Anyone following the IOTA token price this week will have noticed considerable downward movement on the news of a cryptographic vulnerability.
The vulnerability was discovered by a team of researchers from MIT and Boston University. They first became suspicious that the hashing process might be vulnerable when they learned that the IOTA development team had written their own hash function.
This was a red flag for them, as they knew that such functions are incredibly complex and require years of work and development. For example, the SHA-3 hash function took over 9 years to develop through a cryptography competition involving some of the brightest minds in the industry.
They then decided to look into the publicly available code on GitHub and found the vulnerability in the hash function. Specifically, they found that the hashing algorithm was able to produce "collisions".
One would have thought that the 8th largest cryptocurrency by market cap, with numerous sponsors from Microsoft to Cisco and UCL to BNY Mellon, would have known the importance of using only the most established protocols.
What is a Collision?
A hash collision occurs when two different inputs to a hash function produce the same output. This is potentially disastrous for any cryptocurrency, as it opens the possibility that malicious actors can crack the hash function and forge signatures.
The whole purpose of a hash function is that it is a one-way function. In other words, given an output, it should be infeasible to find an input that produces it. Similarly, even a minute change to the input should produce a completely different output.
This is what makes a particular private key or signature unique to you: no one should be able to find another private key that produces the same hash. When there is a collision, this is not the case.
If someone can use another private key that hashes to your public key, they have the potential to forge your signature, and whoever can forge your signature can send your funds fraudulently. Indeed, according to Bruce Schneier:
"In 2017, leaving your crypto algorithm vulnerable to differential cryptanalysis is a rookie mistake."
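To make the collision argument concrete, here is an added Python example (not code from the original article or from IOTA): a hash-then-sign Lamport one-time signature, a hash-based scheme, checked once under SHA-256 and once under a constructed toy hash that collides on any reordering of its input. The function names, the toy hash and the two messages are assumptions of this example, and the toy hash is not IOTA's Curl.

```python
import hashlib
import os

def sha256_digest(msg: bytes) -> bytes:
    """Established hash: 256-bit output, no known collisions."""
    return hashlib.sha256(msg).digest()

def toy_digest(msg: bytes) -> bytes:
    """Constructed 'home-made' hash: byte sum modulo 256. Any reordering of the
    input collides. It stands in for a weak function and is not IOTA's Curl."""
    return bytes([sum(msg) % 256])

def hamming(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def avalanche_bits(msg: bytes, bit: int = 0) -> int:
    """Flip one input bit and count how many of SHA-256's 256 output bits change."""
    flipped = bytearray(msg)
    flipped[bit // 8] ^= 1 << (bit % 8)
    return hamming(sha256_digest(msg), sha256_digest(bytes(flipped)))

def digest_bits(d: bytes) -> list:
    return [(byte >> i) & 1 for byte in d for i in range(8)]

def lamport_keygen(nbits: int):
    """One secret pair per digest bit; the public key hashes each secret."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(nbits)]
    pk = [(sha256_digest(a), sha256_digest(b)) for a, b in sk]
    return sk, pk

def lamport_sign(sk, msg: bytes, h) -> list:
    """Hash-then-sign: reveal one secret for each bit of h(msg)."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(h(msg)))]

def lamport_verify(pk, msg: bytes, sig, h) -> bool:
    bits = digest_bits(h(msg))
    return len(sig) == len(bits) and all(
        sha256_digest(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, bits)))

def signature_transfers(h, nbits: int) -> bool:
    """Does a signature made for one message also verify for a different one?"""
    m1 = b"pay 10 to Alice"
    m2 = b"pay 10 to Alcie"  # constructed: same bytes, different order
    sk, pk = lamport_keygen(nbits)
    sig = lamport_sign(sk, m1, h)
    return lamport_verify(pk, m2, sig, h)
```

Under the toy hash the signature for the first message verifies for the second, which is exactly the forgery the collision enables; under SHA-256 it does not, and flipping a single input bit changes roughly half of the output bits.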
IOTA and Market Reaction
When the researchers alerted IOTA to the collision vulnerability in July, the developers quickly took notice. They issued a patch in August which appeared to remove the vulnerabilities the researchers had found.
Although this addressed the researchers' immediate concerns, they remained quite sceptical about the general security of the IOTA protocol. Not all of the IOTA code is open source, which made it harder for the researchers to vet other parts of the code such as the trusted coordinator.
The researchers also found other red flags, such as IOTA's use of ternary rather than binary. This adds a layer of complexity that prevents IOTA from benefiting from established security protocols.
They also took issue with the size of IOTA transactions. The current 10 kB size is much larger than Bitcoin's 600 bytes, which means it is not well suited to devices with limited storage.
When the researchers disclosed their findings to the market on the 6th of September, the price of IOTA started to dive. As one can see in the price chart below from coinmarketcap, IOTA has been reacting negatively. Market participants were aware that any hack could cause catastrophic failure in the currency, as was seen all too clearly in the reaction of the Ether price when the DAO was hacked back in 2016.
What Do We Take From This?
Although the technology that underpins cryptocurrency and the blockchain is indeed revolutionary, it is quite baffling that a cryptocurrency with a $2bn market cap can have such a vulnerability. Even more alarming is that none of the advisors and partners raised red flags.
As more and more ICOs hit the market, such as Filecoin's $237m raise, there are legitimate concerns that inexperienced developers may fail to follow best practices.
The entire blockchain is built on the notion of trust: trust that the network will be honest to the protocol. Any uncertainty about the security of the network can have adverse side effects. Hence, if any large organisation, venture capital fund or reputable individual is to put their name to a technology, they have to be 100% confident in the underlying technology.