from Hacker News

CoinDash’s ICO Website Has Been Hacked

by seansoutpost on 7/17/17, 2:11 PM with 239 comments

  • by jamespitts on 7/17/17, 4:45 PM

    Important information related to this incident:

    1. CoinDash did not publish the address of the contract in advance of the ICO:

    https://www.reddit.com/r/ethereum/comments/6nsy6x/coindash_w...

    2. Allegedly, CoinDash ignored issues brought up by a software contractor / code reviewer:

    https://www.reddit.com/r/ethtrader/comments/6nrxk5/never_mis...

    > In reviewing their crowdsale code, I found multiple bugs and many errors. I've been ignored since I brought up the problems with the CoinDash team three days ago.

  • by nikolay on 7/17/17, 2:42 PM

    Where's the news?! Why do people continue to bang heads against the wall with this madness? Unless you're a thief, how is the craptocurrency thing better than my credit card that's insured from unauthorized use and gives me cash back?! Yeah, you can't speculate with credit cards, and get rich quick, because $1 = $1 like forever, but isn't that what the real investment tools are for?
  • by fokinsean on 7/17/17, 2:42 PM

    That's a bummer since Coindash appears to have an MVP and a reasonable funding cap of $12MM. I wouldn't wish this on anyone, but it's unfortunate it didn't happen to one of the scammy ICOs instead.

    On a side note showcasing the ridiculousness of some of these ICOs, [1]"Useless Ether Token" (UET) raised around $45k and literally doesn't do anything.

    [1]: https://coinmarketcap.com/assets/useless-ethereum-token/

    https://uetoken.com/

  • by albertgoeswoof on 7/17/17, 2:38 PM

    No problem, just hardfork and start again
  • by buryat on 7/17/17, 4:35 PM

    I tend to believe that it was a scam because they refused to disclose the contract beforehand and there were some people claiming that it's a scam a few months before [1].

    [1] https://bitcointalk.org/index.php?topic=1905500.0

  • by mcherm on 7/17/17, 2:36 PM

    Where does the amount in the title ("45k ether") come from? I didn't see that in the article.

    EDIT: Apparently from https://etherscan.io/address/0x6a164122d5cf7c840D26e829b46dC... , which is something I don't have the depth of knowledge to assess for myself.

  • by option_greek on 7/17/17, 2:39 PM

    I don't understand how any of these ICO companies are valued so high. If they had to raise this 12mil from VC/PE would they still be valued the same?
  • by free_everybody on 7/17/17, 6:22 PM

    Please please PLEASE do not buy into these ICOs. Nothing but vapor, I promise you. Crypto is going to crash SO hard if people keep giving these ICO scammers millions of dollars for each slick marketing campaign they can spin up.
  • by ty_a on 7/17/17, 2:43 PM

    For anyone wondering, 45k ETH is about 7.65M USD.
  • by discombobulate on 7/17/17, 3:00 PM

    Token sales are risky. What do people expect? Guaranteed thousands-of-percent returns.

    At this point, it probably takes good judgement to make money in crypto. You can't just throw fiat at anything & expect to walk away rich.

    One of the reasons criminals are all over crypto is because they're valuable.

    When Willie Sutton was asked why he robbed banks he replied: 'Because that's where the money is'.

    I'd say caveat emptor.

  • by SirensOfTitan on 7/17/17, 3:02 PM

    The full title on the link is: "Breaking: CoinDash’s Token Sale (ICO) Website Has Been Hacked." This submission is disingenuous at best, as it implies the ICO contract was hacked: someone hacked the webpage and changed the token sending address.

    Edit: Looks like the title was updated. :)

  • by AsyncAwait on 7/17/17, 2:36 PM

    This seems to be the same problem that many open-source projects have, where the md5 hash to verify your download is at a single (often the same) location.

    One possible solution would be to use a Twitter pinned tweet to also announce the address, however it's questionable how many people would actually cross-check.
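
The cross-check suggested in the comment above, as an added example that is not part of the original thread: it compares the address published on several independently controlled channels and refuses to return one unless they all agree. The channel names, the sample addresses and the quorum policy are assumptions made for illustration.

```python
import re
from collections import Counter

ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")  # Ethereum-style address

# Constructed sample data: the text each channel currently shows.
# Both addresses are made up for this example.
GOOD = "0x" + "ab12" * 10
EVIL = "0x" + "cd34" * 10
CHANNELS = {
    "website": f"<p>Send ETH to <code>{EVIL}</code></p>",
    "pinned_tweet": "Token sale address: 0x" + "AB12" * 10,
    "mailing_list": f"The contribution address is {GOOD}.",
}


def extract_addresses(text):
    """Distinct addresses found in text, lower-cased for comparison."""
    return {m.lower() for m in ADDR_RE.findall(text)}


def cross_check(channels, quorum=2):
    """Return (address, problems); address is None unless every channel
    publishes exactly one address, all agree, and at least `quorum` did."""
    problems, seen = [], {}
    for name, text in channels.items():
        addrs = extract_addresses(text)
        if len(addrs) == 1:
            seen[name] = addrs.pop()
        else:
            problems.append(f"{name}: expected 1 address, found {len(addrs)}")
    votes = Counter(seen.values())
    if len(votes) > 1:
        majority = votes.most_common(1)[0][0]
        problems += [f"{n}: publishes {a}, others publish {majority}"
                     for n, a in seen.items() if a != majority]
    if len(seen) < quorum:
        problems.append(f"only {len(seen)} usable channel(s), need {quorum}")
    return (None, problems) if problems else (votes.most_common(1)[0][0], [])


if __name__ == "__main__":
    address, problems = cross_check(CHANNELS)
    print(address or "DO NOT SEND", problems)
```

The check only helps if the channels are administered separately; if one compromised account can edit all of them, agreement proves nothing.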

  • by SomeStupidPoint on 7/17/17, 2:35 PM

    So it was their website that got hacked, not their cryptocurrency widget (or whatever the appropriate term is)?

    I mean, not unexpected: hit the softest part of the chain, which in this case seems to be a webserver rather than the crypto/contract. Just trying to make sure my understanding is correct.

  • by dvcc on 7/17/17, 2:36 PM

    'Hacked' - or just stolen. Who could ever know in crypto-land? I am sure the ICO contract had something about lost coins in it as well.
  • by lin_lin on 7/17/17, 3:01 PM

    The freedom of unregulated money!
  • by ganonm on 7/17/17, 2:46 PM

    Either the average blockchain startup is unbelievably amateurish re. security or this was an inside job. I suspect the latter but the former does not surprise me one bit.
  • by kin on 7/17/17, 2:55 PM

    Does Ethereum not have an escrow like Bitcoin where a 3rd party can confirm a transaction first?

    But also, if it's really as easy as replacing some arbitrary address with another, I'm surprised Coindash wasn't more careful.

  • by sharemywin on 7/17/17, 2:59 PM

    I wonder if a block chain could certify websites:

    1. someone writes a url to the chain

    2. others post a (url/hash/date time) of the output of the url

    3. then people could post an image with their face and a blockchain address. could be a form of ID.

  • by sna1l on 7/17/17, 4:57 PM

    This underscores the need for legitimacy and best practices around ICOs. I think CoinList (AngelList company) will end up killing it in this space.
  • by icoicoico on 7/17/17, 3:34 PM

    Waiting for their announcement, but this would be a great way to pull a quick scam. Make a decent-looking site promising a random piece of software that seems legit, promote an ICO, set up a fake wallet, then when the ICO goes live claim your site was "hacked" and points to a fake wallet you control. Grab a few million and never have to actually write said piece of software.
  • by arcaster on 7/17/17, 2:36 PM

    This was bound to happen at some point... It'll be interesting to see how low the dip goes as a result of this ICO failure.
  • by lloydde on 7/17/17, 2:51 PM

    > CoinDash's Token Sale page was tempered...

    Now reads "tampered", but "tempered [sic]" would seem to have been appropriate if it really was the message sent to investors. Funny how the subheadline had the typo before as well.

  • by Dolores12 on 7/18/17, 9:51 AM

    So you just got robbed. What law enforcement agency will you complain to? Gold rush & Wild wild west.
  • by handzhiev on 7/17/17, 7:07 PM

    Has anyone here played with "HYIPs" a few years ago? Stories with many ICOs are so similar.
  • by justusw on 7/17/17, 4:34 PM

    Could HTTP public key pinning have prevented this at least partially?
  • by imron on 7/17/17, 3:19 PM

    I should launch an ICO.
  • by dsun176 on 7/17/17, 2:37 PM

    Running a P2P-ICO over a centralised server. Good job coindash. That's exactly what you deserved.
  • by imron on 7/17/17, 2:37 PM

    'hacked'