Research

10% of ICO Funding Stolen by Hackers

Written by Reflare Research Team | Jan 26, 2018 11:19:00 AM

The question of investor protection and the lack of a safety net for contributors was recently brought to light when hackers managed to steal more than 10% of the Ether created in a crowd sale.

First Published 26th January 2018

Investment Banker? Hacker? When it comes to going public, is there even a difference?

An Exciting Time For All

The term ICO is derived from the stock market term “Initial Public Offering” (IPO).

When a private company goes public, it performs an initial sale of shares (the IPO) before regular trading begins. This process raises large amounts of capital for the company.

Likewise, companies working with blockchain technology in one form or another increasingly opt to offer coins on their own blockchain to the public to raise money. Coins can then be traded on cryptocurrency marketplaces in a fashion resembling stock trading.

The practice appeals to investors looking for a high-risk-high-reward investment and companies looking to raise cash without the hassle of complying with IPO regulations and requirements.

We see an emerging trend of smaller companies/startups engaging with ICOs to raise funding that would traditionally have been provided through a series A funding round.

Why are ICOs so prone to attack?

There are two main problems ICOs face in terms of cyber security: Lack of oversight and lack of preparation.

Let’s look at them in turn.

Lack of Oversight

One of the features making ICOs attractive to companies is simultaneously what makes them vulnerable: As of yet, there are no regulations governing ICOs. While the exact requirements differ between legislations, a company wishing to go public must meet certain minimal criteria and comply with rigorous regulations to ensure it is ready to accept public shareholder money.

ICOs do not face any of these requirements, meaning that smaller and more poorly prepared companies can perform them. Likewise, buying coins does entitle investors to any of the other privileges shareholders enjoy such as government oversight, protection against insider trading, shareholder voting rights or public reporting.

This leads to many ICOs being (intentionally or unintentionally) badly laid out by their creators.

Lack of Preparedness

While amounts vary significantly, many ICOs raise millions of US Dollars. As we have pointed out above, companies commonly use ICOs to provide early-stage funding. They are thus often not set up to handle such amounts of cashflow; especially because operating their own blockchain basically means that they have to operate their own banking system. A startup raising series A funding does not need to provide its own banking system - it can rely on existing banking infrastructure. Furthermore, the underlying cryptographic algorithms backing blockchains are extremely hard to fully understand. While actual cryptography experts have become very expensive over the past years, charlatans pretending to understand the technology are abundant - and many non-technical CEO cannot tell the difference between the two.

This means that many companies attempting an ICO face a comparatively large risk surface while handling comparatively large amounts of money and being comparatively badly prepared.

Summary

When combining the lack of oversight and lack of preparedness that many current ICOs face, the 10% theft figure begins to make sense. We predict that investors will grow more weary as the current gold rush on cryptocurrencies begins to fade and more and more hacks of ICOs are covered in the news. This will likely lead to a reduction of ICOs as companies figure out how to perform them while providing safeguards to win investor trust.

Until then, we recommend that anyone interested in investing in an ICO exercise extreme caution and research the company and its security policy thoroughly beforehand.

Likewise, companies wishing to perform an ICO are recommended to seek professional assistance from reputable sources to make sure they do not become the next victim of an ICO hack.