Ethereum ICO Website Hacked, Over $7 Million Stolen & Redirected
CoinDash, a Blockchain-based trading platform, recently raised $12 mln in its initial coin offering (ICO). However, $7 mln was stolen and redirected to a different address after the CoinDash website was compromised.
In an official statement, the CoinDash team wrote:
“It is unfortunate for us to announce that we have suffered a hacking attack during our Token Sale event. During the attack, $7 mln were stolen by a currently unknown perpetrator. The CoinDash Token Sale secured $6.4 mln from our early contributors and whitelist participants and we are grateful for your support and contribution.”
In its announcement, the CoinDash team emphasized that it is wholly responsible for the hack and the theft of $7 mln and that all investors who sent funds to the CoinDash address before the ICO or Token Sale event ended will be credited with its native token CDT.
“CoinDash is responsible to all of its contributors and will send CDTs reflective of each contribution. Contributors that sent ETH to the fraudulent Ethereum address, which was maliciously placed on our website, and sent ETH to the CoinDash.io official address will receive their CDT tokens accordingly,” the CoinDash team added.
More importantly, the CoinDash team revealed that it is currently investigating the security breach and will provide briefings in the upcoming days. At the moment, the team is focusing on recovering and providing CDTs to investors who sent funds to the fraudulent address.
Initially, the ICO was set to last 28 days with a limit set at $12 mln. It reached the $12 mln limit relatively quickly, but during the ICO the website was hacked, and the security breach led to the loss of approximately $7 mln.
Investors criticized CoinDash for not publishing its crowdsale smart contract in advance. An investor by the name of MJ Dillon revealed that they had told the CoinDash team in its Slack channel that the team needed to publish the crowdsale contract, and that it was risky for the team to simply share an Ethereum address and conduct its ICO that way.
“Has anyone mentioned how bad an idea it is that you have a whitelist of people you'll be emailing a contract address to with a ‘send money now!’ message before the address is public? Isn't that just asking someone to try to hijack that process?”
In response, the CoinDash team wrote:
“MJ Dillon, if you don't know how it will be done why are you making false assumptions then?”
In the end, the team’s relatively lax stance toward security advice and tips from community members led to the loss of $7 mln and a security breach that could have been avoided.