Within three months since the hacking incident of the CoinDash initial coin offering (ICO) in June that led to the loss of $7 million in funds, hackers hijacked the ICO of Etherparty’s native token FUEL, redirecting investor funds to an alternative address by hacking the website of Etherparty.
On October 2, Etherparty officially began its ICO for its application which enables individuals and businesses to create multichain smart contracts without programming or coding. But, a few hours after the FUEL ICO was initiated, an unknown group of hackers gained access to the website of Etherparty and changed the deposit address, allocating ICO funds to a separate Ethereum wallet address.
According to BleepingComputer, the Etherparty development team detected the hack in less than 15 minutes and immediately shut down their website. Subsequent to a brief investigation and analysis of the hack, Etherparty developers restored the website after 95 minutes.
Kevin Hobbs, the CEO of Etherparty, reassured investors that investors would be fully compensated for the stolen funds. Hobbs stated, “We have received overwhelming support from our investors, partners and the community throughout the fine-tuning process for Etherparty. Unfortunately, this also means unwanted attention in the form of phishing and hacking attempts despite the vigilance of our tech and support team.”
Lisa Cheng, the founder of Etherparty, further emphasized that necessary security measures and infrastructures have been integrated to prevent potential security issues and escalation. Cheng added:
“Our team has been consistently and successfully thwarting potential security issues to avoid further escalation. However, we do acknowledge and apologize for the temporary disruption to our otherwise successful launch day. Etherparty is eager and committed to compensating all affected contributors for the inconvenience.”
Security Issues of ICOs and Publicly Distributed Ethereum Address
In June, prior to the security breach of the CoinDash website that led to the theft of $7 million, an investor in the project by the name of MJ Dillon informed the CoinDash team in its public Slack channel of its poor security practice. Dillon wrote:
“Has anyone mentioned how bad an idea it is that you have a whitelist of people you’ll be emailing a contract address to with a ‘send money now!’ message before the address is public? Isn’t that just asking someone to try to hijack that process?”
In response, the CoinDash development team put out a rather irresponsible and arrogant statement, writing:
“MJ Dillon, if you don’t know how it will be done why are you making false assumptions then?”
But, the security breach occurred in the way Dillon described, as hackers gained access to the website and altered the ether address. The whitelisting process, which was condemned by Dillon, was explained by the CoinDash team in its official statement after the hack occurred:
“It is unfortunate for us to announce that we have suffered a hacking attack during our Token Sale event. During the attack, $7 mln were stolen by a currently unknown perpetrator. The CoinDash Token Sale secured $6.4 mln from our early contributors and whitelist participants, and we are grateful for your support and contribution.”
It is vital for blockchain startups to prevent hackers from hijacking ICOs and the fundraising process for the benefit of both developers of the projects and investors. If the hacking attack surpasses an amount the project cannot reimburse, it could lead to a major issue and potential legal conflicts.