Bitcoin Forum
Author Topic: Protecting an Ethereum token from possible attacks  (Read 289 times)
johnsm79 (OP), September 17, 2017, 06:41:24 AM, #1

I was reading an article from Kickico ICO about all the troubles they had to face (btw they still sold out). They wrote a very honest (from my point of view) blog post and explained the three different attacks they had.

1st attack was nothing more than a DDoS attack.. ok, let's forget this one
2nd attack was a phishing attack on a different domain name.. again, let's forget about this one (just remember: don't trust Slack)
3rd attack was the real thing!

Kickico says "We conducted 5 or even 6 audits of our smart contracts and the server, but there was a hole somewhere."

My 1st question: On the server? What server? I thought the only reason the tokens were secure was because they were running on the Ethereum blockchain.

Kickico continues saying: "As a result, the script responsible for processing bitcoin payments was compromised and sent a smart contract operation that completed the collection of funds and transferred some 600 million of our coins to an unknown purse."

Their outcome is:
"What to do? Check the smart contract very, very carefully and maximize the server protection. Close all ports, create IP whitelists, which can be accessed by them. Order audits of smart contracts and test, test and test. Order penetration tests, hire hackers to try to break everything: from the server to smart contracts. During the audits, we closed more than twenty vulnerabilities, including serious ones, but still missed one. We bring our sincere apologies."

So my conclusion is that the token is on a server and requires penetration tests.

My 2nd question: So are all these newly developed ICOs hackable?

James_CanYa, September 17, 2017, 06:50:28 AM, #2

I'm confused by this post but I'll give it a go.

1. DDoS protection is a must for any ICO.
2. Phishing attacks are an unfortunate part of the crypto community right now.
3. This was only a problem with their system architecture/security.

It doesn't matter if a project is old or new, poor systems will be exploited. The DAO was one of the first (and the biggest ICO) in history, yet there were major exploits in its code.
Za1n, September 17, 2017, 07:41:13 AM, #3

Unfortunately there is a lot of outright fraud in the crypto space currently. Their hack could have been nothing more than an exit scam, meaning they stole the money and are blaming it on being hacked by someone else. Since it is difficult to trace cryptocurrencies, as they could send it to a newly created wallet, then use a mixer and various exchanges to further hide, it can be hard to ultimately trace where the funds end up and who owns them.

The other possibility is it could just be one rogue employee who ran off with the funds, leaving the rest of the team thinking they were hacked. Also, if they are using a hosted service, the admins of the hosting company could also hack into their server using administrative privileges and run off with the coins. Finally it could be an outside third party, or legitimate hack, but as is the case the team is still responsible for not having the know-how to properly secure it.

To answer your last question, yes, all ICOs and even all cryptocurrency exchanges are susceptible to hacking. That is why you hear people saying over and over: do not leave your money in an exchange or any platform where you do not personally control the private keys. If you don't control the private keys the money is not yours; it belongs to whoever does control the private key, and they simply give you some form of IOU until you actually withdraw to your own wallet. Even once the coins are in your own wallet, you also need to be proactive in securing your funds. Encrypt your wallet, do not run it on a machine you use for other things, etc.
johnsm79 (OP), September 17, 2017, 10:11:14 AM, #4

> Unfortunately there is a lot of outright fraud in the crypto space currently. Their hack could have been nothing more than an exit scam, meaning they stole the money and are blaming it on being hacked by someone else. Since it is difficult to trace cryptocurrencies, as they could send it to a newly created wallet, then use a mixer and various exchanges to further hide, it can be hard to ultimately trace where the funds end up and who owns them.

Ok, this is one way of scamming people.

> ...if they are using a hosted service, the admins of the hosting company could also hack into their server using administrative privileges and run off with the coins.

So basically they are not hacking the blockchain or the token itself, but their website and the address they generate for users to send the tokens. Is this statement correct?


johnsm79 (OP), September 17, 2017, 12:39:45 PM, #5

Also, what type of vulnerability tests does a token require? I am thinking that the smart contract to be created must be protected by Ethereum.

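The failure KICKICO describes in post #1 (an off-chain payment script that held a key the contract trusted without limit) and the question in post #5 about what a token needs tested both come down to the same design decision: how much damage one compromised hot key can do. The following is an added example, not KICKICO's contract or any project's code; the contract names, the per-call and daily cap values, the one-day window and the owner/distributor split are all assumptions chosen for illustration. The first contract shows the weak shape, where the server key can move the whole sale supply in one call; the second keeps the server key, but bounds it, and keeps pause, key rotation and finalisation with a cold owner key that is never on the server.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not KICKICO's code). A payment-processing server holds
// the "server" key so it can credit buyers who paid in bitcoin. Whoever
// steals that key can call credit() for the entire remaining supply.
contract SaleTokenWeak {
    mapping(address => uint256) public balanceOf;
    address public server;       // hot key kept on the payment server
    uint256 public saleSupply;   // tokens still for sale

    constructor(uint256 supply) {
        server = msg.sender;
        saleSupply = supply;
    }

    // No cap, no pause, no separate owner: one key, total authority.
    function credit(address to, uint256 amount) external {
        require(msg.sender == server, "not server");
        saleSupply -= amount;    // reverts on underflow (0.8 checked math)
        balanceOf[to] += amount;
    }
}

// Same purpose, least privilege for the hot key. Cap values and the
// one-day window are assumed numbers, not anyone's real parameters.
contract SaleTokenHardened {
    mapping(address => uint256) public balanceOf;
    address public immutable owner;     // cold key or multisig, never on the server
    address public distributor;         // hot key the server uses, replaceable
    uint256 public saleSupply;
    uint256 public constant MAX_PER_CREDIT = 100_000e18;  // assumed per-call cap
    uint256 public constant DAILY_CAP = 1_000_000e18;     // assumed rolling-day cap
    uint256 public windowStart;         // start of the current daily window
    uint256 public creditedInWindow;    // tokens credited in that window
    bool public paused;

    event Credited(address indexed to, uint256 amount);
    event DistributorRotated(address indexed oldKey, address indexed newKey);
    event Paused(bool state);

    constructor(uint256 supply, address hotKey) {
        owner = msg.sender;
        distributor = hotKey;
        saleSupply = supply;
        windowStart = block.timestamp;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // The only thing the hot key can do, and only within the caps.
    function credit(address to, uint256 amount) external {
        require(!paused, "paused");
        require(msg.sender == distributor, "not distributor");
        require(to != address(0), "zero address");
        require(amount <= MAX_PER_CREDIT, "per-call cap");
        if (block.timestamp >= windowStart + 1 days) {
            windowStart = block.timestamp;   // open a new daily window
            creditedInWindow = 0;
        }
        require(creditedInWindow + amount <= DAILY_CAP, "daily cap");
        creditedInWindow += amount;
        saleSupply -= amount;                // reverts if supply is exhausted
        balanceOf[to] += amount;
        emit Credited(to, amount);
    }

    // Kill switch and key rotation belong to the cold owner, so a stolen
    // hot key can neither disable them nor keep itself in place.
    function setPaused(bool state) external onlyOwner {
        paused = state;
        emit Paused(state);
    }

    function rotateDistributor(address hotKey) external onlyOwner {
        emit DistributorRotated(distributor, hotKey);
        distributor = hotKey;
    }

    // Unsold tokens go to the owner, never to an address the hot key picks.
    function finalise() external onlyOwner {
        balanceOf[owner] += saleSupply;
        saleSupply = 0;
    }
}
```

The tests the thread asks about follow directly from the hardened contract's requirements: a test that `credit` reverts from any address other than `distributor`, that it reverts above `MAX_PER_CREDIT` and once `DAILY_CAP` is reached within a window, that it succeeds again after the window rolls over, that `setPaused(true)` blocks it, and that neither `rotateDistributor` nor `finalise` can be called with the distributor key. Those assertions encode the property the KICKICO incident lacked: a compromised server key is bounded to one window's worth of tokens and can be revoked by a key that was never on the server.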