An increasing number of companies are raising capital through an initial coin offering (ICO), with some $5 billion raised in 2017. Through an ICO a business can sell its digital currency and can more easily raise capital with little regulatory oversight though this is starting to change. Besides Bitcoin, Ethereum and Litecoin, there are now over 1,000 cryptocurrencies in circulation, with a bunch currently being offered.
There are however significant security considerations to account for as part of an ICO and the underlying digital currency. Here are some of the phases in the currency lifecycle that can be exposed to attacks.
- Coin Offering – The offering site can be targeted to modify the offering as in the recent attack on the Coindash ICO.
- Coin trading – The website and mobile application serving the cryptocurrency is rendered unavailable as in the recent DDoS attack on Electroneum, with investors unable to access their accounts.
- Currency exchanges — These areas are vulnerable to DDoS attacks and to account takeover attacks.
- Wallets – The wallet that is used to store, receive and send your digital currency is also vulnerable as in the recent theft from the Tether wallet.
Now let’s look into the details of digital currency attacks and see how the associated assets can be protected from such attacks.
What Is an ICO?
When a company issues an ICO to raise capital, the company sells its cryptocurrency to investors in exchange for physical currency or another cryptocurrency, usually Bitcoin or Ether. The coins that are issued are referred to as tokens, which can be used to purchase the services that will be offered by the company, and are also traded on digital security exchanges.
The ICO is like crowdfunding in that it is open to any investor without much regulation. Companies have been able to raise large amounts of capital in the ICO, such as the over $250 million raised by the blockchain data storage network Filecoin.
The new currency is issued on an existing platform such as Ethereum, following the ERC-20 standard, obviating the need to master the complex underlying blockchain technology of the currency. Now is the time to ensure that your offering and then the resulting cryptocurrency is secure.
Attacks on ICOs
With the recent explosion of cryptocurrency interest and value, it is hardly surprising that an increasing number of vulnerabilities are being exploited. With the decentralized nature and cryptographic security of blockchain technology, hacking attacks are inherently difficult, yet vulnerable points have been exposed and exploited.
Security for Your ICO
Let’s start at the source and discuss how your offering website must be protected. A recent example of an attack is the hack on the ICO for CoinDash, a startup focusing on building a portfolio management platform and providing cryptocurrency social trading.
The Token Sale is done, do not send any ETH to any address. Official statement regarding the hack will be released soon.
— CoinDash.io (@coindashio) July 17, 2017
As reported in a CoinDash blog, when the offering went public with the Ethereum smart contract contribution address, an attacker switched the official contribution address to the attacker’s own anonymous address. Due to the high demand, 43,000 Ether was redirected to that address for seven whole minutes, until the hack was detected and the site was shut down by the CoinDash team. The attack, which cost Coindash $7 million, would have been prevented by using an enterprise web application firewall such the Incapsula WAF.
Another recent example is the DDoS attack on the site of Bitcoin Gold during the currency’s launch. The attack prevented the site from being available for a period of time. While this did not impact the currency directly it harmed confidence in the entire project.
Massive DDoS attack on our cloud site. 10M requests per minute. We are working with the providers to ban all the IPs. We will be up soon!
— Bitcoin Gold [BTG] (@bitcoingold) October 24, 2017
Security for your Account
Once the currency offering is completed, the new token holders must have access to the site’s services. After a recent DDoS attack on Electroneum, access was closed to the 140,000 investors who held its tokens until the site was made available securely. Electroneum, which offers a digital currency that can be mined using smartphones, had to announce the delay of its website and mobile mining app launch. The attack would have been prevented by using an enterprise DDoS protection such as that provided by Incapsula.
How Incapsula Protects ICOs
Creating a new currency and building a business is complex. Incapsula website protection and DDoS mitigation can protect your website from attacks, account takeover and availability issues.
Web Application Firewall
Incapsula Web Application Firewall (WAF), named by Gartner as a leading WAF for four consecutive years, analyzes all user access to your web application and protects your application from cyber attacks. It protects against all web application attacks including OWASP top 10 threats and blocks malicious bots. It controls which visitors can access your application with traffic filtering based on a variety of factors.
The WAF profiles all aspects of the web application to detect attacks, such as preventing a site defacing attack that relies on cross site scripting. With this protection, your site can avoid the annoying validation requests, such as a CAPTCHA, that are prevalent on many sites.
To protect cryptocurrency exchange and foundation sites, such as Electroneum and Bitcoin Gold, Incapsula DDoS protection automatically detects and mitigates attacks targeting websites and web applications. Incapsula is the only service to offer an SLA-backed guarantee to detect and block attacks in under 10 seconds. Our new Behemoth 2 platform blocked a 650 Gbps (Gigabits per second) DDoS flood with more than 150 Mpps (million packets per second), with capacity to spare. We expect that capacity will be tested further as the size of attacks continues to increase.
Besides handling large volumetric attacks, Incapsula specializes in protection against complex application layer attacks, and a unique capability of filtering API traffic with minimal false positives.
Account Takeover Protection
Incapsula provides protection against account takeover attempts, including those initiated with large scale credential stuffing attacks. Custom IncapRules can be defined to protect the login page against such attacks.
After you’ve securely completed your coin offering, there are other vulnerabilities that have been exploited in the cryptocurrency lifecycle you need to be aware of. These include DDoS attacks on cryptocurrency exchanges and exploits on digital wallets. We will delve more deeply into these areas and look at how your assets can be protected in an upcoming article.