Cryptographic vulnerabilities in IOTA

Last month, Ethan Heilman, Tadge Dryja, Madars Virza, and I took a look at IOTA, currently the 8th largest cryptocurrency with a $1.9B market cap. In its repositories on GitHub, we found a serious vulnerability — the IOTA developers had written their own hash function, Curl, and it produced collisions (when different inputs hash to the same output). Once we developed our attack, we could find collisions using commodity hardware within just a few minutes, and forge signatures on IOTA payments. We informed the IOTA developers, they patched their system, and we wrote a vulnerability report. The current version of IOTA does not have the vulnerabilities we found, but there’s more to be said about how this happened and what’s going on with cryptocurrencies right now.

2017, leaving your crypto algorithm vulnerable to differential cryptanalysis is a rookie mistake. It says that no one of any calibre analyzed their system, and that the odds that their fix makes the system secure is low
— Bruce Schneier

Who’s responsible for vetting cryptocurrency technology?

The cryptocurrency space is heating up — Protocol Labs raised $200M for Filecoin, Bancor raised $150M, and Tezos raised $232M. Some are heralding this as a new funding model: a new way of monetizing distributed networks and applications. I’m enthusiastic about the underlying technology, but urge serious caution around ICOs. The SEC has already issued warnings, suspended traditional trading on companies doing token sales, and caused one company to revert its ICO.

Written by: Neha Narula

Read more: https://medium.com/@neha/cryptographic-vulnerabilities-in-iota-9a6a9ddc4367