MIT Media Lab researchers Neha Narula, Thaddeus Dryja, Madars Virza and Boston University researcher Ethan Heilman discovered a cryptographic vulnerability in the code of the ninth largest cryptocurrency by market share, IOTA.
IOTA’s Code Vulnerability
According to a blog post by Neha Narula, Director of the Digital Currency Initiative at the MIT Media Lab, the researchers analyzed the repositories of the IOTA Ledger on GitHub and discovered a serious vulnerability in the project’s cryptographic hash function, called Curl.
IOTA’s proprietary hash function, Curl, produced collisions: different inputs that hash to the same output. The researchers developed an attack that could find collisions on commodity hardware within minutes, which allowed them to forge signatures on IOTA payments; malicious actors exploiting the same flaw could potentially have stolen funds from IOTA users.
A desirable property of cryptographic hash functions is collision resistance: not that collisions cannot exist at all, but that finding one would take a practically impossible amount of time.
Because the MIT/Boston University researchers are not black hat hackers looking to profit or cause damage, they responsibly informed the IOTA development team of the vulnerability back in August. The findings were made public around a month later, on September 7, 2017, and the researchers “recommended that they replace the Curl hash function with a recognized and publicly vetted hash function” to reduce the risk of another vulnerability appearing.
“This report is the product of a responsible disclosure process. Over a month before publishing this report we disclosed these vulnerabilities to the IOTA developers. In response, the IOTA developers have updated IOTA to no longer use the Curl hash function to hash transactions as part of the IOTA signing process. Curl is still used for other purposes in IOTA,” Narula wrote in the IOTA vulnerability report on GitHub.
On August 8, IOTA developers replaced Curl with a new cryptographic hash function, KECCAK-384 (which they call “Kerl”), that fixes the vulnerability in IOTA’s code and prevents such attacks from happening.
Here is the example the researchers sent to the IOTA team of a transaction that would exploit the Curl hash function vulnerability: Alice signs a payment that pays Eve 100 IOTA, and Eve can then reuse the signature on this payment to authorize and process a payment in which Eve receives 129,140,263 IOTA from Alice’s funds.
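To illustrate the collision-resistance property described above and the Alice/Eve example, here is an added Python example; it is not code from the article, the researchers, or the IOTA project. A toy 16-bit hash stands in for a collision-prone function and hashlib’s SHA3-384 for the Keccak-384-based replacement; the HMAC-over-digest “signature”, the signing key and the transaction encoding are hypothetical, constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed signing key; the HMAC-over-digest "signature" below is a
# hypothetical stand-in for a real signature scheme.
ALICE_KEY = b"alice-signing-key"

def weak_hash(msg: bytes) -> bytes:
    """Stand-in for a collision-prone hash: only 16 bits of output survive,
    so two different transactions with the same digest are easy to find."""
    return hashlib.sha256(msg).digest()[:2]

def strong_hash(msg: bytes) -> bytes:
    """Stand-in for the Keccak-384-based replacement (hashlib's SHA3-384)."""
    return hashlib.sha3_384(msg).digest()

def payment(amount: int) -> bytes:
    """Constructed transaction encoding; this is what the signer sees."""
    return b"from=Alice;to=Eve;amount=%d" % amount

def sign(msg: bytes, h) -> bytes:
    # The signature covers the digest, not the message itself: any message
    # that collides under h inherits the signature.
    return hmac.new(ALICE_KEY, h(msg), "sha256").digest()

def verify(msg: bytes, sig: bytes, h) -> bool:
    return hmac.compare_digest(sign(msg, h), sig)

def find_colliding_payments(h, limit: int):
    """Return two amounts whose payments share a digest under h, or None
    if no such pair exists among the first `limit` amounts."""
    seen = {}
    for amount in range(1, limit + 1):
        digest = h(payment(amount))
        if digest in seen:
            return seen[digest], amount
        seen[digest] = amount
    return None

def signature_transfers(h, limit: int = 20000) -> bool:
    """True if a signature over one payment also verifies over a different
    payment: exactly what collision resistance is meant to prevent."""
    pair = find_colliding_payments(h, limit)
    if pair is None:
        return False
    small, large = pair
    return verify(payment(large), sign(payment(small), h), h)
```

With the weak hash, a signature Alice made over the smaller payment verifies unchanged over the larger one; with the 384-bit replacement, no colliding pair turns up and the signature stays bound to the payment Alice actually signed.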
An event sprang up on Meetup on September 13 which promised a live demonstration of breaking IOTA’s hash function, but some of the comments reveal disappointment with the actual demonstration.
IOTA Response to the Discovery
In response to Narula’s announcement of the faulty code on her blog and in a vulnerability report on GitHub, IOTA’s team published a statement the same day to clarify its stance on the discovery.
While the IOTA team welcomed the fact that the MIT/Boston University researchers informed them of the vulnerability in the Curl hash function, it argued that the example of how the code could be exploited to steal funds “[does] not represent valid attacks on the IOTA cryptocurrency” and is valid only as academic criticism.
“Firstly, none of the existing IOTA wallets offer this functionality of signing foreign bundles — Alice would, therefore, have to be a proficient programmer to manually sign a bundle using existing libraries and naive enough to sign a bundle she did not create.”
“Secondly, for Eve to be able to generate such a bundle in the first place, Eve would have to know which addresses belong to Alice. Eve can not calculate addresses belonging to Alice from knowing just one of Alice’s addresses, so this attack would require prior seed compromise by Eve (making the entire attack moot) or Alice leaking her address to Eve in the first place.”
“Thirdly, only one of each of Eve’s bundles can exist on an IOTA node at any given time. Without Eve having better network propagation than Alice or executing a successful eclipse attack against Alice, Eve would not be successful in being able to see her malicious bundle confirmed before Alice’s bundle is confirmed. However, the mesh network characteristics of the IOTA network make such an eclipse attack very hard to implement,” IOTA’s statement reads.
Sergey Ivancheglo, IOTA co-founder, published a more detailed response on September 10 in which he claims the letters to and from the researchers show there is no vulnerability affecting users. Therefore, the IOTA team believes that such attacks would be very unlikely to occur in real life and, hence, did not pose a real threat to the security of users’ funds.
As for the Curl function itself, the team stated it had subcontracted a team of five experienced cryptographers, as well as three independent cryptographic researchers, to develop the final design of Curl and then begin the long peer-review process, as was originally planned.
The IOTA Project
The IOTA project was launched to develop a transactional IoT settlement layer through the combination of the internet of things with key elements of blockchain technology.
Interestingly, IOTA’s token, which carries the same name and ticker, is the only large digital currency that does not run on a full-scale blockchain to process transactions.
Instead, the IOTA project uses the Tangle, which addresses scalability and transaction-fee issues by requiring each sender of funds to verify transactions at the same time. This, in turn, gives the IOTA ledger a very high degree of decentralization and allows zero-fee transactions, as no network participants need to be remunerated for verifying transactions, as is the case in Proof-of-Work blockchains such as bitcoin, litecoin, or DASH.
The Golden Rule of Cryptography
In her blog post, Narula reminds the community of the golden rule of cryptography: “don’t roll out your own crypto.” She claims that if you ask any researcher in this field, they will tell you to use well-tested and widely-understood cryptographic primitives when developing a new system as it generally takes years to vet a new cryptographic function to ensure its security.
Hence, she believes that the fact that IOTA wrote their own cryptographic hash function should have been a red flag for anyone getting involved in the project.
As the announcement of IOTA’s faulty code was made after it had been fixed by IOTA developers, the price of IOTA’s token was largely unaffected by the revelation. However, it serves as a stern reminder for ICO investors that they may be investing in a token built on vulnerable code, which once again highlights the risks of investing in newly issued digital tokens and assets.