Analysis

IOTA Update: The Tangled Web of Home-Rolled Cryptography

Time for a disclosure: this author is not an application to monitor the behavior of the ICOs post-analysis. Sometimes, by the time of publication, things are already shifting, and updates are necessary. With IOTA, there was a rush to publish because we did not want readers to miss out on the obvious hype bubble. We feel that plenty of such readers were able to extract profit at the top there, but this doesn’t prevent us from checking in on IOTA.

We find that a few days ago, a major security vulnerability was discovered in IOTA, and that trading was suspended at Bitfinex for at least a day. We find two separate blog posts from IOTA on the matter; we’ll call these Exhibit A and Exhibit B.

In Exhibit A, IOTA cursorily alludes to the security vulnerability:

One of the cryptographers we reached out to months ago to review Curl has disclosed that he is worried there might be a potential vulnerability in Curl. We have since had our internal team, as well as other cryptographers review it and asked the disclosing party for more information. While the party that did the responsible disclosure has been quite forthcoming, there are still some of the last details to be discussed more thoroughly with the respective teams in order to reproduce the claims and verify if there was even any vulnerability.

We reached out to the researchers (associated with a security lab at MIT) who discovered the vulnerability. We spoke with Ethan Heilman from Boston’s Commonwealth Crypto, who works with Neha Narula, Tadge Dryja, and Madars Virza, the other researchers. The author first reached out to Narula, but she was traveling for work, deferring to Heilman. Heilman’s first reply to our inquiry was illuminating, and led to more questions, especially as we had just discovered Exhibit B as well. The first piece of IOTA’s response that he addressed was the following passage:

“Don’t roll your own crypto” is a compulsory uttered mantra that serves as a good guiding principle for 99.9% of projects, but there are exceptions to the rule. When spearheading technology for a new paradigm this statement is no longer axiomatic.

To this, Heilman said that if a new cryptographic hashing function is necessary, then there is a process for that and it should have been followed. “I’ve found no record of any such paper for IOTA’s Curl, we had to read the IOTA source code to understand how the algorithm functioned. For instance as part of my work on MD6 I spent two years designing a proof of differential resistance for MD6 which I then published at a peer reviewed conference. The burden of proof rests on the designer of a new cryptographic algorithm,” he wrote.

Heilman also tipped the author off to another primary source, a post on Reddit which quotes the author of IOTA’s Curl function, Sergey Ivancheglo, who goes by the name of Come-from-Beyond, as saying that the vulnerability that Heilman and friends were able to exploit was actually a feature intended to copy-protect the source code of the project.

This is extraordinarily unusual among cryptocurrency projects or open source projects in general. Transparency in the code does not lead to less opacity in the ledger; open source is not only safer in argument, it’s safer in practice. Had this code been previously published, for instance, despite its design intent, the bug could have been caught. According to Heilman, it’s unlikely that this code was looked at by the alleged legion of cryptographers “over the years.”

I look forward to IOTA providing a list of cryptographers who reviewed Curl, until that point I have no way of knowing who IOTA did or didn’t speak with. What I will say is that the vulnerability we found was fairly simple and I believe many people with a cryptanalytic background would have discovered it after visually inspecting the Curl source code. Differential cryptanalysis, which is what we used to break Curl, is the first thing you check when attacking a cryptographic hash function.

Bruce Schneier, globally recognized security pundit, brilliant cryptographer, and one of the core contributors to the Skein hashing function (which has passed peer review and is currently in practice in more than one cryptocurrency) commented on the research saying:

In 2017, leaving your crypto algorithm vulnerable to differential cryptanalysis is a rookie mistake. It says that no one of any calibre analyzed their system, and that the odds that their fix makes the system secure is low.

In Exhibit B, IOTA were a little more forthcoming about what all went down, but still couldn’t help themselves: they had to spin it.

As part of an on-going conversation between the IOTA Team and security researchers from Boston University and MIT DCI, the teams published their report on a vulnerability in Curl today. […] We have since formed stronger partnerships with several large academic institutions around the world, and will continue to do so. As for Curl, the IOTA Foundation has already subcontracted a team of 5 world-class cryptographers, as well as 3 independent ones to come up with a final design of Curl and then start the long peer-reviewed process, as was always the plan. No change.

Most of this sounds good, and positive. This post also works to downplay the seriousness of the steps that were skipped in the process of developing the IOTA alpha. There are several arguments you can make in their defense, but in the end, doesn’t it begin to feel like IOTA were just afraid their grand idea wouldn’t fund in another, less frenetical ICO investor setting?

