ICOs and the security of their contributors and investors.
There have been two events in recent months that could probably have been avoided. Both involved contributors / investors to ICOs losing their Ether.
The first concerns Etherparty, whose website was hacked during their ICO. The hackers replaced the hexadecimal wallet address that Etherparty displayed on the website with their own and so directed a large amount of Ether to their own wallet (the exact Ether figure hasn’t been released, and those affected still received tokens).
The second and most recent event concerned Experty. They suffered a data breach, and emails that appeared genuine were subsequently sent to the people affected (spoofing “from” addresses is an old game); it is estimated that circa $150,000 worth of Ether was sent to a fraudulent Ethereum wallet.
Could this have been prevented? Well, there are a few steps that could, and probably should, have been taken. Firstly, it should be clearly stated when someone signs up to participate in an ICO that no wallet address will ever be communicated via email. This should be reiterated in every single email sent to prospective contributors / investors.
Secondly, it should also be stated that the wallet addresses to which Ether is to be sent during an ICO will be published across all of the social media channels the ICO uses (I purposely exclude Telegram from this), and that it is up to the contributor / investor to cross-check these and make sure they are all the same, and therefore correct. A website may be hacked, but it would be nigh on impossible for an attacker to successfully target and alter the posts on Facebook and Reddit as well, for example.
One other method that, for some reason, most ICOs (apart from ours) seem to be overlooking at present is the use of a .eth address. These are extremely easy to set up and can be registered via the ENS tab on myetherwallet.
The process involves a 5 day auction to secure an alphabetical wallet name, which is then resolved to a hexadecimal wallet address. So instead of sending their Ether to 0xjh6645j….., the contributor / investor would actually send it to “OurIcoSale.eth” or whatever the ICO is called. To do this, ICOs would simply have to require that all Ether sent to the smart contract is sent via myetherwallet or MetaMask, as both are able to send to .eth addresses (the cypher wallet for iOS is also capable of sending to .eth addresses). After typing the .eth address into the “to” field, the contributor / investor sees zero difference in the rest of their transaction.
Taking this simple step would increase security both for the ICO and for its potential investors. An alphabetical .eth wallet name is much easier to check and cross-confirm across social media platforms, and malicious parties have no chance of changing the resolved address, since they cannot change the ENS registration details without access to the private key / JSON file of the hexadecimal wallet that owns the name.
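The cross-checking the post asks of contributors (the “Secondly” step above) and the comparison of a .eth name across channels can be mechanised. The following is an added example, not code from this post or from any ICO; the channel names, sample addresses and the rule that at least two independent channels must agree are all constructed assumptions.

```python
import re
from collections import Counter
from typing import Dict, NamedTuple, Optional

UNTRUSTED_CHANNELS = frozenset({"email"})  # policy: an address never travels by email
MIN_TRUSTED_CHANNELS = 2                   # constructed threshold: need independent sources
HEX_ADDRESS = re.compile(r"^0x[0-9a-f]{40}$")
ENS_NAME = re.compile(r"^(?:[a-z0-9-]+\.)+eth$")


class CheckResult(NamedTuple):
    consensus: Optional[str]           # value every trusted channel agrees on, else None
    disagreeing: Dict[str, str]        # trusted channels whose value differs from the rest
    invalid: Dict[str, str]            # values that are neither a hex address nor a .eth name
    policy_violations: Dict[str, str]  # addresses that arrived through an untrusted channel

    @property
    def safe_to_send(self) -> bool:
        return (self.consensus is not None and not self.disagreeing
                and not self.invalid and not self.policy_violations)


def normalise(raw: str) -> Optional[str]:
    """Lowercase and validate: hex addresses and .eth names are case-insensitive,
    so "OurIcoSale.eth" and "ouricosale.eth" compare equal. None if malformed."""
    value = raw.strip().lower()
    return value if (HEX_ADDRESS.match(value) or ENS_NAME.match(value)) else None


def cross_check(published: Dict[str, str]) -> CheckResult:
    """All trusted channels must show the same value; one tampered channel stops the send."""
    trusted, invalid, violations = {}, {}, {}
    for channel, raw in published.items():
        if channel in UNTRUSTED_CHANNELS:
            violations[channel] = raw      # the email itself is the warning sign
        elif (value := normalise(raw)) is None:
            invalid[channel] = raw         # e.g. a pasted "address" with non-hex characters
        else:
            trusted[channel] = value
    if len(trusted) < MIN_TRUSTED_CHANNELS:
        return CheckResult(None, {}, invalid, violations)
    leading = Counter(trusted.values()).most_common(1)[0][0]
    disagreeing = {ch: v for ch, v in trusted.items() if v != leading}
    return CheckResult(leading if not disagreeing else None, disagreeing, invalid, violations)


# Constructed sample: the website copy was altered (as in the Etherparty case) and a
# spoofed email repeats the altered address; Twitter, Reddit and Facebook still agree.
GENUINE = "0x" + "abcdef0123456789" * 2 + "abcdef01"
TAMPERED = "0xbad" + "0" * 36 + "1"
SAMPLE = {"website": TAMPERED, "twitter": GENUINE, "reddit": "0x" + GENUINE[2:].upper(),
          "facebook": GENUINE, "email": TAMPERED}
```

Running `cross_check(SAMPLE)` reports the website as the disagreeing channel and the email as a policy violation, so `safe_to_send` is False even though the two tampered values agree with each other.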
.eth addresses have been available for quite some time now, so why aren’t ICOs taking advantage of them? For the sake of 0.01 Ether, which is the typical price to win a .eth auction, it seems quite slack that most of them fail to use one. It also enables them to further brand their ICO, as well as giving them the option at a future date, should they need it, of subdomain wallet names, for example “peter.OurIcoSale.eth”. These could be particularly useful for on-site wallets.
As mentioned, we shall be using a .eth address in our forthcoming ICO sale, and contributions to it can ONLY be sent from myetherwallet or Metamask. We take the security of our contributors / investors seriously, and we hope that other ICOs will, by taking 5 days to secure a .eth name, do the same.