A Cost-Effective Solution to Costly Security Audit

Posted in #ico, 6 years ago

A post by our CEO, Mr. KEY (Karnika E. Yashwant)

Here’s a piece of advice on successfully launching ICOs that we often come across:

“Blockchain application development and ICO companies often forget that compliance is different from security and think that as long as they follow the compliance regulations, their data is systematically shielded and safe from theft or hack. It’s urgent to carry out the ICO audit by hiring independent audit companies. These companies provide penetration testing, smart contract audit and bug tips to help you get ready for your ICO platform promotion. As the audit can expose the vulnerabilities of your system, not only can millions of dollars and hours of time be saved, but your ICO as well.”

Well and good if the budget covers a security audit for the ICO. If not, how do I address this with clients? I’ll start by citing one of my real experiences with a client. We were working with one of our favorite projects. We liked the project, we loved the team, and we started to work with them. They were pretty well-funded as well: more than a million dollars for marketing in early 2018. At that point, a million dollars for marketing was a very good budget, and they were all set for massive success.

Everything was in line. We handled the whole process in terms of marketing and every other media channel involved. The only part we did not monitor was the tech part, because those guys were tech people themselves: there was a CTO, a tech team, and their own software developers.

The pre-ICO started. There was a lot of hype and a massive number of Telegram followers; everyone was waiting, and then the ICO started. A huge number of people started to register and get in as soon as the countdown timer went to zero. Within less than a minute, they made more than six figures; something like $152k came in within the first minute or so.

As soon as that happened, something went down: the smart contract and the dashboard started showing some weird numbers. They took it down for a few hours and relaunched after their tech team fixed it, then repeated the process a second time when it still did not work. They took a break for a few days and relaunched again, and still it did not work.

Cheap Developers across Multiple ICOs

The whole problem was cost: they hired some cheap developers to get the work done, which cost more in the end. No one was monitoring the platform, and on top of that they did no testing of their own.

Lack of monitoring and testing screwed up their whole ICO. They tried relaunching three times within a week, and every time they did, their dashboard and smart contract were not functioning. **I’ve seen this issue happen across multiple ICOs, and it kind of killed the whole ICO, because at that point people start to think it’s a scam.**

So, a security audit is definitely very different from compliance, but it is a very good consideration for sure. Let’s imagine the cost of building the smart contract and dashboard. The whole tech part costs you x dollars, while the cost of a security audit is 2x, 3x or 5x. So basically, the security audit would be more expensive than the actual development process. This is one of the challenges the market is facing.

Make sure your platform is in line

I would say that irrespective of who does the development, one should definitely get someone to test it out very well to make sure it is in line. Anyone can make mistakes, though there are some exceptions in terms of the risk-reward ratio. For example, if you’re using an existing platform, there are many more ICOs running on top of it, and it has been working for a few months, if not more. Either they charge you a percentage of the raise, like two to four percent, and you’re free to use the platform, or they add in some upfront costs and then reduce the percentage collected on the backend (which is my preferred mode).

Using an existing platform reduces your risk substantially, but anything that is developed directly at your end or bought from a private company incurs a risk, and a security audit becomes a must. Bottom line, it’s just a matter of finding the right cost-effective solution instead of just pouring six figures into a security audit.

Use a Hackathon Freelancer Board

Recently, I was discussing this with my good friend Ameer Rosic, who launched a platform called Bountyone.io. It’s a managed platform for hackathons where you post your project, put a price on it, people apply and do their magic, and finally you get the report and one of the members gets paid, etc. It reduces the security audit cost by five times and also shortens the timeline by two or three times.

That’s the only solution I’m aware of right now in the market for such use cases. I don’t think it’s even a couple of months old, but it is the only solution at this point that is cost-effective, time-effective and crowd-sourced.

Disclaimer: This is NOT a sponsored post. This is my response to many of my clients who needed assistance with this, and I decided to just make it a post and share it with everyone else.

Every other solution is too expensive and by itself could easily take one month, one and a half months, two months, etc. The key innovation is a commercially scalable consensus mechanism with reviewer board selection built into the blockchain.

Invest in Qualified Developers

In a nutshell, that’s the challenge and that’s the opportunity out there, and I’ve shown you the good and bad sides of security testing. Sometimes you go with what makes the best sense. But at this point in time, when I work with my clients, **I tell them the foundational rule: if they’re just buying my company’s services, that’s fine, they can just use them.** I’m not getting involved in the project. If I am involved in the project, however, I make it clear that I like to be involved in all processes of the ICO, whether legal or technical. I’d like to at least always see what’s happening so I can make the right marketing choices or suggestions at the right time, and when the technology part comes, I definitely look at who’s developing it.

At the least, it should be somebody qualified, someone good, instead of just some random freelancer. If the developer is someone who’s not reliable, then a security audit is going to be a must. Unfortunately, over the past few months, it was impossible to hire anyone for a security audit because the cost was huge and not affordable for most clients. Instead, the associated risks were handled by using a quality developer and proper testing with their own team.

That’s the situation right now, but moving forward, I would definitely get my clients to use a hackathon and a crowdsourced means of testing their ICO so they can actually launch with strong confidence. **Technology is just a small part of the ICO, but by itself it can ruin it, and at the same time it can also make life easier and make the ICO smoother and more stable. That’s my take on it.**