Positive.com reviewed the security of ICOs held last year and found an average of five vulnerabilities per ICO. Only one of last year's projects was free of critical flaws. Most of the problems they found were in the smart contracts:
71% of the projects reviewed contained vulnerabilities in their smart contracts, which are the heart and soul of an ICO. Once the ICO is launched, the contract cannot be changed. It is open to all, which means anyone can inspect it and find vulnerabilities. The flaws include non-compliance with the ERC20 token standard, incorrect random number generation and improperly defined scope. Typically, they arise from programmers' lack of knowledge and insufficient testing of the source code.
The researchers also noted that every mobile app released in 2017 had security problems. The good news: not every ICO released a mobile app; those that did, however, did not invest in security. The most common flaws in mobile applications are the use of insecure data transmission methods, the storage of user data in phone backups and the disclosure of session IDs, which attackers can intercept and use against users.
The researchers also found vulnerabilities in the web applications released by some ICO organizers (through which users could invest and receive tokens). These vulnerabilities are typical of web applications in general: activation code, disclosure of sensitive information on web servers, unsafe data transmission. One third of all ICO vulnerabilities are associated with web applications.
The infrastructure is also a threat to the security of the token sale. The researchers note that organizers often had not verified their social network accounts and had not registered all variants of the ICO domain, which exposed them to phishing and social engineering. Organizers often went without two-factor authentication for their accounts, which led to the hacking of official ICO websites or to attackers gaining access to investors' wallets.
A previous study claimed that 81% of recent ICOs were fraudulent. This partly explains why most organizers were not worried about security.