Running your crypto project or ICO? Be prepared in advance that your startup may not only attract investors but also hunters for their money and data. According to the Ernst and Young report, which analyzed more than 370 tokens sales, every tenth dollar earned or invested in ICOs becomes prey to hackers. The authors also point to even more significant losses of crypto exchanges, which are deprived of two million dollars every month due to hacker attacks.
In addition, you can become a victim of DDoS-attack, extortion, phishing attack or malicious program due to vulnerabilities that you did not even suspect, neglecting the security audit. Meanwhile, your colleagues and competitors are already set for spend the budget on an independent security assessment.
The weak protection of projects – especially ones originating from the CIS and Asia – provoked a downturn in the market, says Dmitry Budorin, CEO of Hacken and HackIT 4.0, the annual forum on cybersecurity held in Ukraine.
Apart from the sensational collapse of The DAO in 2016, when a promising project lost $ 60 mln, there’s a mass of less memorable attacks, in which millions were also stolen.
In 2017, a New York-based blockchain startup Veritaseum (p2p-platform, focused on financial markets) lost more than $8 million, which were injected by investors during the ICO. An unknown attacker (or group) stole tokens and immediately managed to sell them. Fortunately for investors, the tokens belonged to the project, so none of the users suffered financial losses.
In the same year, KICKICO platform underwent DDoS attacks twice while conducting its pre-sale. The website received a lot of requests which it couldn’t cope with and was forced to suspend service to all users. Later, the KICKICO team received a letter from the scammers with a proposal to provide security against similar DDoS-attacks. However, the developers connected a service that protected the site.
Later, in July 2018, hackers gained direct access to KickCoin smart contracts and took possession of 40 accounts, destroying them and creating 40 identical accounts. The platform’s team didn’t know about the breach until several victims turned to complaints. Users discovered the loss of tokens totaling $ 800,000 in their wallets.
“To prevent such situations, which puts the reputation of your project at stake, it’s worth to spend on assessing security and implementing compensation measures than to lose reputation or even business in the future”, Dmitry says.
An independent audit by specialists is much preferable to self-testing, at least when it comes to the application and infrastructure pen test, the social and technical testing of the development team. But ideally, those going to launch their product have to use the bug bounty and vulnerability reward platform.
Typically, the security assessment consists of:
- collecting information: obtaining data from the client or other open resources,
- use of the threat model – a plan for entering the system,
- performing the manual and automatic analysis to identify vulnerabilities,
- exploiting vulnerabilities to understand how the attackers can use them and whether they are able to damage the system and the company as a whole.
Consequently, a report should appear, where all actions at each stage are documented, as well as recommendations for eliminating the vulnerabilities.
In accordance with safety assessment standards, the auditor must validate the source code of the contract, confirm that it operates in accordance with the specified public specification and confirm that there are no errors and “backdoor” for the developer.
“Today, after experiencing the consequences of the Wild West in crypto, many projects understand the need for an audit. A project dealing with their security in the long term can already be considered half-valid”, Dmitry adds.
In order to better understand the weaknesses of your project, arrange its “white” hack. The closest opportunity to look at how controlled hacking of crypto projects takes place is HackIT cybersecurity forum which will be held from October 8 to 11 in Kiev. In addition to the two-day conference and exhibition area, the program includes CTF (Capture the Flag) competition and the guided tour to the Chernobyl nuclear power plant to illustrate the consequences of man-made disasters.