof and funds can be stolen or lost due to hacks.
- Strengthening security includes auditing smart contracts, as they are susceptible to hacking due to poor design and programming vulnerabilities.
- Listen to and address community concerns and implement robust policies to detect phishers.
- Protect users and their tokens, which includes establishing firewalls to protect website backdoors from hackers.
1. Audit your underlying smart contracts
Smart contracts offer an inventive solution to facilitate trustless exchanges. Smart contracts are autonomous, self-executing digital applications capable of operating on their own as programmed.
Smart contracts are a frequent avenue of attack because of poor design, programming errors, or unforeseen vulnerabilities. For example, the Decentralized Autonomous Organization (the DAO) was designed to be a decentralized, automated venture capital fund. It used a series of smart contracts on the Ethereum blockchain for proposal voting and fundraising. In June 2016, its smart contracts were exploited and approximately $55 million of the collected funds were stolen.
Attackers who exploit vulnerabilities in smart contract code can create significant problems for a network. A compromised smart contract can also allow attackers to duplicate tokens or insert logic designed to manipulate the token creation process.
Conducting a pre-ICO third-party audit of smart contracts allows projects to detect issues before they turn into disasters. These audits should ensure best practices and also focus on security and intrusion testing of blockchain applications and smart contracts.
2. Listen to community concerns and address them
One of the most distinctive aspects of public blockchains and related cryptocurrencies is their degree of transparency. Most companies publish all or at least part of their code, sometimes including their smart contracts. Despite the growing popularity of these projects among traditional retail investors, much of the community that follows blockchain knows how to code and will take the time to review these pertinent details.
The DAO is a perfect example of why businesses need to listen to their community. The company’s open source code was available for review on major repositories, and several developers warned that the files had a major security vulnerability. Instead of fixing the code, the DAO ignored the warnings, resulting in a loss of millions of dollars.
Community members have a vested interest in an ICO being successful because it means they can benefit from the utility offered by the platform or service. So, giving them a clear channel to voice their concerns and expose issues is essential to securing an ICO.
3. Implement robust policies to detect phishers
On the non-programming side of an ICO, it is essential to stay alert for any signs of a potential scam. While programmers and other technical staff may be aware of cybersecurity trends and best practices, not everyone on the team is necessarily aware of, or cares about, online security. In this case, the first step is education. Business development and sales team members don’t need to understand code, but they should be aware of potential exploits and recognize the signs of a hack or scam.
Businesses should always be as proactive as possible when it comes to fraud prevention. Consistent scanning of social media sites or other information hubs can help you identify suspicious activity and prepare for any eventuality. It also gives your team the ability to reliably relay critical updates, display the appropriate website for an ICO, and inform community members about potential risks.
One example of fraud to watch out for is a Domain Name System (DNS) attack, in which attackers gain access to DNS records and redirect the company’s domains to fraudulent copies of its site. Fake websites created by scammers look exactly like the original and are used to steal your users’ personal data or credentials. Businesses must remain vigilant to identify potential scams and report them to users, investors, and law enforcement.
4. Provide enhanced security to your ICO gateway
In 2017, CoinDash, a hugely publicized ICO, was hacked, resulting in the loss of 43,000 ETH. This has become a warning to new entrants. The company’s smart contracts were secure, but its website was not. As a result, the hackers changed the wallet address on the ICO gateway, and once it was opened to the public, the hackers stole over $7 million in less than seven minutes.
Hackers gained access to the company’s website using an exploit that allowed them to modify a source file, granting them full remote control over the website. By simply changing the address of the wallet, they managed to pull off a massive heist despite some coins being returned.
The moral of the CoinDash story is that attackers increasingly target not the ICO’s network or blockchain, but an easily overlooked component such as the website. In this case, no major security audit is necessary, but it is essential to deploy the right tools to secure the gateways.
One of the simplest and most effective ways to achieve this is to use a web application firewall (WAF) service, such as Imperva. A WAF filters incoming and outgoing traffic, giving businesses greater control over, and visibility into, who is accessing their files and website. It guards these overlooked entry points into the web server while blocking common script injection and exploitation techniques.
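As an added example (not from the original article or from any of the companies named), the following Python monitor covers the two failure modes described in sections 3 and 4: a DNS answer that no longer points at the company’s own servers, and a contribution address on the gateway page that is not the approved one. All addresses, IP ranges and page content below are constructed; fetching the live page and resolving the domain are assumed to happen elsewhere and are passed in as arguments.

```python
import hashlib
import re
from dataclasses import dataclass

# Ethereum-style address: "0x" followed by exactly 40 hex digits, word-bounded.
ETH_ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

@dataclass
class GatewayBaseline:
    """Known-good state recorded before the sale opens (constructed for this example)."""
    approved_addresses: set   # the only contribution address(es) that should ever appear
    page_sha256: str          # hash of the reviewed gateway page
    expected_a_records: set   # IPs the company's DNS A records should resolve to

def extract_addresses(html: str) -> set:
    """Return every Ethereum-style address found in the page body, lower-cased."""
    return {m.lower() for m in ETH_ADDR_RE.findall(html)}

def check_gateway(html: str, dns_answers: list, baseline: GatewayBaseline) -> list:
    """Compare a fetched copy of the gateway page and its DNS answers with the baseline.
    Returns human-readable findings; an empty list means nothing has changed."""
    findings = []
    approved = {a.lower() for a in baseline.approved_addresses}
    seen = extract_addresses(html)
    for addr in sorted(seen - approved):        # CoinDash-style address swap
        findings.append(f"unapproved contribution address on page: {addr}")
    for addr in sorted(approved - seen):
        findings.append(f"approved address missing from page: {addr}")
    digest = hashlib.sha256(html.encode()).hexdigest()
    if digest != baseline.page_sha256:          # any other edit to the reviewed page
        findings.append(f"page content changed: sha256 {digest[:12]} != {baseline.page_sha256[:12]}")
    for ip in sorted(set(dns_answers) - baseline.expected_a_records):  # DNS redirection
        findings.append(f"DNS answer not in expected set: {ip}")
    return findings

# Constructed sample data: not real addresses, servers or page content.
GOOD_HTML = "<p>Send ETH to <code>0x" + "a1" * 20 + "</code></p>"
TAMPERED_HTML = GOOD_HTML.replace("a1" * 20, "b2" * 20)
BASELINE = GatewayBaseline(
    approved_addresses={"0x" + "a1" * 20},
    page_sha256=hashlib.sha256(GOOD_HTML.encode()).hexdigest(),
    expected_a_records={"192.0.2.10"},  # RFC 5737 documentation range
)

if __name__ == "__main__":
    print(check_gateway(GOOD_HTML, ["192.0.2.10"], BASELINE))  # no findings
    for finding in check_gateway(TAMPERED_HTML, ["192.0.2.10", "198.51.100.7"], BASELINE):
        print("ALERT:", finding)
```

Run on a schedule from a host outside the company’s own network, so that a poisoned resolver or a compromised web server is observed the way a contributor would see it.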
5. Protect your users
A successful ICO does not necessarily mean the end of the crowdfunding process. Once users receive their tokens, they also need access to the services they helped fund. Another type of attack that ICOs, cryptocurrency platforms and exchanges can fall victim to is the distributed denial of service (DDoS) attack.
A DDoS attack overwhelms a system with a flood of connections from many sources. The sheer volume of requests reaching the server prevents legitimate users from accessing the system and disrupts service. From there, fraudsters attempt to gain access to data centers or sensitive information, allowing them to launch further attacks in the future.
For example, in early 2020, Bitfinex suffered a DDoS attack in which the attacker “attempted to simultaneously exploit multiple platform features to increase infrastructure load.” The attacker exploited an internal inefficiency by using a large number of IP addresses in an attempt to overwhelm the system, but the problem was resolved and service was restored.
Protecting a website from attacks such as DDoS involves having the right tools, and WAFs can serve this function as well. Additionally, businesses should always insist on the strictest security measures for users, including two-factor authentication, prompt notifications of any account changes, and retaining activity logs for security review. User protection is paramount, and ensuring users have access to the services they have paid for is a necessity to avoid legal repercussions.
Why are initial coin offerings not allowed in the United States?
Initial token offerings are legal in the United States. However, they are regulated and must follow a process to offer tokens and raise funds, which is costly and time-consuming.
Is Ethereum an ICO?
Ethereum initially raised funds through a token offering but was later told by the Securities and Exchange Commission that it had offered unregistered securities. Ethereum paid its fines and continued to grow.
Are ICOs still relevant?
Initial coin offerings are still around, but they are no longer as popular as they once were because securities regulators have cracked down on the practice.
The essentials
ICOs are an option for blockchain or tech startups looking to raise money for their businesses, but they are not risk-free, foolproof, or cheap. To ensure success, you should always register with the appropriate agency and adhere to security best practices.