Getting Your ICO Right: A Five-Step Guide to Avoiding Security Nightmares
There’s so much buzz around initial coin offerings (ICOs) right now, but there’s also a lot of fear. With regular headlines about funds being cleared out by hackers attacking smart contracts and cryptocurrency wallets, it’s no wonder investors are nervous. Some estimates suggest as much as $225 million has already been lost to cybercriminals in under a year.
But ICOs don’t have to fall victim, and there is plenty that offering companies can do to reassure their investors that this fledgling industry isn’t dead before it’s even started.
Between them, our experts have decades of experience in enterprise-level application security and vulnerability management. That’s how we know that hackers CAN be stopped. If you know the weaknesses these attackers exploit, you can find them and fix them before they become a threat.
Now, we are bringing that experience to the unique worlds of ICOs and Token Generation Events (TGEs). Here’s our five-step plan for beefing up your security without slowing down your launch schedule.
Ready? Secure? Launch!
Don’t even think about going live with your ICO website until you’ve followed these first four steps to secure both the site and the infrastructure that supports it: servers, smart contracts, mobile applications, etc. All this infrastructure can be vulnerable, so you need to:
1. Find and fix vulnerabilities in your smart contract source code. If you don’t find them, hackers will, and they’ll exploit them to divert funds. And because a deployed contract’s code can’t be changed, you have to fix them before you launch or it’s too late!
2. Get your server infrastructure audited. The ICO web application itself needs a full security audit, but so do the related web and mobile applications, servers, and your network infrastructure. Ensure your auditors prioritize the most critical vulnerabilities for you, and provide recommendations on how to fix them. If possible, get follow-up verification testing after you’ve fixed the flaws, so you have independent confirmation they’ve been eliminated.
3. Beware employees who could be your weakest link. Social engineering attacks like phishing are a favorite place for hackers to start and can give them the foothold they need for a total breach. Consider security awareness training for your employees so they can avoid falling victim.
4. Remember the only constant is change. It would be great if you could deal with security up front and then forget about it, but your infrastructure will be constantly changing both during and after your ICO launch. Make sure you keep looking for new flaws, admin errors, and unwanted configuration changes so you can take action quickly to reduce risk.
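To make step 1 concrete, here is an added illustration (written for this article, not code from any client or from Positive Technologies) of the kind of flaw an audit looks for in a Solidity crowdsale: a refund function that sends ETH before it zeroes the caller’s balance, so a contributor that is itself a contract can re-enter and drain the sale. The hardened version applies the checks-effects-interactions order and a reentrancy guard. Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative crowdsale: contributors send ETH during the sale and may reclaim
// it if the soft cap is not reached by the deadline. Names are hypothetical.
contract VulnerableSale {
    mapping(address => uint256) public contributed;
    uint256 public totalRaised;
    uint256 public immutable deadline;
    uint256 public immutable softCap;

    constructor(uint256 durationSeconds, uint256 softCapWei) {
        deadline = block.timestamp + durationSeconds;
        softCap = softCapWei;
    }

    function contribute() external payable {
        require(block.timestamp < deadline, "sale over");
        contributed[msg.sender] += msg.value;
        totalRaised += msg.value;
    }

    // BUG: the external call runs before the balance is zeroed. A contributor
    // that is a contract can re-enter refund() from its receive() function and
    // be paid again and again until the sale holds less than its deposit.
    function refund() external {
        require(block.timestamp >= deadline && totalRaised < softCap, "no refund");
        uint256 amount = contributed[msg.sender];
        require(amount > 0, "nothing to refund");
        (bool ok, ) = msg.sender.call{value: amount}("");   // interaction first
        require(ok, "transfer failed");
        contributed[msg.sender] = 0;                         // effect too late
    }
}

// Minimal attacker for the vulnerable contract above: contribute, call refund(),
// and re-enter from receive() while the sale can still cover another payout.
contract Reentrant {
    VulnerableSale public sale;

    constructor(VulnerableSale target) { sale = target; }

    function contributeTo() external payable { sale.contribute{value: msg.value}(); }

    function attack() external { sale.refund(); }

    receive() external payable {
        if (address(sale).balance >= sale.contributed(address(this))) {
            sale.refund();
        }
    }
}

// Hardened version: update state before the external call, and block nested
// calls with a simple mutex so even a mistaken ordering cannot be exploited.
contract HardenedSale {
    mapping(address => uint256) public contributed;
    uint256 public totalRaised;
    uint256 public immutable deadline;
    uint256 public immutable softCap;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(uint256 durationSeconds, uint256 softCapWei) {
        deadline = block.timestamp + durationSeconds;
        softCap = softCapWei;
    }

    function contribute() external payable {
        require(block.timestamp < deadline, "sale over");
        contributed[msg.sender] += msg.value;
        totalRaised += msg.value;
    }

    function refund() external nonReentrant {
        require(block.timestamp >= deadline && totalRaised < softCap, "no refund");   // checks
        uint256 amount = contributed[msg.sender];
        require(amount > 0, "nothing to refund");
        contributed[msg.sender] = 0;                                                  // effects
        (bool ok, ) = msg.sender.call{value: amount}("");                             // interactions
        require(ok, "transfer failed");
    }
}
```

The second refund() call made from Reentrant’s receive() hits the zeroed balance in HardenedSale and reverts on "nothing to refund" (and on the mutex before that), whereas against VulnerableSale it succeeds for as long as the sale’s balance covers the deposit. This is exactly the class of bug that must be caught before deployment, because afterwards the only fix is to drain or abandon the contract.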
ICOs in orbit: Get your post-launch security planning right
So that’s four steps, and your project has gone live. Great! But what’s the fifth step? It’s easily forgotten in the rush to launch, but you can’t afford to skimp on post-launch security planning if you’re going to not just GO live but STAY live.
5. Monitor your systems 24/7. You can’t block attacks you can’t see, so get expert eyes to keep watch over your application and infrastructure and provide early warning of anomalies. You’ll also need a plan in the event that the worst does happen. Put a qualified team in place to provide rapid response and shut down any unfolding threats.
Getting by with a little help from your friends
Our five-step plan may appear time-consuming, but you can’t put a price on the security of your investors’ money. And you may be surprised how fast you can accomplish all five steps with the right kind of expert help. In a recent project, it took us just a couple of days to revolutionize the security of one ICO. We had no choice but to work fast, as their launch date was already set and couldn’t be moved. Our detailed security assessment covered their infrastructure, website, and smart contract, which was written in Solidity. We also provided guidance on fixing all the security flaws we’d found and performed follow-up verification testing to confirm they’d followed the recommendations properly.
Every ICO is different, which is why we customize our security services for every client. Contact us at Positive.com to find out more about what we can do to help your ICO succeed.