IOTA hack and subsequent hard-fork

IOTA has surely been marketed well. But how good is the technology behind it? MIT digital currency lab decided to find out for themselves.


IOTA boasted of being the first team to solve the problem of a decentralized, graph-based payment system that is parallelizable by design and so cheap to process that you may get away with paying no fees. In reality, though, the top-10 cryptocurrency has a pretty serious vulnerability that allows hackers to steal funds from any wallet using nothing but commodity hardware, and it is centralized with no real roadmap towards decentralization.

MIT digital currency lab has published a review of the IOTA ledger and filed a bug report with IOTA, the company. In this report they demonstrated a vulnerability in the core cryptographic library that allowed them to burn someone's funds, as well as to steal them.


A simple algorithm to determine whether you should write your own crypto

The vulnerability was found in nothing less than the core hashing function used by IOTA. Instead of relying on decades of publicly funded research, like Bitcoin (SHA-256) or Ethereum (KECCAK-256), the IOTA devs decided to roll their own and named it Curl. It turns out that Curl was written by an amateur, and it didn't take long for pros to crack it.

What kind of blockchain is IOTA?

IOTA as it is currently deployed has several uncommon design features and terminology:

  • IOTA is built on the concept of a tangle (known also as a DAGchain or Directed Acyclic Graph Blockchain) where instead of a single chain of blocks, transactions are linked together in a graph. A group of transactions which together specify a transfer is called a bundle; in a bundle, transactions roughly correspond to Bitcoin inputs or outputs. Each transaction must include a small amount of proof of work, and point to two other transactions already in the Tangle. Sounds cool, right?

  • IOTA uses balanced ternary (base 3) instead of binary (base 2). That is, trits and trytes instead of bits and bytes. A tryte consists of three trits. While a cool idea in theory, in practice it doesn't work so well for two reasons: the rest of the world has made tremendous progress in making secure binary systems, and predicate logic in base-3 and higher systems is a mathematical Detroit - an area that showed a lot of potential, and then suddenly died because of humankind's inability to solve a fundamental problem.

It's worth noting that base-3 systems are more efficient in terms of stored information density. If you're interested, let me know in the comments and I'll write a dedicated blog post about the history of base-3 {0, 1, 2} systems, and why we're still using base-2 {0, 1} for all practical applications.

  • IOTA currently relies on a trusted party called a coordinator to approve and checkpoint state. This has led to concerns that IOTA is centralized. The IOTA developers argue that IOTA is not centralized and that this is a temporary measure (sure). However, the source code for the coordinator is not available for public inspection. This essentially means that IOTA is an overcomplicated, inefficient and bug-ridden PayPal that, in addition to being centralized, doesn't insure your monetary transactions against fraud.
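To make the trit/tryte terminology above concrete, here is an added example (not code from IOTA or from the original post) that encodes signed integers as balanced-ternary trits and packs them into IOTA's 27-character tryte alphabet, where '9' is 0, A..M are 1..13 and N..Z are -13..-1:

```python
# Added example: balanced ternary as used by IOTA. A trit is -1, 0 or 1; a tryte is
# three trits (values -13..13) written as one character of the tryte alphabet.
TRYTE_ALPHABET = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def int_to_trits(value, length=None):
    """Encode a signed integer as little-endian balanced-ternary trits."""
    trits = []
    while value != 0:
        r = value % 3            # Python's % is non-negative for a positive divisor
        if r == 2:               # remainder 2 is written as -1 with a carry
            trits.append(-1)
            value = (value + 1) // 3
        else:
            trits.append(r)
            value //= 3
    if length is not None:
        if len(trits) > length:
            raise ValueError("value does not fit in %d trits" % length)
        trits += [0] * (length - len(trits))
    return trits


def trits_to_int(trits):
    return sum(t * 3 ** i for i, t in enumerate(trits))


def trits_to_trytes(trits):
    """Pack trits into trytes, three per character (zero-padded at the end)."""
    trits = list(trits) + [0] * (-len(trits) % 3)
    out = []
    for i in range(0, len(trits), 3):
        v = trits[i] + 3 * trits[i + 1] + 9 * trits[i + 2]   # -13..13
        out.append(TRYTE_ALPHABET[v % 27])                     # negatives wrap to N..Z
    return "".join(out)


def trytes_to_trits(trytes):
    trits = []
    for c in trytes:
        idx = TRYTE_ALPHABET.index(c)          # raises on characters outside the alphabet
        v = idx if idx <= 13 else idx - 27     # N..Z (14..26) map back to -13..-1
        trits += int_to_trits(v, 3)
    return trits


if __name__ == "__main__":
    print(int_to_trits(2), trits_to_trytes(int_to_trits(1000)))
```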

A close inspection of the Curl source code revealed that Curl was vulnerable to a well-known technique for breaking hash functions called differential cryptanalysis. Using this observation, the MIT digital currency group were able to write software that could quickly generate practical collisions for messages of the same length. Since these collisions fully collide the internal state of the hash function, a single collision enables a hacker to generate an unbounded number of additional colliding messages. These collisions are for all rounds of Curl and can be generated in seconds on commodity hardware. Using 80 cores, the MIT group were able to find collisions in a few minutes.

You can follow along with the hack and learn from the best of the best at MIT here.


IOTA has since issued a hard fork (notice how they barely mention the hack, and hide behind marketing fluff), and all exchange activity was halted for three days. If only IOTA focused more on building the right tech and learning what they don't know, instead of making a website that's so unoptimized that it freezes my laptop and building a broken, underperforming, centralized cryptocurrency.

Here at Rados, we wish them all the best in their adventures, and hope everyone can learn from this incident.

Lack of an official seed generator led to more than $4 million stolen by hackers

If you thought that the developers are negligent only when it comes to nerdy computer science algorithms I'm afraid you're wrong.

In January 2018 a new bug was discovered. Users who wanted to store their IOTA in a wallet, per the usual recommendation, were searching for a web wallet to use on their desktop machines. The recommended web wallets were working just fine, until somebody decided to perform cryptanalysis on them too. The hackers discovered that the random number generator on that web wallet was producing numbers that were not that random. They were able to recover just enough information from this web wallet's server to steal about $4 million USD from unsuspecting users.

The reasons for this bug are three-fold:

  1. Lack of official web wallet. This caused the community to figure it out for themselves.
  2. Inability to generate a secure seed on Windows. Official documentation provided guidance only for Linux and OS X.
  3. Lack of official seed-generation code. Every other serious blockchain project provides secure seed generation code. What good is a cryptocurrency if you cannot generate a secure wallet? IOTA decided that writing a blog post about a fake Microsoft partnership was a better use of their time than ensuring their users' funds are secure.

Again, the IOTA crowd will preach that it is not an IOTA bug. Call it what you will; technicalities don't matter to the people who have lost money to a hacking attack. You could argue that IOTA is not just a blockchain but the whole ecosystem, and that includes secure wallets. If only IOTA had spent a bit more time developing their project and included seed generation code (like literally every other blockchain project), then people's money would not have been stolen.
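The seed-generation code the post says was missing is small. The following is an added example (not the IOTA project's code): an 81-tryte seed drawn from the operating system's CSPRNG, a validity check, and a demonstration of why a seeded general-purpose PRNG, the kind of weakness described above, is not acceptable for this job.

```python
# Added example: secure wallet seed generation for IOTA's 81-tryte seed format.
import math
import random
import secrets

TRYTE_ALPHABET = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SEED_LENGTH = 81  # IOTA seeds are 81 trytes


def generate_seed(length=SEED_LENGTH):
    """Draw each tryte from secrets.choice, which reads os.urandom (CSPRNG)."""
    return "".join(secrets.choice(TRYTE_ALPHABET) for _ in range(length))


def is_valid_seed(seed):
    """A seed must be exactly 81 characters, all from the tryte alphabet."""
    return len(seed) == SEED_LENGTH and all(c in TRYTE_ALPHABET for c in seed)


def seed_entropy_bits(length=SEED_LENGTH):
    """Upper bound on seed entropy: 81 * log2(27), about 385 bits."""
    return length * math.log2(len(TRYTE_ALPHABET))


def weak_seed(initial_state):
    """What NOT to do: a Mersenne Twister seeded from a small, guessable value
    (e.g. a timestamp) produces the same 'random' wallet seed every time it is
    given the same input, so an attacker who can guess the input gets the seed."""
    rng = random.Random(initial_state)
    return "".join(rng.choice(TRYTE_ALPHABET) for _ in range(SEED_LENGTH))


def weak_seed_is_reproducible(initial_state=1516000000):
    """Constructed check: two runs from the same low-entropy state agree exactly."""
    return weak_seed(initial_state) == weak_seed(initial_state)


if __name__ == "__main__":
    s = generate_seed()
    print(s, is_valid_seed(s), round(seed_entropy_bits(), 1))
```

Two CSPRNG seeds generated back to back should never coincide; two weak seeds from the same input always do, which is the property to test for when auditing a wallet.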

For a centralized cryptocurrency (don't forget the coordinator) IOTA is surely in some trouble. The most apt comparison would be a clone of PayPal that routinely gets hacked, sometimes doesn't work, doesn't deal with fiat, and isn't being used for anything outside of speculation on crypto exchanges.

Lessons learned

  1. Don't roll your own crypto if you don't know what you are doing.
  2. Lots of PhDs are good for research and for publicity, but you need people with real-world experience to build systems that work in the real world.
  3. If you're working on a blockchain project, it may seem to be more prudent to spend 80% of the money on marketing and maybe 20% on development. However, it will backfire.
