Follow On Google News

What is an IDO? How can IDO be attacked?

02 Aug 2022 By : Rohit Khandelwal
Southeast Asia’s Lar

The IDO is portrayed as the replacement for fundraising models like ICO, STO, and IEO as it provides greater liquidity for crypto assets and more fast, transparent, and equitable trading. IDO is one of many inventive ways for raising funds.  However,the Initial Coin Offering (ICO), was the first method of raising funds in the cryptocurrency industry and it caused a lot of controversy in 2017.

Just about any ICO project could offer huge returns, and many did. Many ICO ventures turned out to be illusions or, worse, scams in an effort to make easy money. They also damaged the reputation of the cryptocurrency market and discouraged many potential new investors from joining.

To know more about ICO read-Evaluating ICOs: Importance of Soft Cap and Hard Cap

Decentralized finance (DeFi) uses several fundraising strategies to try to solve this issue. The IDO model is one such example. Crypto investors now have access to a different, more inclusive crowdfunding model due to DEXs.

However, hacking assaults can cause significant financial and reputational harm during the Initial Dex Offerings (IDOs). This is why token issuers should prioritize protection against these sorts of assaults. Preventative interventions allow for the reduction of the hazards associated with these assaults.

In order to understand how these hacking attacks pose a risk to an IDO's reputation, we must first understand how an IDO works.

How does an IDO work?

The decentralized exchange is used by an IDO to carry out the token sale. The DEX receives tokens from a cryptocurrency project, customers deposit money through the platform, and DEX handles the ultimate distribution and transfer. The blockchain's smart contracts enable this automated operation.

The IDO regulations follow these standard methods.

  • After the screening process, they approve a project to run on an IDO, and after they issue a supply of tokens for a fixed price, the users can lock their money in exchange for these tokens.

  • To be included in the investor whitelist, you must do marketing activities, or you can provide your wallet address.

  • The remainder of the funds are handed to the team, and some are utilized to build a liquidity pool. After the TGE(Token Generation Event), investors trade the token, and typically, the liquidity is locked for a specific amount of time.

  • Tokens are given to users at the TGE, after which the liquidity provider is made available for trading.

Types of Attacks

Smart Contract Manipulation

Given that the rules for carrying out agreements are entirely automated and hard-coded into algorithms, smart contracts provide a creative way to promote trustless exchanges. Smart contracts are like digital programs that can operate independently and according to a set of instructions.

However, inadequate design or programming flaws have led to hacks of smart contracts. In 2018, hackers got direct access to an ICO launchpad KickCoin’s smart contracts. The hackers acquired control of 40 accounts, which they afterward deleted and recreated with another 40 very similar ones.

When multiple victims complained, the platform owners were made aware of the hack, and an audit later revealed that customers had lost tokens. Fortunately, the KICKICO team recovered access to its smart contract a short time after the attack and replaced the compromised private key with the key from its cold wallet to protect the remaining funds. The site also paid out and replaced the 40 wallets that had been the target of the hack. 

Smart contract code flaws can lead to serious problems for a network from hackers. Other issues can arise from a badly built smart contract, like missing money, duplicate tokens, and even scripts intended to control the token creation process.

Bot attacks

A bot attack uses automated online requests to trick, deceive, or interfere with a website, app, API, or end users. Bot assaults began as straightforward spamming operations but have now developed into sophisticated, global criminal organizations with independent economies and infrastructures. These assaults can be categorized into three groups. Sniping bots, Front-running bots, and Combined attacks fall under these categories.

Using Sniping bots

If you have ever traded in Defi, you have probably witnessed coins being sniped at the very moment of their debut and the prices inflating. These bots are script(written in js) and use web3 and other blockchain APIs to interact with smart contracts. These bots look for new listings on multiple or oneautomated market maker (AMM).

Simply, the algorithm essentially purchases the newly launched coins with the most gas, and since it is an algorithm, it does this faster than any human could. Based on their respective liquidity levels, the attacks vary. The bots have an unfair edge over the token price when they respond to changes in liquidity levels. The bot now has the option to inflate the price. This causes an oversupply in the market and a domino effect on sales.

