“IOTA is a Bad Actor” Says Ethereum Developer – Trustnodes



Nick Johnson, a developer at the Ethereum Foundation, has stated he finds IOTA – a currency with a current market cap of $1.5 billion – “deeply alarming.”

Johnson says they are reinventing “basic operations such as cryptographic hashing,” violating “rule 1 of cryptography: don’t roll your own crypto.” He calls this a basic and fundamental mistake, and it is what led Neha Narula’s team to find a number of significant vulnerabilities in IOTA’s cryptography.

But Johnson’s biggest concern is that IOTA’s developer claims to have added these vulnerabilities intentionally, as a way to deter others from copying the open-source code: anyone who copied it could then be compromised at will. Johnson says:

It honestly astounds me that anyone would think this justification redeems them; it’s an admission of hostile intent towards the open-source community, akin to publishing a recipe but leaving out a critical step, rendering the resulting dish poisonous to anyone who eats it.

Sergey Ivancheglo, IOTA’s founder, says that he has “been working on techniques of open-source software protection” for more than a decade. He used these techniques in Nxt, he says, a currency that was once much hyped but now has fallen to 78th position.

He says he inserted three flaws in Nxt, “a serious, a critical and a fatal” flaw. Bounties were offered to anyone who found them, and all three were found. He then says:

“Remembering how quickly Nxt protection was disarmed I was keeping in secret the fact of existence of such mechanism in IOTA. I was pretty sure that the protection would last a long time because it was hidden inside the cryptographical part and programming skills would be insufficient to disarm the mechanism. But nothing lasts forever and finally the copy-protection measure was found by Neha Narula’s team.”

Regarding the vulnerabilities that were found, after describing them at quite some length, Narula says of the potential consequences when exploited:

“We used our technique to produce two payments in IOTA (they call them “bundles”) which are different, but hash to the same value, and thus have the same signature. Using our techniques, a bad actor could have destroyed users’ funds, or possibly, stolen user funds.”

It appears, therefore, that Ivancheglo is claiming he intentionally inserted code into IOTA which allows someone to steal users’ funds, and that he did so as “copy protection,” even though it was people’s money that was left unprotected.
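The property Narula describes (two different bundles with the same hash, and therefore the same valid signature) follows directly from any scheme that signs a digest rather than the message. The example below is added here to illustrate that point; it is not IOTA’s code, not the Curl hash, and not the researchers’ collision technique. It uses a Lamport one-time signature (a simpler relative of the Winternitz scheme IOTA uses) over a deliberately broken stand-in digest, SHA-256 truncated to 16 bits, so that a colliding “bundle” can be brute-forced in a fraction of a second. The bundle strings and the nonce template are constructed for the demo.

```python
import hashlib
import os

# Assumption for the demo: a tiny digest so collisions are cheap to find.
# A real hash gives 256 bits; the point is what happens when the hash fails.
DIGEST_BITS = 16


def weak_digest(msg: bytes) -> int:
    """Stand-in for a collision-prone hash: SHA-256 truncated to DIGEST_BITS bits."""
    return int.from_bytes(hashlib.sha256(msg).digest()[:DIGEST_BITS // 8], "big")


def keygen():
    """Lamport one-time keypair: two random secrets per digest bit, public key = their hashes."""
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(DIGEST_BITS)]
    pk = [[hashlib.sha256(s).digest() for s in pair] for pair in sk]
    return sk, pk


def sign(sk, msg: bytes):
    """Reveal, for each bit of the digest, the secret matching that bit value.
    The signature depends only on weak_digest(msg), never on msg itself."""
    d = weak_digest(msg)
    return [sk[i][(d >> i) & 1] for i in range(DIGEST_BITS)]


def verify(pk, msg: bytes, sig) -> bool:
    """Hash each revealed secret and compare to the public key entry selected by the digest bit."""
    d = weak_digest(msg)
    return all(
        hashlib.sha256(sig[i]).digest() == pk[i][(d >> i) & 1]
        for i in range(DIGEST_BITS)
    )


def find_colliding_bundle(target: bytes, template: str) -> bytes:
    """Brute-force a different message (attacker-chosen content) with the same digest.
    With a 16-bit digest this takes ~65k attempts on average."""
    t = weak_digest(target)
    for nonce in range(1 << 24):
        cand = template.format(nonce).encode()
        if cand != target and weak_digest(cand) == t:
            return cand
    raise RuntimeError("no collision found")  # practically unreachable at 16 bits


def demo():
    """Sign an honest bundle, then show the same signature validates a forged one."""
    sk, pk = keygen()
    honest = b"bundle: pay 1 Mi to alice"          # constructed sample payment
    sig = sign(sk, honest)                         # the victim signs only this
    forged = find_colliding_bundle(honest, "bundle: pay 1000 Mi to mallory tag={}")
    return {
        "honest_verifies": verify(pk, honest, sig),
        "forged_verifies": verify(pk, forged, sig),   # True: same digest, same signature
        "messages_differ": honest != forged,
        "forged": forged.decode(),
    }


if __name__ == "__main__":
    print(demo())
```

The signature scheme itself is sound; the forgery works purely because the digest admits collisions, which is exactly why a weakness “hidden inside the cryptographical part” of a hash function can translate into spendable or destroyable funds. Swapping `weak_digest` for the full SHA-256 output (and `DIGEST_BITS` to 256) makes `find_colliding_bundle` infeasible.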

Johnson then says IOTA is not secure because it would be trivial to 51% attack it. Because the proof-of-work difficulty never rises with the network’s total hash rate, an attacker only needs to match the honest nodes’ combined hashing power to outproduce them. Elaborating on the point, Johnson states:

“Each transaction is secured using a proof of work, but this PoW function has a fixed difficulty. Since Iota is designed to run on low-power nodes, the difficulty is quite low, and it would not take much in the way of dedicated resources to outweigh the entire processing power of the Iota tangle.”

Johnson may not be aware of the mechanism that tries to prevent such an attack, because IOTA does not quite mention it in any of its formal documents. Ivancheglo says:

“These days IOTA is still small and this opens it to the following attack: an adversary joins IOTA with his computers which take more than 1/3 of IOTA’s body and then makes the computers fail thus triggering IOTA’s collapse. To counteract this attack we are running a set of computers called Coordinator which issues milestones published on IOTA’s tangle. Computers not belonging to an adversary rely on these milestones to detect faulty computers. In this setup IOTA can survive even if 99% of the computers fail.”

It can survive because the currency is effectively centralised: a single node, the “Coordinator,” decides which transactions are valid and which are not. That is also what allows them to claim they can handle tens of thousands of transactions.

In such a centralised set-up they could most probably handle millions of transactions, since all that would be needed is more servers behind their one coordinating node.


Comments (9)

  1. Hmm. A developer of Ethereum bad-mouthing the competition. I wonder what the motivation could be…
    All these complaints have been addressed 1000 times over the last month in numerous locations and now it has become a pathetic smear campaign.

    1. How have the concerns of it being closed-source been addressed? Why do they still claim to be open-source?

  2. IOTA is a very very bad crypto. Can you believe it? They are very very unfair because there are no miners and fees…
    The article makes so much sense that i think IOTA is covfefe! 😀

    1. It’s extremely fair because the incentive to include valid transactions stems from the fact that nobody will include your transaction if you build on top of fake transactions. There are various “attacks” but they all have solutions, as far as I know (https://www.youtube.com/watch?v=tYbRyVrrUDY)

  3. Author didn’t do diligence

  4. https://satoshiwatch.com/coins/iota/in-depth/cryptographic-vulnerabilities-in-iota-a-biased-hit-piece/

    The IOTA vulnerability is not in the current version of IOTA — nor was it at the time the vulnerability was found. The vulnerability was found in the open-source code, but is not present in the actual production IOTA distributables. The researchers noted this themselves.

    1. They don’t have the spirit of open-source, they have attitudes of a high-school black hat hacker. How do you trust them with 1.5B dollar company? They try to poison everyone who uses the tech, and how do you even consider them to be doing the right thing on their production code?

  5. Was once amazed by IOTA’s claims; who wouldn’t be amazed by a no-fee and self-scaling crypto? But after the fiasco with Microsoft and getting caught red-handed, and then getting the supposedly scalable network clogged, IOTA’s tangle has already lost its glory after being proven wrong.

  6. The innovation behind IOTA is the Tangle. A revolutionary new distributed ledger that is scalable, lightweight and transfers value without any fees. This makes it possible for the first time ever.
