ICO Smart-Contract Vulnerabilities
Initial Coin Offering (ICO) fundraising models still have many loopholes, which makes fraud and theft of funds both frequent and large in scale.
According to the latest security research carried out by Positive last year, as reported by Bleeping Computer, the average number of vulnerabilities per ICO stands at 5.
The results showed strongly negative trends. According to the researchers, only one ICO project contained no bugs.
The study found that 71% of the projects contained vulnerabilities in smart contracts. Among the common problems, analysts pointed to non-compliance with the ERC-20 standard, incorrect random number generation and other significant shortcomings.
Experts said that such vulnerabilities arise because programmers lack proper qualifications and the source code is insufficiently tested.
Analysts found most of the security flaws in the mobile applications of ICO projects. The common vulnerabilities named were insecure data transmission, insecure storage of user data in phone backups, and disclosure of the session identifier.
Some vulnerabilities in web applications could be used to attack investor funds. For example, because of a lack of proper security, hackers could register a domain similar to the ICO's and create phishing sites to deceive investors.
According to the research, every third project contained vulnerabilities that allowed hackers to access the data and savings of the organizing companies. Analysts also noted that many ICO initiators did not use two-factor authentication for important accounts.
As background to this research, earlier vulnerability issues in the industry are also worth recalling.
Currently, there are hundreds of thousands of smart contracts on the Ethereum blockchain that manage wallets, tokens and applications or are used to store funds. One group of British researchers alone was able to identify 34,200 vulnerable smart contracts, according to Motherboard.
Ilya Sergey, an assistant professor at University College London, and his colleagues conducted a large-scale study to detect all possible vulnerabilities of smart contracts on the Ethereum blockchain. To do this, they downloaded the Ethereum blockchain, in effect creating a fork for their own use, and began running a variety of scenarios, trying to produce undesirable consequences. When such consequences occurred, they marked the smart contract “with a tracked vulnerability.”
Having analyzed about a million smart contracts in this way, the researchers found that 34,200 of them contained critical vulnerabilities. They tested their assumptions on 3,000 smart contracts, and in 89% of cases they were able to cause the most undesirable consequences. In theory, this could have allowed them to steal $6 million in Ethereum.
According to experts, early detection of vulnerabilities prevents possible negative consequences. For example, in November 2017, a user under the pseudonym DevOps19 found a vulnerability in the code of the Parity library for Ethereum and accidentally locked $150 million.
“We are working with applications that have two very unpleasant features: they are used to manage your money and cannot be fixed,” Ilya explained.
Attempts to find the creators of the vulnerable smart contracts were in vain. However, since the researchers do not say which vulnerabilities were found in the smart contracts, the contracts can be considered safe.
“If someone wants to take advantage of our idea, he, at least, will have to do as much work as we did,” the researcher summed up.
Recall that in January a Cisco unit detected many vulnerabilities in the Ethereum client Parity. The main issue concerned the creation of operating code whose incorrect operation could lead to a large-scale DoS attack on the nodes supporting it. Moreover, some “loopholes” in the wallet software allowed access to private information.
A few days later, representatives of Parity Technologies said that the vulnerabilities had been fixed in new versions of the Ethereum client software.
As we can see, ICOs suffer from numerous vulnerabilities, and the further the market develops, the more points of hacker intrusion appear.