How to loose $7 million before you even open your Initial Coin Offering
Originally posted on Dailyfintech.com
CoinDash, an Israeli startup, opened its planned Initial Coin Offering on June 17, in order to raise capital by selling its own tokens. The site was hacked minutes before the ICO opened to the public and around $7 million in Ethereum was stolen. The hackers broke into the Coindash website befoe the ICO even opened and replaced the Ethereum address that was posted on the site with their own address, so instead of money going to Coindash, the funds ended up going directly to the hackers.
While CoinDash ICO still managed to raise $6.4 million in a pre-sale to early investors, the hackers stole 43,488 Ether, around $7 million at the time of the theft, before the company discovered what was going on and was forced to shutdown their token sale. When Coindash realized what happened, they took down their website and posted announcements on the site and social media, alerting investors of the hack and urging them to stop sending money to the fraudulent address. After the hack, in an announcement posted on their website, Coindash said they would give tokens to the investors that participated in the ICO, before it was shutdown.
The CoinDash hack was not the only one this week. On a smaller scale, the InsureXICO suffered from a similar type of hack, which caused people to send around 1,100 ETH to a bogus Ethereum address. Also hackers discovered a vulnerability in Parity’s Wallet and exploiting the vulnerability they were able to steal approximately 153,000 Ether, estimated at $32 million. With the cryptocurrency market estimated at $100 billion, the concept of anonymous wealth is raising questions about the right to anonymous identity.
These hacks certainly raise a lot of questions about the state of readiness and security measures these companies are taking with their ICOs. The most important question they raise is how can you trust unknown companies to build the product they are claiming, when they cannot secure their website? Governance and trust are issues that are coming up more and more lately, when people talk about ICOs.
The CoinDash hack was very simple to execute and could of been easily prevented.
While rumors have surfaced and angry investors expressed that CoinDash ICO theft was an inside job (1, 2, 3, 4), it will be interesting to see how the CoinDash team handles credibility from this point forward, by reimbursing investors and not only, as CoinDash’s image is significantly damaged. I don’t know and I don’t really care if the rumors are true. The CoinDash hack could have been prevented or minimized if investors knew in advance the address where they were going to send funds to. Startups planning ICOs should publish their funding address in advance on multiple platforms, including news outlets and social media. Even if hackers mess with one site, it becomes hard for them to hack all of them.
I also read some posts about the Insurex hack, that questioned the use of a WordPress template for an ICO: “Hacks like these demonstrate why using a basic WordPress template for a company website -especially one with ICO plans- is absolutely unacceptable right now”. Why? WordPress or WordPress templates are not the problem with these hacks. Its the people running them and using these technologies. They are the ones that need to make sure they plan their ICOs correctly. Sometimes when people start to see dollar signs, their vision gets blurred. Technology was not the problem with the CoinDash and InsureX ICOs hacks, instead it was blatant mismanagement and lack of proper planning. And that’s why people are talking about governance, regulation and trust when it comes to ICOs. These kinds of attacks will occur more often and are proof of the lack of diligence behind some ICO projects.
Hopefully one of the items on future ICO planing checklists, will be the use of ENS. For most people, using 160 bit hexadecimal encoded hash string is not ideal. The Ethereum Name Service(ENS), brings human readable names to Ethereum, just like DNS addresses did for the Internet. ENS eliminates the need to copy or worse type, long hexadecimal addresses. With ENS, users can send money to someone at “someone.eth” instead of “0x4cbe58c50480…”, and interact with a smart contract at “smartcontract.eth”.
The Achilles’ heel of cryptocurrencies has been the protection of private keys, that control someone’s cryptocoins. Bitcoin and Ether transactions are completely transparent, and all transactions are recorded on the blockchain, a global, public and immutable ledger. On the other hand, blockchain wallets are completely anonymous. Until someone turns their cryptocurrency into fiat currency, it’s almost impossible to know who actually owns the digital wallet. Unlike fiat currencies, cryptocurrency theft is instantaneous, irreversible, and typically anonymous.
Yet, hackers have already found workarounds for turning cryptocurrencies to fiat currencies. For example, the hackers involved in the Petya/NotPetya ransomware attack used a bitcoin tumbler to basically launder the money through high-volume addresses, mixing stolen bitcoins in with legitimate transactions, making the stolen funds nearly impossible to trace.
Hacks like these make us question the security and legitimacy of ICOs and trusting unknown startups with our money. It remains to be seen if these hacks will curb the enthusiasm for ICOs, but certainly public perception is not improved by hacks like these.
