Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Investing > Positive.com: ICO Projects Contain Five Security Vulnerabilities On Average

Positive.com: ICO Projects Contain Five Security Vulnerabilities On Average

Published by Gbaf News

Posted on June 27, 2018

10 min read

Last updated: January 21, 2026

Lawmaker Kim Leadbeater discusses UK's assisted dying law changes - Global Banking & Finance Review — Image of Kim Leadbeater addressing the media about proposed changes to the UK's assisted dying law, emphasizing the removal of High Court judge sign-off to enhance the legislative process.

ICO security company launches Chainwatch, a real time monitoring product for ICOs

Positive.com’s specialist anti-fraud team found an average of five separate vulnerabilities in each project they examined in 2017, revealing the extent of risk for ICO management teams and investors alike. 47% of ICO vulnerabilities uncovered by Positive.com’s anti-fraud team were medium to high severity. Just one vulnerability is enough for attackers to steal investors’ money and do irreparable damage to corporate reputation.

According to various estimates, total investments in ICOs exceeded $5 billion in 2017, with the first quarter of 2018 showing no sign of slowdown.

With large sums of money available, incentives for cybercriminals are high, and in fact, we saw 7% of all funds raised in ICOs last year stolen, to the value of $300 million. Of all the security audits conducted for Positive.com clients active in ICOs and blockchain deployment in the banking industry in 2017, only one did not contain any critical flaws.

Positive.com has today launched the open beta phase of its unique Chainwatch product, which provides real-time monitoring and detection of attacks on ICO smart contracts and wallets. Currently in trial with customers, and the open beta phase making it open to the public, Chainwatch allows timely response to suspicious activity through predefined rules (blockchain metrics), which alert when a threshold is reached and an anomaly detected – such as abnormal money withdrawal. Early alerts to potentially fraudulent activity allow ICO organizers to take evasive action, such as withdrawing funds or warning investors to hold money transfer.

Chainwatch is the only product that can monitor all Ethereum smart contracts in real-time, with automated alerts to owners and investors, meaning ICO organizers can take a proactive approach to security and monitor the load on the service. New checks are being added daily, but Chainwatch already detects key attack types, including Transaction Ordering Dependence (TOD), Reentrancy, Short Address Attacks and anomalous attacks.

Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive.com said “In an ICO, time is of the essence, and short time frames mean that anticipating attacks well in advance is critical for avoiding financial losses. The latest figures have shown the rapidly increasing rate of crime and fraud on the cryptocurrency market, with cybercriminals recognizing the opportunity presented by the dramatic rise of the cryptocurrency market in recent months. However, none of the ICOs protected by Positive.com fell victim to cyberattacks and all successfully completed their ICOs without incident.”

Positive.com found that 71% of tested projects contained vulnerabilities in smart contracts, the heart and soul of an ICO. Once an ICO starts, the contract cannot be changed and is open to everyone, meaning anyone can view it and look for flaws. Typically, vulnerabilities in smart contracts occur due to lack of programmer expertise and insufficient source code testing, with high-profile incidents, including the recent BatchOverFlow bug and the Parity Wallet vulnerability in late 2017. And one third of all ICO vulnerabilities detected by Positive.com experts were in smart contracts.

Half of audits revealed vulnerabilities in ICO web applications, a huge risk with unauthorised control of a website and its contents potentially causing multi-million dollar losses in just minutes.

The team found vulnerabilities were divided into five groups;

Vulnerabilities allowing attacks against ICO organizers– in fact, Positive.com found that 1 out of 3 ICOs had flaws that enabled attacks against organizers. Attack strategies can include hijacking the email account of the ICO organizer, using information on social networks, gaining text message information from darknet merchants or social engineering techniques to bypass two-factor authentication, for example. Once the email account has been hijacked, attackers can reset the password for the ICO domain or web host, and subsequently replace the wallet address, for example as in an attack against Coindash.io, resulting in a $7 million loss.
Vulnerabilities in smart contracts– typically, these would consist of non compliance with the ERC20 standard (the token interface for digital wallets and cryptocurrency exchanges), incorrect random number generation and incorrect scoping amongst others. Generally these vulnerabilities occur due to lack of programmer expertise and insufficient source code testing.
Vulnerabilities in web applications– some of these involved the security of the blockchain itself and its backend implementation (for example with web3.js), whilst others are more general, including code injection, web server disclosure of sensitive information, insecure data transfer and arbitrary file reading.
Vulnerabilities allowing attacks against investors– the risk of social engineering-based attacks can be mitigated by smart pre-planning by ICO teams, registering all possible versions of the project domain name, misspellings and signing up/registering names on social media accounts. And ICO teams should take notice of this — 23% of projects tested by Positive.com experts contained flaws that allow attacks against investors.
Vulnerabilities in mobile applications– created by some ICO teams for investor convenience, the Positive.com team identified 2.5 times more vulnerabilities in ICO mobile apps than in ICO web applications. And alarmingly, vulnerabilities were detected in 100% of ICO mobile applications. The most common flaws found include insecure data transfer, storage of user data in backups and session ID disclosure. These flaws may be useful in gaining details about a project, its organizers and investors, prompting use by attackers in subsequent attacks.

