This article will guide ICO members through the elements that make up a secure ICO project. It’s also intended for investors as a form of checklist to verify how secure a project actually is. Any project should at least consider the elements listed in this article.
Key guiding principles
According to Liraz Siri, a professional white hat hacker who earned his reputation in the famous Israeli cyber-unit 8200, risks can be tremendously reduced by applying the 80/20 rule (80 percent benefit and 20 percent effort). Here are his four key principles:
- Base rule: keep it simple! Security issues appear when complex systems are built. The less complex a system is, the less likely it is to contain critical security vulnerabilities.
- Don’t underestimate safety: It is easy to assume that your system is secure, but attackers are clever and will keep looking for loopholes. Don’t forget that the ICO industry is full of persistent hackers - over 10 percent of ICO proceeds are gone and crypto exchanges lost an average of $2 billion due to successful hacks.
- Tolerate failures: Failures can happen and will happen. Don’t expect that nothing will ever go wrong. Make sure you have a fallback mechanism in place to compensate for the worst failures and reduce the damage.
- Use a permissioned system: It’s important to put a permissioned system in place and give every member the bare minimum set of rights they need to perform their task. If one of your employees is compromised, the attacker will only be able to carry out a handful of malicious actions, as they are restricted by the system.
1. Configure dedicated devices
Network enabled mobile devices and laptops owned by team members are common security Achilles heels. Team members are the main target for attackers as they are the weak link and are vulnerable to phishing or social engineering. Therefore, it’s a recommended option to set up dedicated devices for your team members but also for your token sale to minimize the risk that an attacker gains access to this device.
2. Avoid phone-based authentication
It’s crucial to use two-factor authentication, however, it’s not recommended to use phone-based authentication like SMS or phone calls. Security expert Liraz Siri explained that phone calls can be intercepted via SS7 attacks - SS7 is a set of protocols allowing phone networks to exchange the information needed for passing calls and text messages between each other.
However, SS7 is known for having serious vulnerabilities in its protocols. Hackers can read text messages, listen to phone calls, and track mobile phone users’ locations with just the knowledge of their phone number using a vulnerability in the worldwide mobile phone network infrastructure. It’s therefore recommended to avoid SMS and instead use encrypted messages.
Liraz Siri recommends using hardware tokens such as Gemalto or YubiKey as an attacker would need to have physical access to retrieve this code. These hardware tokens should be used in combination with Google Authenticator as an alternative to phone-based authentication. YubiKey provides a mobile application that saves one-time password (OTP) seeds and transfers these OTPs to Google Authenticator via NFC sensors.
3. Use Ethereum Name Service (ENS)
Every Ethereum ICO should set up an Ethereum Name Service that points to their smart contract. A best practice here is to use the exact same name as your official website’s domain name. In the past, it has happened that a website got hacked and the Ethereum address got changed. By providing your users with a foolproof pointer to your sale contract, you can prevent this kind of hack. In order to reduce the risk of phishing, make sure to register variants on your domain name as well.
4. Smart contract auditing
ICO smart contracts hold digital assets worth millions of dollars, and according to research by security audit firm QuillAudits, around 3.4% of smart contracts are found to be faulty by an automated check for the most common exploit patterns alone.
Once a smart contract has been published on Ethereum, it’s immutable and therefore it’s essential the contract has been audited carefully before actually releasing it on the main network.
QuillAudits, a company specialized in auditing smart contracts, provided us with insights. Rajat Gahlot, auditor at QuillAudits, describes the steps needed to ensure the highest quality of smart contracts. First of all, it’s all-important to know that a smart contract can never be 100% secure, as there have been cases where even bugs in the programming language or in hardware caused serious security vulnerabilities. So, bear in mind the following security practices:
1/ Write tests and manually review code. Test cases are written to verify how the smart contract behaves when facing edge cases such as unexpected input. The smart contract should handle these edge cases by rejecting the input or throwing an error. Besides writing these tests, the code is also reviewed manually, which improves the efficiency and structure of the code.
2/ Automated Auditing. Many tools exist that search for specific vulnerabilities in your Solidity code. However, auditing a contract with only automated tools doesn’t cover a full audit as they only check for specific known vulnerabilities.
3/ Bug Bounty. A bug bounty lets outside experts penetration-test the smart contracts under a legal agreement. If they find a bug, they are offered a reward, generally a high one for a critical bug. It’s an efficient way of auditing your smart contract, as many experienced coders try to break the contract in return for a reward.
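As an added illustration of step 1 (not code from QuillAudits or from any real sale contract), the block below is a Python model of the preconditions a Solidity crowdsale typically enforces with `require()`, followed by a table of edge-case tests in the style an auditor would write: each case either expects a revert (modelled as `SaleError`) or checks the resulting state. The contract parameters (opening and closing times, rate, hard cap, minimum contribution) and the addresses are constructed for the example. One deliberate detail: Python integers never wrap, so the model must bound-check `uint256` arithmetic explicitly, which is exactly what SafeMath did for Solidity before 0.8 added built-in overflow checks.

```python
ZERO_ADDRESS = "0x" + "0" * 40
UINT256_MAX = 2 ** 256 - 1


class SaleError(Exception):
    """Stands in for a failed require()/revert in the contract."""


def checked_add(a: int, b: int) -> int:
    """SafeMath-style add: reject instead of silently wrapping past 2^256 - 1."""
    total = a + b
    if total > UINT256_MAX:
        raise SaleError("uint256 overflow in add")
    return total


def checked_mul(a: int, b: int) -> int:
    """SafeMath-style mul: reject instead of silently wrapping past 2^256 - 1."""
    product = a * b
    if product > UINT256_MAX:
        raise SaleError("uint256 overflow in mul")
    return product


class TokenSaleModel:
    """Minimal model of a capped, time-boxed crowdsale's buyTokens() path."""

    def __init__(self, opening_time, closing_time, rate, hard_cap_wei, min_contribution_wei):
        self.opening_time = opening_time          # first block timestamp accepted
        self.closing_time = closing_time          # first block timestamp rejected (half-open)
        self.rate = rate                          # token units per wei
        self.hard_cap_wei = hard_cap_wei
        self.min_contribution_wei = min_contribution_wei
        self.wei_raised = 0
        self.balances = {}
        self.paused = False

    def buy_tokens(self, beneficiary: str, msg_value: int, block_timestamp: int) -> int:
        # Checks: every precondition first, so a bad call leaves no state behind
        if self.paused:
            raise SaleError("sale is paused")
        if not (self.opening_time <= block_timestamp < self.closing_time):
            raise SaleError("sale is not open")
        if beneficiary == ZERO_ADDRESS:
            raise SaleError("beneficiary is the zero address")
        if msg_value < self.min_contribution_wei:
            raise SaleError("contribution below minimum")
        new_raised = checked_add(self.wei_raised, msg_value)
        if new_raised > self.hard_cap_wei:
            raise SaleError("hard cap exceeded")
        tokens = checked_mul(msg_value, self.rate)
        # Effects: update storage before any external interaction
        self.wei_raised = new_raised
        self.balances[beneficiary] = checked_add(self.balances.get(beneficiary, 0), tokens)
        # Interactions (forwarding msg_value to the project wallet) would come last
        return tokens


def run_edge_case_tests() -> dict:
    """Returns {case_name: passed}; every entry should be True for a correct contract."""
    ETH = 10 ** 18
    buyer = "0x" + "1" * 40   # constructed address

    def rejects(action) -> bool:
        try:
            action()
        except SaleError:
            return True
        return False

    def fresh() -> TokenSaleModel:
        return TokenSaleModel(opening_time=1000, closing_time=2000, rate=100,
                              hard_cap_wei=10 * ETH, min_contribution_wei=ETH // 10)

    results = {}
    s = fresh(); results["zero_value_rejected"] = rejects(lambda: s.buy_tokens(buyer, 0, 1500))
    s = fresh(); results["before_open_rejected"] = rejects(lambda: s.buy_tokens(buyer, ETH, 999))
    s = fresh(); results["at_close_rejected"] = rejects(lambda: s.buy_tokens(buyer, ETH, 2000))
    s = fresh(); results["zero_address_rejected"] = rejects(lambda: s.buy_tokens(ZERO_ADDRESS, ETH, 1500))
    s = fresh(); s.paused = True
    results["paused_rejected"] = rejects(lambda: s.buy_tokens(buyer, ETH, 1500))
    s = fresh()
    results["valid_purchase_credits_tokens"] = (
        s.buy_tokens(buyer, ETH, 1500) == 100 * ETH and s.balances[buyer] == 100 * ETH)
    s = fresh()
    results["cap_reached_exactly_allowed"] = (
        s.buy_tokens(buyer, 10 * ETH, 1500) == 1000 * ETH and s.wei_raised == 10 * ETH)
    results["over_cap_rejected"] = rejects(lambda: s.buy_tokens(buyer, ETH, 1500))
    # Uncapped sale: value * rate would exceed 2^256 - 1 and must revert, not wrap to a tiny number
    big = TokenSaleModel(1000, 2000, rate=100, hard_cap_wei=UINT256_MAX, min_contribution_wei=1)
    results["overflow_rejected_not_wrapped"] = rejects(lambda: big.buy_tokens(buyer, UINT256_MAX // 2, 1500))
    return results


if __name__ == "__main__":
    for name, passed in run_edge_case_tests().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

The value of the table is the negative cases: a contract that passes only the happy path can still leak funds through a missing time check, an off-by-one at the cap, or unchecked arithmetic, and none of those show up unless a test asks for the revert.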
5. Multisignature wallet
As a crypto ICO project, it’s crucial to store the funds you have collected safely. First of all, use a multisignature wallet. Next, it’s a best practice to store the funds on multiple hardware wallets like Trezor or Ledger which are controlled by dedicated laptops. As said in the key elements section, it’s better to prepare for failure: if one of the hardware wallets is corrupted or hacked for some reason, you still have a large portion of the funds spread over the other wallets.
6. Search engine optimization (SEO)
An ICO probably already spends a large part of its marketing budget on SEO in order to rank higher in Google. By doing so, you also reduce the risk that investors end up on the wrong (phishing) website.
7. Secure communication
Nowadays, Telegram and Slack are not the most secure means you can use for internal communication. The most important requirement is end-to-end (peer-to-peer) encryption of messages. WhatsApp does offer encrypted messages; however, there are better projects available which are also open source.
The first option is Keybase - Keybase allows for the creation of teams and secure group chats with encrypted file sharing. Keybase relies on the principle of a keypair that is used for signing and validating messages.
On Keybase’s website, we can find a short summary of how the project establishes trust between accounts: "Keybase creates trust by connecting to a person’s social accounts. It will require him to post a unique message on each of his accounts in order to claim the accounts actually belong to him and link them back to his Keybase account. So now, others can get to verify his identity and know with certainty that the person claiming to be him on Twitter is actually the correct person (as with Facebook, Github, etc). This reinforces people’s conviction in this person’s public key."
Besides that, Keybase has a fallback mechanism in place in case one of your devices is hacked. As Keybase associates each device with a unique encryption key, you can log in with another device attached to your account to remove the malicious device from your device list. By doing this, people in your trust circle will be alerted that one of your devices was compromised by a hacker and they can’t send messages to that device anymore.
Another option is to use the open source project Signal which is focused on simplicity and encryption. It looks like a regular messaging app with added encryption features to keep your chats private. It’s also possible to create private group chats with Signal.
Bonus: website protection
It is key for an ICO to remain online during the sale process. Yet, it’s not an easy task when the internet is plagued with distributed denial of service attacks on a daily basis. A DDoS attack is capable of taking websites down, which has happened before in the crypto space.
The moment the sale goes live is the most vulnerable time. When the APEX ICO went live, malicious actors defaced their website, and as a result, they were forced to take down the website to protect potential investors. The CEO of APEX was forced to use their social media to post a selfie holding the correct sale address. Unfortunately, ICO websites are one of the main points of attack during a crowd sale.
Therefore, services like Cloudbric or Cloudflare help you to mitigate and block DDoS attacks and help your project’s website to stay online. For example, Cloudbric has web application security technology features in place that can detect the potential threat of a DDoS attack and block clients that request the sale page too often.
The bottom line
There’s more to look out for when structuring a secure ICO project and protecting your team members from phishing attacks. A mistake is easily made, so make sure to have fallback mechanisms in place, as faults are part of the journey. The information above can also be used by investors to verify the security of a new project. Any new project should first put proper security mechanisms in place before starting to work on the token sale itself.