Bitcoin Forum
December 17, 2017, 11:45:51 PM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Protecting an Ethereum token from possible attacks  (Read 221 times)
johnsm79
Full Member
***
Offline Offline

Activity: 168


trade.io - Join the Trading Revolution


View Profile WWW
September 17, 2017, 06:41:24 AM
 #1

I was reading an article from Kickico ICO, about all the troubles they had to face (btw they still sold out). They wrote a very honest from my point of view blog post, and explained the three different attacks they had.

1st Attack was nothing more than a DDOS attack.. ok lets forget this one
2nd Attack it was a phishing attack which was on a different domain name.. again lets forget about this one (just remember don't trust Slack)
3rd Attack was the real thing!

Kickico says "We conducted 5 or even 6 audits of our smart contracts and the server, but there was a hole somewhere."

My 1st question: On the server? what server? I thought the only reason the tokens were secure where because they were running on the Ethereum blockchain.

Kickico continues saying: "As a result, the script responsible for processing bitcoin payments was compromised and send a smart contract operation that completed the collection of funds and transferred some 600 million of our coins to an unknown purse."

Their outcome is:
"What to do? Check the smart contract very, very carefully and maximize the server protection. Close all ports, create IP whitelists, which can be accessed by them. Order audits of smart contracts and test, test and test. Order penetration tests, hire hackers to try to break everything: from the server to smart contracts. During the audits, we closed more than twenty vulnerabilities, including serious ones, but still missed one. We bring our sincere apologies."

So from my conclusion the token is on a server and requires penetrations tests.

My 2nd question: So are all these newly developed ICO's hack-able?

▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
  TRADE.IO       ║     WHITEPAPER  •  ANN THREAD  •  TELEGRAM     ║     JOIN THE TRADING REVOLUTION
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
1513554351
Hero Member
*
Offline Offline

Posts: 1513554351

View Profile Personal Message (Offline)

Ignore
1513554351
Reply with quote  #2

1513554351
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
James_CanYa
Jr. Member
*
Offline Offline

Activity: 45


View Profile
September 17, 2017, 06:50:28 AM
 #2

I'm confused by this post but I'll give it a go.

1. DDOS protection is a must for any ICO.
2. Phishing attacks are an unfortunate part of the crypto community right now.
3. Was only a problem with their system architecture/security.

It doesn't matter if a project is old or new, poor systems will be exploited. The DAO was one of the first (and the biggest ICO) in history - yet there was major exploits in their code.
Za1n
Hero Member
*****
Offline Offline

Activity: 770


View Profile
September 17, 2017, 07:41:13 AM
 #3

Unfortunately there is a lot of outright fraud in the crypto space currently. Their hack could have been nothing more than an exit scam, meaning they stole the money and are blaming it on being hacked by someone else. Since it is difficulty to trace cryptocurrencies as they could send it to a newly created wallet, then use a mixer and various exchanges to further hide, it can be hard to ultimately trace were the funds end up and who owns them.

The other possibility is could just be one rogue employee who ran off with the funds, leaving the rest of the team thinking they were hacked. Also, if they are using a hosted service, the admins of the hosting company could also hack in to their server using administrative privileges and run off with the coins. Finally it could be a outside third party, or legitimate hack, but as is the case the team is still responsible for not having the know-how to properly secure it.

To answer you last question, yes all ICOs and even all cryptocurrency exchanges are susceptible to hacking. That is why you hear people saying over and over do not leave your money in an exchange or any platform where you do not personally control the private keys. If you don't control the private keys the money is not yours, it is whoever does control the private key and they simply give you some form of IOU until you actually withdraw to your own wallet. Even once the coins are in your own wallet, you also need to be proactive in securing your funds. encrypt your wallet, do not run it on a machine you use for other things, etc.
johnsm79
Full Member
***
Offline Offline

Activity: 168


trade.io - Join the Trading Revolution


View Profile WWW
September 17, 2017, 10:11:14 AM
 #4

Unfortunately there is a lot of outright fraud in the crypto space currently. Their hack could have been nothing more than an exit scam, meaning they stole the money and are blaming it on being hacked by someone else. Since it is difficulty to trace cryptocurrencies as they could send it to a newly created wallet, then use a mixer and various exchanges to further hide, it can be hard to ultimately trace were the funds end up and who owns them.


Ok this is one way of scamming people.

...if they are using a hosted service, the admins of the hosting company could also hack in to their server using administrative privileges and run off with the coins.

So basically they are not hacking the blockchain or the token it self, but their website and the address they generate for users to send the tokens. Is this statement correct?


▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
  TRADE.IO       ║     WHITEPAPER  •  ANN THREAD  •  TELEGRAM     ║     JOIN THE TRADING REVOLUTION
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
johnsm79
Full Member
***
Offline Offline

Activity: 168


trade.io - Join the Trading Revolution


View Profile WWW
September 17, 2017, 12:39:45 PM
 #5

Also what type of volnurability tests does a token require? am thinking that the smart contract to be created it must be protected by Ethereum.

▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
  TRADE.IO       ║     WHITEPAPER  •  ANN THREAD  •  TELEGRAM     ║     JOIN THE TRADING REVOLUTION
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!