Although ICOs provide numerous advantages to both startups and investors in comparison with traditional methods of fundraising, their security at times leaves much to be desired. A series of major hacks over the past few years has made companies pay closer attention to securing their smart contracts and protecting investors’ funds.
The high level of risk shouldn’t be a show-stopper for the development of new technologies, though. Following a number of security best practices can help startups not only protect their fundraising mechanisms but also contribute to the success of the whole event. Here’s what a company can do to strengthen its position.
Any project should always start with a plan. Before you start working, you should carefully analyze your future ICO, set its goals and technical milestones, specify the tokenomics, and describe the innovative features you are going to implement and the smart-contract functionality that brings them to life. When you know what you are working with, you can better estimate the future costs, including those associated with security.
Perhaps the trickiest aspect of the blockchain is that it doesn’t forgive mistakes. Once the code is deployed on the mainnet, the smart contract is permanently written to the blockchain at its address and cannot be changed. Therefore, if the contract contains errors, there’s no way to fix them in place.
There are some workarounds that involve deploying new smart contracts on top of the old ones. But it is always better to test everything in a sandbox before your app goes live, isn’t it?
Even if your smart contract works fine on the testnet, there is no guarantee that the code doesn’t contain hidden errors that may turn into vulnerabilities and significant fund losses. Indeed, the crypto crime report released by Chainalysis reveals that in 2021 the amount of funds stolen through DeFi protocols running on smart contracts spiked and far exceeded the losses of all previous years.
To bring the hacking risk down to a minimum, you should engage third-party specialists who can carefully review your code, locate its weaknesses and advise on what to improve before you release it to the mainnet.
Chainalysis reports that cryptocurrency theft in 2021 grew by an astonishing 516% in comparison with the previous year.
Hackers will try every gateway to break through your defenses, including your website. Therefore, implementing security best practices for your website, such as SSH, anti-malware software, firewalls, and strong passwords, is just as important as securing your smart contracts.
CoinDash, a well-known ICO that took place in 2017, experienced a breach that may seem really stupid at first glance. Although its smart contracts were audited and secured, hackers managed to get into the admin panel of the website and change the ETH address to which funds were forwarded during the event. Within 7 minutes, $7 million worth of ether had been drained from the project.
In addition to the basic threats, there is also a risk of your website being hijacked via a Domain Name System (DNS) attack. In this case, hackers gain access to the DNS records, point your domain at a fake copy of your website and collect whatever visitors send there. Neatly accomplished, such an attack may coincide with the launch of the ICO and lead to the same result as described in the paragraph above.
To stand against such attacks and improve your DNS security, you should take a whole set of measures. That includes hardening your DNS servers, constantly monitoring DNS queries, limiting admin access, implementing third-party software for preventing DNS attacks, and so on.
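Both incidents above share one symptom: something the project publishes (a deposit address on the site, or the DNS records for its domain) silently drifts away from the value the team intended. The following monitoring check is an added example, not code from CoinDash or from the original article; the pinned address, the sample page bodies and the DNS record sets are all constructed placeholders, and fetching the live page or querying a resolver is left to the caller.

```python
import re
from typing import Dict, List

# Matches a 40-hex-digit Ethereum address; it does not validate the EIP-55 checksum.
ETH_ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def find_eth_addresses(html: str) -> List[str]:
    """Return every Ethereum-looking address embedded in a page body."""
    return ETH_ADDR_RE.findall(html)


def check_published_address(html: str, expected: str) -> List[str]:
    """Return the addresses on the page that differ from the pinned deposit address.

    An empty list means every address shown to investors is the one the team pinned;
    anything else is a sign the site content (or the admin panel) was tampered with.
    """
    return [a for a in find_eth_addresses(html) if a.lower() != expected.lower()]


def check_dns_records(observed: Dict[str, List[str]],
                      expected: Dict[str, List[str]]) -> List[str]:
    """Compare observed DNS answers with the pinned set, one record type at a time.

    Order within a record set is irrelevant, so both sides are sorted before comparing.
    Returns one finding per record type that drifted; an empty list means no drift.
    """
    findings = []
    for rtype, exp in expected.items():
        obs = observed.get(rtype, [])
        if sorted(obs) != sorted(exp):
            findings.append(f"{rtype}: expected {sorted(exp)}, observed {sorted(obs)}")
    return findings


# Constructed sample data (placeholders, not real addresses or hosts)
PINNED_ADDRESS = "0x1111111111111111111111111111111111111111"
SAMPLE_PAGE_OK = "<p>Send ETH to <code>0x1111111111111111111111111111111111111111</code></p>"
SAMPLE_PAGE_TAMPERED = "<p>Send ETH to <code>0x2222222222222222222222222222222222222222</code></p>"
EXPECTED_DNS = {"A": ["203.0.113.10"], "NS": ["ns1.example.net.", "ns2.example.net."]}
OBSERVED_DNS_OK = {"A": ["203.0.113.10"], "NS": ["ns2.example.net.", "ns1.example.net."]}
OBSERVED_DNS_HIJACKED = {"A": ["198.51.100.7"], "NS": ["ns1.example.net.", "ns2.example.net."]}

if __name__ == "__main__":
    print(check_published_address(SAMPLE_PAGE_TAMPERED, PINNED_ADDRESS))
    print(check_dns_records(OBSERVED_DNS_HIJACKED, EXPECTED_DNS))
```

Run it from a scheduled job against a freshly fetched copy of the page and a fresh resolver answer, and alert on any non-empty result.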
Finally, the human factor may become the weak link as well unless you teach your employees security best practices. Attackers may trick people by contacting them directly via email or other means of communication and getting them to download infected files or share sensitive information.
Apart from basic measures like setting strong passwords and using 2FA wherever possible, you should also train employees to recognize such targeted attacks.
When well-known projects go public, be sure that scammers won’t miss their chance to fool investors by launching their own tokens under similar names. Services like Tokenguard provide automated tools that can help you quickly find such copycats in real time, so that you can warn your investors and help them avoid losing money.
ICOs that have a lot of hype around them surely attract more hackers than those that have not reached such a level of popularity. However, if your project doesn’t have millions of followers, that doesn’t exempt you from danger.
Forewarned is forearmed, though. Even the required minimum of security measures may make hackers turn away and search for easier targets.