Security researchers have found, on average, five security flaws in each cryptocurrency ICO (Initial Coin Offering) held last year. Only one ICO held in 2017 did not contain any critical flaws.
According to Positive.com, a security firm specialized in ICO security audits, most of the vulnerabilities they found were in the smart contracts at the base of the ICO itself.
"71% of tested projects contained vulnerabilities in smart contracts, the heart and soul of an ICO," the company said. "Once an ICO starts, the contract cannot be changed and is open to everyone, meaning anyone can view it and look for flaws."
"Typically, these would consist of non-compliance with the ERC20 standard (the token interface for digital wallets and cryptocurrency exchanges), incorrect random number generation and incorrect scoping amongst others," Positive.com experts say. "Generally, these vulnerabilities occur due to lack of programmer expertise and insufficient source code testing."
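Because an ICO contract cannot be changed once it is live, ERC20 non-compliance of the kind the researchers describe is best caught mechanically before deployment. The checker below is an added example written for this article, not Positive.com's tooling or anything from the report. It reads a contract ABI (the JSON interface the Solidity compiler emits) and compares it with the six ERC20 functions and two events. Both sample ABIs are constructed here; the non-compliant one omits the bool return value from transfer and the Approval event, deviations that break wallets and exchanges expecting the standard interface.

```python
"""ERC20 interface conformance checker (added example, not from the report).

Compares a contract ABI against the ERC20 function and event signatures and
returns a list of findings. The sample ABIs at the bottom are constructed.
"""
import json

# Required ERC20 functions: name -> (input types, output types, read-only?)
ERC20_FUNCTIONS = {
    "totalSupply": ((), ("uint256",), True),
    "balanceOf": (("address",), ("uint256",), True),
    "allowance": (("address", "address"), ("uint256",), True),
    "transfer": (("address", "uint256"), ("bool",), False),
    "transferFrom": (("address", "address", "uint256"), ("bool",), False),
    "approve": (("address", "uint256"), ("bool",), False),
}
# Required ERC20 events: name -> (input types, indexed flags)
ERC20_EVENTS = {
    "Transfer": (("address", "address", "uint256"), (True, True, False)),
    "Approval": (("address", "address", "uint256"), (True, True, False)),
}


def _types(entries):
    return tuple(e["type"] for e in entries)


def check_erc20(abi):
    """Return a list of human-readable findings; an empty list means conformant."""
    findings = []
    functions = {e["name"]: e for e in abi if e.get("type") == "function"}
    events = {e["name"]: e for e in abi if e.get("type") == "event"}

    for name, (inputs, outputs, read_only) in ERC20_FUNCTIONS.items():
        entry = functions.get(name)
        if entry is None:
            findings.append(f"missing function {name}")
            continue
        got_in, got_out = _types(entry.get("inputs", [])), _types(entry.get("outputs", []))
        if got_in != inputs:
            findings.append(f"{name}: inputs {got_in} != expected {inputs}")
        if got_out != outputs:
            # The classic defect: transfer/approve declared without a bool return.
            findings.append(f"{name}: outputs {got_out} != expected {outputs}")
        if read_only and entry.get("stateMutability") not in ("view", "pure"):
            findings.append(f"{name}: should be view, is {entry.get('stateMutability')}")

    for name, (inputs, indexed) in ERC20_EVENTS.items():
        entry = events.get(name)
        if entry is None:
            findings.append(f"missing event {name}")
            continue
        params = entry.get("inputs", [])
        if _types(params) != inputs:
            findings.append(f"event {name}: inputs {_types(params)} != expected {inputs}")
        if tuple(p.get("indexed", False) for p in params) != indexed:
            findings.append(f"event {name}: indexed flags differ from the standard")
    return findings


def check_erc20_json(text):
    """Convenience wrapper for an ABI given as a JSON string (e.g. solc output)."""
    return check_erc20(json.loads(text))


# --- constructed sample ABIs (helpers build entries in solc's ABI layout) ---
def fn(name, inputs, outputs, mutability="nonpayable"):
    return {"type": "function", "name": name, "stateMutability": mutability,
            "inputs": [{"name": f"a{i}", "type": t} for i, t in enumerate(inputs)],
            "outputs": [{"name": "", "type": t} for t in outputs]}


def ev(name, inputs):
    return {"type": "event", "name": name,
            "inputs": [{"name": f"a{i}", "type": t, "indexed": i < 2}
                       for i, t in enumerate(inputs)]}


COMPLIANT_ABI = [
    fn("totalSupply", [], ["uint256"], "view"),
    fn("balanceOf", ["address"], ["uint256"], "view"),
    fn("allowance", ["address", "address"], ["uint256"], "view"),
    fn("transfer", ["address", "uint256"], ["bool"]),
    fn("transferFrom", ["address", "address", "uint256"], ["bool"]),
    fn("approve", ["address", "uint256"], ["bool"]),
    ev("Transfer", ["address", "address", "uint256"]),
    ev("Approval", ["address", "address", "uint256"]),
]

# Same token, but transfer returns nothing and the Approval event is absent.
NONCOMPLIANT_ABI = [e for e in COMPLIANT_ABI
                    if e["name"] not in ("transfer", "Approval")]
NONCOMPLIANT_ABI.append(fn("transfer", ["address", "uint256"], []))

if __name__ == "__main__":
    print("compliant:", check_erc20(COMPLIANT_ABI))
    print("non-compliant:", check_erc20(NONCOMPLIANT_ABI))
```

Run against a real project, the ABI comes from the compiler's JSON output and the checker belongs in the build, so a deviation fails the pipeline rather than surfacing after the contract is frozen on-chain.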
Researchers also say that all the mobile apps ICO organizers launched in 2017 contained security flaws. The good news is that not all ICO organizers released mobile apps, but those who did failed to invest in securing them against attacks.
The Positive.com team says it identified more vulnerabilities in ICO mobile apps than in ICO official web applications.
Experts say the most common flaws in mobile apps are the use of insecure data transfer methods, storage of user data in phone backups, and disclosure of session IDs that an attacker could capture and use against the user.
"These flaws may be useful in gaining details about a project, its organizers and investors, prompting use by attackers in subsequent attacks," Positive.com said.
But security researchers also found security bugs in the web apps some ICO organizers released so users could place funds and obtain ICO tokens.
These apps were vulnerable to the same types of flaws all web apps are vulnerable to: code injection, web server disclosure of sensitive information, insecure data transfer, and arbitrary file reading.
Positive.com said half of the security audits they performed last year revealed vulnerabilities in ICO web applications, and a third of all ICO-related security flaws tied back to an ICO's web app.
Other places where researchers found security flaws are the ICO investors themselves and the ICO's backbone infrastructure.
Researchers argue that ICO organizers often failed to register social media accounts for their projects, and also failed to register all versions of an ICO domain, exposing users to social engineering and phishing attacks.
Last but not least, ICO organizers often failed to enable two-factor authentication for sensitive accounts, leaving themselves exposed to social engineering and phishing attacks that resulted in crooks hijacking official ICO websites or gaining control over the wallets where the ICO stored its gathered funds.
With over $5 billion invested in ICOs in 2017 and with the US Securities and Exchange Commission (SEC) cracking down on ICO organizers, it's time that ICO organizers move away from their amateurish approach to their business dealings and invest more in cyber-security to prevent hackers from hijacking their hard-earned funds.
Positive.com released these figures as it launched ChainWatch into public beta. ChainWatch is a platform for analyzing and monitoring ICO security and alerting ICO organizers against potential attacks.
A previous study also found that 81% of recent ICOs were scams, which might explain why most ICO organizers didn't bother with security.