
bokkypoobah / EthereumFoos

Licence: MIT license
A Curated List Of Costly Ethereum Mistakes To Learn From (WIP)


Ethereum Foos - A Curated List Of Costly Ethereum Mistakes To Learn From

Status: Just commencing work on this. Enter a GitHub issue if you have further information to include into this report.

This is a list of costly mistakes that have occurred in the Ethereum ecosystem, and some suggestions on how to mitigate the risk of this happening to you.

This page has not been created to attribute blame, as developers (myself included) build imperfect systems. It has been created to list some of the weak points in systems (including people and group processes) that need to be protected with additional care.

The Ethereum and cryptocurrency field is experimental, and care should be taken to minimise your chances of losing funds.

If you have improvements to this list, please submit a GitHub issue.






An Enigma

Aug 22 2017

User /u/AEonCIpher posted "Enigma ICO website hacked? address from enigma.co/presale already has 590+ ethereum deposited. Also getting announcements of open presale access on slack channel and email."

User /u/YYCExplorer added that the following message was posted by the phishers:

Hello All,

We are pleased with the enormous support we have gotten in the last couple of weeks, The Enigma team has decided to open the Pre-Sale to the public. The hard cap for this pre sale will be 20 Million. Please note that tokens will be calculated and distributed based on how much the Pre-Sale raises.

Ethereum address: 0x29D7d1dd5B6f9C864d9db560D72a247c178aE86B

And the address 0x29D7d1dd5B6f9C864d9db560D72a247c178aE86B shows that 1,492 ethers (4 lots of 373) were transferred out of this account.

According to the article "Here's one way hackers can be stopped from stealing millions in an initial coin offering", the cofounder and chief product officer of Enigma was quoted as saying this about the CoinDash hack (see below):

Hackers got into the backend of the site and changed the address...

Thus, investors sent their money to the wrong Ethereum address.

Hmmm.

And then the scammers came back for more with the following message posted on Slack (from "Enigma hackers have no shame"):

Clicking on the link took me to:

Clicking on "CLICK HERE TO VERIFY YOUR ADDRESS" reveals a text box for users to enter their private keys:


Losses

  • 1,492 ethers ~ USD 500k @ 341.4710 ETH/USD

How To Prevent This Happening To You

  • Crowdsale investors, don't respond to unofficial messages. Be aware that even the official website can be hacked, as has happened twice in about 2 months.

Further Information



What Crowdsale?

Aug 5 2017

User /u/White_sama posted "Eros was (obviously) a scam. I sure hope nobody here invested."

The link https://eros.vision/ now displays:

The link https://icobazaar.com/eros shows that the crowdsale raised 4,835,093.00 USD:

There was a warning Alert: EROS.vision ICO is a scam posted on Jul 4 2017.

The whitepaper was apparently copied from https://icobazaar.com/static/13fd64a514d4261422d424249b838172/464.pdf, but is now deleted:

One of the founders' LinkedIn account, https://www.linkedin.com/in/michael-carter-o-brien-a32432146, apparently:

One of the founders' GitHub account, https://github.com/kairan0215, contains 3 forked projects, dated May 5 2017, and no further activity:

And Eros placed a press release in Bitcoinist - http://bitcoinist.com/eros-openbazaar-sex-backpage-ico/:


Losses

  • 4,835,093.00 USD

How To Prevent This Happening To You

{TODO}


Further Information



Check Your Crowdsale Contract Parameters

Jul 31 2017

REXMls deployed their RexToken crowdsale contract to 0x99d439455991f7f4885f20c634c9a31918d366e5 with an incorrect vault address.

Ether contributions to the crowdsale contract were transferred to the incorrect vault address 0x03e4b00b607d0980668ca6e50201576b00000000, instead of the correct vault address 0x03e4b00b607d09811b0fa61cf636a6460861939f.

As no one has the private key for the incorrect address, the ethers are locked there forever.

REXMls has since deployed a new crowdsale contract to 0xf05a9382a4c3f29e2784502754293d88b835109c, this time sending the contributed funds to the correct vault, and they will migrate the token balances into a new token contract at the end of the crowdsale.


Losses


How To Prevent This Happening To You

  • Always triple check, and have separate individuals recheck, the parameters in your crowdsale contract before releasing the address to participants
  • If possible, send a contribution transaction of your own and check that the ethers reach the destination account correctly
  • If your crowdsale/token system is made up of several separate contracts, it is safer to use a script to extract the parameters from each contract and compare the values automatically
  • Develop and test your crowdsale contract well before the crowdsale commences, then allow sufficient time for the crowdsale contract code to be audited
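One way to automate the parameter cross-check recommended above, as an added example that is not part of the EthereumFoos list: the two vault addresses are the ones from the REXMls incident, while the per-contract readings are constructed stand-ins for what eth_call against each contract would return.

```python
# Added example, not code from the EthereumFoos page: cross-check the vault
# address recorded in each contract of a crowdsale deployment against the
# intended value before the contract address is announced.  The readings are
# constructed; in practice they would come from eth_call against each contract.
import re

ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

def normalise(addr):
    """Lower-case a hex address, raising if it is not 20 bytes of hex."""
    if not ADDRESS_RE.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()

def describe_diff(expected, observed):
    """None if the addresses agree, otherwise a note on how they differ."""
    e, o = normalise(expected), normalise(observed)
    if e == o:
        return None
    first = next(i for i in range(len(e)) if e[i] != o[i]) - 2  # skip "0x"
    notes = [f"diverges at hex position {first}"]
    zeros = len(o) - len(o.rstrip("0"))
    if zeros >= 8:  # a run of zero bytes often means a truncated or padded value
        notes.append(f"ends in {zeros} zero hex digits (truncated or padded?)")
    return "; ".join(notes)

def check_parameters(expected, readings):
    """expected: {param: value}; readings: {contract: {param: value}}.
    Returns (contract, param, observed, note) for every mismatching reading."""
    problems = []
    for contract, params in readings.items():
        for name, observed in params.items():
            if name in expected:
                note = describe_diff(expected[name], observed)
                if note:
                    problems.append((contract, name, observed, note))
    return problems

if __name__ == "__main__":
    # Vault addresses from the REXMls incident; the contract readings are constructed.
    EXPECTED = {"vault": "0x03e4b00b607d09811b0fa61cf636a6460861939f"}
    READINGS = {"first deployment": {"vault": "0x03e4b00b607d0980668ca6e50201576b00000000"},
                "redeployment": {"vault": "0x03e4b00b607d09811b0fa61cf636a6460861939f"}}
    for problem in check_parameters(EXPECTED, READINGS):
        print("MISMATCH:", *problem)
```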

Further Information



Hack With Unknown Vector

Jul 26 2017

Veritaseum founder claims USD 8 million in ICO tokens stolen. Here is the account that received the stolen tokens.


Losses

  • USD 8 million

How To Prevent This Happening To You

  • Vector unknown, but the hacked account is not a multisig account. This could perhaps have been avoided by using a hardware wallet like the Ledger Nano S or the Trezor.

Further Information



Even Commonly Used Software Can Have Costly Bugs

Jun 18 2016

A hacker found a vulnerability in the Parity Multisig wallet and stole ~ USD 32 million from 3 of these multisig wallets by exploiting it. The groups suffering losses from this hack were Edgeless, Swarm City and æternity.

The White Hat Group checked the 500+ wallets suffering from the same vulnerability and exploited this vulnerability to secure ~ USD 208 million before returning all the funds back to the original owners.


Losses

  • ~ USD 32 million

How To Prevent This Happening To You

  • Don't assume software is safe just because it is commonly used when you have to secure a large amount of funds. Check that you are using the correct version of the software, and that this software has been sufficiently checked, tested and audited

Further Information



Protect Your Crowdsale Website

Jun 18 2016

CoinDash prepared their crowdsale smart contracts and published the crowdsale contract address at the start of the crowdsale. A hacker replaced the crowdsale contract address with their own address 0x6a164122d5cf7c840d26e829b46dcc4ed6c0ae48 and, over the 20 minutes before the hack was discovered, this address collected 43,488 ethers (~ USD 7 million).


Losses

  • 43,488 ethers (~ USD 7 million)

How To Prevent This Happening To You

  • Crowdsale Projects
    • Your website becomes a high value target when the crowdsale contract address is published on it and will need to be protected with extra care.
    • Protect your DNS registrar account and your DNS entries
    • Monitor closely your website during the crowdsale period

Further Information



The Phishing Waves

May 2017

As crowdsales are becoming quite common in the Ethereum ecosystem, scammers keep inventing new ways to steal your cryptocurrency. Scammers will message you directly with URLs and contract addresses. Do not click on these links. Only use links and addresses from trusted sources, and always double check.


Slackbot Phishing

Following is an example of an official-sounding Slackbot message offering some free tokens and providing a link to a phishing website with the URL myethervvalet DOT com (note the vv instead of w):

Clicking on the link takes me to myethervvalet DOT com:

Clicking on the green padlock next to the URL in the web browser shows me the web site information:

The SSL certificate looks authentic enough (except for the spoofed domain name):

I copied and pasted the domain name into https://www.whois.com and this shows the website is registered to Protection of Private Person (which is a big warning sign):

A lot of cryptocurrency based crowdsale projects use Slack, and their administrators cannot stop these Slackbot messages from being broadcast to all their users. Apparently it may not be a high priority for the company providing the Slack service to shut down these Slackbot abuses, as these cryptocurrency projects do not pay for the Slack service.

Some of these projects are moving into more secure forum services like Discord.


A Phishing Account

Following is an account identified in EtherScan as a phisher's account 0x5b1a67c25ba691b251f39dde42bc7384e1c48814:

Following the trail of transactions shows the transfers to 0x39b2254d0cba73fb65f34fa6ccd4dad6d4c16e65, and this phisher has so far accumulated ~USD 50,000 in ethers and tokens:


Losses

Unknown


How To Prevent This Happening To You

  • Cryptocurrency users
    • Do not blindly click on web links in messages (Slack, Slackbots, Twitter, Reddit, ...) or emails sent to you
    • Carefully verify websites you visit
    • Bookmark your verified website
    • Access your verified website through your saved bookmarks
    • Do NOT blindly rely on autocompleted websites - if you have accessed a spoofed website in the past, your autocompletion may retrieve the spoofed website from your browser history
    • You can hover over a link to check the exact naming of the link at the bottom left of your browser
    • Use a hardware wallet like the Ledger Nano S or Trezor. These devices cost less than USD 100 and could save you a lot of losses.
  • Slack based projects
    • Consider Discord or services that are more secure than Slack
    • Rename your #general channel to #announcements, and only allow the project administrators to post to this #announcements channel.
    • Inform your users that all official announcements will be broadcast in the #announcements channel, and tell them to ignore all other messages.
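As an added example (not part of the original list), a small detector for look-alike domains such as myethervvalet DOT com, which both swaps "vv" for "w" and drops an "l" to keep the same length; the trusted-domain list and the sample hosts are constructed.

```python
# Added example, not code from the EthereumFoos page: flag domains that turn
# into a trusted domain after common look-alike substitutions, such as the
# "vv" for "w" in myethervvalet DOT com.  TRUSTED and the sample hosts are
# constructed; Unicode homoglyph (IDN) domains are out of scope here.

# (look-alike, genuine) substitutions seen in spoofed domain names
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t")]
TRUSTED = {"myetherwallet.com", "etherscan.io", "enigma.co"}

def registrable(host):
    """Last two labels of a host name, lower-cased (www.foo.com -> foo.com)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def skeleton(name):
    """Collapse confusable sequences so look-alikes map onto the same string."""
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name

def distance(a, b):
    """Levenshtein edit distance, to catch a dropped letter on top of a swap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """'trusted', 'lookalike:<trusted domain>' or 'unknown'."""
    dom = registrable(host)
    if dom in TRUSTED:
        return "trusted"
    for trusted in TRUSTED:
        if distance(skeleton(dom), skeleton(trusted)) <= 1:
            return f"lookalike:{trusted}"
    return "unknown"

if __name__ == "__main__":
    for host in ["myetherwallet.com", "www.myethervvalet.com",
                 "myetherwa11et.com", "example.org"]:
        print(host, "->", classify(host))
```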

Further Information



The Great DAO Hack

Jun 18 2016

The smart contracts The DAO was built on had vulnerabilities that led to the hack, the hard fork of the Ethereum blockchain and the return of funds to the original investors.


Losses

  • USD 70 million (at that time)

How To Prevent This Happening To You


Further Information



Don't Leave Your Ports Open

May 12 2016

Patrick, an Ethereum miner, opened up his Ethereum node's RPC connection to the world. A script was polling his RPC connection for a chance to move his ethers. When Patrick unlocked his account to execute a transaction, a hacker made off with 7,218 ethers during the 3 second window that the account was unlocked.


Losses

  • 7,218 ethers (~ USD 1.62 million @ Aug 2 2017)

How To Prevent This Happening To You

  • If you open up your Ethereum client ports to the Internet in a non-standard way, make sure you know what you are doing and take measures to protect it.

Further Information



Mismatch Of Private And Public Keys

Feb 8 2016

I was using the ethaddress.org software to generate a bulk list of paper wallets. I produced 80+ pairs of private and public keys.

Being paranoid, I tested each generated pair by importing the private key into geth using the command geth account import {privatekeyfile} and I found some of the generated public keys did not match.

So I created my first ever open source issue, #19 "Invalid public key / private key generated".

It turned out that a downstream library used by ethaddress.org had a bug that generated incorrect private and public key pairs - #14 "Update ethereumjs-tx dependency".


Losses


How To Prevent This Happening To You

  • Always test your new accounts before sending substantial amounts to them
    • Test by unlocking your private key in another client and checking the public key
    • Test by sending a small amount of ethers to your new account, then sending the ethers back to the originating account
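The cross-client check above can also be done offline. As an added example (not the ethaddress.org code or the page's own), the following re-derives the public key from a private key with reference secp256k1 arithmetic and compares it with what the generator reported; the demo key pairs are constructed.

```python
# Added example, not code from the EthereumFoos page: re-derive the public key from a
# private key with from-scratch secp256k1 arithmetic and compare it with what the key
# generator reported.  Demo pairs are constructed.  Needs Python 3.8+ (pow(x, -1, P)).
P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p, q):
    """Affine point addition; None stands for the point at infinity."""
    if p is None or q is None:
        return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, point):
    """Double-and-add scalar multiplication (reference code, not constant-time)."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result

def derive_public_key(private_key_hex):
    """Uncompressed public key 04 || X || Y as 130 lower-case hex characters."""
    k = int(private_key_hex, 16)
    if not 1 <= k < N:
        raise ValueError("private key must be in [1, n-1]")
    x, y = _mul(k, G)
    return "04" + format(x, "064x") + format(y, "064x")

def key_pair_matches(private_key_hex, reported_public_key_hex):
    """True when the reported public key is the one this private key controls."""
    reported = reported_public_key_hex.lower()
    reported = reported[2:] if reported.startswith("0x") else reported
    return derive_public_key(private_key_hex) == reported

if __name__ == "__main__":
    TWO_G = ("04c6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee5"
             "1ae168fea63dc339a3c58419466ceaeef7f632653266d0e1236431a950cfe52a")
    for priv, pub in [("02", TWO_G), ("01", TWO_G)]:  # second pair: constructed mismatch
        print(priv, "matches" if key_pair_matches(priv, pub) else "MISMATCH")
```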

Further Information



(c) BokkyPooBah / Bok Consulting Pty Ltd - Aug 2 2017. The MIT Licence.
