Are Security Token Offerings (STOs) succeeding Initial Coin Offerings (ICOs)?

In the United States, the Securities and Exchange Commission (SEC) has started issuing guidance on how to handle the cryptocurrencies being sold in ICOs. It is working hard to protect residents from fraudulent schemes. For any entrepreneur, the practical application of blockchain is perhaps the democratization of fundraising. A blockchain solution in a venture capital ecosystem enables entrepreneurs to tokenize equity, bringing liquidity to venture capital and angel investors in return. In this blog, we will discuss how Security Token Offerings are outnumbering ICOs, especially in the US economy, where the effect of new rules on efficiency, competition, and capital formation with regard to cryptocurrencies keeps fluctuating.


ICO: A high-risk speculative investment?

ICOs have lately been a subject of speculation among high-volume institutional investors. The fruits of the industry are starting to be borne: nearly $400 million, or more than 10 percent of the $3.7 billion raised in initial coin offerings, has been lost or stolen, Ernst & Young claims.

This boils down to the fact that participating in an ICO is perhaps not a preferred option for individual investors. It is hard for them to keep up with the goings-on in the cryptosphere, and they are most likely unaware of the token purchase price paid by seed investors or of VC rates. Another reason for the mistrust in ICOs is that they are not liquid like public investments such as stocks, and they are not compliant with SEC regulations either.

The fact that the ICO terms might fail and the project is always a high-risk investment makes ICOs highly regulated, especially in countries like the USA. Moreover, the DAO tokens, following the DAO hack, failed to pass the Howey and other alternative tests and were deemed securities by the SEC. That’s when Security Tokens come into the picture.


What are Security Tokens?

Unlike an ICO, where the tokens issued are dApp or utility tokens, if the token hodlers gain governance voting rights or profit-sharing rights, the token is considered to be a Security Token. Because such tokens have the attributes of a security, regulatory compliance can apply to both investors and entrepreneurs on their respective sides. Furthermore, the following can be regarded as a security token:

  • If the token offering is giving the right to equity shares in the enterprise
  • If the token hodler gains the profit or ownership in the company, just like stocks
  • If the token represents a kind of unit of a mutual fund, loan or any debt obligation
  • If the token is backed by real assets such as landholdings

STOs are subject to federal securities regulations in the States. Below are the regulations which, when properly met, can pave the way for Security Tokens to attain the same reputation as stocks.

For a thorough understanding of these regulations, you can also refer to this Medium publication.


Now, what makes a token a security?

Before moving ahead, you must know that, according to the government and regulating authorities, any investment made with an intent to make a profit is a security. Usually, STOs look more like IPOs, as they are somewhat similar in nature and offerings. In the United States, understanding the purpose of the investment is of paramount importance.

The SEC and FINMA categorized tokens into two broad categories, i.e. Utility Tokens and Security Tokens. The centennial case that addressed this issue is the SEC v. Howey Co., 328 U.S. 293 (1946). The Howey test will answer these four questions based on which the type of token is decided:

  1. Are money or real assets involved in the investment?
  2. If yes, are these investments in a common enterprise?
  3. Are the investors expecting profit from the investment?
  4. Are third-party efforts involved in making the profit?

If the answer is ‘Yes’ to these questions, then the token sale is likely subject to the U.S. securities laws.

The token buyers can avail benefits like profit shares, dividends and voting rights. Moreover, the security tokens can also feature similar attributes as that of utility tokens. If an organization acknowledges that its token is a security, then it can be considered as an investment. For the buyers, security tokens bring more transparency in token economics.


To achieve the crowdfunding goals, is it important to launch an STO?

As mentioned above, the investors in an ICO do not need specific rights or a share in the company in which they are investing. In contrast, STO investment is more about empowerment: the investors gain more rights and own shares, somewhat like a regular business intending to initiate an IPO. However, with STOs the decentralized nature of cryptocurrency is absent, as governing bodies are involved in the approval. Here are a few major reasons why people find STOs more legitimate than ICOs:

  • They receive an asset-backed token, basically a share in the company
  • STOs require government compliance which means no scam projects
  • Through blockchain, STOs will unblock trillions of dollars of illiquid assets
  • Any company can tokenize its equity; STOs are not limited to blockchain companies
  • STOs provide global regulatory compliance; unlike ICOs, they are not limited to Switzerland, Moldova or Singapore

STOs can effectively address the major issues faced with Utility Token Offerings — they offer corporate accountability and minimize the possibility of fraud.


Key takeaways
  • We have two legal structures of tokens: Security and Utility tokens
  • The Howey Test in the USA might be a good approximation to evaluate the security nature of the token, but there’s still a lot of uncertainty surrounding cryptocurrencies
  • If there is some value associated with a token, this will not automatically prevent it from being qualified as a security token
  • Security Tokens bring legal clarity for everyone in the ecosystem, be it the company or the ICO contributors (although this is speculation as of now)
  • Only licensed security trading platforms will facilitate secondary trading of security tokens
  • Security tokens cannot be used as utility tokens; this means they cannot be used as a medium of exchange or trade
  • Unlike ICOs, you cannot use security tokens to incentivize users, nor can you gain access to any platform with them.
  • Security tokens differ from jurisdiction to jurisdiction, i.e. what one platform considers a security would not necessarily be the same for another platform.
  • Security tokens are designed in a way that they will not convert to utility tokens once the business operations are live
  • You as an investor must take a holistic look at both kinds of tokens depending upon your investment.


EndNote – STOs are defeating their nemesis in the USA

Experts believe that tons of capital is expected to flow from Wall Street to security tokens in the coming years which will open up fractionalized investment. You can choose to offer security tokens by adhering to SEC guidelines and you will not be required to give up equity in the company or a revenue share. Despite the technical and regulatory hurdles, the token economy is moving forward and the token issuers must use the existing tools and shall not bet on these regulations to be modified.

DISCLAIMER: The purpose of this blog is to help potential token issuers understand how security tokens are regulated in countries like the United States. As a reader, you must conduct your own due diligence and seek consultation which provides a greater understanding.

10 ICOs to look for in 2018

In 2017, we witnessed a number of cryptocurrencies gaining momentum for good reason; however, the entire blockchain aspect is way bigger than just cryptocurrencies. Even the White House, DC has weighed in on blockchain by issuing an official statement:

“We follow blockchain technologies for a number of reasons, including economic, innovation, national security and public safety. Blockchain has the promise to be used creatively for a number of cybersecurity and other issues, and it is important for us to remain informed on this and other new and emerging technologies.”

If you invest in blockchain technology companies, consider investing in companies that are back-end leaders. We have chalked down a few companies that bring unique offerings to the table, so if you are planning to invest you may go ahead and review their whitepapers.




Pundi X empowers blockchain developers and token holders to trade cryptocurrency and services at any physical store in the world. It intends to take POS systems to a whole new level, where transactions are done on a blockchain network and payments from both cryptocurrency wallets and traditional mobile wallets, including Alipay and the Bitcoin wallet, are supported.

Pundi X’s mission is to make buying cryptocurrency as easy as buying bottled water. The Pundi X POS device has an adaptable interface and helps merchants facilitate transactions in the cryptocurrency of their choice, e.g. BTC, ETH, XEM, QTUM, or ACT. It also has a check-out menu to complete crypto-transactions, with membership and inventory management integrated into the offering.


Our Thoughts
As soon as Pundi X launched their ICO, it sold out within 2 hours, and it is reported that 6,000 transactions were placed through the Ethereum platform in the first five minutes of its launch. The POS device costs 300 USD per piece and Pundi X plans to reach ROI in 12 months, which indicates that we can expect about 30 USD profit from each device every month. With such a promising start, we can expect a tremendous performance in 2018, as this built-to-order, highly configured device will be made available in the open market, making it a must-have for retail businesses in the near future.


2. CoinMetro

The blockchain-powered CoinMetro platform is built for investors, leveraging a spectacular user interface and simple functionality to make trading as simple as purchasing an item online. With an extensive wealth of knowledge and experience, CoinMetro caters to less technical people, such as grandparents and people in the countryside, through its interesting and unique features.

CoinMetro is expected to make use of MongoDB, an open-source, document-oriented database program, in order to bring role-based access control to administer things like network isolation. CoinMetro has also deployed PostgreSQL, which is open-source and has a strong reputation for reliability, data integrity, and performance. With CoinMetro, all the services can be streamlined via a blockchain-powered web app with a spectacular UI, creating a flexible environment that integrates unique features into CoinMetro’s digital asset ecosystem.


Our Thoughts
Since digital technology is changing rapidly, the entire landscape needs a bridge that links the traditional and emerging asset classes and is specially designed for mainstream adoption. The CoinMetro platform is a promising all-in-one solution which can help businesses maximize their client value by delivering a rock-solid framework. CoinMetro’s customer support network plans to incorporate a live-chat option via Intercom, along with a knowledge base and an extended FAQ section, making it extremely helpful for newcomers to understand how it works.



Loomia is a New York-based startup that wants your wardrobe to be chic. The start-up intends to bring clothing and textiles into the IoT marketplace. Loomia adds an electronic layer to fabric and turns it into functioning sensors (more like a circuit board) in order to communicate with the IoT environment.

The innovation Loomia brings can spare a huge number of lives each year. In a significant car crash or other terrible mishap, the severe impact on the clothing could trigger Loomia’s smart clothing. The blockchain-powered technology contacts the nearest healthcare facility, pinpoints the exact location of the individual and provides their identity, thereby maximizing the chances of survival. Loomia has introduced a device called the data tile, which provides valuable clothing data for businesses as one of the applications of blockchain technology. This data can further be sold by individuals in exchange for tokens.


Our Thoughts

Loomia products will be registered on a blockchain, which will provide data authenticity and accurate information, thereby eliminating the phone calls, high alerts, and other procedures carried out during emergency cases. The information can be read not only by Loomia products and IoT devices but also by other technologies, so the wearable can be integrated with third-party applications such as anti-theft devices. Loomia ensures that the personal data belongs to you and establishes a belief that ‘Physical You Is Digital You’.




A decentralized application runtime environment that provides blockchain-powered mobile experiences to mobile users seeking data security and transparency. It gives individuals with smartphone devices the power to engage in value and ownership exchange without middlemen.

Zipper has the vision to upgrade smartphones to blockchain-powered devices so that they inherit trust and transparency along with low-cost transactions. The technology uses blockchain integration that keeps data and wallets secure while providing ease of access to all. The main objective here is to make cryptocurrencies and dapps easy and secure to use for everyday smartphone users. Zipper has specialized in creating an open source operating system for mobile devices and made a major contribution to building MeeGo for Nokia, which is now licensed by many industry players.


Our Thoughts
Ever since Ethereum and other blockchains have contributed to a new decentralized economy, the millions of smartphone users need technology that can be trusted. By simply using an iPhone or Android device, users can download the app and start earning without worrying about data security. The Zipper platform is based on several open source technologies and is already in the process of developing an Android and Sailfish OS powered Sony Xperia device. The Zipper platform brings ease of using cryptocurrencies, where the users get to choose which data to share and with whom. Moreover, they can monetize storage and get paid to share the data, making Zipper one of the most promising entries in the 2018 cryptomarket.


5. Kyber Network


Kyber Network is all about trustless decentralized exchange and payment service. This new system facilitates the exchange and conversion of digital assets by allowing anyone to seamlessly receive payments from any token. What makes KyberNetwork different is that it is compatible with existing smart contracts, no deposits are required, and users instantly get their tokens when they trade.

It is a blockchain-powered platform that empowers merchants and users to instantly convert tokens and eliminates extra charges other than the gas fees. Here, a user can send an existing token A to a receiver who only accepts payment in a different token B, with the conversion done in one transaction. KyberNetwork has introduced a new standard contract wallet that works with existing contracts which accept only a few tokens, thereby enabling merchants to address a wider class of users and receive payments and contributions in the form of any token that KyberNetwork supports.


Our Thoughts
The KyberNetwork exchange platform is the first to provide on-chain, transparent and instant trades with high liquidity, and its roadmap points to supporting cross-chain trades between different cryptocurrencies using future protocols like Polkadot and Cosmos. At present Kyber’s ICO Drops score is very high, from which we can forecast an amplified market value in the 2018 cryptomarket. Moreover, users can mitigate the risks of price fluctuations in the cryptomarket with derivative trading, and the platform provides payment APIs that allow Ethereum accounts to seamlessly receive payments from any crypto token.



Datawallet is a project that aims to solve the ethical, economic and quality problems of day-to-day data brokerage. By making use of the Datawallet application, organizations are able to fetch high-quality information, whereas the users receive remuneration in the form of tokens. Users monetize the data collected from social networks by simply linking them with this application and then choosing which information to sell to which organizations.

DataWallet is a decentralized C2B data exchange application that allows data producers to reclaim the data they primarily own. The app provides users with a self-sovereign wallet that allows them to monetize and utilize an asset that is rightfully theirs. DataWallet provides organizations with insights that solve existing problems like collating datasets in an intelligent way and overcoming silo problems etc. The Datawallet is helpful not only for the data producers but also for the data consumers. Since the data is deterministically linked to each user profile, the information is ethically transferred with the user’s consent, which makes DataWallet a trustworthy information sharing platform.


Our Thoughts
Datawallet aims at disrupting the information industry, which is the 4th most valuable product on Earth. Sharing ethical and approved data is perhaps the future of precise application development. Data brokers supply information such as: which products do you wish to buy online? Who is the best social media star this month? This critical information is sold to organizations in exchange for money. However, you can manage your own data and earn tokens using DataWallet by providing high-quality ethical information.

7. STK Token


STK token is an end-to-end blockchain-powered technology solution that allows retail businesses to gain access to previously inaccessible data through its real-time sensor technology. The vision is to enable real-time POS transactions directly from private cryptocurrency wallets.

STK Tokens provide the ability to make crypto-payments in-store in order to introduce a faster and more efficient payment method. STK tokens are implemented on the public Ethereum blockchain, adhere to the ERC20 protocol, and automatically open a state channel between different users and the STK wallet. STK will allow you to store your money safely anywhere and gives you instant access from your smartphone using the STACK app, thereby eliminating the traditional card solution.


Our Thoughts
Being a contributor to promoting borderless transactions, the STK model of instant global payments is likely to be widely accepted. STACK makes use of industry-leading safeguards to protect your hard-earned money along with minimizing the risk of data breach and privacy, so accounts are highly secure. The platform gives you personalized tools to help you reach your goals faster by being smart with your money spending.

8. BABB (Bank Account Based Blockchain)


A decentralized bank that aims to provide anyone in the world with access to a bank account for P2P financial services. With built-in access to crowdsourced financial services, the people at BABB want to offer bank accounts to anyone throughout the globe.

BABB harnesses blockchain technology so that anybody in the world can obtain a UK bank account for international payments. The idea behind obtaining local physical fiat currencies is to eliminate the waiting time and extended working days that come with complicated bank transactions; local merchants (those accepting cards) can trade physical cash in exchange for any digital equivalent.


Our Thoughts
BABB will work around the existing local and international fiscal and monetary policies and is most likely to work directly with the central banks. The next decade will see a crypto boom as many central banks have planned to execute CBDCs which makes BABB an integrated part of the global financial platform.



DADI is a new era of cloud computing services, powered by blockchain technology, which focuses on scaling and expanding the outreach of your digital products. It is built exclusively for everyday users, who can rent DADI’s computing power to transform their web presence into an extremely efficient, business-specific workplace. DADI provides database storage, content delivery and a variety of digital products which can effectively refurbish a dysfunctional website into a vibrant hub.

With DADI, retailers gain the much-needed flexibility to manage their content by effortlessly managing product detail and inventory, along with the enhanced analytics required for achieving business targets. With DADI, businesses that rely on content management can seamlessly connect with myriad third-party providers, which includes using advanced POS technology and payment gateways.



Our Thoughts
DADI’s one-size-fits-all approach towards providing an all-new content management ecosystem looks promising in 2018. The user experience with DADI helps retailers to make real-time decisions and market their content in the most effective manner. Those who are finding ways for customer retention can make the best use of DADI in order to maximize conversions and leads by acting as an umbrella store for user data across multiple products in their respective digital portfolio.



The Fabric Token ecosystem provides a bundle of user-friendly software to individuals and businesses so as to empower them to access blockchain technology and smart contracts with ease. The primary focus of Fabric is to motivate people with minimal programming and blockchain knowledge to create and deploy their own Dapp.

The Fabric token can be used as a digital asset which can be exchanged between third-party developers and users on the Fabric Store. The entire ecosystem will depend on performance and growth, and it is set to have four components: the Fabric Token itself, TokenGen, DApp Workbench, and the Fabric Store. Fabric’s innovative solutions tend to create lucrative markets; at the backend, it gives developers room to create and sell components within a drag-and-drop ecosystem.



There is an overall optimism surrounding the underlying power of a number of applications of the blockchain. The investors and Silicon Valley venture capitalists continue to aggressively pour money into blockchain technology. There is an opportunity for investors to consider such blockchain powered business models and realize that there is a potential market for digital-first brands in almost every business category.

*The above information and analysis are based on our personal interpretation and research.

Organizing Your Own ICO-101

If you have an innovative idea worth millions and you’re thinking about your own ICO to achieve this feat, you should be prepared to ask yourself several questions before you approach a Solidity developer. If you’re a Solidity developer writing crowdsale and token contracts, it’s your responsibility to ask questions of your clients. In many cases asking the right questions is a very important job, as it can reduce planning time drastically and can help you proceed to the required solution. This article will help you understand the basic questions you must ask yourself before finalizing a crowdsale or a token strategy. Their answers will shape the smart contract and the way you’ll handle your investment plan. We’ll go through them one by one.

Crowdsale Questions:

A crowdsale offers a platform where investors can come and buy crowdsale tokens, offering support to the ICO, with added benefits for themselves, if the organizer’s idea succeeds. Your crowdsale would be handling people’s money, moreover it will be collecting money for you. Therefore, you should plan properly before proceeding. Following are some questions to help you through:

  • When should your crowdsale begin?
    It should depend on following factors – time to market your idea properly, cryptocurrency market conditions, status of your idea prototype.
  • What should be the duration of your crowdsale?
    It should be a duration apt for you, to raise an amount which will be sufficient to proceed with your project.
  • Should the duration of your crowdsale depend on the timestamp of a block or on the block number?
    In the Ethereum blockchain, a sense of timing can be obtained in two ways: block timestamp (now) and block number. You have to choose which one you will use. Usually the block timestamp, i.e. now, is used, and we recommend it too.
  • Do you want a presale?
    It could be a nice strategy to attract investors before your actual crowdsale, and measure your popularity in the market. It could also be organized for special customers who want subsidized token swap rates for showing early trust in your idea. If you want a presale, more questions are waiting for you:

    • When will it begin?
    • What will be its duration?
  • Should your crowdsale be divided into milestones?
    Milestones are periods of time during which your crowdsale will be active, but these time periods can have gaps between them. Each milestone can have separate properties such as its own token swap rate, cap etc. You should also think about the following questions:

    • How many milestones do you need?
    • When will each milestone start?
    • What will be the duration of each milestone?
    • Will there be a cap for each milestone or an overall cap?
  • Do you want your crowdsale token swap rate to be based on fiat currencies (USD/EUR) or ether (ETH)?
    We recommend ether because during the duration of your crowdsale ether to fiat rates may vary excessively, this could introduce complexity which could be easily avoided if we choose the latter option. Nevertheless there are many ICOs which opt for the former option, but you should think carefully before doing so.
  • Do you want a Cap?
    A cap helps you decide when to stop and when to give up. It also helps you regulate control and shows that you’re no scrooge, ultimately building a relationship of trust with your investors. This is one of those questions that you must answer with a yes. There are various questions associated with capping you should ponder on:

    • What should be your minimum ether/fiat cap?
      This is the minimum financial goal of a crowdsale. In layman’s terms, it’s the minimum amount at startup which is deemed sufficient to carry on with a project.
    • What should be your maximum ether/fiat cap?
      This is the maximum desired financial goal from an ICO. It’s the amount that the project needs to develop or improve their product. The team usually believes this amount will cover the successful development of the project until the moment it becomes profitable. Still most projects set a very high cap that is unlikely to be achieved. Only a few famous projects like Status or Brave browser successfully reached their hard cap. You can find a list of complete/incomplete ICOs on ICOdrops.
    • Do you want to accept multiple contributions from an investor or do you want a limit on number of investments from a single investor?
    • Do you want an individual min/max cap for each investor? If yes, how much?
    • Do you need a fixed token supply (max token cap) or a fixed ether/fiat cap?
      Do you want your tokens to be created at the very start of your ICO, or do you want new tokens to be created every time someone buys your tokens, until your ether/fiat cap is reached? If the former is your choice, answer the following:

      • What should be the total supply of your tokens?
      • What should be the swap rate of your tokens?
        Decide this on the basis of maximum ether/fiat cap and total supply of your tokens.
      • What should happen to the tokens if required cap is not reached?
        This means that if some tokens are left after the crowdsale ends, should they be sent to some reserve or distributed among the crowdsale owners? Another strategy is an airdrop, where leftover tokens are distributed among token holders according to their fair share after the crowdsale.

If the latter is your choice, just decide the token swap rate considering the max ether/fiat cap and the duration of your crowdsale (also include the presale and milestone strategy, if any).

  • What will be your refund policy, if cap is not reached?
    Usually ethers are transferred to a vault contract for safekeeping until the min/max cap is reached. If the cap is not reached, users can come to the crowdsale contract and claim their tokens using a pull mechanism. ICO organizers can also opt for a separate strategy according to their needs.
  • Would tokens be available to buy after crowdsale?
    If you intend to sell all your tokens during a crowdsale, you should not opt for this option.
  • Do you want a referral policy during your crowdsale?
    Your investors will have a referral code, when someone signs up on your platform using this referral code, the referrer will be able to claim reward tokens. It has the following questions associated with it:

    • What should be the percentage of tokens assigned for referrals?
    • How many referrals should be allowed for a single user?
  • Do you want a pause feature for your crowdsale?
    Crowdsale owners will be able to stop investors from buying tokens in case of a malicious attack on their platform or a bug report. After resolving these problems, the crowdsale could be continued.
  • Do you want your crowdsale to be extendable?
    Crowdsale owners will be able to change the start and end time of the crowdsale, though this is advisable only when a milestone strategy is not being used.
  • Do you want your crowdsale to have KYC logic?
    The crowdsale address is public and anyone can access it, which could lead to a huge problem: even non-KYC contributors would be able to participate in your crowdsale. This could be solved with a simple whitelisting solution.
  • Do you need an owner-assigned token mechanism for your crowdsale?
    This allows the crowdsale owner to assign tokens at will; it could of course have some checks to restrict its unauthorized use. Still, it is not advisable because it promotes centralization and reduces the trust of customers.
  • Any other special functionality for your crowdsale?
    There might be some special functionality of your crowdsale that could be unique in itself, you cannot leave anything. So think about it carefully.
  • What will be your initial share distribution scheme?
    Have you reserved some tokens for project owners and different teams associated with your project?
  • How do you envision the ether being handled after the crowdsale?
    • Straightaway transfer to a private account.
    • Handle using a multisig.
  • Should the owner of the crowdsale be a single account or a multisig?
    A multisig, or multisignature, requires another user or users to sign a transaction before it can be broadcast onto the blockchain. This is good practice and is recommended over a single account.
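
The timing, cap, pause, KYC and refund answers above map onto contract logic roughly as in the following sketch. It is an added example, not code from the original article; the contract name, function names and constructor parameters are hypothetical, and token minting is assumed to live in a separate token contract that reads `tokensOwed`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: names and parameters are hypothetical, not from the article.
contract CappedRefundableCrowdsale {
    address public immutable owner;     // ideally a multisig wallet address
    uint256 public immutable startTime; // unix seconds, compared with block.timestamp
    uint256 public immutable endTime;
    uint256 public immutable minCap;    // minimum goal in wei
    uint256 public immutable maxCap;    // hard cap in wei
    uint256 public immutable rate;      // token units credited per wei

    uint256 public weiRaised;
    bool public paused;
    mapping(address => bool) public whitelisted;    // KYC-approved buyers
    mapping(address => uint256) public contributed; // wei held per buyer (the vault)
    mapping(address => uint256) public tokensOwed;  // allocation a token contract would honour

    event Contribution(address indexed buyer, uint256 weiAmount, uint256 tokens);
    event Refund(address indexed buyer, uint256 weiAmount);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(
        address owner_, uint256 start_, uint256 end_,
        uint256 minCap_, uint256 maxCap_, uint256 rate_
    ) {
        require(owner_ != address(0), "owner required");
        require(start_ < end_, "bad sale window");
        require(minCap_ <= maxCap_ && maxCap_ > 0, "bad caps");
        require(rate_ > 0, "bad rate");
        owner = owner_;
        startTime = start_;
        endTime = end_;
        minCap = minCap_;
        maxCap = maxCap_;
        rate = rate_;
    }

    function setWhitelisted(address buyer, bool approved) external onlyOwner {
        whitelisted[buyer] = approved;
    }

    // Pause stops purchases only; refunds below stay available while paused.
    function setPaused(bool value) external onlyOwner {
        paused = value;
    }

    function buy() external payable {
        require(!paused, "sale paused");
        require(block.timestamp >= startTime && block.timestamp < endTime, "sale closed");
        require(whitelisted[msg.sender], "not KYC-approved");
        require(msg.value > 0, "no ether sent");
        require(weiRaised + msg.value <= maxCap, "hard cap exceeded");
        weiRaised += msg.value;
        contributed[msg.sender] += msg.value;
        uint256 tokens = msg.value * rate;
        tokensOwed[msg.sender] += tokens;
        emit Contribution(msg.sender, msg.value, tokens);
    }

    // Pull refund: each buyer withdraws their own ether if the minimum cap was missed.
    function claimRefund() external {
        require(block.timestamp >= endTime, "sale still open");
        require(weiRaised < minCap, "minimum cap reached");
        uint256 amount = contributed[msg.sender];
        require(amount > 0, "nothing to refund");
        // Zero the balances before sending ether so a re-entrant call finds nothing.
        contributed[msg.sender] = 0;
        tokensOwed[msg.sender] = 0;
        emit Refund(msg.sender, amount);
        (bool sent, ) = payable(msg.sender).call{value: amount}("");
        require(sent, "refund transfer failed");
    }

    // Funds leave the vault only after the sale is over and the minimum cap was met.
    function withdraw() external onlyOwner {
        require(block.timestamp >= endTime || weiRaised == maxCap, "sale still open");
        require(weiRaised >= minCap, "minimum cap not reached");
        (bool sent, ) = payable(owner).call{value: address(this).balance}("");
        require(sent, "withdraw failed");
    }
}
```

The contract has no `receive` function, so plain ether transfers revert and every contribution passes the whitelist, pause and cap checks in `buy()`.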

Token Questions:

  • What is the name of your token?
    It should be something catchy, but more importantly it should be unique. Due to the increasing number of crowdsales you should check that your token name is not already in use.
  • What is the symbol for your token?
    A token symbol is usually a three-letter symbol derived from the token name itself, e.g. ETH from ether. This is not a rigid rule, though; as with the token name, the important thing is its uniqueness.
  • How many decimal places do you want to track for your tokens?
    The usually preferred value is 18, because ether has 18 decimal units. But it can depend entirely on the price of your token and on which sub-units should be available to trade later.
  • Do you want token transfer and other basic ERC20 functions to be active during a crowdsale?
    Some crowdsale organizers may need to restrict token functionality during a crowdsale, to stop devaluation of the token price through transfers at very low rates on exchanges. To avoid it, these functions can remain inactive until the crowdsale is finished or until some other time/block limit.
  • Do you want to allow only high-level purchases, only low-level purchases, or both?
    • High-level purchase: only the account that sends ether to the contract will be able to buy tokens.
    • Low-level purchase: investors will be able to buy tokens for some other account, sending ether on its behalf.
  • Should your token be ERC20 or ERC223?
    ERC20 is the widely popular standard for tokens, which helps in buying, selling and trading them. ERC223 is built on top of ERC20 and provides the following advantages:

    • Eliminates the problem of lost tokens which happens during the transfer of ERC20 tokens to a contract (when people mistakenly use the instructions for sending tokens to a wallet). ERC223 allows users to send their tokens to either wallet or contract with the same function transfer, thereby eliminating the potential for confusion and lost tokens.
    • Allows developers to handle incoming token transactions, and reject non-supported tokens, which is not possible with ERC20.
    • Helps in energy savings. The transfer of ERC223 tokens to a contract is a one step process rather than two step process (for ERC20), and this means two times less gas and no extra blockchain bloating.
  • Do you want to restrict your tokens among a whitelisted group?
    If restricted to a group, your tokens will be transferable among a whitelisted set of users only, and thus cannot be listed on public exchanges. This could also be used to restrict all ERC20-based functions to a particular group of users, to maintain privacy.
  • What should be the basic features of your token?
    Here are some recommended features you can start with.

    • Upgradable:
      Allows future modifications in your token contracts. Can be useful in case of changing requirements, or for bug fixes.
    • Owner Assigned:
      Owner will be able to mint and assign tokens to accounts even after the crowdsale ends.
    • Pausable:
      Basic ERC20 features like transfer, transferFrom and approve can be paused by owner. It is useful in case of bug fixes.
    • Burnable:
      On the basis of token functionality owners or users can be allowed to burn their tokens using this feature.
  • Any other special functionality of tokens?
    Tokens can be used for many other processes like voting, gambling etc. What else your token does depends on your requirements.
  • What will be the vesting scheme of your tokens?
    Do you want to release all your tokens at once, or do you want to release them gradually, at different block timestamps? For example, you could release 30 percent during your presale and 70 percent during your crowdsale. You can also use this strategy on token holders and release their tokens in a vested manner.


There are many positives in opting for an ICO solution instead of more ‘traditional’ funding methods such as IPOs or VC funding rounds, but take time to consider how it fits into your long-term plans. Will your ICO fail, and if so, can you still accomplish your ideas? No one can tell for sure; what you can do is plan effectively and understand this new venture, instead of making on-the-spot decisions.


Every crypto company is raising millions of dollars by organizing its own ICO and marketing its innovative idea. ICO has become the buzzword of recent times. It is important to note, though, that ICOs deal with huge sums of money: people’s money, your money. This makes it important for ICO organizers to ensure foolproof security, especially after the recent ICO hacks.

This blog aims to help newcomers and ICO organizers find general, web-security and smart-contract-based solutions to the security problem.

Smart Contract Recommendations

Ethereum and the complex blockchain environment are highly volatile. You should therefore expect constant changes in the security landscape, as new bugs and security risks are discovered and new best practices are developed. Following the security practices in this document is just the start of the security work you should do as a smart contract developer.


In case a mishap occurs during the ICO, organizers should be able to pause their crowdsale, deal with the attack or bug, and then proceed. Zeppelin-solidity provides a process lifecycle management interface that allows developers to implement an emergency stop mechanism. Solidity developers are advised to use it on the essential functions of their contract code as a damage control mechanism. You can see it here.


Code should be changed if errors are found or if upgrades are needed. Finding a bug, yet having no real way to manage it, can be very bad. Similarly, token contracts should be able to fix bugs discovered during bounties and should be able to add functionality later if necessary. There can be two approaches to this problem:

  • Solidity developers can have a registry contract that points to the current version of the contract. Here developers must take care that all user requests are directed to the current version of the contract only, and must provide a way to handle data from older versions of the contract.
  • Solidity developers can use delegatecall to forward data and calls. This method removes the overheads associated with the previous one, but introduces drawbacks of its own. If the new version of the contract has a different storage layout than the first one, its data may end up corrupted. Additionally, this simple version of the pattern cannot return values from functions, only forward them, which limits its applicability.

Rate limiting

Rate limiting is a strategy which halts or requires approval before substantial changes are made. For instance, a depositor may only be allowed to withdraw a certain amount or percentage of total deposits over a certain time period (e.g., max 100 ether over 1 day) – additional withdrawals in that time period should fail or require some sort of special approval. Or the rate limit could be at the contract level, with only a certain amount of tokens issued by the contract over a certain time period. Here is an example to help developers.

Bug Bounties

Bug bounties are an important part of a crowdsale and should be taken very seriously by ICO organizers. They develop trust among investors and help identify hacks overlooked by the developers of the organizing team. Here’s a Zeppelin Solidity based bug bounty contract.

Security tools

Automated audit tools like Oyente, Mythril and Securify should be used to audit ICO contracts and discover vulnerabilities before they go through a manual audit process. These are static analysis tools with features ranging from bytecode analysis to test case generation. Most of them are still in beta, though, and therefore cannot be completely trusted. Some other tools are also advised: Solidity-Coverage, which provides code coverage for Solidity testing, and Solint, a Solidity linter that helps you enforce consistent conventions and avoid errors in your Solidity smart contracts.

Security Notifications

This is a catalogue of sources that should be followed to know about regular updates in the Ethereum or Solidity environment. The official source of security notifications is the Ethereum Blog, but in many cases, vulnerabilities will be disclosed and discussed earlier in other locations. It’s highly recommended that ICO organizers regularly read all these sources, as the exploits they note may impact your contracts.

Web Security Practices

Blockchain is very hard to hack, but hackers know that its interface to web-based services is not that secure. They find loopholes overlooked by the developer and use them to cause a nuisance. It’s the responsibility of website owners to safeguard their website against nefarious hackers. In addition to regularly backing up their files, taking the following steps will help them keep their website safe:

Content Security Policy (CSP)

Content Security Policy (CSP) can help ICO organizers to specify the domains a browser should consider valid sources of executable scripts when on their webpage, so the browser knows to ignore any malicious script that might infect their visitor’s computer.

Using CSP is simply a matter of adding the proper HTTP header to the ICO web page; the header provides a string of directives that tell the browser which domains are allowed and which are to be banned. Developers can find details on how to craft CSP headers for a website, provided by Mozilla, here.
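As an added illustration (not code from the original post), here is how a Node.js backend could build and send such a header, with a per-response nonce so that only the site's own inline scripts run. The allowlist, the cdn.example.com origin and the function names are assumptions made for this example.

```javascript
const crypto = require('node:crypto');

// Assumed allowlist for a hypothetical crowdsale site: its own origin plus one
// script CDN (cdn.example.com is a placeholder, not taken from the article).
const POLICY = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://cdn.example.com'],
  'style-src': ["'self'"],
  'img-src': ["'self'", 'data:'],
  'connect-src': ["'self'"],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
  'form-action': ["'self'"],
  'frame-ancestors': ["'none'"],
};

// Serialize a directive map into a header value. A fresh nonce, when given,
// is appended to script-src so that only inline scripts carrying it may run.
function buildCsp(policy, nonce) {
  return Object.entries(policy)
    .map(([directive, sources]) => {
      const list = directive === 'script-src' && nonce
        ? [...sources, `'nonce-${nonce}'`]
        : [...sources];
      for (const source of list) {
        // A stray ';' or ',' would start a new directive or policy, and
        // whitespace would smuggle in extra sources. Reject such values.
        if (/[;,\s]/.test(source)) {
          throw new Error(`invalid source in ${directive}: ${JSON.stringify(source)}`);
        }
      }
      return `${directive} ${list.join(' ')}`;
    })
    .join('; ');
}

// Request handler for node:http. Each response gets its own nonce.
function handler(req, res) {
  const nonce = crypto.randomBytes(16).toString('base64');
  res.setHeader('Content-Security-Policy', buildCsp(POLICY, nonce));
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end(
    '<!doctype html><title>Crowdsale</title>\n' +
    // Runs: carries this response's nonce.
    `<script nonce="${nonce}">document.title = 'nonce ok';</script>\n` +
    // Blocked by the browser: inline script without the nonce.
    "<script>document.title = 'should never run';</script>\n"
  );
}

// To try it: require('node:http').createServer(handler).listen(8080)
```

Because the policy contains no 'unsafe-inline', a script injected into the page is refused by the browser even when it is served from the site's own HTML.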

Input Validation and Sanitization

Validation checks if the input meets a set of criteria (such as a string contains no standalone single quotation marks).

Sanitization modifies the input to ensure that it is valid (such as doubling single quotes).

These checks should be handled at the front-end of the ICO website. Developers should combine these two techniques to provide defense in depth for the ICO website. For example, developers might change all single quotation marks in a string to double quotation marks (sanitize) and then check that all the quotation marks were actually changed to double quotation marks (validate). Validation checks include testing for the length, format, range, and allowable characters. For example, if your application expects positive integer input, developers need to validate that any input string consists of the digits 0 through 9 only. Another popular technique which can be used here is the asset integrity check, where the checksum of assets is verified on the frontend.
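The four validation checks named above (length, format, range, allowable characters), applied to a token amount typed into a purchase form, as an added example that is not part of the original post. It is plain JavaScript, so the same function can run in the browser and again on the server that receives the request; the limits and names are assumptions.

```javascript
const DECIMALS = 18;                   // the usual token decimals value
const MAX_INPUT_LENGTH = 40;           // assumed cap on the raw input length
const MIN_UNITS = 1n;                  // assumed minimum: one base unit
const MAX_UNITS = 1000n * 10n ** 18n;  // assumed per-purchase cap: 1000 tokens

// Validate a user-entered amount such as "12.5" and convert it to base units
// (the integer the token contract works with). Returns { ok, units } or
// { ok: false, error } naming the check that failed.
function parseAmount(input) {
  if (typeof input !== 'string') return { ok: false, error: 'type' };

  // Length: bound the work done on attacker-controlled input.
  if (input.length === 0 || input.length > MAX_INPUT_LENGTH) {
    return { ok: false, error: 'length' };
  }

  // Format and allowable characters: ASCII digits with an optional fraction.
  // Number() or parseFloat() would also accept "1e3", " 12", "0x10" or
  // "12abc", and would lose precision beyond 2^53, so neither is used here.
  const m = /^([0-9]+)(?:\.([0-9]+))?$/.exec(input);
  if (!m) return { ok: false, error: 'format' };

  const fraction = m[2] || '';
  if (fraction.length > DECIMALS) return { ok: false, error: 'precision' };

  // Exact integer arithmetic: whole * 10^DECIMALS + right-padded fraction.
  const units =
    BigInt(m[1]) * 10n ** BigInt(DECIMALS) +
    BigInt(fraction.padEnd(DECIMALS, '0'));

  // Range.
  if (units < MIN_UNITS || units > MAX_UNITS) return { ok: false, error: 'range' };

  return { ok: true, units };
}
```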

Handling File Uploads

Uploaded files, however innocent they may look, could contain a script that, when executed on the server, completely opens up a website. If an ICO website has a file upload form, then developers cannot rely solely on the file extension or the MIME type to verify that the file is an image, as these can easily be faked, and a file with the name image.jpg.php has been known to get through. Even opening the file and reading the header, or using functions to check the image size, is not foolproof. Most image formats allow storing a comment section, which could contain PHP code that could be executed by the server.

Some options are to rename the file on upload to ensure the correct file extension, or to change the file permissions, for example, chmod 0666 so it can’t be executed. The recommended solution is to prevent direct access to uploaded files altogether. This way, any files uploaded to the ICO website are stored in a folder outside of the webroot or in the database as a blob.
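A sketch of that recommended approach for a Node.js backend, added here as an example and not taken from the original post: the file is stored outside the webroot under a server-generated name, the client's filename and MIME type are never used, and the file is only handed back through application code. The directory layout, size cap and function names are assumptions.

```javascript
const crypto = require('node:crypto');
const fs = require('node:fs');
const path = require('node:path');

const MAX_BYTES = 2 * 1024 * 1024; // assumed size cap for this form

// Leading bytes of the image types this hypothetical form accepts.
const SIGNATURES = [
  { ext: 'png', type: 'image/png', magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { ext: 'jpg', type: 'image/jpeg', magic: [0xff, 0xd8, 0xff] },
  { ext: 'gif', type: 'image/gif', magic: [0x47, 0x49, 0x46, 0x38] },
];

function sniff(buf) {
  return SIGNATURES.find((s) => s.magic.every((byte, i) => buf[i] === byte)) || null;
}

// Store an upload in uploadDir, which must live outside the webroot.
// Returns an opaque id. The stored name is "<random id>.<sniffed ext>", so a
// client-chosen name like image.jpg.php never reaches the file system.
function storeUpload(buf, uploadDir) {
  if (!Buffer.isBuffer(buf) || buf.length === 0 || buf.length > MAX_BYTES) {
    throw new Error('upload size not allowed');
  }
  const kind = sniff(buf);
  if (!kind) throw new Error('not an accepted image type');

  const id = crypto.randomBytes(16).toString('hex');
  // 'wx' refuses to overwrite an existing file; mode 0o640 sets no execute bit.
  fs.writeFileSync(path.join(uploadDir, `${id}.${kind.ext}`), buf, { flag: 'wx', mode: 0o640 });
  return id;
}

// Hand a stored file back through application code. The id format is checked
// first, so "../" sequences can never become part of the path.
function readUpload(id, uploadDir) {
  if (typeof id !== 'string' || !/^[0-9a-f]{32}$/.test(id)) {
    throw new Error('invalid upload id');
  }
  for (const kind of SIGNATURES) {
    const file = path.join(uploadDir, `${id}.${kind.ext}`);
    if (fs.existsSync(file)) {
      return {
        headers: { 'Content-Type': kind.type, 'X-Content-Type-Options': 'nosniff' },
        body: fs.readFileSync(file),
      };
    }
  }
  throw new Error('upload not found');
}
```

The signature check only filters out obvious non-images. As the text says, a valid image can still carry script text in a comment, which is why the file is never placed where the web server would execute it.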

API Throttling

API throttling should be used to protect an API from being abused. If a single IP is making far more requests than would be expected from an average user, then new requests from that address should be banned. This is to save the ICO website from DDoS attacks: malicious users can make too many requests and bring the ICO’s website down during the crowdsale. In such a case the IP can be banned for a relatively small period of time, to handle accidental situations. If the user repeats these actions, though, blocking periods should be increased exponentially each time the user crosses the limit.

Handle Account Takeovers

Account takeovers or brute force attacks are easy to set up. Developers should make sure their website users are protected against account takeovers. A popular and easy way to handle this is by restricting the number of login attempts for a particular user. Another strategy is to restrict a user to being logged in only from a particular device at a particular time, i.e. disable multiple logins. We can add another layer of security against brute force attacks by using user IP tracking to stop IP abuse. For instance, users trying to log in from varied geographical locations should be blocked. This will also help developers handle DDoS attacks.
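Both the API throttling and the login attempt limit described above come down to the same mechanism, shown here as an added example that is not part of the original post: count events per key in a time window, block the key when the limit is crossed, and double the block period on each repeat. The class, its option names and the numbers in the comments are assumptions; state is kept in memory of one process, which a multi-server deployment would move to a shared store.

```javascript
class Throttle {
  // limit: events allowed per windowMs; baseBlockMs: first block period;
  // maxBlockMs: upper bound on a block; forgiveAfterMs: quiet time after
  // which earlier strikes are forgotten (handles accidental bursts).
  constructor({ limit, windowMs, baseBlockMs, maxBlockMs, forgiveAfterMs }) {
    Object.assign(this, { limit, windowMs, baseBlockMs, maxBlockMs, forgiveAfterMs });
    this.entries = new Map();
  }

  // Record one event for `key` at time `now` (milliseconds).
  // Returns { allowed, retryAfterMs }.
  hit(key, now = Date.now()) {
    let e = this.entries.get(key);
    if (!e) {
      e = { hits: [], strikes: 0, blockedUntil: 0 };
      this.entries.set(key, e);
    }
    if (now < e.blockedUntil) {
      return { allowed: false, retryAfterMs: e.blockedUntil - now };
    }
    // A key that stayed quiet long enough after its last block starts over.
    if (e.strikes > 0 && now - e.blockedUntil >= this.forgiveAfterMs) e.strikes = 0;

    // Sliding window: keep only the events that are still inside it.
    e.hits = e.hits.filter((t) => now - t < this.windowMs);
    e.hits.push(now);
    if (e.hits.length <= this.limit) return { allowed: true, retryAfterMs: 0 };

    // Limit crossed: block for base * 2^strikes, capped at maxBlockMs.
    const blockMs = Math.min(this.baseBlockMs * 2 ** e.strikes, this.maxBlockMs);
    e.strikes += 1;
    e.blockedUntil = now + blockMs;
    e.hits = [];
    return { allowed: false, retryAfterMs: blockMs };
  }

  // Forget a key, e.g. after a successful login.
  reset(key) {
    this.entries.delete(key);
  }

  // Drop keys that have been idle for forgiveAfterMs; call this periodically
  // so the map cannot grow without bound.
  sweep(now = Date.now()) {
    for (const [key, e] of this.entries) {
      const lastHit = e.hits.length ? e.hits[e.hits.length - 1] : 0;
      if (now - Math.max(e.blockedUntil, lastHit) >= this.forgiveAfterMs) {
        this.entries.delete(key);
      }
    }
  }
}

// Typical wiring (values are illustrative):
//   const api = new Throttle({ limit: 100, windowMs: 60e3, baseBlockMs: 60e3,
//                              maxBlockMs: 24 * 3600e3, forgiveAfterMs: 3600e3 });
//   api.hit(clientIp)                      -> on every API request
//   const logins = new Throttle({ limit: 5, ... });
//   logins.hit('login:' + username)        -> on every FAILED login
//   logins.reset('login:' + username)      -> on a successful login
```

When the site sits behind a reverse proxy or CDN, the key must be the client address reported by that proxy, otherwise every visitor shares one counter.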

Library Vulnerabilities

Developers need to pin the library versions of their project and upgrade them only after properly testing the new version. This stops vulnerabilities exposed in library upgrades from affecting the ecosystem of your ICO. There are many popular tools available for testing for these vulnerabilities; among them, Snyk is a popular and widely used option. For ultimate security needs, developers can also fork libraries to a private repo and then use them.


HTTPS is a protocol used to provide security over the Internet. HTTPS guarantees to users that they’re talking to the server they expect, and that nobody else can intercept or change the content they’re seeing in transit.

  • Get your certificate from a reliable CA that offers technical support.
  • Decide the kind of certificate you need:
    • Single certificate for single secure origin (e.g.
    • Multi-domain certificate for multiple well-known secure origins (e.g.,,
    • Wildcard certificate for a secure origin with many dynamic subdomains (e.g.,
  • Redirect your users and search engines to the HTTPS page or resource with server-side 301 HTTP redirects.
  • Do not block your HTTPS pages by robots.txt files.
  • Do not include meta noindex tags in your HTTPS pages.
  • Use Fetch as Google to test that Googlebot can access your pages.
  • We recommend that HTTPS sites support HSTS. HSTS tells the browser to request HTTPS pages automatically, even if the user enters http in the browser location bar. It also tells Google to serve secure URLs in the search results. All this minimizes the risk of serving unsecured content to your users.

Server Monitoring

ICO organizers should prepare for an attack. First of all, they should have a monitoring system in place that will detect security events targeting their application before it’s too late. Knowing when your application is starting to get massively scanned is key to stopping more advanced attacks. They can use Alerta for this. Secondly, they should have something similar to an emergency protocol in place to help themselves through such attacks. Takeovers can also be intended to steal ICO data or to set up your servers to be used as bouncers. These can be detected by watching for unusual patterns in metrics such as network bandwidth, CPU and memory consumption, and disk usage. Developers can use server monitoring tools like New Relic’s server monitoring or Sysdig to achieve this. Use the free tools by Mozilla and SSL Labs to scan your infrastructure regularly and make sure the SSL configurations are correct.

Hack Yourself

Once in a while, the entire technical team should sit together and spend time targeting all parts of the application, looking for vulnerabilities. This is a great time to test for account isolation, token unicity, unauthenticated paths, etc. Developers will rely heavily on their browser’s web console, curl, and third-party tools such as Burp.

Additional Tips

  • Infrastructure logs and application logs are a developer’s most precious allies for investigating a data breach. Make sure your logs are stored somewhere safe and central. Also make sure you whitelist or blacklist specific incoming data to avoid storing personally identifiable information (PII).
  • Developers should run security linters on their code. Static Application Security Testing (SAST) is an easy and fast way to find unsafe patterns in your code. You can enforce SAST security checks with a pre or post commit hook, but be aware of the high number of false positives.
  • Use third-party services to store credit card information to avoid having to manage and protect it. Stripe and Braintree are recommended and commonly used payment gateways.
  • Before committing their code or publishing their package to a repository, developers should ensure no sensitive data will be shipped. Using a pre-commit hook or a prepublish script helps to prevent such leaks. You should particularly look for: Database credentials, API keys or configuration files. Here’s a recommended tool.
  • If using node, developers should avoid using fs, child_process and vm modules with user data. The fs module allows access to the file system. Using it with unsafe data can allow a malicious user to tamper with the content of your server. The child_process module is used to create new processes. Using it can allow a malicious user to run their own commands on your server. The vm module provides APIs for compiling and running code within V8 Virtual Machine contexts. If not used with a sandbox, a malicious user could run arbitrary code within your web application.
  • It is a very common mistake to confuse authorization with authentication and ignore the former one. Developers should ensure proper endpoint authorization for their APIs.
  • Projects using SQL should not use incremental IDs and should prefer UUIDs. Incremental IDs can be used by hackers to guess the IDs of other users and exploit this knowledge in an unfavourable way.
  • Never try to implement your own cryptography, unless you’re an expert. The problem with cryptography is that you don’t know you are wrong until you are hacked. So don’t do your own crypto. Use standards instead. For most crypto related operations, the ‘crypto’ core module can help you.
  • Mocking your server details can be a good practice; for example, if Node.js is used for the ICO website backend, portray that Ruby is used. This deception can make the task of a hacker somewhat more difficult.
  • When using a templating engine, you should know which syntax can introduce XSS vulnerabilities. For instance, Pug (formerly, Jade) escapes all inputs by default unless you use the ‘!’ symbol.
  • If using React, serve static parts of ICO frontend app from a secure location such as AWS S3 bucket.
  • User sessions and cookies can be hijacked by a hacker and misused to gain unauthorised access to ICO applications. Simple things such as an appropriate time to live for a session can have a huge impact against this problem. Here’s a link to help users set up secure sessions.
  • Developers also need to set up a firewall and block all non-essential ports. If possible, set up a DMZ (Demilitarised Zone) that only allows access to ports 80 and 443 from the outside world.
  • If possible, run your database on a different server from your web server. Doing this means only your web server can access the required database, minimising the risk of user data being exposed.

General Considerations

When considering hacks, the first things that come to mind are code breaches, server vulnerabilities, or application flaws. Recent incidents, however, show that most of the time something as trivial as a stolen password or a stolen social media account leads to a huge mess. Here are a few things ICO organizers can do to avoid them:

Facebook virus link


  • Only valid users should be listed as site admins. Give lower permissions and remove everybody who is not needed.
  • Owners should make sure they know about the third-party apps that they add, and that these are not scams.
  • Owners should enable the post approval option, so that posts by any guest are approved before they’re published on their website.
  • Educate users and employees to identify fake links and stay away from them.

Slack is becoming a popular medium for establishing crypto company communities. However, it was primarily developed as a channel to communicate among team members, who in most cases, are trusted people. Misleading messages like these are quite common in the crypto community space:

Phishing attempt on Slack


The link provided won’t direct users to the real MyEtherWallet website but to a website that looks almost exactly the same. ICO organizers can take the following points into consideration to avoid such mishaps:

  • Only allow site admins and owners to communicate on the general channel, especially during ICOs. This is mainly to avoid fake addresses being posted when a website is down due to a DDoS attack.
  • Channels should only be archived by admin users.
  • Slackbot reminders should be removed before they reach users.
  • Two factor authentication should be enabled for company members.
  • Unnecessary third party applications should be removed.

Some companies even consider ditching Slack and moving to different platforms like the messenger app Telegram or gaming platform Discord.

  • Twitter teams should be able to share one account; for this, owners can use the Tweetdeck application. In this case they don’t have to share the password, and it’s much easier to manage if somebody leaves the company.
  • Also enable two factor authentication for all users. It’s one of those things that should be enabled wherever it’s possible.

Additional Tips

  • ICO Organizers should make sure their domain names are secure. Special care must be taken to renew them regularly and if bought from a third party, they should make sure that the authoritative configured name server is their own. Hackers can also use similar domain names to confuse your community members and spread misleading messages. Organizers can use domain name generators to find domains similar to their domain name, then buy the ones which can confuse their customers, especially during their ICOs.
  • ICO Organizers should have a public security policy in place. This is a page on your corporate website describing how you plan to respond to external bug reports. You should state that you support responsible disclosure. Keep in mind that most of the reports that you receive probably won’t be relevant. Here’s an example.
  • ICO Organizers should release their crowdsale address in advance and inform their community about it. They should also use the Ethereum name service to purchase an address that can be easily remembered by their community.
  • ICO Organizers should use a hardware wallet, such as Ledger Nano S or Trezor, to access their ICO smart contract/wallets or store funds. They should lock up the wallet in a safe so that it doesn’t get stolen or lost.
  • Organizers should be honest about their practices and the data they collect. In the case of a breach, people will disclose any data they gather. Your customers need to be aware of what data you’re storing and what practices you use. Moreover, it helps build a relationship of trust with the users.
  • Non tech employees are less used to technical tricks and can be deceived more easily than others, opening the door to ransomware or confidentiality issues. They should be trained and empowered to be distrustful and to preserve the company’s assets.
  • Educate users about possible security measures. Organise periodic workshops to talk about latest observations, different types of hacking (like social engineering).
  • Use password managers, use different passwords for different accounts. This will ensure that even if one account is compromised, the rest of the accounts are safe.
  • ICO Organizers should have a full-time community manager monitoring their ICO Slack & Telegram chats. Check through the member list regularly and proactively ban members with suspicious names (e.g. their company founder name) or throwaway email addresses (e.g. yopmail email accounts).
  • ICO Organizers should organize a bug bounty program, which will allow external hackers to report vulnerabilities. Most bug bounty programs set rewards in place. Security-aware developers should evaluate the reports received during a bug bounty.
  • A secure development lifecycle should be implemented. It is a process that helps tackle security issues at the beginning of a project. While rarely used as is, it provides good insights at all stages of the project, from the specification to the release. It will allow you to enforce good practices at every stage of the project life.


Security is a constant process which has to be taken under consideration with every new implementation, with every new system or every new medium crypto companies plan to use. Don’t forget about it, especially in the case of ICOs because your mistake can lead to someone’s loss of money.

Lastly, we need to ask this question: is it possible to be fully secure? You can’t always be sure, but at least you can do your best and follow common rules of security, just like the basic ones already described.