Security learnings from a $30,000,000 token sale

Those who follow ICOs closely will know that Blackmoon recently held a successful token sale which generated $30,000,000. Being an investment platform based on Blockchain, Blackmoon knew the token sale would raise capital, but also awareness and the overall value of their company. But it was that second part — raising awareness — that made them wary, and led them to

Having seen some of the attacks that have taken place in recent times, with a lot of value making its way into hackers’ pockets, Blackmoon was keen to avoid becoming a target. The level of potential exposure they faced from an ICO was far from their usual experience in the investment world. And, of course, they knew that any cyber-attack would deal a severe blow to investor trust, with dire consequences for the success of their token sale.

What brought to Blackmoon

Blackmoon had done their homework and were already very aware that too many poorly protected wallets, websites and other technical infrastructure had caused significant problems for organizations undergoing previous ICOs. Our team were able to extend that knowledge by demonstrating the very real dangers from vulnerabilities in smart contracts themselves. The last thing Blackmoon wanted was wallet information being spoofed, their site being taken offline or having damaging material posted on it.

So Blackmoon trusted’s expert team to perform a full smart contract source code audit. We’re not at liberty to share the full details for obvious privacy reasons, but the audit was certainly a worthwhile exercise, allowing Blackmoon to see and fix smart contract flaws and ensure they had truly robust security measures in place.

Here’s a summary of the key lessons learned from this exercise for other companies planning to emulate Blackmoon’s success:

1. The security of the code contained in your smart contract effectively dictates how some very valuable company assets are shared with the outside world. Getting an independent opinion from a security expert will allow you to proceed with confidence that this will remain correctly apportioned.

2. Don’t make the mistake of thinking your token sale is just a website and a smart contract. There are a wealth of connected touch points which could be vulnerable — everything from servers to mobile applications are a target. Hackers are infinitely more creative and adaptable than you think, so test these points again and again before any ICO.

3. There is no “cutting corners” when it comes to security, even under the pressure of running an ICO, and it is recommended to always get fresh perspective on all fronts. Having a refresher course in the multitude of social engineering techniques hackers use just makes them start thinking in a more secure manner.

4. Avoid a “set and forget mentality”. Technical infrastructure is like a living organism and change is inevitable. You need to keep looking for new flaws, such as admin errors and unwanted configuration changes, which throw open the doors of safe infrastructure to attackers. For this reason, 24/7 monitoring in the run-up period, and during the ICO itself, is important.

It’s OK to ask for help

Most likely, if you’re planning an ICO it’s because you have expertise in platforms that tokenize investment funds, but not necessarily a specialty in security. With so much at stake, it makes sense to ask for specialist expertise. Blackmoon’s token sale was just one additional business event, on top of their core offering. Trying to add security into the mix to do their own smart contract audit would have been distracting and the results wouldn’t have given them the kind of confidence they got from

The detailed security assessment of Blackmoon’s smart contract helped them find and fix flaws. This helped keep their funds safe from attack from the moment of launch. More importantly, it was instrumental in keeping their token sale on schedule. For anyone who has run a high growth tech company, you’ll know that’s a really big deal! Well done and congratulations to our friends at Blackmoon on a successful ICO.

Security learnings from a $30,000,000 token sale was originally published in ICO Security on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from ICO Security - Medium authored by Positive ICO. Read the original post at: