Where are ICOs most vulnerable to hackers?

A new report from Positive.com says ICOs have an average of five or more vulnerabilities to hackers.

Positive Cyber Security Resilience Lead Leigh-Anne Galloway said an estimated 7%, or $300 million, of ICO funds raised last year were stolen.

Leigh-Anne Galloway, security lead at Positive.com

Galloway said, “In an ICO, time is of the essence, and short time frames mean that anticipating attacks well in advance is critical for avoiding financial losses. The latest figures have shown the rapidly increasing rate of crime and fraud on the cryptocurrency market, with cybercriminals recognizing the opportunity presented by the dramatic rise of the cryptocurrency market in recent months.”

71% of ICOs had smart contract vulnerabilities

In recent testing by Positive.com, 71% of ICOs had vulnerabilities in their smart contracts. Most problems were caused by a lack of programmer expertise and insufficient source code testing.

Research also showed that half of ICOs had vulnerabilities in their web applications, creating a pronounced risk that an attacker takes control of the website and drains millions of dollars in funds within minutes.

Five key groups of vulnerabilities

ICO vulnerabilities were most common in five key areas:

  1. ICO organizer vulnerability: one-third of ICOs had flaws that allow attacks on organizers through hijacked email accounts, social media accounts, text messages or social engineering.
  2. Smart contract risks: 71% of ICOs had smart contract vulnerabilities, typically noncompliance with the ERC20 standard, incorrect random number generation and incorrect scoping, mostly caused by inexperienced programming and poor source code testing.
  3. Web application threats: half had vulnerabilities in their web applications and blockchain integration, including flaws in their use of web3.js, code injection, web server disclosure of sensitive information, insecure data transfer and arbitrary file reading.
  4. Investor risk: 23% of sites contained flaws that increase the risk of social engineering attacks on investors.
  5. Mobile application vulnerability: ICO mobile apps had 2.5 times more vulnerabilities than web applications. All (100%) of the ICO mobile apps tested were vulnerable. The most common flaws were insecure data transfer, storage of user data in backups and session ID disclosure. These flaws could let hackers gather details about a project, its organizers and its investors for use in subsequent attacks.
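The three smart contract flaw classes in item 2 are easier to recognize in code than in prose. The example below is an added illustration written for this article; it is not code from Positive.com's report or from any ICO the report tested. The `WeakSale` and `HardenedSale` contracts and their function names are invented for illustration, "incorrect scoping" is interpreted here as a privileged function left callable by anyone, and the commit-reveal draw is a simplified defensive pattern, not the only correct one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// ---- Weak patterns from the report's three categories (constructed example, not for deployment) ----
contract WeakSale {
    address public owner;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    constructor() { owner = msg.sender; }

    // ERC20 noncompliance: the standard requires transfer() to return bool and
    // emit Transfer. Wallets and exchanges that check the return value or index
    // events will treat this token as broken.
    function transfer(address to, uint256 value) public {
        require(balanceOf[msg.sender] >= value, "insufficient");
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
    }

    // Incorrect random number generation: block fields are public and partly
    // chosen by the block producer, so this "random" tier is predictable.
    function bonusTier() public view returns (uint256) {
        bytes32 seed = keccak256(abi.encodePacked(block.timestamp, blockhash(block.number - 1)));
        return uint256(seed) % 3;
    }

    // Incorrect scoping (assumed reading): a privileged action exposed publicly
    // with no access control, so any caller can inflate the supply.
    function mint(address to, uint256 value) public {
        totalSupply += value;
        balanceOf[to] += value;
    }
}

// ---- Hardened counterparts ----
contract HardenedSale {
    struct Commitment { bytes32 hash; uint256 blockNumber; }

    address public immutable owner;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    mapping(address => Commitment) private commitments;

    event Transfer(address indexed from, address indexed to, uint256 value);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() { owner = msg.sender; }

    // ERC20-conformant transfer: returns bool, emits Transfer, rejects the zero address.
    function transfer(address to, uint256 value) public returns (bool) {
        require(to != address(0), "zero address");
        require(balanceOf[msg.sender] >= value, "insufficient");
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
        emit Transfer(msg.sender, to, value);
        return true;
    }

    // Commit-reveal draw. Step 1: the participant commits keccak256(secret)
    // before any entropy exists, and the commit block is recorded.
    function commit(bytes32 hashedSecret) external {
        require(commitments[msg.sender].hash == bytes32(0), "already committed");
        commitments[msg.sender] = Commitment(hashedSecret, block.number);
    }

    // Step 2: the secret is revealed and mixed with the hash of a block mined
    // strictly after the commit, which neither party knew at commit time.
    // blockhash() only covers the most recent 256 blocks, so the reveal window is bounded.
    function revealTier(bytes32 secret, uint256 laterBlock) external returns (uint256) {
        Commitment memory c = commitments[msg.sender];
        require(c.hash != bytes32(0), "no commitment");
        require(c.hash == keccak256(abi.encodePacked(secret)), "bad reveal");
        require(laterBlock > c.blockNumber && laterBlock < block.number, "block out of window");
        bytes32 entropy = blockhash(laterBlock);
        require(entropy != bytes32(0), "block hash unavailable");
        delete commitments[msg.sender];
        return uint256(keccak256(abi.encodePacked(secret, entropy))) % 3;
    }

    // Minting restricted to the owner; a supply cap would normally be enforced here too.
    function mint(address to, uint256 value) external onlyOwner {
        totalSupply += value;
        balanceOf[to] += value;
        emit Transfer(address(0), to, value);
    }
}
```

The commit-reveal scheme removes the participant's ability to pick a favourable outcome, but the producer of `laterBlock` can still withhold a block it dislikes; production contracts that must resist that too generally draw randomness from a verifiable random function oracle rather than from chain data. The scoping fix is equally simple to check during a source code review: every state-changing function should either be restricted by a modifier or be intentionally open, and the review should record which.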

ICO security risk is immediate

ICO red flags

“The second a company goes public with an intention to do an ICO, it’s waving a huge flag to cybercriminals that it’s both valuable and also in a very vulnerable phase of its company growth. ICO teams have a responsibility to ensure their security posture is as robust as possible, from the development of the smart contract and web applications, to monitoring load once the ICO has begun and helping investors avoid phishing attacks,” Galloway added.

Clearly, ICOs have a long way to go when it comes to correcting obvious security flaws, let alone raising their overall security levels to protect investors and founders.

You can read the Positive.com news release and view more ICO vulnerability stats here.

Author: Jeff Domansky, Managing Editor

Visual: Chart via Positive.com