tech security tips for ICOs 2019

ICOs have been around for only a few years, and we saw them explode only last year, in 2017. But already today, we can step back and take a look at those stories of success and failure. Precedents have been set and new teams can learn from them.
If you are thinking of starting your own ICO (or STO), you’ll do it a favor by doing everything just right from day one. No one wants their multimillion undertaking crush and leave the founder(s) with those millions of debt on hands, right?
There’s tough competition out there, too. For example, out of 200+ existing cryptocurrency exchanges, only 10–15 enjoy a large user base and liquidity. Only those make it to the top who carry out every step of the ICO journey perfectly and do it at the right time.
In preparation for this article, I’ve chatted with quite a few ICO founders and devs. Here’s what I’ve found out — use these tips to realize your ICO’s potential to the fullest in 2019.

 

1. Your ICO is your fortress

A smallest vulnerability or bug in the code can ultimately result in failure of the entire enterprise, which is why things like implementing the latest technology and strictest security are vital.
Any online banking platform requires a Swiss-grade security. Even more so an ICO campaign — here, we are talking military-grade security. If you’re running an ICO, you’re automatically being a target for hackers. There’s no question about it.
Here’s the thing: Your ICO has to withstand an attack by the best in class hacker. Otherwise, it is most certainly a game over.
If you’re building something that is really worthwhile to investors, smart contracts and security tokens are indispensable for the majority of ICOs. What else can you do?
Do not neglect to give your users the option of 2-step authentication2FA — Two-Factor Authentication. It’s still the best way to defeat cyber criminals and avoid account takeovers. Enigma ICO were persuaded to implement it only after a scam that cost Enigma supporters almost $500,000.
Use multisig. Multisignature is a security mechanism that makes sure transactions are carried out only with the participation of a certain number of the authorities. It’s similar to a bank requiring signatures from multiple people (for example, 2 of a company’s 3 designated officers) to access funds. It’s decentralization in the spirit of the blockchain itself.
Don’t stop on the above, building fortifications around your ICO is an ongoing process. The battle between white-hats and black-hats rages on, hotter than ever. Here’s what Andrew from Legal Neural Network, an ICO from LawTest, shared to me:
Security of the personal accounts and data have always been hot topics. Although there were many discussions, there were no unified answers for the users’ security and maybe never will be. In such a situation, it would be good to provide users with the maximum choice of security options and control over them. And those who have access to personal information databases, should […] remember about responsibility for users’ personal data.

 

2. Implement conditional P2P transactions

Smart conditional transactions

By design, every blockchain-based project means irreversible transactions: once a payment is sent, it’s gone, no matter if you get the promised services or goods in return, or not. That’s hardly a safe P2P deal. Unless we have guarantees that the other party keeps its promise, such payment was just a donation in exchange for soft promises.
Imagine a different scenario: Laszlo wants to buy a pizza from Mary’s Pizza, but this time he wants a secure transaction. The Mary’s Pizza’s platform allows Laszlo to set a condition: If Mary doesn’t deliver the pizza within a certain period of time, Laszlo can safely retrieve his money. The transaction happens with no intermediaries, central authorities such as DAOs, nor escrows in a true peer-to-peer manner. Wouldn’t you trust such business a lot more?
When the main goal of cryptocurrency is mass adoption, it’s the job of ICOs to make cryptocurrencies safe and real, and show what good they can do in the real world.

 

3. Send money to a @username and/or email instead of a cryptic address

Simplicity (user-friendliness) is another way to introduce the masses to new technologies.
Today, virtually all cryptocurrency projects only use cryptographic wallet addresses that look like this: k98wd ljLJncskuc77s86qegfKIYCi&wdoycb. This is while the rest of the world uses (and loves) @usernames. Medium, Facebook, Reddit, Telegram, Twitter — usernames are everywhere.
Do you want to send a payment to @maryspizza or k98wdljLJncskuc77s86qegfKIYCi&wdoycb?
It seems the blockchain world is the only place with millions of people and the lack of usernames. Of course, cryptic addresses were invented for better security and anonymity, but do we really need total anonymity when we just want to buy a pizza? I don’t know; but what’s for sure, these long, ugly wallet addresses are hurting adoption. There is a better way, while still maintaining the safety, and I have seen some ICO teams that are already using usernames.
Nearly the same goes for email addresses. Remember how PayPal started allowing us to send money to an email address of another PayPal user without the need for account numbers? Today this works even if the recipient does not have a PayPal account yet. This might partly be what propelled PayPal to mass adoption.
In the cryptocurrency world, the recipient has to be already in the system, and we need to know their wallet address. But imagine your user needs only to know another party’s email address, which they probably already memorized. The money is sent directly sender-to-recipient, peer-to-peer, in the spirit of the blockchain. If the user doesn’t have a wallet yet, they are prompted to install it in order to receive the money.
When PayPal was starting, email was the only mass-adopted P2P method. Now we have a lot more options, especially on mobile. Who knows, we may soon use such end-to-end encrypted chats as Signal, WhatsApp, and iMessage as channels for crypto payments.
The bottom line is, your users will appreciate if you make your ICO/STO platform a little more user-friendly.

 

4. Adopt Decentralized Autonomous Initial Coin Offering (DAICO)

DAICO fundraising ICOs

Image: ethresear.ch

DAICO, a novel fundraising model devised by Vitalik Buterin earlier this year, is designed to fix the trust problem between ICOs and investors. If you care to attract the best investors who can’t wait to invest millions, then consider adopting this alternative fundraising model.
As Buterin himself explained, ICOs defy the main principle of cryptocurrencies — decentralization:
“They [ICOs] also have their flaws, and I think many of these flaws arise from the fact that even though the ICOs are happening on a decentralized platform, the ICOs themselves are hardly [to a large degree] centralized; they inherently involve many people trusting a single development team with potentially over $200 mln of funding.”
Under DAICO, unlike with an ICO, the development team does not have access to investor funds, the funds are locked. The team can take out only a certain amount per second which is called “tap.” Investors control the amount of the tap and can vote to raise or lower it. In this way, DAICO will alleviate some of the investors’ stress due to the lack of regulations and control in an ICO model.
Here’s the source code.

 

5. Use a VPNVPN ICOs

Cryptocurrency is attracting more and more money, so it does hackers’ activity. As mentioned above, 2017 was a year of ICOs but also a big year for scams and hacks of cryptocurrency exchanges and investor wallets.
VPNs are a simple safety net that can easily be overlooked. For an ICO developer or owner, the value of VPNs comes in protecting your data when using public Wi-Fi. You may have a state-of-the-art security solution deployed on your platform, but if you’re using an unencrypted connection, hackers could launch a “man-in-the-middle attack” and steal what you could be transmitting.
Imagine this scenario: You are accessing your ICO wallet in public to release bounty payments to your users or team. A hacker uses a “sniffing” program to intercept your wallet ID codes or admin panel passwords you sent over a compromised network. Next thing you know is 0 on your balance. This isn’t at all difficult for an experienced hacker.
Choose a VPN that offers encrypted P2P traffic or connection over TOR network. Your IP address won’t be revealed and all data you send and receive will safely go via an encrypted channel.