Large-scale thefts usually involve an exchange or a bug in a smart contract. While individual hacks are common, they don’t tend to make news because, by their nature, they only affect one person.
But one alleged hack of an individual is affecting an entire ICO and its participants, and it has shed some light on how ICOs are handled.
Shopin ran its ICO a few weeks ago and things seemed to be progressing as you would expect. However, earlier this month they announced that the syndicate to which they had sent a significant portion of the ICO funds had been hacked.
That means all the customers who were a part of that syndicate have potentially lost the funds they have paid for.
We should back up, because the idea of a syndicate might be new to many of our readers.
ICOs are very popular in Japan at the moment. And the syndicate model, while far from exclusive to Japan, is a popular method to invest there. A bunch of people join together in a group and pool their money. That money is then used to invest in ICOs in bulk, which gets them a better price for their trouble and sometimes lets them enter the ICO before the general public.
Ideally, this is done with a smart contract. Participants put their bitcoin or ether into a smart contract and when the ICO ends, everyone gets the correct amount of the ICO token back.
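The accounting such a pooling contract would enforce can be sketched in Python. This is an added illustration, not code from Shopin, the syndicate or any real contract, and the class, method names and amounts are constructed. Entitlements are fixed by contribution share and each member claims their own tokens, so no single key-holder distributes them.

```python
class SyndicatePool:
    """Toy model of a pooled ICO purchase settled by per-member claims."""

    def __init__(self):
        self.contributions = {}       # member address -> wei paid in
        self.total_wei = 0
        self.token_allocation = None  # set once, when the ICO tokens arrive
        self.claimed = set()

    def contribute(self, addr, wei):
        if self.token_allocation is not None:
            raise RuntimeError("pool is closed: tokens already received")
        if wei <= 0:
            raise ValueError("contribution must be positive")
        self.contributions[addr] = self.contributions.get(addr, 0) + wei
        self.total_wei += wei

    def settle(self, tokens_received):
        # Called once when the ICO delivers tokens to the pool.
        if self.token_allocation is not None:
            raise RuntimeError("already settled")
        if self.total_wei == 0:
            raise RuntimeError("nothing was contributed")
        self.token_allocation = tokens_received

    def entitlement(self, addr):
        # Integer floor division, as on-chain arithmetic would do it:
        # the sum of all entitlements can never exceed the allocation.
        paid = self.contributions.get(addr, 0)
        return self.token_allocation * paid // self.total_wei

    def claim(self, addr):
        # Pull model: each member withdraws their own share, exactly once.
        if self.token_allocation is None:
            raise RuntimeError("ICO tokens not received yet")
        if addr in self.claimed:
            raise RuntimeError("already claimed")
        self.claimed.add(addr)
        return self.entitlement(addr)


def run_constructed_example():
    pool = SyndicatePool()
    # Constructed contributions in wei (3, 2 and 1 ether).
    for addr, wei in [("alice", 3 * 10**18), ("bob", 2 * 10**18), ("carol", 10**18)]:
        pool.contribute(addr, wei)
    pool.settle(1_000_000)            # constructed token amount
    payouts = {a: pool.claim(a) for a in ("alice", "bob", "carol")}
    dust = pool.token_allocation - sum(payouts.values())
    return payouts, dust              # dust is the rounding remainder left in the pool
```
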
But oftentimes, smart contracts aren’t used and this seems to be the case here. Instead, the syndicate’s funds were controlled by one person and that person was supposed to distribute the Shopin coin to the syndicate’s individual members. That didn’t happen because apparently, the syndicate’s representative was hacked before she could distribute the funds.
The hack resulted in the loss of 12% of the ICO coins (4% of the total supply) and the creators have decided to move forward with a coin swap to rectify the situation. An announcement with details is expected soon.
The syndicate rep, who also lost some of her own coins, has filed a police report with Japanese authorities. That said, Shopin refused to provide me with any contact details of the Syndicate representative, so I was unable to confirm the story they provided me.
While I find it unlikely that they “hacked” their own ICO, it could potentially be profitable for them to do so. While none of the coins have moved from the alleged hacker’s account, they don’t necessarily have to. Shopin’s price has dropped significantly since the hack was announced, despite the promise of a coin swap. A price drop has to be accompanied by someone selling coins, and we know the hacker isn’t selling theirs. So the only other options are that former Shopin investors have been scared off by the incident and are selling (most likely), or that Shopin is using this time to dump their own coins since they are creating a new one anyway. Nothing has been moved from their official account, but that doesn’t necessarily mean they don’t have coins in other accounts.
All they would have needed to do is sell some coins to themselves during the ICO, or use the Tokens reserved for the Team (that account is not public) and sell them on the open market. The buyers will likely participate in the coin swap when it happens but since Tokens are essentially created out of thin air and they have to make an identical amount of coins anyway, they wouldn’t be losing anything by doing this.
To be clear, I didn’t find any evidence that is what happened, only that, without being able to verify the story with anyone else, it is a possibility that must be considered. If that is what happened, someone would be liable for filing a false police report with the Japanese authorities, but besides that, there wouldn’t be any consequences.
There is also the possibility that the Syndicate representative stole the coins herself, but with the police report, that seems unlikely.
More likely, the Shopin story, or something close to it, is accurate and the Syndicate lost the funds given to them.
In another twist, someone claiming to be the hacker has commented on the wallet, saying that the private key for the Syndicate’s account was not hacked and that instead, the account’s keys were publicly available on the internet. They wanted $1M worth of ETH to return the coins. With the coin swap already planned, that seems unlikely to happen.
I have reached out to this person for clarification.
Ultimately, the whole fiasco showcases two things: ICOs are risky. Having someone buy your ICO tokens for you adds another significant risk, even if they promise to get you access to better deals.
Shopin’s ICO in general has been far too secretive. As mentioned above, they refused to provide me with information on which Syndicate failed or provide the account where the Team tokens are held. Looking at the holders list on Etherscan, there is one account with 25.19% of the total tokens. The Team account was supposed to have 24.42% of the total tokens, but that is the closest one. In any case, it has consistently been sending tokens out when I was told those tokens were supposed to be held for three years. Even after sending out the Shopin tokens (including over 400,000 tokens on June 22nd in two transactions) they are still slightly above the planned amount.
They seemingly want me to trust them without verifying that information. You would think with their recent experience, they would understand why I can’t and their community shouldn’t.
The number one rule of cryptocurrency is “verify, don’t trust” and yet we have potentially thousands of buyers trusting one person to handle their funds responsibly. And these buyers are, by necessity, Ethereum users with some sort of Ethereum wallet. That would seemingly indicate that they have some level of crypto knowledge.
And now they, and an entire project and community, are facing the consequences of one person’s negligence.
As Shopin CEO Eran Eyal told me in an interview shortly after the alleged hack:
“This is a situation where people are negligent and lazy. There is nothing you can do about it. Harrison Hiens’ [Token Foundry] does it right, with smart contracts that are irrefutable. The moment they get the tokens, it is out of their hands.”
That is advice every potential ICO buyer should take to heart. And while ICO issuers don’t decide which Syndicates attempt to buy from them, they can decide who gets into their pre-sales. Perhaps this also stands as a warning for other ICO creators to be careful who they work with.