On July 17th, CoinDash, a startup whose platform combines a social network with a marketplace for crypto-asset traders, was hacked during their initial coin offering (ICO), or token sale, with the theft now exceeding $10 million of ether, the cryptocurrency of the Ethereum network.
The growing frequency of these crowdsales along with the incredible amounts raised is sure to attract the attention of hackers and thieves, so how did this happen?
Initial coin offerings are facilitated by a smart contract that programmatically sets the conditions of what goes in (incoming transactions) and what goes out (outgoing transactions). Using a smart contract, a project can exchange one digital asset or currency for another (ETH in this case).
In a paper titled, “Formalizing and Securing Relationships on Public Networks,” Nick Szabo, who first conceptualized the notion of smart contracts in 1994, compares the smart contract to its simplest analog in the real world, the vending machine:
“…the machine takes in coins, and via a simple mechanism, which makes a freshman computer science problem in design with finite automata, dispense change and product according to the displayed price. The vending machine is a contract with bearer: anybody with coins can participate in an exchange with the vendor. The lockbox and other security mechanisms protect the stored coins and contents from attackers, sufficiently to allow profitable deployment of vending machines in a wide variety of areas.”
Someone replaced CoinDash’s vending machine with another, except this vending machine does not dispense the expected refreshments.
CoinDash responded swiftly and is currently working to honor the contributions of their supporters around the unfortunate hack.
Cases such as these show how vigilant projects using these funding mechanisms must be to avoid severe loss, for themselves and for their supporters.
Since every smart contract has a verifiable address, it is important for investors to check the authenticity of the vending machine.
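One way to carry out that check, as an added example that is not from the original article: compare every Ethereum-style address shown on a sale page with copies of the contract address obtained through independent channels. The channel names, sample pages and addresses below are constructed for illustration.

```python
import re

# 0x + 40 hex chars (20 bytes); \b stops 64-hex transaction hashes matching.
ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

def normalize(addr):
    """Lower-case a 20-byte hex address; raise ValueError if malformed."""
    addr = addr.strip()
    if not ADDR_RE.fullmatch(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()

def check_sale_page(page_text, references):
    """Compare addresses shown on the page with independently obtained copies.

    references: {channel_name: address}, gathered out of band (assumed input).
    Returns (verdict, details).
    """
    refs = {channel: normalize(a) for channel, a in references.items()}
    expected = set(refs.values())
    if len(expected) != 1:
        # The trusted copies themselves conflict: nothing to compare against.
        return "references-disagree", refs
    shown = {a.lower() for a in ADDR_RE.findall(page_text)}
    if not shown:
        return "no-address-on-page", set()
    unexpected = shown - expected
    if unexpected:
        # At least one address on the page is not the published contract.
        return "mismatch", unexpected
    return "match", shown

# Constructed sample data, not real addresses.
PINNED = "0x" + "1a2B" * 10
SWAPPED = "0x" + "9f8e" * 10
REFS = {"signed announcement": PINNED, "block explorer": PINNED.lower()}
CLEAN_PAGE = f"<p>Send ETH to <code>{PINNED}</code></p>"
TAMPERED_PAGE = f"<p>Send ETH to <code>{SWAPPED}</code></p>"

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, check_sale_page(page, REFS))
```

A match only shows that the page agrees with the reference copies, so the check is only as strong as the independence of the channels those copies came from.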