Vulnerability statistics: only one ICO held in 2017 without any security flow

Auditors pointed out, that typically weaknesses include non-compliance with ERC20 standard, incorrect random number generation and inaccurate scoping. According to the researchers, the reasons for vulnerabilities to occur are lack of programming expertise and insufficient source code testing.

Investigations also demonstrate that all the mobile apps of corresponding ICOs contained security vulnerabilities. The number of those was more significant than of ICO web applications. Among security flaws found in mobile apps were insecure data transfer, saving the user data in phone backups and unveiled session IDs.

All the vulnerable points could be used by hackers to initiate an attack. Security flaws in web apps included accessible, sensitive information on the server, insecure data transfer, and others.

Auditors claim that ICO initiators did not always register social media accounts of the project, and all versions of ICO domain, thus making another possibility for attacks and fraud. The ICO leaders did not always enable two-level authentication on the accounts, making it easier for hackers to take the wallets with funds under control.