ICOs: No Credibility Without Better Security

Initial Coin Offerings, or ICOs, are gaining popularity so fast they’ve already raised more than $150 billion this year. However, there’s not nearly enough awareness of either the potential or the danger, and there’s plenty of both to go around.

Think of ICOs as a bridge between two different approaches: Initial Public Offerings (IPOs) and crowdfunding. IPOs, the selling of shares in a company to the general public, have been around since the Roman Republic, and the process is both respected and regulated. Crowdfunding is much newer, especially in its internet version, and it involves supporting a venture by raising small amounts of money from many donors.

In the ICO scenario, there are typically three entities: the project seeking money, the individuals giving support, and the ‘platform’ that brings those parties together. Most importantly, IPOs require due diligence and compliance, while ICOs are mostly unregulated.

This makes it easier for startups to get backing, but also leaves room for scams galore. ICOs gain stability by building on cryptocurrency, particularly blockchain, through which financial backers buy ‘tokens’ that offer access to other resources down the road. This is where we need more attention—and more innovation. 

Think of a routine procedure like bank payments. Let’s say you want to send money to someone in the UK. If that other party has signed up with an entity like the Faster Payments Service (FPS), it takes only minutes. FPS keeps a ledger of ongoing transactions, and each bank settles its accounts at the end of the day. Without this arrangement, your bank debits your account for the right amount and communicates with the recipient’s bank, which validates the recipient’s information and credits the amount to that account. That takes time and money.

Blockchain was created to move funds between different parties without needing a third party to validate the process. It relies on a kind of ‘open’ ledger that everyone in the network can access. The process is fast, cost-effective and well suited to nimble startups.

At its core is the virtual money. Bitcoin is a worldwide cryptocurrency and the best-known application in the blockchain infrastructure, but it’s not the only one. Consider Ethereum, a general-purpose platform that allows people to build whatever they want on top of it. In an Ethereum network, the open ledger is a ‘state’ that maps the metadata of accounts - where the money is, who has it, and whether or not the transaction is valid. The Ethereum environment is more complex than Bitcoin’s, and it deserves greater public awareness. 

Ethereum features two types of accounts: user and contract. User accounts are controlled by private keys, while contract accounts (built with a programming language like Solidity or Serpent) are controlled by code. A communication between accounts in the network is a ‘transaction,’ and executing these requires computational power, so Ethereum charges a fee. It also relies on ‘miners’ who compete to take a not-yet-validated transaction (or ‘incomplete’) and add it to the ledger. They group transactions into blocks; when a block is complete, it’s broadcast to the network.
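To make the account model above concrete, here is an added toy simulation (not code from the article or from Ethereum itself) of a state that maps addresses to key-controlled user accounts and code-controlled contract accounts, with a miner packing the valid pending transactions into a block and collecting the fees. All account names, keys and amounts are constructed for the example; the string key stands in for a real signature.

```python
"""Toy model of Ethereum's account-based ledger (constructed illustration):
user accounts spend only with their key, contract accounts have no key and
move funds only when their code runs, and every transaction pays a fee to
the miner who includes it in a block."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Account:
    balance: int
    key: Optional[str] = None   # user account: controlled by a private key
    code: Optional[str] = None  # contract account: controlled by code


@dataclass
class Tx:
    sender: str
    to: str
    value: int
    fee: int                    # computation fee the sender pays the miner
    key: Optional[str] = None   # stand-in for the sender's signature


@dataclass
class Ledger:
    state: Dict[str, Account] = field(default_factory=dict)
    pending: List[Tx] = field(default_factory=list)   # not yet in a block
    blocks: List[List[Tx]] = field(default_factory=list)

    def validate(self, tx: Tx) -> bool:
        """A transaction is valid only against the current state."""
        acct = self.state.get(tx.sender)
        if acct is None or tx.to not in self.state or tx.value < 0 or tx.fee <= 0:
            return False
        # contract accounts cannot be spent from by a key, and a user account
        # is only spent by the holder of its key
        if acct.code is not None or acct.key != tx.key:
            return False
        return acct.balance >= tx.value + tx.fee

    def mine_block(self, miner: str) -> List[Tx]:
        """Miner packs every valid pending tx into one block and earns the fees;
        balances change only here, when the block is formed."""
        block: List[Tx] = []
        for tx in self.pending:
            if self.validate(tx):
                self.state[tx.sender].balance -= tx.value + tx.fee
                self.state[tx.to].balance += tx.value
                self.state[miner].balance += tx.fee
                block.append(tx)
        self.pending = []           # rejected transactions are simply dropped
        self.blocks.append(block)
        return block
```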

It all sounds attractive and cutting-edge, but here’s the reality: Earlier this year, it was reported that almost 10% of the money invested in ICOs using Ethereum has been stolen. 

We all know hackers exploit vulnerabilities in web applications. ICO smart contracts are even harder to secure. A bug in an enterprise app can be fixed with a patch, but the code in a deployed smart contract can’t be changed: developers must identify all vulnerabilities before the ICO goes live. This requires a comprehensive source code review, and even a test run on a private blockchain.

Worse, smart contracts are not the only targets. Consider the domain with which the ICO is registered. Domain lists are publicly available, and hackers can take control by brute-forcing passwords through the registration panel. They can also register similar domains and use a phishing approach to lure potential backers. Even the website of an ICO can be targeted with a denial of service attack, and of course there are traditional weak points—vulnerabilities in the site itself or with the hosting provider, employees’ email accounts, etc. 

We all see the potential for ICOs—they represent a major tech-enabled advance, boost the kind of innovation that comes only from startups, and blend the best of two very different industries, technology and financial services. But one vital component is still missing.
