In 2017, projects raised more than $5 billion through ICOs, but most of them have numerous vulnerabilities that can lead to the loss of investors' funds, a study claims.

ICOs attract the attention not only of investors but also of scammers and hackers. Cybersecurity experts at Positive Technologies examined a range of ICO projects for their resistance to attack and found that, on average, each of them contains five vulnerabilities.

Every third project showed vulnerabilities that allow its organizers to be attacked or access to their e-mail to be stolen, or contained bugs in its smart contracts.



With access to the organizers' social network accounts, scammers can gain control of the ICO project's domain or hosting and then replace the wallet address on the website so that investors' money is sent to them. This is how the attack on CoinDash, in which $7 million was stolen, was carried out.

“It is noteworthy that information from social networks is often enough to determine the e-mail login and then recover the password by guessing the right answers to the security questions,” the report says.

In smart contracts, the most commonly found bugs relate to non-compliance with the ERC20 standard, incorrect random number generation, and errors in business logic.
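The ERC20 non-compliance the report mentions is often a matter of signatures that deviate from the standard (a `transfer()` that returns nothing instead of `bool`, an undeclared `Approval` event). The following checker, added here as an illustration and not taken from the report or from Positive Technologies, compares a contract's ABI (the JSON form that solc emits) against the required ERC20 functions and events; the sample ABI it runs on is constructed for the example.

```python
# Added example (not from the report): check a contract ABI, in the JSON form that
# solc emits, against the ERC20 function and event signatures. Sample ABI is constructed.
ERC20_FUNCTIONS = {  # name -> (input types, output types)
    "totalSupply": ((), ("uint256",)),
    "balanceOf": (("address",), ("uint256",)),
    "transfer": (("address", "uint256"), ("bool",)),
    "transferFrom": (("address", "address", "uint256"), ("bool",)),
    "approve": (("address", "uint256"), ("bool",)),
    "allowance": (("address", "address"), ("uint256",)),
}
ERC20_EVENTS = {"Transfer": ("address", "address", "uint256"),
                "Approval": ("address", "address", "uint256")}

def _types(params):
    return tuple(p["type"] for p in params)

def erc20_violations(abi):
    """Return deviations from ERC20 as strings; an empty list means compliant."""
    funcs = {e["name"]: e for e in abi if e.get("type") == "function"}
    events = {e["name"]: e for e in abi if e.get("type") == "event"}
    problems = []
    for name, (ins, outs) in ERC20_FUNCTIONS.items():
        entry = funcs.get(name)
        if entry is None:
            problems.append(f"missing function {name}")
            continue
        if _types(entry.get("inputs", [])) != ins:
            problems.append(f"{name}: wrong input types")
        if _types(entry.get("outputs", [])) != outs:
            # e.g. transfer() returning nothing instead of bool, which breaks callers
            problems.append(f"{name}: wrong output types")
    for name, ins in ERC20_EVENTS.items():
        entry = events.get(name)
        if entry is None:
            problems.append(f"missing event {name}")
        elif _types(entry.get("inputs", [])) != ins:
            problems.append(f"event {name}: wrong parameter types")
    return problems

def fn(name, ins, outs=()):  # helpers that build ABI entries for the constructed sample
    return {"type": "function", "name": name, "inputs": [{"type": t} for t in ins],
            "outputs": [{"type": t} for t in outs]}
def ev(name, ins):
    return {"type": "event", "name": name, "inputs": [{"type": t} for t in ins]}

# Constructed sample: transfer() lacks the bool return value and Approval is not declared.
SAMPLE_ABI = [fn("totalSupply", (), ("uint256",)), fn("balanceOf", ("address",), ("uint256",)),
              fn("transfer", ("address", "uint256")),
              fn("transferFrom", ("address", "address", "uint256"), ("bool",)),
              fn("approve", ("address", "uint256"), ("bool",)),
              fn("allowance", ("address", "address"), ("uint256",)),
              ev("Transfer", ("address", "address", "uint256"))]
if __name__ == "__main__":
    print("\n".join(erc20_violations(SAMPLE_ABI)) or "ERC20 compliant")
```

Optional members such as `name`, `symbol` and `decimals` are deliberately not checked, since their absence does not break ERC20 callers the way a wrong `transfer()` signature does.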

“Vulnerabilities in smart contracts arise because of a lack of knowledge among programmers and insufficiently thorough testing of the source code.”

Vulnerabilities that allow attacks on investors were found in 23% of the projects. The most common methods in this category are social engineering, that is, the use of social networks and phishing links.



The company's cybersecurity specialists analyzed the most common reasons ICO projects lose investors' money and identified four categories:

  • mistakes made when writing smart contracts, due to programmers' insufficient knowledge of secure development principles;
  • errors made when configuring the infrastructure and deploying blockchain platforms;
  • an ill-conceived threat model that does not take into account actual threats and the real methods cybercriminals use;
  • no monitoring of suspicious transactions.