How To Win A Token Sale In 10 Ways
Unsolicited Advice For Those Holding Token Sales
If you are having a token sale you are now the proud owner of fiduciary and moral responsibility to your users (who are now your investors).
Building a product is easy…dealing with people is hard. If you are not prepared to support, educate, and set your users up for success, do not have a token sale.
- Publish your token sale address ahead of time (at least 24 hours)
- Make sure you have secured all platforms — website, social media, everything. There will be very diligent attempts to hack you. Do not take this lightly and do not think you cannot be hacked. A light pentest on your web security would be in everyone’s best interest. Check HackerOne or Upwork.
- Your website, blog posts (every single one), etc. should contain a big red warning at the top about phishing and staying safe. Drill it into people’s heads that they are at risk. Great example from @0xProject — https://blog.0xproject.com/0x-token-sale-and-registration-details-75d84af11c60
- Learn from those who came before, like 0xProject’s Philippe https://www.youtube.com/watch?v=pFKFSlfdWeM
- Use existing tools, like:
  - AGP 5: Migration to Open Source Messaging Platform
  - Status — Gone Phishing
- If you are on Slack, send a channel-wide message to your #general channel to warn people about phishing every 8 hours or so. This will annoy people and make them turn off email notifications (so they won’t get Slack phishing DMs in their email) and… it warns them!
- Around the week of your token sale, make sure you have at least one person monitoring all social media channels 24/7 to gain trust, report scams, and ensure phishing links, fake addresses, and misinformation are quickly called out and removed. Report to etherscamdb.info.
- Make sure you provide customer support before, during, and after your token sale. Scammers get away with more if you aren’t accessible.
- Encourage use of hardware wallets, MetaMask, cold storage, and EtherAddressLookup. Additionally, you can run your own node!
- Focus on making Ethereum better and contributing to the larger ecosystem. If you do this, you will go places as most people are too self-centered at this point. If Ethereum is not easy-to-use, secure, and improving, your product and users will fail too.
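A sketch of the kind of check a channel moderator or bot can run to catch the fake addresses and phishing links mentioned above. This is an added example, not code from 0x, Status or any project named on this page; the official address, the allowed hosts and the sample messages are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed placeholders: substitute the team's published address and hosts.
OFFICIAL_ADDRESSES = {"0x" + "ab" * 20}
ALLOWED_HOSTS = {"token.example", "blog.token.example", "etherscan.io"}

# 0x followed by exactly 40 hex digits; longer hex runs (tx hashes) do not match.
ADDRESS_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
# Stops at '<', '>' and '|' so Slack's <url|label> markup yields only the URL.
URL_RE = re.compile(r"https?://[^\s<>|]+", re.IGNORECASE)


def review_message(text):
    """Return the reasons a message should be removed (empty list = keep)."""
    reasons = []
    for addr in ADDRESS_RE.findall(text):
        # Compare case-insensitively: checksummed and lowercase forms are equal.
        if addr.lower() not in OFFICIAL_ADDRESSES:
            reasons.append(f"unofficial address {addr}")
    for url in URL_RE.findall(text):
        # Judge the parsed hostname, not the visible text of the link.
        host = (urlparse(url).hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            reasons.append(f"link to unlisted host {host}")
    return reasons


def flagged(messages):
    """Return the indexes of messages that need moderator action."""
    return [i for i, text in enumerate(messages) if review_message(text)]


# Constructed sample channel traffic.
SAMPLE = [
    "Reminder: the only sale address is 0x" + "AB" * 20,
    "Sale moved! Send ETH to 0x" + "cd" * 20 + " now",
    "Claim your bonus at <https://t0ken.example/sale|token.example>",
    "See the FAQ at https://blog.token.example/faq",
]

if __name__ == "__main__":
    for i in flagged(SAMPLE):
        print(i, review_message(SAMPLE[i]))
```

An allowlist keeps the rule simple during sale week: any address or link that is not yours gets a human look, whether or not it is on a blacklist yet.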
We said 10 ways but fuck it, there’s always more to learn.
11. Get all contracts verified on Etherscan beforehand. Teach users how to check whether a contract is verified, how to check comments, and how to tell whether they are sending to a normal account or a contract (sending to a normal account would indicate a scam).
12. Get your token on MEW & provide a custom message when users enter your address: https://myetherwallet.github.io/knowledge-base/tokens/token-creators-add-your-token-to-myetherwallet.html
13. Educate users on the importance of not sending to any random address and properly securing their account. e.g. PRIVATE KEYS ARE PRIVATE! PROTECT THEM!
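The account-versus-contract check from item 11, combined with a comparison against the address published ahead of time, can be done against any Ethereum node with the standard `eth_getCode` JSON-RPC method. This is an added example, not MyEtherWallet code; it assumes the sale is run by a contract, and the addresses and the `fake_rpc` stand-in for a node are constructed.

```python
import json
import re
import urllib.request

ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def http_rpc(node_url):
    """Return a callable that sends one JSON-RPC request to an Ethereum node."""
    def call(method, params):
        body = json.dumps({"jsonrpc": "2.0", "id": 1,
                           "method": method, "params": params}).encode()
        req = urllib.request.Request(
            node_url, data=body, headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            reply = json.load(resp)
        if "error" in reply:
            raise RuntimeError(reply["error"])
        return reply["result"]
    return call


def check_destination(dest, published, rpc):
    """Return warnings for a destination address (empty list = no warning)."""
    if not ADDRESS_RE.fullmatch(dest):
        return ["not a well-formed address"]
    warnings = []
    if dest.lower() != published.lower():
        warnings.append("does not match the published sale address")
    # eth_getCode returns "0x" for a normal (externally owned) account.
    code = rpc("eth_getCode", [dest, "latest"])
    if code in ("0x", "0x0", ""):
        warnings.append("normal account, not a contract")
    return warnings


# Constructed stand-in for a node: only SALE holds contract code.
SALE = "0x" + "ab" * 20


def fake_rpc(method, params):
    return "0x6060604052" if params[0].lower() == SALE else "0x"


if __name__ == "__main__":
    print(check_destination("0x" + "cd" * 20, SALE, fake_rpc))
```

Against a live node, pass `http_rpc("http://localhost:8545")` (an assumed local node URL) instead of `fake_rpc`.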
You are free to use, modify, or shamelessly steal any information in our knowledge base. A shoutout is nice, but not required. Take advantage of this. https://myetherwallet.github.io/knowledge-base/
From a random reddit comment:
Token sale holders, take note:
- YOUR SITE WILL NOT HOLD UP TO A FOMO F5 ATTACK BY YOUR “INVESTORS”
- There is no excuse not to release the address for the token sale beforehand. If someone sends too early, that’s their fault and they lose ~0.20 cents in gas. Instead you chose: release at start of sale with shitty infrastructure & let your users send ETH to a scammer?
- It is your fault for ignoring all previous experiences from token sales and laying the same trap. It is not your fault that they sent. It is your fault for not setting your investors up for success.
- This has been a thing since the DAO, 365+ days ago. Sure, the user should have known better. But you have the ability to prevent it and keep scammers from stealing! I guess when you are about to get millions of dollars, regardless of the number of scammers, it doesn’t actually matter?
- At the very least take the time to set up something on AWS or use a free public service that can handle traffic like Medium, Reddit, Twitter, Facebook. You should be able to sustain 1000+ requests/second. Peak times for ICOs are ~30 minutes beforehand and skyrocket quickly.
Investors take note:
- You are encouraging this sort of laziness and greed by buying into token sales with lazy teams who refuse to take the time and effort necessary to protect you. You should demand more from a team about to take $10M+ in 10 minutes. You have the power. You don’t have to give them money unless they do what you want, when you want it. Utilize that power.
- Ask hard questions BEFORE the token sale. Ask on reddit. And twitter. And slack. And every blog and forum that they post in. Demand answers BEFORE the token sale. Upvote and encourage others doing the same. Once you give them $10M+, your questions will go unanswered. Why? Because why should they answer you once you have already given them all the money? You put the reward before the work and now expect something from them? Good freaking luck.
- Report Scams / Phishes: https://etherscamdb.info/
- Encourage people to install EtherAddressLookup or MetaMask (uses above to block malicious sites)
- Encourage people to be secure: https://myetherwallet.github.io/knowledge-base/getting-started/protecting-yourself-and-your-funds.html
- Look over how 0x did things to prevent scams. Philippe is like the best ever, touch base with him for the code for Slack if you need it (blacklists and auto-deletes malicious messages). https://blog.0xproject.com/a-note-on-scams-and-phishing-attempts-e2d72577a470
- MetaCert also provides similar functionality. Paul (Founder) is on Twitter and loves helping ICOs protect their investors. Get in touch with him.
- Starter template on what to tell people who get phished: https://myetherwallet.github.io/knowledge-base/security/phish-hacks-thefts-and-stolen-funds-due-to-phishing.html
- Suggestions in this discussion to move to other platforms with better anti-spam tools https://github.com/aragon/governance/issues/7.
- Install and encourage others to install Harry’s EtherAddressLookup extension which blocks known bad addresses and sites: https://chrome.google.com/webstore/detail/etheraddresslookup/pdknmigbbbhmllnmgdfalmedcmcefdfn
- Read Harry’s blog on EAL: https://steemit.com/ethereum/@sniko/my-attempt-to-prevent-private-key-phishing
- Status.im built a slack bot that auto-adds everyone to a Scam alert channel so when scammers come in they can be reported and everyone can be alerted. I think it is this https://github.com/status-im/gone-phishing
- ummjackson http://phishbert.com/
- Philippe / 0x: https://www.youtube.com/watch?v=pFKFSlfdWeM
- Harry / 409H: https://safeslack.harrydenley.com/
- Paul / Metacert: https://metacert.com/
Insights from Hudson regarding the Slack issues:
Here is an overview of what has been done and what is currently underway:
- Slack has not been very receptive to our requests for better anti-spam solutions because Slack is designed for groups of people/businesses where everyone knows each other. They don’t build anti-spam tools because they did not anticipate their platform would be used in this way.
- Swarm City added a short form in lieu of the Slack Invite, with 2 questions. 1. A way to contact them. 2. Someone in our community who can vouch for them. We’ve had no issues since. http://slackinvite.swarm.city/