One of the problems with running an Initial Coin Offering (ICO) is that scammers are everywhere, trying to steal money from potential contributors. It is very important that you stay well informed about these attacks. This guide shows how we keep our contributors safe and is meant as a guide for other ICOs.
There are two main avenues to stealing ICO funds:
- Exploiting flaws in the Solidity smart contracts, or
- Tricking users into sending funds to a fake Ethereum contract address.
The best way to defeat #1 is to have solid, simple and well-tested smart contracts, audited by a third party. Maintaining the integrity of the ICO comes above everything else.
What security measures has CanYa utilised to prevent unwanted access?
Lock down EVERYTHING!
The most prudent approach is to create a totally new server environment, from scratch, used only for the ICO. A single person manages the whole setup, and every password is long and unique. Here are the specifics of what CanYa did for the CanYaCoin ICO:
- Create an entirely new environment with a single point of access.
- Use 2-factor authentication (2FA) with Google Authenticator. Do not use SMS 2-factor: scammers socially engineer phone companies into swapping your SIM card and then receive your codes.
- Disable phone-based security options (see above).
- Add recovery questions, but make the answers completely random (not your mother's maiden name) and write them down in a secure offline location.
- Give external services IAM credentials (not the root account), and use the policy editor to assign the least number of permissions required to make each one work.
We host a static site straight from an S3 bucket behind the CloudFront CDN: make sure the bucket is public read-only and nothing more! If you configure the AWS CLI tools with a separate, limited-permission IAM profile to update the bucket, also configure AWS to send automated emails and SMS whenever a file changes (S3 event notifications to an SNS topic, e.g. on index.html), so you know immediately if the site is modified without your knowledge.
Transfer your domain to a single registrar such as AWS, or, if the domain is locked down (i.e. it cannot be transferred yet), manage it from the existing registrar but change the password so there is only a single point of access. Lock transfers. Enable 2-factor with Google Authenticator. Write down the recovery codes.
Buy every other similar domain name, including look-alikes with confusable characters (for example, if you have an 'I' in your domain, buy all the combinations with it swapped for 'l').
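One way to enumerate the look-alike names worth registering (or at least monitoring), as an added example that is not part of the original post: the page's own case is the 'I'/'l' swap, and this generalises it to a small table of confusable characters (the table itself is an assumption; extend it with whatever your brand name contains). The TLD is left alone and every subset of swappable positions is combined, with a cap so a long name cannot explode into millions of variants.

```python
"""Enumerate look-alike domain names to register or monitor.
Added example, not CanYa's own tooling."""
from itertools import product

# Characters a reader confuses on a small screen (assumed table).
CONFUSABLES = {
    "i": ["l", "1"],
    "l": ["i", "1"],
    "1": ["l", "i"],
    "o": ["0"],
    "0": ["o"],
}


def lookalike_domains(domain, table=CONFUSABLES, max_variants=10000):
    """Return every domain obtained by swapping any subset of the confusable
    characters in the name (the TLD is left alone), excluding the original.
    Raises ValueError if the combinatorial set would exceed max_variants."""
    name, dot, tld = domain.lower().rpartition(".")
    if not dot:
        raise ValueError("expected a dotted domain name")
    # For each character: itself plus any confusable replacements.
    choices = [[ch] + table.get(ch, []) for ch in name]
    total = 1
    for options in choices:
        total *= len(options)
    if total > max_variants:
        raise ValueError(f"{total} combinations exceeds max_variants={max_variants}")
    variants = {"".join(combo) + dot + tld for combo in product(*choices)}
    variants.discard(domain.lower())
    return sorted(variants)


if __name__ == "__main__":
    # Constructed sample: a hypothetical sub-domain of the real site.
    for candidate in lookalike_domains("ico.canya.io"):
        print(candidate)
```

The output is the list to hand to your registrar; anything you choose not to buy should go on a watch list, because the same list is what a phisher will try first.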
Enable 2-factor on, and harden, your personal Apple accounts as well. Never save any account passwords in Safari or Google Chrome.
For your Google accounts, enable 2-factor using Google Authenticator. To do this, first add SMS 2-factor, then in the 2-factor menu enable Google Authenticator, then disable SMS. Write down the recovery codes. If you are the admin, enforce 2-factor for everyone. Set up proper SPF and DKIM DNS records for your custom domain(s).
On your mailing-list provider (Mailchimp in our case), enable 2-factor (bonus: you get a 10% discount!) and enforce it for all users. Only give out low-level permissions such as 'Author' to those who need them: this stops a compromised account from sending mail or exporting your email list.
Set up proper SPF and DKIM TXT records so your mail is properly authenticated on your own domain (don't rely on the default Mailchimp or SendGrid ones). Use SPF "-all" for a hard-fail policy so that unauthorised mail is rejected (a lot of online guides are wimpy and use "~all" for soft fail. Don't be a wimp!). Our record:
"v=spf1 include:servers.mcsv.net include:_spf.google.com -all"
Bonus points: add a default "reject all" SPF record on all the domains you bought up that you don't use for sending mail, so they cannot be used for spoofing either:
"v=spf1 -all"
Not many people know about this, but a DMARC TXT record on your domain tells receiving mail servers how to treat mail that fails SPF or DKIM authentication for your domain. You can start with p=none (report only) and work up through p=quarantine to p=reject. This makes it much easier for Gmail and the other big providers to send phishing mail straight to spam.
If you enforce a full reject policy you may even see a golden key icon next to your mail in Gmail (like you see with PayPal etc.) once enough authenticated mail has gone through for them to work out you're legit. It's best to start with p=none, read the reports, then gradually tighten up to reject. Not all mail receivers support DMARC, but Gmail and the other big ones do. Example of the canya.io TXT entry at the time of writing:
"v=DMARC1; p=reject; rua=mailto:email@example.com"
Google the details on how to set this up, and test it thoroughly: use an online spoofing test service to check that your legitimate mail (including the Mailchimp campaigns) still passes while forged mail is binned. The main pitfall at p=reject is alignment: mail from a bulk sender passes DMARC only if it is DKIM-signed with your own domain or sent from an envelope domain covered by your SPF, so switch on the custom-domain DKIM in your mailing provider before tightening the policy.
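A small linter for the two records above, as an added example that is not part of the original post: it parses an SPF TXT string and flags anything short of a hard "-all" (and more than the ten DNS-lookup terms RFC 7208 allows), and parses a DMARC TXT string and flags a policy below p=reject, a missing rua= reporting address, or a pct= below 100. It works on the record strings only, so it runs offline; resolving the TXT records from DNS is left to whatever tool you already use. The two sample records are the ones quoted on this page.

```python
"""Lint SPF and DMARC TXT records against a hard-fail / reject policy.
Added example, not CanYa's code; operates on record strings only."""
import re

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(a|mx|ptr|include|exists|redirect)(?=[:=/]|$)", re.I)
_ALL_TERM = re.compile(r"^([+\-~?]?)all$", re.I)


def parse_spf(record):
    """Split an SPF TXT record into its mechanisms and the final 'all'
    qualifier ('-', '~', '?', '+', or None if the record has no 'all')."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "mechanisms": [], "all": None}
    mechanisms, qualifier = [], None
    for term in terms[1:]:
        m = _ALL_TERM.match(term)
        if m:
            qualifier = m.group(1) or "+"   # bare 'all' means '+all'
        else:
            mechanisms.append(term)
    return {"valid": True, "mechanisms": mechanisms, "all": qualifier}


def spf_findings(record):
    """Return a list of problems; an empty list means a hard-fail record."""
    spf = parse_spf(record)
    if not spf["valid"]:
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    if spf["all"] is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif spf["all"] != "-":
        findings.append(f"'{spf['all']}all' is not a hard fail; use '-all'")
    lookups = sum(1 for t in spf["mechanisms"] if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceeds the RFC 7208 limit of 10")
    return findings


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record):
    """Return a list of problems; empty means p=reject with reporting on."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy != "reject":
        findings.append(f"p={policy}: spoofed mail is not rejected yet")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only {tags['pct']}% of mail")
    return findings


if __name__ == "__main__":
    # The two records quoted on this page, then a typical "wimpy" one.
    print(spf_findings('"v=spf1 include:servers.mcsv.net include:_spf.google.com -all"'))
    print(dmarc_findings('"v=DMARC1; p=reject; rua=mailto:email@example.com"'))
    print(spf_findings("v=spf1 include:_spf.google.com ~all"))
```

Run it over every domain you own, including the parked look-alikes: a parked domain with no SPF or DMARC at all is exactly what a phisher wants.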
CanYa decided not to use this, as it's a scammers' paradise.
Set up a channel for announcements. For an active community, set up a group and convert it to a supergroup. Add other admins, but only with limited permissions, and 2-factor your login. We created an anti-scam bot to add to the group: it matches messages against a regular expression for an Ethereum address and warns users when somebody posts a fake one.
The scam bot was built as follows:
- Create a bot with the Telegram BotFather. Disable privacy mode so it can read all group messages. Give it a name, description and image.
- Write an AWS Lambda function in Python that reads the incoming Telegram webhook update (specifically "message" → "text") and checks it against a regular expression for an Ethereum contract address. If one is found, it takes the message id and calls the Telegram sendMessage API to reply with "Danger…".
- Create a POST endpoint with AWS API Gateway, attach the Lambda function and deploy it. Copy the HTTPS endpoint URL (the AWS-generated one is fine).
- Call the Telegram setWebhook API with your endpoint URL and allowed_updates = ["message"]. Telegram will then fire an update at your API every time the bot hears a group message (consider allowing "edited_message" as well, otherwise a scammer can post a harmless message and edit the fake address into it afterwards). Make sure your endpoint returns 200 OK to acknowledge each update, otherwise Telegram keeps retrying it.
- Add the bot to the group and give it limited admin rights. Enjoy! It is essentially free to operate, since Lambda and API Gateway are so cheap (probably within the free tier).
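The Lambda side of that procedure, as an added example that is not CanYa's original function: an API Gateway proxy-integration handler that parses the Telegram update, scans the message text (and photo captions, and edited messages) for anything shaped like an Ethereum address, and replies in the group when it finds one. It goes one step beyond the description above by comparing each address against the official contract address rather than warning on every address. The official address and bot token are placeholders read from the environment (an assumption), the sender is injectable so the handler can be exercised without touching the network, and the handler always returns 200 so Telegram never redelivers an update.

```python
"""AWS Lambda handler for a Telegram anti-scam bot behind an API Gateway
POST endpoint that Telegram's setWebhook points at. Added example; the
official address and token are placeholders taken from the environment."""
import json
import os
import re
import urllib.request
from urllib.parse import urlencode

# Any 20-byte hex string looks like an address; a contract address is one too.
ETH_ADDRESS = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
# Placeholders (assumption): set both in the Lambda environment in production.
OFFICIAL_ADDRESS = os.environ.get("OFFICIAL_CONTRACT_ADDRESS", "0x" + "0" * 40).lower()
BOT_TOKEN = os.environ.get("TELEGRAM_BOT_TOKEN", "")


def classify(text):
    """Find address-like strings in a message; 'fake' lists those that
    differ from the official contract (compared case-insensitively)."""
    found = ETH_ADDRESS.findall(text or "")
    fake = sorted({a for a in found if a.lower() != OFFICIAL_ADDRESS})
    return {"addresses": found, "fake": fake}


def warning_text(fake):
    return ("Danger: this message contains an Ethereum address that is NOT the "
            "official CanYaCoin contract: " + ", ".join(fake) +
            ". Do not send funds to it.")


def send_message(chat_id, text, reply_to_message_id):
    """Reply in the group via Telegram's sendMessage API (does network I/O)."""
    url = f"https://api.telegram.org/bot{BOT_TOKEN}/sendMessage"
    body = urlencode({"chat_id": chat_id, "text": text,
                      "reply_to_message_id": reply_to_message_id}).encode()
    with urllib.request.urlopen(url, data=body, timeout=5) as resp:
        return resp.status


def handler(event, context=None, send=send_message):
    """Lambda proxy-integration entry point. Always answers 200 so Telegram
    counts the update as acknowledged and does not redeliver it."""
    try:
        update = json.loads(event.get("body") or "{}")
    except json.JSONDecodeError:
        return {"statusCode": 200, "body": "ignored: bad json"}
    # Scan edited messages too, or a scammer edits the address in after posting.
    msg = update.get("message") or update.get("edited_message") or {}
    text = msg.get("text") or msg.get("caption") or ""
    verdict = classify(text)
    if verdict["fake"] and "chat" in msg:
        send(msg["chat"]["id"], warning_text(verdict["fake"]), msg.get("message_id"))
        return {"statusCode": 200, "body": "warned"}
    return {"statusCode": 200, "body": "ok"}


def sample_event(text, chat_id=-100123, message_id=7):
    """Constructed API Gateway event carrying a Telegram group message."""
    update = {"update_id": 1, "message": {"message_id": message_id,
              "chat": {"id": chat_id, "type": "supergroup"}, "text": text}}
    return {"httpMethod": "POST", "body": json.dumps(update)}


if __name__ == "__main__":
    # Dry run with a stubbed sender so nothing hits the network.
    print(handler(sample_event("Send ETH to 0x1111111111111111111111111111111111111111 now!"),
                  send=lambda chat, text, reply: print("would send:", text)))
```

Two limits worth knowing: the regex only sees text, so an address posted as an image is invisible to it (which is why the bot is a complement to, not a substitute for, a fixed and widely published contract address), and a bot that is not an admin only sees group messages when privacy mode is off, as described above.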
It's worth the money to buy an EV certificate. Registering your company for a DUNS number makes the validation a little easier. Anticipate authorisation taking several days. Once you receive the certificate, import it into AWS Certificate Manager and attach it to your CloudFront distribution: instant green bar.
If people are used to seeing the green bar (which is a huge pain to get!), it makes a scammer's job slightly harder when faking your website. Plus it looks cool and gets you +1 cred. Be aware, though, that mainstream browsers have since stopped showing a distinct EV indicator in the address bar, so don't make it your only anti-phishing signal.
Use a CanYa Ledger if you can get your hands on one (or buy a normal Ledger if you cannot). Write down your 24-word backup in a secure offline location. All transactions are signed on the device and your private keys are never exposed to the computer. They are brilliant — worth every cent.
Multisigs are hugely important for a secure team wallet. Although there was a recent bug in Parity's multisig wallet, CanYa still considers them essential for ICO fund management. At the time of writing, Gnosis has an awesome multisig.
Publish Contract Address?
There are a few decisions to make about when and where to publish the ICO contract address. Our contract address is available on Etherscan, and we plan to use only an ENS name for our primary ICO. The contract has a start block and an end timestamp as its time limits. We decided to do this instead of a last-minute reveal, as that seems to be a scammers' paradise, with every scammer in the world posting fake contracts in the channels.
Final word on security
There have been a wide range of exploits, bugs and scams in the creation of smart contracts and the deployment of Initial Coin Offerings. CanYa has taken all of the steps listed above to ensure we don't join that list.
Like the sound of CanYa?
- Contribute to the CanYaCoin ICO here: https://sale.canya.io
For all the latest news and updates follow us here:
- Telegram Announcements: https://t.me/canyacoin
- Telegram Community: https://t.me/CanYaCommunity
- Website: https://canya.io
- Twitter: https://twitter.com/canyacoin
- LinkedIn: https://au.linkedin.com/company/canya
- Facebook: https://www.facebook.com/CanYaCoin/
- Hello World Blog: CanYaCoin – An ICO with a mature product, not a hopeful idea