In token sales, sometimes called “initial coin offerings,” or ICOs, millions in cryptocurrency can change hands quickly. That attracts scammers and hackers looking to intercept funds, but token sale promoters so far have not taken a security step highlighted by one of the worst token sale scams to date.

On Monday, July 17, Israeli portfolio management startup CoinDash was the victim of a 10 million USD heist when an unidentified hacker posted a fraudulent contract address on the token sale website, resulting in buyers sending a total of 43,500 ETH to the fake address.

In a blow-by-blow account, Alon Muroch, chief executive of Israel-based CoinDash, described how the project’s developers waited until the last minute to publish the smart-contract address where buyers could send funds. Once the sale opened to the general public, a hacker took over the CoinDash website, replacing the legitimate address with a fraudulent one.

In a Reddit forum on the CoinDash hacking, many expressed dismay that the contract address was not publicly shared well before the sale, with some posting that sales that do not release addresses early should be avoided altogether.

As of Friday, out of nine token sales opening in the coming seven days, none had yet publicized its smart contract address in advance. Token Report combed through the websites, Slack channels and social media of all nine that we have listed on the Token Tracker; we have not been able to find contract addresses published anywhere for any of the sales. The token sales are: Filecoin, Tierion, Ziber, Investfeed, PAquarium, Everex, Propy, Rivet and SLOGN.

Coding at the 11th hour

Two out of the nine, SLOGN and Rivet, are currently in a pre-sale stage, with the former’s contract address viewable on Etherscan and the latter’s available only to registrants. A third, Filecoin, is on the Coinlist platform, which only accepts accredited investors.

Token Report reached out to all nine teams for comment on contract address release protocol. The only one to respond was Investfeed, who informed us that they will release the address on the day of their sale, Sunday. A spokesperson said “consensus in the industry” holds that “it’s all very high-risk to release it early in advance.”

We talked to several cybersecurity and assurance experts who disagree. Publishing addresses well in advance provides fewer opportunities for scammers to substitute the wrong address, they said. It also allows a wider review of the smart contract code, generally accepted as the best way to catch bugs and vulnerabilities.

There’s one problem with publishing the smart-contract address early: It’s not as easy to make 11th-hour changes to the code. Projects that haven’t published smart contract addresses may be holding back because their smart contracts aren’t complete.

A little-used remedy

The majority of contract addresses used by token sales, including CoinDash’s, are hexadecimal strings that look like a series of random numbers and letters. This usually requires buyers to copy and paste the long address in order to contribute funds. An alternative type of address that solves this issue is a human-readable name provided by the Ethereum Name Service (ENS). ENS allows developers to connect any smart contract address on the Ethereum blockchain to a name followed by “.eth” as a domain name.

Few token sales have deployed this type of contract. They include FunFair (funfund.eth) and District0x (district.eth or district0x.eth). (Disclosure: Token Report parent company New Alchemy is an advisor on FunFair’s token sale and smart contract.) Once an ENS domain is bid on and bought, developers can point it to multiple resources as well as create subdomains.

Nick Johnson, developer at ENS, says that the best way to prevent address phishing is to publicize the token sale’s real address well ahead of time, before a sale begins. This way, “last-minute announcements are inherently suspicious,” Johnson says. He added that it is “bad practice” for token sales to publish contract addresses last-minute, and said this sentiment is shared among buyers.

ENS is still new; it launched in the spring of 2017, with the first name auctions taking place in May. Token sales have yet to adopt its service; the wallets that handle transfers in a token sale have only recently been getting widespread support. Currently, Bitfinex, imToken, My Ether Wallet, Metamask and Leth have integrated ENS into their wallets. Mist, Shapeshift and Status are soon to follow, Johnson said.

CoinDash will likely never see the funds that were transferred to the scam address, but the company says it plans to credit contributors who fell victim to the scam with the tokens they thought they were buying. Muroch told Bloomberg on Thursday he is confident that enough funds were raised in order to continue product development.

CoinDash has filed an official police complaint at Israel’s cyber security law enforcement bureau as well as commissioned an internal investigation.

Token Report is an independent financial information service founded by Galen Moore and Peter Vessenes. Galen is a financial journalist with a background in startups, venture capital and launching news sites. Peter is a co-founder of the Bitcoin Foundation, and launched the first VC-backed Bitcoin company in 2011. He is managing director at New Alchemy, a boutique consulting and investment group based in Seattle, Wash., that is making a pre-seed investment in Token Report.

Nothing contained in Token Report materials or posted at tokenreport.com constitutes an offer or a solicitation of an offer to buy or sell a security, financial instrument, or other category of asset, or investment advice or recommendation of a security, financial instrument or other category of asset. Tokens involve risk and are not suitable assets for everyone. Token Report believes its information was obtained from reliable sources but does not guarantee its accuracy or completeness and accepts no liability for losses arising from the publishing of this information. The information provided by Token Report is not a substitute for financial, legal and other professional advice. Each individual should always consult his or her own financial, legal or other professional advisors and discuss the facts and circumstances that apply to the individual.