Unsolicited Advice for those Holding Token Sales
This is part of a series where Taylor pulls sweet comments she has made or found over the years in the hopes that they can be useful, searchable, remembered, referenced, and/or aid in the creation of future knowledge base posts. Many are unpolished & contain typos, specific references to previous discussions or the user, and gratuitous cursing.
If you are having a token sale you now have a fiduciary and moral responsibility to your users (who are now your investors).
Building a product is easy...dealing with people is hard. If you are not prepared to support, educate, and set your users up for success, do not have a token sale.
Publish your token sale address ahead of time (at least 24 hours)
Make sure you have secured all platforms - website, social media, everything. There will be very diligent attempts to hack you. Do not take this lightly and do not think you cannot be hacked. A light pentest on your web security would be in everyones best interest. Check hackerone or upwork.
Educate users on the importance of not sending to any random address and properly securing their account. e.g. PRIVATE KEYS ARE PRIVATE! PROTECT THEM!
Educate your users on how to safely participate using a number of clients. Provide tutorials with video and/or images.
Focus on making Ethereum better and contributing to the larger ecoysystem. If you do this, you will go places as most people are too self-centered at this point. If Ethereum is not easy-to-use, secure, and improving, your product and users will fail too.
Around the week of your token sale, make sure you have at least one person monitoring all social media channels 24/7 to gain trust, report scams, and ensure phishing links, fake addresses, and misinformation are quickly called out and removed.
Make sure you provide customer support before, during, and after your token sale. Scammers get away with more if you aren't accessible.
Get an ENS name for your token sale.
Get all contracts verified on etherscan.io beforehand. Teach users how to check if it is verified, and how to check comments on etherscan.io, and how to tell if they are sending to a normal account or contract (sending to a normal account would indicate a scam)
Encourage users to get a hardware wallet or run MEW offline or run a full node.
Get your token on MEW & provide custom message when users enter your address: https://kb.myetherwallet.com/tokens/token-creators-add-your-token-to-myetherwallet.html
You are free to use, modify, or shamelessely steal any information in our knowledge base. A shoutout is nice, but not required. Take advantage of this. https://kb.myetherwallet.com/
From a random reddit comment:
Token sale holders, take note:
YOUR SITE WILL NOT HOLD UP TO A FOMO F5 ATTACK BY YOUR "INVESTORS"
There is no excuse not to release the address for the token sale beforehand. If someone sends too early, that's their fault and they lose ~0.20 cents in gas. Instead you chose: release at start of sale with shitty infrastructure & let your users send ETH to a scammer? ?
It is your fault for ignoring all previous experiences from token sales and laying the same trap. It is not your fault that they sent. It is your fault for not setting your investors up for success.
This has been a thing since the DAO, 365+ days ago. Sure, the user should have known better. But you have the ability to prevent it and keep scammers from stealing! I guess when you are about to get millions of dollars, regardless of the number of scammers, it doesn't actually matter?
At the very least take the time to set up something on AWS or use a free public service that can handle traffic like Medium, Reddit, Twitter, Facebook. You should be able to sustain 1000+ requests/second. Peak times for ICOs are ~30 minutes before hand and skyrocket quickly.
Investors take note:
You are encouraging this sort of laziness and greed by buying into token sales with lazy teams who refuse to take the time and effort necessary to protect you. You should demand more from a team about to take $10M+ in 10 minutes. You have the power. You don't have to give them money unless they do what you want, when you want it. Utilize that power.
Ask hard questions BEFORE the token sale. Ask on reddit. And twitter. And slack. And every blog and forum that they post in. Demand answers BEFORE the token sale. Upvote and encourage others doing the same. Once you give them $10M+, your questions will go unanswered. Why? Because why should they answer you once you have already given them all the money? You put the reward before the work and now expect something from them? Good freaking luck.
Report Scams / Phishes: https://etherscamdb.info/
Encourage people to install https://chrome.google.com/webstore/detail/etheraddresslookup/pdknmigbbbhmllnmgdfalmedcmcefdfn or MetaMask (uses above to block malicious sites)
Encourage people to be secure: https://kb.myetherwallet.com/getting-started/protecting-yourself-and-your-funds.html
Look over how 0x did things to prevent scams. Philippe is like the best ever, touch base with him for the code for Slack if you need it (blacklists and auto-deletes malicious messages). https://blog.0xproject.com/a-note-on-scams-and-phishing-attempts-e2d72577a470
MetaCert also provides similar functionality. Paul (Founder) is on Twitter and loves helping ICO's protect their investors. Get in touch with him.
Starter template on what to tell people who get phished: https://kb.myetherwallet.com/security/phish-hacks-thefts-and-stolen-funds-due-to-phishing.html
Suggestions in this discussion to move to other platforms with better anti-spam tools https://github.com/aragon/governance/issues/7.
Install and encourage others to install @Harry's EAL extension which blocks known bad addresses and sites: https://chrome.google.com/webstore/detail/etheraddresslookup/pdknmigbbbhmllnmgdfalmedcmcefdfn
Read Harry's blog on EAL: https://steemit.com/ethereum/@sniko/my-attempt-to-prevent-private-key-phishing
Status.im built a slack bot that auto-adds everyone to a Scam alert channel so when scammers come in they can be reported and everyone can be alerted. I think it is this https://github.com/status-im/gone-phishing
Phillippe / 0x: https://www.youtube.com/watch?v=pFKFSlfdWeM
Harry / 409H: https://safeslack.harrydenley.com/
Paul / Metacert: https://metacert.com/
Insights from Hudson regarding the Slack issues:
Here is an overview of what has been done and what is currently underway:
Slack has not been very receptive to our requests for better anti-spam solutions because Slack is designed for groups of people/businesses where everyone knows each other. They don't build anti-spam tools because they did not anticipate their platform would be used in this way.
Swarm City added a short form in lieu of the Slack Invite, with 2 questions. 1. A way to contact them. 2. Someone in our community who can vouch for them. We’ve had no issues since. http://slackinvite.swarm.city/