
CoinDash’s ICO Website Has Been Hacked - seansoutpost
http://www.financemagnates.com/cryptocurrency/news/breaking-coindashs-token-sale-ico-website-hacked/
======
jamespitts
Important information related to this incident:

1. CoinDash did not publish the address of the contract in advance of the
ICO:

[https://www.reddit.com/r/ethereum/comments/6nsy6x/coindash_w...](https://www.reddit.com/r/ethereum/comments/6nsy6x/coindash_website_hacked_55_mil_gone/dkbx57x/)

2. Allegedly, CoinDash ignored issues brought up by a software contractor /
code reviewer:

[https://www.reddit.com/r/ethtrader/comments/6nrxk5/never_mis...](https://www.reddit.com/r/ethtrader/comments/6nrxk5/never_miss_an_ico_again_coindash_cdt/)

> In reviewing their crowdsale code, I found multiple bugs and many errors.
> I've been ignored since I brought up the problems with the CoinDash team
> three days ago.

~~~
_jtrig
The entire point of Cryptocurrency is to step away from institutional trust,
not dive head-first into it.

Bitcoin succeeds as a scarce and sovereign wealth management tool but once you
give away the private keys, you lose those advantages.

~~~
nosuchthing
Bitcoin is only scarce for late adopters; by design, early adopters of BTC
software generated thousands of "coins" per week for running a mining-computation
node on a normal 2-3GHz CPU.

BTC's network protocol service is not unique, and thus not scarce in the
least. I.E. other protocols/network designs/token-ledgers offer the same
service as BTC in addition to fixing the vulnerability to BTC's hashing
algorithm which has led to the ASIC attacks on the Bitcoin network which just
lead to centralization by the hardware producers.

~~~
_jtrig
You don't understand how currency functions and you certainly don't understand
how bitcoin operates.

I'll leave you to consoling yourself.

~~~
nosuchthing
Please enlighten us.

Here are some facts:

As per the design of the Bitcoin software, payouts were made to users running
standard home PCs with simple ~3GHz processors, and as a result, the software
minted thousands of BTC tokens to their accounts for the rather trivial
processor cycles. As per the design of the bitcoin protocol, running the
bitcoin software now on the same computer would mint a fraction of a coin.
Bitcoin was designed to favor the people who created it, and the few early
users who ran the software.

The assumption that the bitcoin service is unique, rare, or scarce is just not
the case. The historical records of these Ponzi payouts are public record.
Hundreds of alt coins with active 'networks' are running on the public
Internet right now, offering the same service as the BTC network, and often
improved upon features like scrypt, ZKP, or the EVM.

The divestment of digital beanie babies as I passed the hot potato of a
2.4-transaction-per-second digital message system with a horrible dev team and
censor-happy community currently in a civil war, to rubes who exchanged actual
universally accepted fiat paper, was enough to console me for years to come.

Maybe we are all destined for the moon, as the legends go. Because a
distributed database message system and expansive misinformation campaign has
convinced people as much. Or maybe bubbles are temporary?

~~~
cookiecaper
I agree with you. Bitcoin was a cool prototype with many oversights and
inadequacies that got bolted to a runaway hype train. Some later
cryptocurrencies have made modest improvements, but I don't think
cryptocurrency will really be able to break through until a) the difficulty
mechanism is fixed and b) reliable transaction confirmation is practically
instantaneous.

I got into bitcoin in early 2010 right before it started to show up in
mainstream news. CPU mining was already dead but I could GPU mine on my
desktop and generate about 1 BTC/day. I ran this for the novelty for a few
days and then turned it off. Not quite enough to get a skeptic's consolation
for "years to come", but it was fun anyway. :P

------
nikolay
Where's the news?! Why do people continue to bang heads against the wall with
this madness? Unless you're a thief, how is the craptocurrency thing better
than my credit card that's insured from unauthorized use and gives me a cash
back?! Yeah, you can't speculate with credit cards, and get rich quick,
because $1 = $1 like forever, but isn't that what the real investment tools
are for?

~~~
davnicwil
Just to pick up on this one small point: as I understand it, the cashback you
get with a credit card is more or less taken straight from the card processing
fee charged to the vendor, which of course, raises prices overall and is
therefore not really cashback at all. Without the fee, you would likely have
just paid a lower price in the first place.

The only party benefitting from the cashback scheme is, of course, the
middleman. By offering it, they give you an incentive to use the card more,
which in turn gives the vendors more incentive to accept it. More card use
equates directly to more money for them.

One of the hugely compelling benefits of cryptocurrencies is they entirely
eliminate the necessity for such middlemen taking a cut and driving up costs
for the parties actually partaking in the transaction.

~~~
simias
That's the definition of insurance. The problem with bitcoin, if you think
that's a problem, is that there's no obvious way to implement this scheme.
You'd have to insure your coins to a third party but then you'd probably have
to give them some control over your wallet so that you can't just "steal" your
own coins and make a claim.

But clearly people want this type of guarantee so I think the cryptopunk dream
of having every human being owning a bitcoin wallet aligns poorly with what
real world human beings want.

Every time I read about long term adoption of cryptocurrency by the masses I
always end up asking myself the same question: "Why would a random person for
whom money is not a political statement care about any of that? What's the
added value?" As far as I'm concerned I still haven't found a satisfactory
answer to this question.

~~~
kcanini
I can think of at least two real-world uses where cryptocurrency is a better
choice than fiat: (1) sending money overseas with very low transaction fee,
and (2) transacting on the black market.

~~~
root_axis
> _sending money overseas with very low transaction fee_

Except that fluctuations in the conversion rate make this very touchy,
especially if you're talking about a significant sum of money. Also, sending
crypto anywhere outside of a handful of developed nations is fraught with
difficulty because recipients need to be able to convert bitcoin into
spendable money which often involves risky in-person meetups and gigantic
markups on the conversion rate.

~~~
vinceguidry
These are market problems that are especially suited for developing nations to
be able to solve themselves. I am forever impressed by the ability of local
populations to work out collective solutions to scaling and trust problems.

Also, having options is better than not having them. Sure, there's the
international wire system, but it wouldn't hurt to give it some competition.

~~~
root_axis
I'm not saying cryptocurrencies shouldn't exist, only that they are not at
this time a serious or practical alternative except for very unique scenarios
that are generally outside the scope of the average citizen, especially in the
developing world. In the developing world, very often, even access to
computers, electricity, and internet are serious obstacles, not to mention a
gap in technical literacy compared to the developed world.

------
fokinsean
That's a bummer since Coindash appears to have an MVP and a reasonable funding
cap of $12MM. I wouldn't wish this on anyone, but it's unfortunate it didn't
happen to one of the scammy ICOs instead.

On a side note showcasing the ridiculousness of some of these ICOs,
[1]"Useless Ether Token" (UET) raised around $45k and literally doesn't do
anything.

[1]: [https://coinmarketcap.com/assets/useless-ethereum-token/](https://coinmarketcap.com/assets/useless-ethereum-token/)

[https://uetoken.com/](https://uetoken.com/)

~~~
trophycase
You do realize that everyone knows UET is a joke right?

~~~
TeMPOraL
DogeCoin was a joke too, right? I think it earned some people some money.

I actually like this about the Internet. A good joke deserves some profits.

------
albertgoeswoof
No problem, just hardfork and start again

~~~
dvcc
That only works when the money is tied to one of the core developers. Don't
worry though, blockchains are immutable and safe from centralization.

~~~
542458
Wait what? I'm not up to date on all the cryptocurrency going-ons. What's this
referring to?

~~~
JoshTriplett
One of the main Ethereum code-contracts, the DAO (
[https://en.wikipedia.org/wiki/The_DAO_(organization)](https://en.wikipedia.org/wiki/The_DAO_\(organization\))
) had a bug in its code, and someone exploited that bug to extract the value
from it. Rather than accept that as consistent with their view of "the code is
the contract", the Ethereum developers hard-forked the currency to reverse
that result and give everyone their money back.

~~~
qyv
Oh good, so they should be able to do that now and give everyone their money
back again. Thank goodness for decentralization! /s

------
buryat
I tend to believe that it was a scam because they refused to disclose the
contract beforehand and there were some people claiming that it's a scam a few
months before [1].

[1]
[https://bitcointalk.org/index.php?topic=1905500.0](https://bitcointalk.org/index.php?topic=1905500.0)

~~~
Obi_Juan_Kenobi
I say this without an ounce of hyperbole: I assume all ICOs are a scam until
convinced otherwise.

The majority aren't outright scams (willful intent to defraud), but most are
capital grabs with virtually no chance of being successful businesses.

------
mcherm
Where does the amount in the title ("45k ether") come from? I didn't see that
in the article.

EDIT: Apparently from
[https://etherscan.io/address/0x6a164122d5cf7c840D26e829b46dC...](https://etherscan.io/address/0x6a164122d5cf7c840D26e829b46dCc4ED6C0ae48)
, which is something I don't have the depth of knowledge to assess for myself.

~~~
ericfrederich
wow... 6 minutes ago, 1 minute ago... people are still sending this address
money?

~~~
forthefuture
This sentiment is how normal people feel about all cryptocurrency.

------
option_greek
I don't understand how any of these ICO companies are valued so high. If they
had to raise this 12mil from VC/PE would they still be valued the same ?

~~~
sharemywin
Because it's not real money, most of it is just bitcoins that got converted to
ethereum that got converted to coin du jour. Can you cash it out in small
quantities? Sure, but unless something tangible comes of it you have nothing
but worthless tokens.

~~~
hn_throwaway_99
I think that is key. It's similar to the .com boom (and bust) in the early
2000s. You had lots of examples where super-inflated company A bought company
B, and paid for it with their super-inflated stock. While the "values"
reported won and lost were in the billions (trillions?), the fact is that
relatively little of it was actually converted back and forth to real dollars.

------
free_everybody
Please please PLEASE do not buy into these ICOs. Nothing but vapor, I promise
you. Crypto is going to crash SO hard if people keep giving these ICO scammers
millions of dollars for each slick marketing campaign they can spin up.

------
ty_a
For anyone wondering, 45k ETH is about 7.65M USD.

~~~
option_greek
I wonder what happens if someone wants to liquidate this amount to USD
immediately. Has ether got enough liquidity to handle it :)

~~~
arcaster
Yep, there's more than enough liquidity. People clearing more than $70k USD
worth of ETH are usually going through OTC channels, not through exchanges
like Poloniex and Coinbase. OTC fees are generally higher than exchanges, but
offer the advantage of legally guaranteed finality and no chance of slippage
affecting your transaction (exactly what happened with GDAX when the price of
ETH briefly dropped to $0.10).

When deals are large enough, sometimes they are even executed as a set of
"tranches" (large set of smaller transactions over time) so the transfer isn't
easily traceable and counter-parties remain largely unknown.

~~~
smnplk
OTC ?

~~~
jkaljundi
Over-The-Counter eg not via exchanges, but directly.

------
discombobulate
Token sales are risky. What do people expect? _Guaranteed_ thousands-of-percent
returns.

At this point, it probably takes good judgement to make money in crypto. You
can't just throw fiat at anything & expect to walk away rich.

One of the reasons criminals are all over crypto is because they're valuable.

When Willie Sutton was asked why he robbed banks he replied: 'Because that's
where the money is'.

I'd say _caveat emptor_.

------
SirensOfTitan
The full title on the link is: "Breaking: CoinDash’s Token Sale (ICO) Website
Has Been Hacked." This submission is disingenuous at best, as it implies the
ICO contract was hacked: someone hacked the webpage and changed the token
sending address.

Edit: Looks like the title was updated. :)

~~~
discombobulate
1) Watch out for the website. And here's another tip from Vitalik,

'Reminder: if someone makes a token sale that gives discounts to large buyers,
this can be circumvented via collective-buying smart contract.'[0]

I think people are going to start understanding how to navigate the new
investment waters. It's going to take time. I still don't have as many sources
of info in the area as I'd like. That too -- if the market continues to
develop -- will change in time.

[0]:
[https://twitter.com/VitalikButerin/status/886191450727297024](https://twitter.com/VitalikButerin/status/886191450727297024)

~~~
joosters
The 'tip' can be summarised to just 'avoid token sales, you mug'

~~~
discombobulate
Can it? I understood it as more nuanced.

~~~
joosters
IMO, not Vitalik's

~~~
discombobulate
Vitalik was talking about token sales that give discounts to large buyers. And
that they can be circumvented via collective-buying smart contracts.

I got that information by reading his tweet.

Frankly, I don't know what you're talking about. I would imagine if he was
trying to convey one should avoid all token sales he would have said something
similar to that. Not something _specific_ to a specific situation.

The trick I'm employing involves reading comprehension.

------
AsyncAwait
This seems to be the same problem that many open-source projects have, where
the md5 hash to verify your download is at a single, (often the same)
location.

One possible solution would be to use Twitter pinned tweet to also announce
the address, however it's questionable how many people would actually cross
check.

~~~
ericfrederich
I always found that fascinating myself, serving the download and checksum from
the same source.

Doesn't HTTP have enough redundancy checks built in to make this pointless?
The only time to really do a checksum isn't on a browser download, it's when
you push it over some serial connection, or Android adb or something else.

~~~
sjbase
I suppose the "Here's the MD5 for your download" concept is useful if the file
is being served from a different host than the website itself. Someone could
tamper with the file server, but may not have access to the HTML rendering a
link to that file server.

But you're right about serving the data & checksum from the same source. I
don't see what extra layer of security or integrity it adds. Someone tampering
with server file system, or the data transfer (MitM) inherently has the access
they need to inject their own MD5 into the HTML.

------
SomeStupidPoint
So it was their website that got hacked, not their cryptocurrency widget (or
whatever the appropriate term is)?

I mean, not unexpected: hit the softest part of the chain, which in this case
seems to be a webserver rather than the crypto/contract. Just trying to make
sure my understanding is correct.

~~~
proto-n
The webserver, or you know, their wordpress website (at least according to
reddit).

------
dvcc
'Hacked' - or just stolen. Who could ever know in crypto-land? I am sure the
ICO contract had something about lost coins in it as well.

~~~
dullgiulio
Neither. They hacked the webpage and wrote a different address to send money
to. Similar to me sending you a letter that I am Oxfam, please send me money.

If only the crypto-currency world had laws and the institution of justice...

~~~
lightbyte
>If only the crypto-currency world had laws

A law isn't going to magic people's coins back if they hit send to the wrong
address.

~~~
cyphar
It won't magic anything; the person gets caught and the court makes a ruling like
every other criminal action. That's like saying that laws can't magic a stolen
bag of cash in a getaway car back to its rightful owner. You're right that
it's not magic, it's the justice system. And if they don't have the coins,
they have to sell assets or go bankrupt.

------
lin_lin
The freedom of unregulated money!

------
ganonm
Either the average blockchain startup is unbelievably amateurish re. security
or this was an inside job. I suspect the latter but the former does not
surprise me one bit.

~~~
kalleboo
Isn't most of the IT field unbelievably amateurish re. security? Just look at
the bi-monthly releases of user lists from major companies.

This is why I think wide adoption of cryptocurrency is a bad idea. Complete
computer security is nearly impossible (I want to say completely impossible
but I'll end up in an endless debate about single use offline computers
printing out paper wallets).

~~~
ganonm
I think this is a disingenuous argument. Yes, the vast majority of the IT field
are not experts, but if you don't hire one of these experts to secure your
system, a system which is aiming to raise $12m, then you shouldn't be
surprised when you get hacked.

Also, just because you're not an expert does not mean that you have any excuse
to be completely clueless and make stupid mistakes.

------
kin
Does Ethereum not have an escrow like Bitcoin where a 3rd party can confirm a
transaction first?

But also, if it's really as easy as replacing some arbitrary address with
another I'm surprised Coindash wasn't more careful.

~~~
DennisP
That's a simple contract, but...

If the ICO implements that, there's no protection from someone replacing the
ICO address.

If buyers use escrow contracts, they have to confirm their transactions before
the ICO closes, so for typical hard-capped ICOs you don't have much time to
verify things. When the crowdsale's website is displaying wrong information,
there's no other source, and the sale is rapidly approaching a hard cap on
contributions, there's not much you can do.

A better defense against this type of attack is to use the Ethereum Name
Service, and publish the address well in advance. It would also help to use
crowdsale structures that don't incentivize a mad rush, such as:

[http://www.blunderingcode.com/fairtokensales/](http://www.blunderingcode.com/fairtokensales/)

------
sharemywin
I wonder if a block chain could certify websites:

1. someone writes a url to the chain

2. others post a (url/hash/date time) of the output of the url

3. then people could post an image with their face and a blockchain address.
could be a form of ID.

~~~
52-6F-62
There are various groups working toward a blockchain id system including
Thomson Reuters[0], and a Microsoft/Philips-backed company Tierion[1] -- both
on the Ethereum public chain.

[0]
[https://blockoneid.thomsonreuters.com/](https://blockoneid.thomsonreuters.com/)

[1] [https://tierion.com/](https://tierion.com/)

------
sna1l
This underscores the need for legitimacy and best practices around ICOs. I
think CoinList (angellist company) will end up killing it in this space.

------
icoicoico
Waiting for their announcement, but this would be a great way to pull a quick
scam. Make a decent looking site promising a random piece of software that
seems legit, promote an ICO, set up a fake wallet, then when the ICO goes live
claim your site was "hacked" and points to a fake wallet you control. Grab a
few million and never have to actually write said piece of software.

------
arcaster
This was bound to happen at some point... It'll be interesting to see how low
the dip goes as a result of this ICO failure.

------
lloydde
> CoinDash's Token Sale page was tempered...

Now reads "tampered", but "tempered [sic]" would seem to have been appropriate
if really was the message sent to investors. Funny how the subheadline had the
typo before as well.

~~~
LyndsySimon
This is the sort of email you don't spend a lot of time spellchecking.

~~~
lloydde
Right, I was thinking more of the news site.

------
Dolores12
So you just got robbed. What law enforcement agency will you complain to? Gold
rush & Wild wild west.

------
handzhiev
Has anyone here played with "HYIPs" a few years ago? Stories with many ICOs are
so similar.

------
justusw
Could HTTP public key pinning have prevented this at least partially?

~~~
williamscales
Not necessarily, because the issue here is that the website containing the
address itself was altered. If an attacker can get access to the web server
then HTTP public key pinning does nothing to protect you.

What would have worked, however, would have been to pin the ICO address to the
blockchain in advance. Same concept.

------
imron
I should launch an ICO.

~~~
eugeneionesco
Yep

[https://motherboard.vice.com/en_us/article/evd5je/an-ethereu...](https://motherboard.vice.com/en_us/article/evd5je/an-ethereum-token-called-fuck-raised-dollar30000-in-30-minutes)

------
dsun176
Running a P2P-ICO over a centralised server. Good job coindash. That's exactly
what you deserved.

~~~
detaro
Do other ICOs do a better job distributing instructions?

EDIT: so, apart from posting the address across as many channels as possible,
and telling people to cross-check, what options are there? You could announce
addresses way beforehand and have them send ETH to the final address once you
release it, using that as a signal.
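
As an added example (not CoinDash's code, nor anything from the article), here is the cross-check that AsyncAwait, DennisP, williamscales and detaro describe above: accept the address a sale page shows only if independent channels pinned the same address before the sale opened. The channels, addresses, dates and HTML below are all constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Ethereum-style address: 0x followed by 40 hex digits.
ETH_ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")


@dataclass(frozen=True)
class Announcement:
    """One out-of-band announcement of the sale address (constructed channels)."""
    channel: str          # e.g. "ens", "pinned-tweet", "website"
    address: str
    published_at: datetime


def extract_addresses(html: str) -> set[str]:
    """Return every address found on the page, lowercased for comparison."""
    return {m.lower() for m in ETH_ADDR_RE.findall(html)}


def verify_sale_address(page_html: str, announcements: list[Announcement],
                        sale_opens: datetime, min_channels: int = 2) -> tuple[bool, str]:
    """Accept the page's address only if independent channels pinned it in advance.

    Passes when the page shows exactly one address and at least `min_channels`
    distinct channels announced that same address before the sale opened; a
    swap made during the sale window cannot retroactively produce an early pin.
    """
    shown = extract_addresses(page_html)
    if len(shown) != 1:
        return False, f"expected exactly one address on the page, found {len(shown)}"
    addr = next(iter(shown))
    confirming = [a for a in announcements
                  if a.address.lower() == addr and a.published_at < sale_opens]
    channels = {a.channel for a in confirming}
    if len(channels) < min_channels:
        return False, f"{addr} confirmed in advance by only {len(channels)} channel(s)"
    return True, f"{addr} confirmed in advance by {sorted(channels)}"


# --- constructed sample data: not real addresses, dates or announcements ---
LEGIT_ADDR = "0x" + "a1" * 20
SWAPPED_ADDR = "0x" + "f0" * 20
SALE_OPENS = datetime(2017, 7, 1, 12, 0, tzinfo=timezone.utc)

ANNOUNCEMENTS = [
    Announcement("ens", LEGIT_ADDR, datetime(2017, 6, 20, tzinfo=timezone.utc)),
    Announcement("pinned-tweet", LEGIT_ADDR, datetime(2017, 6, 21, tzinfo=timezone.utc)),
    # The website restating whatever it currently shows is not an independent
    # channel: a defaced page agrees with itself (sjbase's point above).
    Announcement("website", SWAPPED_ADDR, datetime(2017, 7, 1, 12, 5, tzinfo=timezone.utc)),
]

PAGE_INTACT = f"<p>Contribute by sending ETH to <code>{LEGIT_ADDR}</code></p>"
PAGE_DEFACED = f"<p>Contribute by sending ETH to <code>{SWAPPED_ADDR}</code></p>"


def run_checks() -> dict[str, bool]:
    """Evaluate both page states; returns {label: accepted?}."""
    return {
        "intact": verify_sale_address(PAGE_INTACT, ANNOUNCEMENTS, SALE_OPENS)[0],
        "defaced": verify_sale_address(PAGE_DEFACED, ANNOUNCEMENTS, SALE_OPENS)[0],
    }


if __name__ == "__main__":
    for label, ok in run_checks().items():
        print(f"{label}: {'ACCEPT' if ok else 'REJECT'}")
```

With a single announcement channel the intact page is also rejected, which is the point: one source, even an honest one, is not a cross-check.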

~~~
arcaster
Usually, companies conducting ICOs only release the block number in advance;
the smart contract address is generally released last, sometimes just hours
before the ICO start time.

------
imron
'hacked'

