$7 million KICKICO hack: Smart contracts continue to be weak points

Posted: 30 July 2018 1:51 pm
News

Where there's a will, there's a way in.

The KICKICO (KICK) platform was hacked and about 7.7 million dollars' worth of user tokens were stolen on 26 July.

In this case, the thieves managed to get their hands on the private keys of the KickCoin smart contract owner and used their access to destroy tokens in about 40 different wallets and to make the same amount reappear in other locations.

Once alerted to the theft, KICKICO replaced the compromised smart contract private key with the private key already being used for cold storage.

The ever-present risk of hacks, coupled with the absence of formal crypto-cybersecurity requirements, has seen a series of best practices evolve. But new projects will be exposed to new risks, and smart contracts in particular open up a new set of potential issues.

The problem might have been avoided at several stages:

  • The hack would have been stopped if the thieves hadn't been able to get the smart contract owner's private keys. It's still not clear how they did so, but spear phishing can be a remarkably effective way to target a specific individual with malware such as a keylogger.
  • The hack would also have been stopped if the thieves hadn't been able to access the smart contract, even with the owner's private keys. Utilising 2-factor authentication might have prevented the hack, or at least made it much more difficult.
  • The hack could have been stopped if the contract itself hadn't been able to perform any functions which could be used for theft. In this case, the contracts should not have had the ability to destroy and create tokens. Assuming the functionality wasn't deliberate, this might have been prevented with thorough smart contract auditing.
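As an added illustration (not KickCoin's code, and not from the original article), the pair of contracts below shows the risky pattern the bullets describe, a single owner key that can burn from any holder and mint anywhere, beside a hardened version where privileged minting needs 2-of-3 signer approvals and burning is limited to the caller's own balance. Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Risky pattern: one owner key controls both destruction and creation of tokens.
// Whoever holds that key can drain any holder and recreate the balance elsewhere.
contract SingleOwnerToken {
    address public owner = msg.sender;
    mapping(address => uint256) public balanceOf;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    function mint(address to, uint256 amt) external onlyOwner { balanceOf[to] += amt; }
    function burnFrom(address from, uint256 amt) external onlyOwner { balanceOf[from] -= amt; }
}

// Hardened pattern: minting requires approvals from 2 of 3 independent signers,
// so a single stolen key is not enough, and there is no privileged burnFrom at all.
contract GuardedToken {
    mapping(address => uint256) public balanceOf;
    address[3] public signers;                       // constructed example signer set
    mapping(bytes32 => mapping(address => bool)) private approvedBy;
    mapping(bytes32 => uint8) public approvals;
    mapping(bytes32 => bool) public executed;
    uint8 public constant THRESHOLD = 2;

    constructor(address[3] memory s) { signers = s; }

    function isSigner(address a) public view returns (bool) {
        for (uint256 i = 0; i < 3; i++) if (signers[i] == a) return true;
        return false;
    }
    // Each signer approves one specific (to, amount, nonce) proposal from their own key.
    function approveMint(address to, uint256 amt, uint256 nonce) external {
        require(isSigner(msg.sender), "not signer");
        bytes32 id = keccak256(abi.encode(to, amt, nonce));
        require(!approvedBy[id][msg.sender], "already approved");
        approvedBy[id][msg.sender] = true;
        approvals[id] += 1;
    }
    // Anyone may execute once the threshold is met; the nonce prevents replay.
    function executeMint(address to, uint256 amt, uint256 nonce) external {
        bytes32 id = keccak256(abi.encode(to, amt, nonce));
        require(!executed[id], "already executed");
        require(approvals[id] >= THRESHOLD, "need more approvals");
        executed[id] = true;
        balanceOf[to] += amt;
    }
    // Holders can only destroy their own tokens (underflow reverts in 0.8+).
    function burn(uint256 amt) external { balanceOf[msg.sender] -= amt; }
}
```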

"Similar to the other ICO breaches we've seen recently like Bancor, this could have been prevented if the smart contracts were audited," says Yo Kwon, CEO and founder of the Hosho blockchain cybersecurity firm. "KICKICO’s hack exploits a weakness that always existed with their smart contracts and ICOs need to give those who interact with them confidence in their security practices.

"In addition to discovering security vulnerabilities, Hosho’s smart contract audits indicate whether or not a risk such as this exists as it is a liability to investors and exchanges. Any large source of funds or access to powerful smart contracts should at the minimum be using multi-signature verification."

In the aftermath, KICKICO has said the problem is solved and has promised to refund all affected users.

Wherever there's more than one step to potentially prevent or reduce the chance of theft, it might be worth taking all of them.


Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VET, XLM, BTC and ADA.

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.

Picture: Shutterstock