Regardless, there’s more to it. There is this post which emerges from the IOTA community. In it, we learn that Come-from-Beyond has made a statement on the matter:

IOTA team has already responded to the paper published by Neha Narula.
It was me who created Curl and IOTA signature scheme in those old days when there was no IOTA Foundation.
[…] […] In 2013 I created the first full Proof-of-Stake currency and protected it with my novel techniques against cloning.
Those who knew me as BCNext were sure that I would do the same trick to protect IOTA, some people even approached me asking about that.
Remembering how quickly Nxt protection was disarmed I was keeping in secret the fact of existence of such mechanism in IOTA.
I was pretty sure that the protection would last long time because it was hidden inside cryptographical part and programming skills would be insufficient to disarm the mechanism.
[…]

Sergey Ivancheglo aka Come-from-Beyond

To this, Heilman responded:

Is IOTA saying they backdoored their own cryptocurrency? How does that relate to David Sønstebø’s earlier statements?

It would seem there remains more to the story, but we’re here to talk about the impact on the market.

Updated Disposition

All of these things being noted, we can’t leave IOTA in such high standing by comparison to her peers who are blameless of these sorts of hubris-induced mistakes. For whatever IOTA wants to say in their press releases, they were given a serious pass by the entire industry in getting listed at Bitfinex in the first place. The machinations there, allowing unreviewed cryptographic code on a multi-billion dollar exchange, are interesting. Economic impact was had by their entire investment community, in a negative way: trading was halted for at least one day because of something the firm did. This disposition would be reading differently if things had not turned upward following resumption of trading.

Nonetheless, after trading resumed, the market appeared to be okay with their response and rewarded the token with a moderate rise, even though this author clearly isn’t and established cryptographers are clearly raising warning signs about this project.

Thus, our actual point revision has to be less. It looks like they might get through this, but there are serious issues raised during this episode, some of which the author is keeping under his collar for the moment, which make us wary of the future for IOTA.

Luckily for everyone involved, IOTA have a vault of cash to throw at these problems. It seems they might even know where it should be thrown. As such, we’re deducting 99% of one point from IOTA, since we believe their response and intent was worth about 1% of the market reward that followed it. We still believe this technology has legs, but like with Enigma, at this point, they’re vulnerable to a far more competent team coming along and doing the job independently of them. More to the point, those copy protections aren’t going to slow down a firm if they see the opportunity and the gains that IOTA had just through being the big first-mover on sponge-type cryptocurrency. This leaves their updated rating at a 6.01, still probably plenty to be made in speculating here. 

Important: Never invest (trade with) money you can't afford to comfortably lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here. Trade recommendations and analysis are written by our analysts which might have different opinions. Read my 6 Golden Steps to Financial Freedom here. Best regards, Jonas Borchgrevink.


P. H. Madore has covered the cryptocurrency beat over the course of hundreds of articles for Hacked's sister site, CryptoCoinsNews, as well as some of her competitors. He is a major contributing developer to the Woodcoin project, and has made technical contributions on a number of other cryptocurrency projects. In spare time, he recently began a more personalized, weekly newsletter at http://ico.phm.link





2 Comments

  1. jmcc

    September 10, 2017 at 10:22 pm

    Well-balanced analysis of speculative outlook in this situation. The bitcoin hack in 2010 is a good reminder that all code has bugs. Perhaps most troubling may be the personalities running IOTA, as alluded to.

  2. yillinchen

    September 11, 2017 at 10:27 am

    This is a very balanced analysis. Thank you.
    Too bad it came out a few hours before the full response from Come-from-Beyond came out on the same day; it would be extremely useful to know what the author thinks about it.
    Especially this sensed competition that is perceived between already established blockchain projects, and what it means for the market going forward.


Analysis

5 Things To Watch Next Week


An Italian Budget Deal?

EuroStoxx50 Index CFD, 4-Hour Chart Analysis

Outside the European Union, the ongoing debate regarding the Italian budget might be quite perplexing, especially given the strong reaction by financial markets. While the relatively small budget deficit of the country is really violating the rules of the Eurozone, we have seen much larger deviations from the fiscal rules without meaningful consequences.

That said, the sorry state of the Italian financial system, the stealth capital flight from the country, and the structural imbalances of the ECB’s bond purchasing program validate the scrutiny of the EU. Some analysts say that the Italian banking system is outright insolvent, but in any case, deep structural reforms would be necessary, and the real issue behind the debate is the populist anti-EU rhetoric of the new government. With that in mind, even if the two sides reach a deal on the budget, which could lead to a strong relief rally in Europe, Italy will likely cause further severe headaches down the road.

