Another day, another crypto hack.
About two weeks ago, KICKICO revealed that 70 million KICK tokens had been pilfered by a hacker at a value of around $7.7 million – peanuts in the ICO hacking space.
On July 26th, KICKICO said the security breach had been uncovered when the team received complaints from several victims who reported that tokens worth $800,000 were missing from their wallets. The company stated that the attackers gained access to the private key of the owner of the KickCoin smart contract and used the Bancor integration to hide their tracks.
“… hackers destroyed tokens at approximately 40 addresses and created tokens at the other 40 addresses in the corresponding amount. As a result, the total number of tokens in the network has not changed. But thanks to the rapid response of our community and our coordinated team work, we were able to regain control over the tokens and prevent further possible losses by replacing the compromised private key with the private key of the cold storage.”
KICKICO stated at that time:
“KICKICO guarantees to return all tokens to KickCoin holders. We apologize for the inconveniences, but claim that the situation is under control.”
Alexander Spirin, Head of Community at KICKICO, said they appreciate all of the ongoing support of the KICKICO community which “encouraged us to set our goals even higher.”
They also added that demand for the coin had surged, driving the value higher, at one point by over 45%. Since then, KickCoin has bounced around a bit and currently holds a market cap of around $34 million.
But could all of this have been avoided? CI reached out to Dan Rice, co-founder and CTO of SageWise, the ICO / blockchain smart contract dispute layer service. Rice is very active in the crypto space. Speaking about the KICKICO hack, Rice shared this with CI:
“We’re seeing this more and more now. Many ICO smart contracts, like this one, have a special admin mode,” explained Rice. “We call this irresponsible admin interfaces. There was no bug exploited in the smart contract, but on top of this decentralized network, the token was built with what computer science often calls a ‘back door’.”
Not so Immutable?
Rice pointed to this etherscan page to buttress his statement.
He added that one Ethereum account is designated the “owner” of this smart contract and can do special things.
“In this case the ‘owner’ account is able to mint new tokens without seeking permission from anyone else,” added Rice. “Sagewise is proposing that not only should people think about how they can recover from a smart contract failure, but contract writers should also build responsible controls that do not destroy the decentralization properties. In this case a single account has special root permission and this single account was compromised, giving the attacker super powers within the smart contract.”
Rice said that by using their framework, a single account would not need root access like this because they provide a layered approach to single contract governance – as opposed to the back door approach.
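To make Rice's point concrete, here is an added example (not KICKICO's contract and not Sagewise's framework) showing the single-owner mint pattern he describes next to a hypothetical hardened variant in which a mint only executes once a threshold of distinct signer keys has approved it; contract and function names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// The pattern Rice describes: one "owner" key can mint at will, so stealing that
// single key hands the attacker full control of the supply.
contract SingleOwnerToken {
    address public owner = msg.sender;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    function mint(address to, uint256 amount) external {
        require(msg.sender == owner, "not owner"); // one key is the whole control
        balanceOf[to] += amount;
        totalSupply += amount;
    }
}

// Hardened variant (hypothetical, not KICKICO's code): a mint executes only once
// a threshold of distinct signer keys has approved it, so one stolen key cannot mint.
contract ThresholdMintToken {
    struct Proposal { address to; uint256 amount; uint256 approvals; }
    mapping(address => bool) public isSigner;
    uint256 public immutable threshold;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    Proposal[] public proposals;                                   // id = array index
    mapping(uint256 => mapping(address => bool)) public hasApproved;
    constructor(address[] memory signers, uint256 k) {
        require(k > 1 && k <= signers.length, "bad threshold");
        for (uint256 i = 0; i < signers.length; i++) {
            require(signers[i] != address(0) && !isSigner[signers[i]], "bad signer");
            isSigner[signers[i]] = true;
        }
        threshold = k;
    }
    modifier onlySigner() { require(isSigner[msg.sender], "not signer"); _; }
    function proposeMint(address to, uint256 amount) external onlySigner {
        proposals.push(Proposal(to, amount, 0)); // recorded only, nothing minted yet
    }
    // Each signer approves at most once; the k-th approval performs the mint.
    function approveMint(uint256 id) external onlySigner {
        Proposal storage p = proposals[id];
        require(p.approvals < threshold && !hasApproved[id][msg.sender], "done or duplicate");
        hasApproved[id][msg.sender] = true;
        p.approvals += 1;
        if (p.approvals == threshold) {
            balanceOf[p.to] += p.amount;
            totalSupply += p.amount;
        }
    }
}
```

With the threshold variant, compromising one signer's key lets the attacker propose and cast one approval, but the mint never executes without the remaining signers, which is the layered control Rice contrasts with the back door.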
KICK Coin is traded on 10 exchanges. The platform states it has launched more than 30 projects, successfully completing their ICOs and raising more than 300,000 ETH in total funds. KickCoin has recently been listed on the Singapore-based cryptocurrency exchange CoinBene. Their forthcoming airdrop has been pegged at distributing around $40 million tokens.