The IOTA price fell 15% following the revelation that the MIT Media Lab's Digital Currency Initiative (DCI) had discovered "cryptographic vulnerabilities" in IOTA's hashing function. Although the IOTA developers dispute some aspects of the report and have already issued a patch to address the findings,…
The IOTA price fell 15% following the revelation that the MIT Media Lab’s Digital Currency Initiative (DCI) had discovered “cryptographic vulnerabilities” in IOTA’s hashing function. Although the IOTA developers dispute some aspects of the report and have already issued a patch to address the findings, the DCI post garnered a lot of attention on social media.
DCI Director Neha Narula explained the findings in a Medium post. She says the DCI reviewed the IOTA source code in July and were concerned when they found that IOTA developers had invented their own hash function, which security researchers caution against. Peter Todd used harsher language, calling it “completely insane.”
According to Narula, a bad actor could have exploited the vulnerability to destroy or steal user funds.
We found that IOTA’s custom hash function Curl is vulnerable to a well-known technique for breaking hash functions called differential cryptanalysis, which we then used to generate practical collisions. We used our technique to produce two payments in IOTA (they call them “bundles”) which are different, but hash to the same value, and thus have the same signature. Using our techniques, a bad actor could have destroyed users’ funds, or possibly, stolen user funds.
For those who would like a more-detailed technical explanation of the vulnerability, the DCI posted one here.
The DCI brought their findings to IOTA long before revealing them to the public, and developers issued a patch to address the issue last month. The DCI report quickly spread through social media, so IOTA Founder David Sønstebø wrote a response disputing some aspects of the findings:
The attacks presented in Narula et al.’s paper, while being valid academic criticisms of the latest public version of the Curl hash function, do not represent valid attacks on the IOTA cryptocurrency.
In his post, he presents a more-detailed explanation of why he does not consider the attacks to be valid.
In the hours following the DCI post, the IOTA price took a steep downward turn. Over the past 24 hours, it has fallen from $0.740 to $0.632–a decline of 15%.
It is unclear how much of the decline should be attributed to the questions the DCI raised about IOTA’s code review process because it is likely that some investors only looked at the headline and thought that IOTA had active cryptographic vulnerabilities.
In any case, today’s movement reversed much of the recovery IOTA had experienced following the sell-off earlier in the week. IOTA now has a market cap of about $1.75 billion, ranking it 9th on the charts.
Featured image from Shutterstock.