Trillions in Market Cap Reporting

Nasdaq 100 Futures, 4-Hour Chart Analysis

The US earnings season is entering its crucial phase, with next week being one of the busiest in this quarter. The Nasdaq will be in the focus throughout the week, but the sheer size of the tech giants reporting means that the whole market could experience wild swings.

The three largest companies Microsoft (MSFT), Amazon (AMZN), and Google parent Alphabet (GOOG), alone represent more than $2 trillion in market value, and Intel (INTC), Verizon (VZ), AT&T (T), Visa (V) are also very important for the US and the global economy.

So far, the quarter surpassed expectations, and should the string of earnings beats continue, it could provide stability to the shaky stock markets. Besides the largest firms, we will keep a close eye on anything China-related, to get authentic information on the real state of the country’s economy.

The European Central Bank Behind the Curve, as Usual…

EUR/USD, 4-Hour Chart Analysis

As global economic growth is clearly slowing, and the Italian worries already caused a widening in the yield spreads between the core and the periphery in the Eurozone, the ECB seems to be way behind the curve with its monetary policies.

Although the ECB’s tightening schedule is very gradual, we could still get a hawkish surprise next week, and that could enter the hall of fame among the disastrous decisions by the central bank. The ECB managed to hike rates in the middle of financial crises before (the summers of 2008 and 2011), and although the Euro’s weakness and the Fed’s tightening steps could give the impression that there is room for a hawkish shift, the macro backdrop suggests otherwise. Look for a strong bounce in the Euro and further weakness in equities, should Draghi & Co. confirm our suspicions.

Will the Chinese Bounce Last?

Shanghai Composite Index CFD, 4-Hour Chart Analysis

2018 for Chinese stocks has been nothing short of disastrous, with the key benchmarks entering deep bear markets, fading all rally attempts so far. With the largest credit bubble in history threatening the country’s financial system, and with Chinese growth being more important than ever for the global economy, what happens in the coming months could be crucial for all investors.

On Friday, one of the lowest (official) GDP prints came out from China, while auto sales also dropped for the first time in decades, suggesting that the stock market could be correct in pricing a hard landing. While the verbal and other forms of intervention lifted stocks before the weekend, should another rally attempt fail, the bear market could enter an accelerating, mainstream phase.

US Midterms Drawing Closer

The Chinese problems are likely not caused, but definitely amplified, by the ongoing trade spat with the US, and before the midterm elections in three weeks’ time, it’s unlikely that we will see easing in the conflict. According to polls and prediction markets, the GOP will likely keep the Senate majority. While the Democrats are still expected to take the House, the Republicans and Trump seem to have the momentum.

As stocks usually suffer in times of political uncertainty, risk assets would likely be better off, at least in the short term, if the current trends continue, as a blue House + Senate combination could mean two very stormy years in Washington.

ChartBook

Major Stock Indices

S&P 500 Futures, 4-Hour Chart Analysis

Dow 30 Futures, 4-Hour Chart Analysis

VIX (US Volatility Index), 4-Hour Chart Analysis

DAX 30 Index CFD, 4-Hour Chart Analysis

FTSE 100 Index CFD, 4-Hour Chart Analysis

Nikkei 225 Futures, 4-Hour Chart Analysis

EEM (Emerging Markets ETF), 4-Hour Chart Analysis

Forex

USD/JPY, 4-Hour Chart Analysis

GBP/USD, 4-Hour Chart Analysis

EUR/GBP, 4-Hour Chart Analysis

AUD/USD, 4-Hour Chart Analysis

Commodities

WTI Crude Oil, 4-Hour Chart Analysis

Gold Futures, 4-Hour Chart Analysis

Copper Futures, 4-Hour Chart Analysis


Trader and financial analyst, with 10 years of experience in the field. An expert in technical analysis and risk management, but also an avid practitioner of value investment and passive strategies, with a passion towards anything that is connected to the market.





Altcoins

Monero Price Analysis: XMR/USD Marching Higher amid Large Reduction in Fees

  • Monero community members are sharing their delight with the instant impact of the recent update.
  • XMR/USD bulls will be looking at another retest of the breached Aug-Oct ascending trend line.

Latest Update from Monero Developers Sees Huge Reduction in Fees

The Monero community are sharing their excited observations of the benefits from the Beryllium Bullet update. Earlier this week, the foundation had another hard fork going live. The release, known as Monero 0.13.0 “Beryllium Bullet,” aimed to make the protocol more efficient, facilitating stronger privacy and faster, more cost-effective transactions. It also brings more resistant ASIC miner protection, as previously reported in the last Monero article.

The update has instantly demonstrated its enhanced performance and new features. Monero users have been taking to the social space to express their delight, with the changes being very noticeable.

