$7 700 000 USD

JULY 2018

GLOBAL

KICKICO

DESCRIPTION OF EVENTS

"KICKICO [is] a blockchain-based initial coin offering (ICO) support platform" and "fundraising platform". "KickICO is a crowdfunding platform that supports AIO fundraising, but the auction sale takes place on both the KickICO platform and campaign tokens are automatically approved for listing on the KickEX exchange. As a result, both communities - platforms and exchanges - participate in the auction. This significantly increases the organic demand for traded tokens, as it reaches the audiences of both platforms and both communities. After the successful completion of the campaign and all the necessary checks, the company's tokens become available for trading on the KickEX exchange, receiving an automatic listing there."

"AIO (Auction based Initial Offering) is a type of crypto fundraising based on fair pricing, a know-how developed by the Kick Ecosystem team. Unlike ICO, IEO, IDO and other forms of fundraising, the price of a token offered here for sale is not fixed, but is formed by the users themselves during the auction. The greater the demand for a token is, the higher its price, and vice versa. Companies have no direct influence on the value of the token, which makes pre-sales of the token at a 50-80% discount pointless. Thus, the price of the token is formed by the market itself and by the users participating in the auctions, who take into account the importance and relevance of the products offered by the company. So, the authors do not declare the price of their token, which, after entering the secondary market, can be collapsed by those who received early allocations with huge discounts: this kind of risk is excluded."

"CEO Anti Danilevski wrote in a blog post that, on July 26, "KICKICO has experienced a security breach, which resulted in the attackers gaining access to the account of the KICK smart contract — tokens of the KICKICO platform." KICKICO fell "victim to a suspected cyber attack and lost more than 70 million KICK tokens (or KickCoins) worth an estimated $7.7 million."

"[H]ackers were able to gain direct access to the smart contract of the KICKICO blockchain network by obtaining the private key of the KickCoin smart contract." "Once they obtained the key, the attackers used it to destroy KICK tokens at approximately 40 addresses and created the same amount of tokens at the other 40 wallets they were controlling. Using this trick the overall number of tokens hasn't changed and security measures in place were not able to detect the fraudulent activity." "The team learned about this incident after the complaints of several victims, who did not find tokens worth 800 thousand dollars in their wallets." "KICKICO admitted that the company had no clue about the security breach until and unless several of its customers fell victim and complained about losing KickCoin tokens worth $800,000 from their wallets overnight."

"During the investigation, it was found that the total amount of stolen funds is 70,000,000 KICK, which at the current exchange rate is equivalent to $ 7.7 million."

"The hackers gained access to the private key of the owner of the KickCoin smart contract. In order to hide the results of their activities, they employed methods used by the KickCoin smart contract in integration with the Bancor network: hackers destroyed tokens at approximately 40 addresses and created tokens at the other 40 addresses in the corresponding amount. As a result, the total number of tokens in the network has not changed," continues the notification.

"The exec says his team immediately started investigating the hack in light of the report." "A few hours after the incident, the KICKICO team was able to regain access to its smart contract and replaced the compromised private key with the private key in its cold wallet, to protect the network and remaining user funds." "As of Friday, the company announced the situation was under control and the smart contract has been restored."

"Thanks to the rapid response of our community and our coordinated team work [sic], we were able to regain control over the tokens and prevent further possible losses by replacing the compromised private key with the private key of the cold storage," Danilevski said. “KICKICO guarantees to return all tokens to KickCoin holders. We apologize for the inconveniences,” Danilevski said. "KickICO announced it will return all stolen KICK tokens to their legitimate owners, for this reason, it invited them to connect via email."

KickICO is a service that helps blockchain projects raise funds for their operations. To obtain operating capital, a project uses a smart contract to issue KICK tokens. While KickICO is not an exchange, it offers the ability to buy and sell tokens, and many platforms similarly have their own token.

However, the contract was controlled by a single private key, which appears to have been compromised, allowing the attacker to mint KICK tokens at will. The attacker avoided detection by destroying exactly as many tokens as they minted, so the total supply never changed; this, however, meant that the tokens destroyed belonged to legitimate purchasers.
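As an added illustration of the detection gap described above (not code or data from KickICO or this page), the Python below reconciles a constructed window of ERC-20-style Transfer events: the total-supply check the attacker defeated reports all clear, while a check on who signed each burn flags the owner-key burns at third-party addresses. The address labels, the `tx_sender` field, the `OWNER` placeholder and the sample amounts are all constructed.

```python
from dataclasses import dataclass

# ERC-20 convention: Transfer from the zero address = mint, to it = burn.
# OWNER is a constructed placeholder for the compromised contract-owner key.
ZERO = "0x" + "0" * 40
OWNER = "0xOWNER_KEY_PLACEHOLDER"

@dataclass(frozen=True)
class Transfer:
    tx_sender: str  # account that signed the transaction
    src: str        # ERC-20 Transfer 'from'
    dst: str        # ERC-20 Transfer 'to'
    value: int

def total_supply_delta(events):
    """Net supply change (mints minus burns): all a total-supply monitor sees."""
    minted = sum(e.value for e in events if e.src == ZERO)
    burned = sum(e.value for e in events if e.dst == ZERO)
    return minted - burned

def suspicious_burns(events):
    """Burns signed by someone other than the holder: only a privileged role can."""
    return [e for e in events if e.dst == ZERO and e.tx_sender != e.src]

def supply_neutral_relocation(events):
    """Privileged burns exactly offset by mints in the window: moved, not shrunk."""
    burned = sum(e.value for e in suspicious_burns(events))
    minted = sum(e.value for e in events if e.src == ZERO)
    return burned > 0 and burned == minted

def run_checks(events):
    """Both checks side by side, so the detection gap is visible."""
    delta = total_supply_delta(events)
    return {
        "supply_delta": delta,
        "supply_check_passes": delta == 0,  # naive monitor reports all clear
        "suspicious_burns": len(suspicious_burns(events)),
        "relocation_pattern": supply_neutral_relocation(events),
    }

# Constructed window: one ordinary transfer, then owner-key burns at three
# holders' addresses offset by mints to two attacker-controlled addresses.
SAMPLE_EVENTS = [
    Transfer("0xU1", "0xU1", "0xU2", 120),
    Transfer(OWNER, "0xV1", ZERO, 400),
    Transfer(OWNER, "0xV2", ZERO, 350),
    Transfer(OWNER, "0xV3", ZERO, 250),
    Transfer(OWNER, ZERO, "0xA1", 500),
    Transfer(OWNER, ZERO, "0xA2", 500),
]
```

A holder burning its own tokens (signer equals holder) is not flagged, which keeps the rule quiet on legitimate burns while catching any owner-key burn at someone else's address.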

The KickICO team ultimately restored the tokens to their rightful owners. It is unknown whether anyone purchased the illegitimately minted tokens and suffered a loss; however, there are no reports of this.

HOW COULD THIS HAVE BEEN PREVENTED?

Ultimately, no funds appear to have been lost in this case.

The situation highlights the importance of placing privileged contract roles, such as the owner able to mint and burn tokens, behind a multi-signature setup rather than relying on a single key. It also highlights the importance of storing critical keys offline. This theft would not have been possible with either of these measures in place.

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.