Galloway continued: “The second a company goes public with an intention to do an ICO, it’s waving a huge flag to cyber criminals that it’s both valuable and also in a very vulnerable phase of its company growth. ICO teams have a responsibility to ensure their security posture is as robust as possible, from the development of the smart contract and web applications, to monitoring load once the ICO has begun and helping investors avoid phishing attacks.”

State Of The ICO

ICO security company launches Chainwatch, a real time monitoring product for ICOs

Positive.com’s specialist anti-fraud team found an average of five separate vulnerabilities in each project they examined in 2017, revealing the extent of risk for ICO management teams and investors alike. 47% of ICO vulnerabilities uncovered by Positive.com’s anti-fraud team were medium to high severity. Just one vulnerability is enough for attackers to steal investors’ money and do irreparable damage to corporate reputation.

According to various estimates, total investments in ICOs exceeded $5 billion in 2017, with the first quarter of 2018 showing no sign of slowdown.

With large sums of money available, incentives for cybercriminals are high, and in fact, we saw 7% of all funds raised in ICOs last year stolen, to the value of $300 million. Of all the security audits conducted for Positive.com clients active in ICOs and blockchain deployment in the banking industry in 2017, only one did not contain any critical flaws.

Positive.com has today launched the open beta phase of its unique Chainwatch product, which provides real-time monitoring and detection of attacks on ICO smart contracts and wallets. Currently in trial with customers, and the open beta phase making it open to the public, Chainwatch allows timely response to suspicious activity through predefined rules (blockchain metrics), which alert when a threshold is reached and an anomaly detected – such as abnormal money withdrawal. Early alerts to potentially fraudulent activity allow ICO organizers to take evasive action, such as withdrawing funds or warning investors to hold money transfer.

Chainwatch is the only product that can monitor all Ethereum smart contracts in real-time, with automated alerts to owners and investors, meaning ICO organizers can take a proactive approach to security and monitor the load on the service. New checks are being added daily, but Chainwatch already detects key attack types, including Transaction Ordering Dependence (TOD), Reentrancy, Short Address Attacks and anomalous attacks.

Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive.com said “In an ICO, time is of the essence, and short time frames mean that anticipating attacks well in advance is critical for avoiding financial losses. The latest figures have shown the rapidly increasing rate of crime and fraud on the cryptocurrency market, with cybercriminals recognizing the opportunity presented by the dramatic rise of the cryptocurrency market in recent months. However, none of the ICOs protected by Positive.com fell victim to cyberattacks and all successfully completed their ICOs without incident.”

Positive.com found that 71% of tested projects contained vulnerabilities in smart contracts, the heart and soul of an ICO. Once an ICO starts, the contract cannot be changed and is open to everyone, meaning anyone can view it and look for flaws. Typically, vulnerabilities in smart contracts occur due to lack of programmer expertise and insufficient source code testing, with high-profile incidents, including the recent BatchOverFlow bug and the Parity Wallet vulnerability in late 2017. And one third of all ICO vulnerabilities detected by Positive.com experts were in smart contracts.

Half of audits revealed vulnerabilities in ICO web applications, a huge risk with unauthorised control of a website and its contents potentially causing multi-million dollar losses in just minutes.

The team found vulnerabilities were divided into five groups;

Vulnerabilities allowing attacks against ICO organizers– in fact, Positive.com found that 1 out of 3 ICOs had flaws that enabled attacks against organizers. Attack strategies can include hijacking the email account of the ICO organizer, using information on social networks, gaining text message information from darknet merchants or social engineering techniques to bypass two-factor authentication, for example. Once the email account has been hijacked, attackers can reset the password for the ICO domain or web host, and subsequently replace the wallet address, for example as in an attack against Coindash.io, resulting in a $7 million loss.
Vulnerabilities in smart contracts– typically, these would consist of non compliance with the ERC20 standard (the token interface for digital wallets and cryptocurrency exchanges), incorrect random number generation and incorrect scoping amongst others. Generally these vulnerabilities occur due to lack of programmer expertise and insufficient source code testing.
Vulnerabilities in web applications– some of these involved the security of the blockchain itself and its backend implementation (for example with web3.js), whilst others are more general, including code injection, web server disclosure of sensitive information, insecure data transfer and arbitrary file reading.
Vulnerabilities allowing attacks against investors– the risk of social engineering-based attacks can be mitigated by smart pre-planning by ICO teams, registering all possible versions of the project domain name, misspellings and signing up/registering names on social media accounts. And ICO teams should take notice of this — 23% of projects tested by Positive.com experts contained flaws that allow attacks against investors.
Vulnerabilities in mobile applications– created by some ICO teams for investor convenience, the Positive.com team identified 2.5 times more vulnerabilities in ICO mobile apps than in ICO web applications. And alarmingly, vulnerabilities were detected in 100% of ICO mobile applications. The most common flaws found include insecure data transfer, storage of user data in backups and session ID disclosure. These flaws may be useful in gaining details about a project, its organizers and investors, prompting use by attackers in subsequent attacks.

Galloway continued: “The second a company goes public with an intention to do an ICO, it’s waving a huge flag to cyber criminals that it’s both valuable and also in a very vulnerable phase of its company growth. ICO teams have a responsibility to ensure their security posture is as robust as possible, from the development of the smart contract and web applications, to monitoring load once the ICO has begun and helping investors avoid phishing attacks.”

State Of The ICO