Members of the Monero community on Reddit were sharing their photos, providing examples of how low the fees for processing transactions are now.

Technical Review – 60-minute Chart

XMR/USD 60-minute chart

XMR/USD can be seen moving within a triangular pattern set up, via the 60-minute chart view. This coming after much stabilization has been seen with the price since the overly aggressive movement on 15th October. That’s when prices spiked higher in line with the rest of the market, before quickly retreating. The price behavior would suggest another breakout is very much imminent as it is currently moving within an extremely narrowing nature. Looking to the upside, resistance can be seen just ahead at $108.50, or the upper part of the pattern. Further ahead, a choppy supply area is seen running from $110-112 region. In terms of support this can be eyed not too far below, $106.50, lower part of the triangle.

Technical Review – Daily Chart

XMR/USD daily chart

Looking via the daily chart, there is room for upside and another retest of the breached ascending trend line. This had originally been supporting the price from 13th August up until early October. XMR/USD bulls could run up the price to $124 territory, before being met with a test of hard sellers. During the big spike on 15th October, the upper wick can be seen having attempted to break back above the mentioned trend line.

If the bulls can maintain their course of upside momentum and break back above the original supporting trend line, a price towards $150 could again be reclaimed.  In terms of support on the daily, this looks firm around $104, a secondary running ascending trend line. Further south, a demand zone is seen sub-$100, running from $86 – $76 region.

Disclaimer: The author owns bitcoin, Ethereum and other cryptocurrencies. He holds investment positions in the coins, but does not engage in short-term or day-trading.


Ken has over 8 years exposure to the financial markets. During a large part of his career, he worked as an analyst, covering a variety of asset classes; forex, fixed income, commodities, equities and cryptocurrencies. Ken has gone on to become a regular contributor across several large news and analysis outlets.





Analysis

Crypto Update: Market Still in Deadlock


The choppy, directionless period in the cryptocurrency segment continues, with no meaningful change in the technical setups of the major coins. While the broader trends are still clearly bearish and sellers remain in control of the market, we saw another minor bullish shift in the past 24 hours, with modest gains across the board.

Most of the top coins are trading in the range of the Monday session, which saw the spike triggered by the turmoil in Tether. Stellar is the apparent positive outlier of the past few days, while Dash, Litecoin, and Ethereum have been the weakest so far this week.

DASH/USD, 4-Hour Chart Analysis

On a positive note, all of the majors remain above last week’s levels, and especially Bitcoin’s continued stability is encouraging for crypto-bulls here, even as our trend model paints a negative picture of the segment.


BTC/USD, 4-Hour Chart Analysis

Bitcoin avoided a test of the $6275 level despite moving below its recent very narrow trading range yesterday, with still no meaningful bearish or bullish momentum present in the coin’s market. BTC continues to trade below the $6500 level, and its volatility is very low, even after the move below the previously dominant broad triangle consolidation pattern.

Further resistance levels are still ahead near $6750 and $7000, while support levels below $6275 are found near $600, $5850 and between $5000 and $5100.

Altcoins Little Changed as Ethereum Still Glued to $200

XRP/USD, 4-Hour Chart Analysis

The weekend has been very quiet for altcoins so far, with even the recently active Ripple settling down near the $0.46 level. XRP is around the midpoint of Monday’s range, but the lack of follow-through after the breakout from the triangle consolidation pattern is a negative sign, and the coin remains on a short-term sell signal in our trend model. Strong resistance is still ahead at $0.51, $0.54, $0.57, while support is found near $0.42, $0.375, and $0.35.

ETH/USD, 4-Hour Chart Analysis

Ethereum continues to hover around the $200 price level, still in bearish short- and long-term patterns, and the relative weakness of the second-largest coin remains a huge concern for the whole segment.

With no evidence of meaningful capital inflows to the market, the outlook is neutral at best, and traders and investors should wait for at least a short-term trend change before entering new positions. Strong support is found near $180, $170, and $160, while resistance is ahead near $235 and $260.

EOS/USD, 4-Hour Chart Analysis

EOS is also among the relatively weaker coins, and the coin has been stuck in a broad trading range around the $5.35 level since August. Volatility in the coin’s market has been progressively declining, but the vicinity of the bear market low suggests that the long-term downtrend is still intact, especially given the segment-wide trends.

A test of the lows is still more likely than a bullish break-out, with strong support found near $4.50 and key resistance ahead near $6 and $6.5.


Disclaimer:  The analyst owns cryptocurrencies. He holds investment positions in the coins, but doesn’t engage in short-term or day-trading, nor does he hold short positions on any of the coins.
