MIT Researchers Found Critical Cryptographic Vulnerabilities in IOTA

According to a report by a group of researchers from the Massachusetts Institute of Technology (MIT) and Boston University (BU), IOTA, the cryptocurrency supporting Internet of Things (IoT) transactions, had “serious weaknesses.”

By Andy Watson

The IOTA price fell 20% after the MIT Media Lab's Digital Currency Initiative (DCI) reported “cryptographic vulnerabilities” in the IOTA hash function. Although IOTA developers are challenging some aspects of the report and have already released a patch in response to the findings, the DCI announcement has attracted a lot of attention on social networks.

“When we looked at their system, we found a serious vulnerability and unstable textbook code,” writes Neha Narula, director of the MIT Digital Currency Initiative and one of the researchers who identified the flaw, in a blog post.

In particular, Narula and three other researchers claim that they were able to break Curl, the internal hash function that IOTA used as part of its digital signature scheme, which ensures that funds can only be spent by their legitimate owners. They then demonstrated how an attacker could forge a digital signature to steal users' money.

DCI brought its results to IOTA long before they were disclosed to the public, and the developers released a patch to solve the problem last month. DCI’s report quickly spread across social networks, so IOTA founder David Sønstebø wrote a response challenging some aspects of the results:

“Attacks presented in the article by Narula and others, being a real academic criticism of the latest public version of the Curl hash function, do not represent real attacks on the IOTA cryptocurrency.”

In his post, he gives a more detailed explanation of why he does not consider the attacks to be valid.

Researchers notified IOTA of their initial findings in late July. In response, IOTA deployed a type of software upgrade known as a hard fork on August 7 to stop using Curl for signatures. During that upgrade, cryptocurrency exchange Bitfinex halted withdrawals and deposits of IOTA for three days.

When reached for comment, Dominik Schiener, cofounder of IOTA, called some of the claims in the vulnerability report “wrong,” and indicated his team would be releasing a formal, more detailed response soon.

“We are currently working on our response to this publication to refute some of the claims, especially related to the practicality of the attack and the loss dangers related to it,” he wrote in an email. (As an update, it looks like IOTA has posted their formal response here.)

Schiener also stated that IOTA has always been up front about the “weaknesses and unknowns” in its protocol. In June, the project published a Transparency Report, where it admitted Curl did not have the vetting of “older” hash functions.

Despite that, it is curious the project took the risky step of creating its own cryptographic primitive.

In the hours following the DCI announcement, the IOTA price dropped sharply. Over the past 24 hours, it fell from 0.632 to 0.517 US dollars, which is 20% less.

It is unclear how much of the drop should be attributed to the issues that DCI raised in its review of the IOTA code, because some investors probably just looked at the headline and believed that IOTA has active cryptographic vulnerabilities.

Today, the capitalization of IOTA is about 1.41 billion US dollars, placing it 10th on the charts.