These bots' creators may use them themselves or sell them to other people. The bots require regular upgrades that concentrate on the appropriate measures. While a single sniper bot can be controlled, hackers deploy hundreds of them. A centralized reaction to the attack is necessary. Hackers start social media campaigns targeting users. The bots charge initiatives operating via IDOs with defrauding the users. The combined result hurts the reputation of companies.

Using Front running bots

A front-running bot checks pending transactions and pays a higher gas charge so that miners execute its transaction first, to front-run a large deal that will have an impact on market price. 

They modify the sequence of transactions within a block while paying out more money for gas and the transactions are given priority status by the exchange when it comes to processing their transactions. 

Front-running bots are more complex to manage as compared to snipping bots. The primary cause is the complexity of the algorithms themselves. Additionally, the operations take place more quickly. The degree of automation is what causes these bots' natural complexity. It enables instantaneous determination of the ideal transaction size.

Front running is legal since data is available on a digital ledger. The activity is also prohibited in the financial markets. While enhancing security and safety is the responsibility of the projects undertaking IDOs, the front-running bots should be the focus of these measures.

Phishing and Wallet exploitation

Over 50% of the money stolen is still lost to this kind of fraud, making it the most significant threat during launching IDOs too. Criminals create intricate, multi-step plans using all conceivable community influence channels. They can use various phishing techniques and disguise users to steal tokens from their wallets.

It's critical to remain alert at all times for any indications of potential fraud on the non-programming side of an IDO. Not every team member is aware of, or necessarily cares about, online safety, even though programmers and other tech-side staff may be sensitive to cybersecurity trends and best practices.

Criminals who used banking Trojans to finance their unlawful operations are now changing their tools to concentrate on cryptocurrency, which makes this market appealing to them. They pose a threat to traders, cryptocurrency users, and owners in addition to IDO ventures.

An IDO needs to use an address verification service as hackers can also change the official wallet address with their own and can steal tokens. project wallets can be stolen, and the tokens can be moved to an unauthorized address.

Consequences of these attacks

Projects and businesses conducting IDOs can suffer reputational harm, which leads to losing future funding opportunities and other significant operational difficulties. A company's engagement with its customers can become worse.

Hackers can manipulate the prices of tokens, and increase gas fees which will hurt the sentiments of the issuers and investors. So, Companies and developers should focus on removing these possible dangers for their project’s IDO to be successful.

The blockchain industry suffers reputational harm as a result of these attacks. Millions have been spent on safeguarding a project's IDO from these threats. The financial element of cyber security during IDOs focuses on removing or avoiding possible danger. The parties concerned are better protected with such a strategy.

For example, during the project's IDO on PancakeSwap, 111PG was asked to provide protection. Recently, the security mechanisms offered by 111PG prevented sniping bot assaults.

Making basic preparations is necessary to stop these attacks. Each step should handle a certain attack type.

Protective Measures

Companies use a variety of preventative and security measures to support the projects throughout the IDOs. These strategies concentrate on identifying liquidity peaks and responding to these alterations. 

Protective measures also rely on algorithms, similar to the scripts that bots use, the timing of the response is backed by these algorithms. Avoiding damage to the IDO is the key problem in putting these measures and solutions into action. Maintaining the ease and speed of the transactions is crucial at the same time.

Projects can identify issues before they become major crises by doing a pre-IDO audit of smart contracts with a focus on security and penetration testing for blockchain apps and smart contracts.

The current state of the industry presents another significant challenge: widespread awareness of the issue. Ironically, many token project creators aren't even aware of the risks they may face during an IDO. Knowledge is a crucial element of our total security. Therefore, it is necessary to talk about the issue of hackers and their effects on the market more frequently. Establishing cybersecurity in crypto as a standard practice rather than an exception will assist in enlisting more specialists in the cybersecurity solution.

Conclusion

Any technological advancement, especially one involving the internet, is always accompanied by an increase in fraud. And they frequently achieve success far more quickly than anyone else. Therefore, being aware of an issue already leads to its solution.

IDO is unarguably the next phase in blockchain finance (DeFi). Still, we must wait to see how it will evolve and align when several lessons are learned. Companies should focus to prevent these attacks from harming their reputation and investing in the security of these IDOs. 

WHAT'S YOUR OPINION?