Introduction to IxO Security

24 Jan 2023 Author: Vladimir Buldyzhov

What are ICO, IEO, IDO, IFO, STO, and IGO, what are the risks, and how to reduce them

Today you will learn what the acronyms ICO, IEO, IDO, IFO, STO, and IGO mean, and what features, similarities and differences they have. We also describe the problems, incidents, threats and information security vulnerabilities associated with these investment tools.

ICO is an initial offering in the world of cryptocurrencies

The mechanism for the initial offer of company assets on the stock exchange appeared long before the advent of cryptocurrencies. Any company, issuing its shares for the first time, conducts an IPO, an initial public offering of its securities for a wide range of small and large investors.

With the advent of cryptocurrencies, the first public offerings in this domain began to be called ICO (Initial Coin Offering) by analogy with IPO. A synonym for ICO is crowdsale.

ICO is the emission (release), by some project, of tokens, which are analogues of corporate shares in the blockchain world. Tokens are also called digital coupons, as they are often used for all kinds of discounts, promotions, purchases of services, etc.

Additionally, tokens are intended to finance the project and receive a part of its profit in the future, and also to pay for the services of this project and other purposes related to this project.

An organization that issues financial assets to receive investments is called an emitter. Big projects like Ethereum, Cardano and Neo started as ICO emitters. It was this type of investment that allowed them to develop to today’s scale.

ICO security

Along with the explosion of interest in cryptocurrencies and ICOs, new information security vulnerabilities have also come to light. Due to the cryptographic security and decentralised nature of blockchain technologies, attacks directly on these technologies are usually more difficult than attacks on traditional IT.

At the same time, due to the immaturity of the blockchain industry, the security of its related technologies and processes is much weaker than, for example, in the banking industry. As we wrote earlier, the growth rate of damage from incidents in the blockchain is more than 5 times higher than the growth rate of damage from incidents in traditional IT.

Some of the most notorious attacks on ICOs were attacks on CoinDash and Bitcoin Gold. In the case of the first, the reason for the loss of about USD 7 million was the lack of web application protection. In the case of Bitcoin Gold, clients lost confidence in the project since the site was down for about 5 hours due to a DDoS attack.

A specific risk associated with tokens is their freezing in smart contracts. All transactions take place on the emitter’s platform, in the investors’ browsers and on the blockchain network. Therefore, security problems and financial losses can occur for both investors and the emitter.

Finally, the ease of issuing tokens leads to high risks of fraud and other violations by emitters: scams, rug pulls, misuse of investor funds, etc.

IEO is an ICO option led by a crypto exchange

IEO (Initial Exchange Offering) is a fundraising event when crypto startups raise money through a centralized trading platform, namely a centralized crypto exchange (CEX). Crypto exchanges are organized like traditional stock exchanges.

With an ICO, a business is trying to generate interest in its project on its website. Unlike ICO, where shareholder contributions are sent to the emitter’s smart contracts, in case of IEO, participants (investors) send their cryptocurrency to the exchange platform. CEX takes a commission from the startup and also keeps a certain share of the tokens that were sold.

In other words, the crypto exchange conducts IEO on behalf of a startup. This helps to increase its credibility in the eyes of investors. After the completion of the IEO, the tokens are placed on the exchange, that is, they are included in its listing. Startups can take advantage of exchanges’ vast customer bases to attract investor interest.

Binance Launchpad was one of the first IEO platforms. Many competing crypto exchanges quickly followed suit and developed their own IEO platforms.

IEO Security

The biggest benefit of an IEO is increased transparency and trust. Since the sale of tokens is carried out by a regulated crypto exchange, the likelihood of fraud is much lower than with an ICO, since reputable platforms conduct their due diligence on the project before offering it to users.

IEOs are considered more reliable than ICOs. Investors interested in the project must go through the Know Your Customer (KYC) and Anti-Money Laundering (AML) procedures before gaining access to the project. At the same time, IEOs can be associated with higher costs for startups in exchange for increased transparency.

On the other hand, the likelihood of IEO fraud and hacking is far from zero. The security of the IEO and its tokens is no higher than the security of the CEX exchange itself, on which this IEO takes place, and on which these tokens are listed, that is, included in the exchange list of assets admitted for trading. In the event of critical vulnerabilities in the server or client software of the exchange, IEO and tokens may also become vulnerable.

For example, in 2020, the KuCoin exchange became the target of a hack. The criminals managed to steal USD 281 million and get the keys to some hot wallets on the exchange. Although KuCoin quickly blocked all transactions on its website, this case was one of the biggest violations in the history of cryptocurrencies.

IDO is fundraising through a decentralized exchange

As blockchain technology evolved, other ways to offer cryptocurrency assets began to emerge.

IDO (Initial DEX Offering) is a fundraising event that helps a project issue its token through a decentralized liquidity exchange (DEX). This technology is part of the more general concept of decentralized finance (DeFi).

Unlike CEX, DEX software (smart contracts) does not run on specific exchange servers, but in a distributed manner on the blockchain network. DEX, unlike CEX, is a full-fledged distributed blockchain exchange that fully implements the ideas of blockchain independence and autonomy.

IDO has some of the properties of ICO and IEO, but the main feature of DEX is that this exchange does not store user funds or control user transactions. The users transfer funds directly from their crypto wallet to the smart contracts of the platform. Tokens are managed automatically by DEX smart contracts. Sometimes, to make important decisions, exchange administrators organize voting for their participants. DEX, unlike CEX, does not check or verify users.

The first IDO was completed by Raven Protocol in June 2019 on Binance DEX.

IDO Security

Compared to CEX, DEX projects and participants receive higher confidentiality, and protection of funds from confiscation, freezing, regulatory restrictions, etc. However, in general, today the risks of DEX are much higher than in CEX.

Since DEXs operate in a “grey area” under the laws of many countries, these exchanges are used by criminals to launder money. This causes a number of specific risks and restrictions associated with law enforcement, even if you are not a criminal.

Due to the reduced centralized control, the risk of fraud is much higher in the DEX than in the CEX. Just like with non-custodial wallets, those who are prone to forgetting or losing their passwords and keys should beware of DEX exchanges, as they cannot help recover those credentials.

A separate group of DEX risks is due to the relatively immature distributed exchange technologies. Vulnerabilities in DEX software or protocols are very rare and exotic. However, if they are found, then all the funds that pass through the exchange immediately become at risk.

One of the common DEX-related threats is MEV bots. MEV (Maximum Extractable Value) is the maximum profit that a miner can receive by including, excluding, or changing the order of transactions in a blockchain block before it is confirmed. Because of this, miners try to order the transactions in their blocks in such a way as to get the most benefit. Such actions lead to an increase in transaction fees. Special bots that monitor unconfirmed transactions initiate a price-increase operation right before the user's transaction is carried out. By doing this, they collect an “invisible tax” from an unsuspecting user.
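The size of this “invisible tax”, and how a user-set minimum output bounds it, can be worked through numerically. The following is an added example, not code from the article or from any exchange: it assumes a constant-product pool with a 0.3% fee (the article names no pool model), constructed reserves and trade sizes, and the hypothetical names `Pool`, `min_out` and `user_outcome`.

```python
# Added illustration: constant-product pool (x * y = k) with an assumed 0.3% fee.
# Reserves and trade sizes are constructed sample values, not data from the article.

FEE_BPS = 30  # assumed pool fee, in basis points


class SlippageExceeded(Exception):
    """Raised when a swap would return less than the user's minimum."""


class Pool:
    def __init__(self, reserve_eth: int, reserve_token: int):
        self.reserve_eth = reserve_eth
        self.reserve_token = reserve_token

    def quote_buy(self, eth_in: int) -> int:
        """Tokens received for eth_in at the current reserves (integer math)."""
        eth_after_fee = eth_in * (10_000 - FEE_BPS)
        return (eth_after_fee * self.reserve_token) // (
            self.reserve_eth * 10_000 + eth_after_fee)

    def buy(self, eth_in: int, min_tokens_out: int = 0) -> int:
        """Execute a buy; revert (raise) if the output is below the user's bound."""
        out = self.quote_buy(eth_in)
        if out < min_tokens_out:
            raise SlippageExceeded(f"would receive {out} < {min_tokens_out}")
        self.reserve_eth += eth_in
        self.reserve_token -= out
        return out


def min_out(quoted: int, tolerance_bps: int) -> int:
    """Smallest acceptable output for a given slippage tolerance."""
    return quoted * (10_000 - tolerance_bps) // 10_000


def user_outcome(front_eth: int, user_eth: int, tolerance_bps: int) -> dict:
    """Compare the user's fill with and without a buy ordered just before theirs."""
    quoted = Pool(1_000, 2_000_000).quote_buy(user_eth)  # price the user saw
    pool = Pool(1_000, 2_000_000)
    if front_eth:
        pool.buy(front_eth)  # price-moving trade placed ahead of the user
    try:
        received = pool.buy(user_eth, min_out(quoted, tolerance_bps))
    except SlippageExceeded:
        # Transaction reverts: the user keeps their funds instead of overpaying.
        return {"quoted": quoted, "received": 0, "hidden_cost": 0, "reverted": True}
    return {"quoted": quoted, "received": received,
            "hidden_cost": quoted - received, "reverted": False}
```

With a loose 20% tolerance the user silently receives about 17% fewer tokens than quoted; with a 0.5% tolerance the same trade reverts instead of executing at the worse price.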

One of the major attacks by MEV bots was the incident with Twitter. It was reported by an employee of the research firm Flashbots. Back then, the MEV bot earned up to 800 ETH on arbitrage trades, worth about USD 1 million. In the end, the bot itself was hacked on the same day: the hacker found a vulnerability in the code and authorized the transaction, and the bot lost about 1101 ETH.

You can find many interesting cases of other major DEX-related attacks.

In March 2021, PancakeSwap and Cream Finance reported a DNS attack. In the same month, another exploit cost DODO users USD 3.8 million. In November 2021, the MonoX exchange was subjected to a cyberattack that caused losses of about USD 31 million. Major hacks that led to the loss of millions of dollars also affected MakerDAO, Eminence, bZx, Lendf.me, PAID Network, Harvest, and Pickle Finance.

Due to these and other major thefts that have taken place on DEX and DeFi, a large number of users still prefer centralized exchanges.

Thus, the use of DEX and DeFi requires special care and responsibility on the part of each user. In other words, decentralized exchanges are more intended for experienced users and those who are not afraid to take responsibility for the security of their finances.

IFO is the most modern crowdsale model

IFO (Initial Farm Offering) is a fundraising model that helps new DeFi projects raise capital by participating in pre-sale events that are held after the projects have been vetted by decentralized exchange administrators. This technology is often considered an evolution of all the previous ones and is considered one of the most reliable and modern.

As in the case of IEO, when launching an IFO, the exchange acts as an intermediary between the project and investors and performs mandatory audits of the project to filter out scammers.

The most common IFO platform is PancakeSwap. PancakeSwap users are rewarded with tokens and digital currencies, and new project owners benefit from the liquidity pool offered by the platform. Most IFO tokens are managed by the community and are subjected to little or no control by any central authority.

IFO Security

The IFO platform is integrated with high-end security protocols and algorithms, such as escrow protection. In this case, a third party acts as a guarantor and holds the assets or services of the two parties making the transaction. This approach helps to make transactions securely, without the risk that one of the parties acts dishonestly toward the other.

Despite this, IFO security is not perfect. For example, while PancakeSwap has passed security audits from companies such as CertiK and Slowmist, in 2021 scammers stole USD 1.8 million worth of assets from the trading platform’s lottery pool.

STO are security tokens

Above in this article, we mainly talked about utility tokens and payment tokens (i.e. cryptocurrencies). There are also other kinds of tokens in the Web3 world. We mean stablecoins, NFTs, meme tokens, DeFi tokens, exchange tokens, privacy tokens, and security tokens. Let’s take a closer look at the latter.

STO (Security Token Offering) is a special type of public offering in which tokenized digital securities, known as security tokens, are traded on crypto exchanges or even specialized security token exchanges.

Security tokens differ from utility tokens mainly in that they reflect the share of a business, usually offline, issuing public assets. Essentially, security tokens are a cross between traditional, “paper” stocks and utility crypto tokens.

Security tokens operate on the blockchain and are regulated by the government. Therefore, it would be more correct to call them “regulated secured tokens”.

Investments in security tokens focus purely on making a profit by external investors. At the same time, utility tokens in the standard context are intended primarily for service use within their online projects.

Companies issuing security tokens are required to comply with certain regulations and provide reporting. STO technology involves the release of digital assets according to the requirements of securities laws.

STO tokens are aimed at accredited investors. If we take US law as an example, they are subject to a considerable number of requirements. There are many technical details that organizers need to know in order to raise funds for their project, as well as investors, in order to properly participate in STO.

The most famous STO platforms are BnkToTheFuture, StartEngine, SPICE VC, NeuFund ETO.

STO security

Security tokens have little to do with cyber security, as they are purely about investment security.

Security tokens solve the problem of compensation guarantees in case of project failure or fraud by the organizers. They also serve as an insurance tool against possible risks in such an investment strategy as SAFT (Simple Agreement on Future Tokens). This model allows investors to purchase tokens after the launch of the project. It seems to be more secure, but has its investment risks. For example, the money is invested not in the tokens themselves, but in the promise to receive them in the future.

At the same time, security tokens, like any other tokens, can be lost, stolen or even hacked. Since a security token is a programmable tool, it may contain vulnerabilities in its program code. Many people think that it is impossible to change or steal it; however, scammers can gain access to your personal account on the exchange where you store your security tokens.

IGO, or get tokens by playing

IGO (Initial Game Offering) is the latest trend in the world of initial cryptocurrency stock offerings. The only difference from IDO is that IGO involves game projects based on NFT or in-game currency.

Investors invest in such gaming projects and can look forward to significant ROI once the gaming project launches on major cryptocurrency exchanges or gains significant popularity in the gaming community.

With the advent of blockchain games, IGOs are becoming the next big technology in the crypto space. Games like Axie Infinity, CryptoBlades and Alien Worlds are visited by thousands of people every day. Among them, Axie Infinity is currently the leader, with sales of more than USD 1.1 billion.

Because of this hype around initial game offerings, several popular IGO launch pads have emerged. The most popular ones are Gamefi, Enjinstarter, Gamestarter and Seedify.fund.

IGO Security

Since IGO is practically one of the subspecies of IDO that we wrote about above, the security of IGO is based on the security of decentralized exchanges.

To date, the number of cybercrimes and the amount of funds lost by investors in IDO and IGO are greater than in any other area of digital investment. For example, in April 2022, we wrote about a massive USD 625 million Axie Infinity hack.

General Token Security Tips

Every day, security experts, programmers and hackers from all over the world find new vulnerabilities in software. Every day new tokens appear in the world, many of which are fraudulent. Every day, someone makes mistakes: forgets passwords, makes wrong transactions, gets computer viruses, succumbs to phishing, and so on.

To secure your funds, pay attention to our tips on the security of cryptocurrencies and crypto wallets.

To be completely sure about the particular platform or entire technology that you are going to use, you need to conduct a thorough analysis of them.

As with any investment, there are simple practical tips:

1. Use the right subscription links. Scammers can take advantage of the hype, excitement, and fuss to lure you into fake subscription pages. Any cryptocurrency that you transfer through the scam page will be irretrievably lost.

2. Use a launchpad you trust and know. Every launch pad must follow information security rules and regulations such as the GDPR to protect their customers’ data. Also, the launch pad should provide a KYC (Know Your Customer) process to reduce the likelihood of fraud. Examples of popular launch pads are BullStarter, Polkastarter, Red Kite, BSC Pad.

3. Study the project you are investing in. Does it belong to an already well-known and reliable team? Will the project be available for use immediately after launch? Questions like these can help you determine the likelihood of potential scams.

4. Read the terms of participation. You may receive your tokens with a delay, or they may even be locked up for a while. You must thoroughly understand the tokenomics of the project you are participating in.

5. Invest only what you can afford to lose. Under the influence of excitement, you can invest more money than you should. Do not forget that the token industry is still risky. Even with careful investigation, you can still become a victim of fraud, deception, your own mistake, software failure, hack, leak, or other incidents.

To improve the security of your IxO projects, you can contact us for comprehensive penetration testing, smart contract security audits, or other types of information security assessments.

Conclusion

Now that you know what the terms ICO, IDO, STO, IEO, IFO, and IGO mean, and what features they have in operation and security, you can reduce the risks when creating your startup by choosing the right technology or platform, or become an investor or user of young and promising projects.

In addition to the types of tokens and initial offers we have considered, there are also less common types: INO (Initial NFT Offering), LBP (Liquidity Bootstrapping Pool), SHO (Strong Holders Offering) and even ITO (Initial Twitter Offering). If you are interested in learning about these types of tokens, we will cover them in one of our future articles.

If you have any questions about the security of tokens, initial offerings, smart contracts or any other blockchain and Web3 technologies, you can always contact our experts for a free consultation.
