A $5 Billion Cryptocurrency Has Enraged Cryptographers

Leaked emails between IOTA developers and researchers have landed the cryptocurrency in hot water.
Image: Wikimedia Commons, IOTA. Composition by Author

Nerd fights are the the background radiation of the cryptocurrency universe, but occasionally a beef becomes so acrimonious that it bubbles over in public. A recent spat between famous cryptographers and a digital currency called IOTA was one such beef.

For example, security researcher Nicholas Weaver from UC Berkeley wrote that the IOTA team were “drooling idiots” in a tweet on Sunday, and Johns Hopkins cryptography professor Matthew Green tweeted that people should “avoid the IOTA project—with your brains and your money.”


But wait, you may be asking, what is IOTA and why are a bunch of really smart people very mad about it?

IOTA is a cryptocurrency that’s been around since 2014 and is designed for micro-transactions between machines in the Internet of Things. IOTA is the tenth-largest cryptocurrency with a roughly $5 billion market cap. It doesn’t use a standard blockchain like most cryptocurrencies, but instead uses a Directed Acylic Graph (DAG) it calls “the Tangle” among other attempts at innovation. For example, IOTA infamously used an in-house algorithm called Curl instead of the well-studied algorithms that underprin other digital coins.

Read More: A Hacker Returned $17 Million In Stolen Ethereum

Last July, Ethan Heilman, a Boston University researcher affiliated with MIT’s Digital Currency Initiative, informed the IOTA team in an email that he and his colleagues at MIT had discovered “serious cryptographic weaknesses” with the current implementation of Curl in IOTA. (IOTA says it reached out to the DCI team months earlier.) After disclosure, the IOTA team disputed the vulnerabilities’ existence. This is all pretty much in the public domain already; Heilman and his colleagues (including Neha Narula at MIT) published their work in September, and ahead of the vulnerability disclosure in August IOTA changed their algorithm from Curl to the well-documented Keccak algorithm.

Emails between the IOTA team and Heilman and Narula were leaked to the IOTA-focused blog The Tangler over the weekend, and reveal that the initial July email from Heilman resulted in a correspondence that stretched into September between DCI researchers and IOTA developers. It got ugly.


In July, Heilman and the DCI researchers disclosed an alleged vulnerability in Curl that, they said, would effectively let anyone forge IOTA transactions. The IOTA developers wrote back that the researchers had misunderstood Curl, saying, for example, that the possibility of finding cryptographic collisions—the point at which a cryptographic function is generally considered broken—was intentional. According to IOTA cofounder Sergey Ivancheglo, the “practical attack” demonstrated by the DCI researchers only works in a limited number of improbable situations that would affect a negligible number of IOTA users, mostly thanks to a closed-source and centralized solution called the “Coordinator” that helps secure the network. Because the Coordinator is closed-source, Heilman and the MIT researchers couldn’t account for its effect on their attacks. The IOTA team also complained that the flaws identified in Curl by the DCI team were actually “anti-scam copycat mechanisms” in case someone tried to steal IOTA’s code, somehow.

The emails reveal that the teams failed to arrive at a consensus regarding the nature or reality of the vulnerabilities in Curl. Eventually, the conversation degenerated to insults. IOTA co-founder David Sønstebø accused Heilman of “pushing this for his own gain,” asked Narula if she was sober, and wondered “what kind of academic rushes to the press before peer review?” Narula wrote on August 5, “If anyone personally insults a member of my team, we will have to cease communication.”


On August 7, IOTA changed its hash function from Curl to Keccak citing the upcoming DCI publication, and a month later Heilman and the DCI researchers published their work.

“We made it very clear at the beginning of the email chain that if they stopped being professional and civil we would cease communication,” the DCI team wrote Motherboard in an email. “They stopped being professional and civil.”

Now that the conversations that led to the algorithm change have been made public, high-profile cryptographers have urged people to avoid IOTA based on how the team responded to Heilman and the DCI researchers’ attempt at disclosure. One popular cryptocurrency investing Twitter account, “360Trader” tweeted that it would never buy IOTA, adding, “When the cryptographers are telling everybody to leave… well…” On the other hand, cryptocurrency fans have come to IOTA’s defense because the current Keccak algorithm is thought to be safe.

Ivancheglo, for his part, has called the September DCI report “academic fraud” and said on Twitter that Heilman “should be scared” because there were lawyers working on the issue. Ethereum co-founder Charles Hoskinson volunteered to pay Heilman’s legal expenses if he is sued by Ivancheglo. (After this article was published, Sønstebø reached out to Motherboard to clarify that the IOTA Foundation as an entity has not threatened any legal action.)

“This is crypto-FUD 101,” Sønstebø wrote Motherboard in an email, referring to the acronym for “fear, uncertainty, and doubt” commonly used in cryptocurrency circles.


Nerd fights aside, the controversy between IOTA and the DCI team highlights a couple key things about experimental technology of the kind that IOTA employs.

First, experimental approaches often don’t work perfectly right away. The IOTA team wrote in June of 2017 that the technology “is still beta software in continuous production” and is not “production ready.” In the algorithm switch announcement in August, IOTA referred to the current phase of the network as the “training wheel stage,” necessitating extra security measures like the closed-source Coordinator.

Second, startups have to be diligently transparent. As Heilman noted in a July 19 email to the IOTA team, it wasn’t initially clear if cryptographic collisions break IOTA’s security scheme because the technical details behind the IOTA project are not thoroughly described anywhere. In a January post responding to criticisms, the IOTA team wrote, “We take full responsibility for the poor state of current documentation.”

Finally, experimental technology is not always the best choice for mission-critical stuff, like securing tons of money. This is true for IOTA, but also for other digital currencies; In March of 2017 Ethereum Foundation developer Vlad Zamfir tweeted, “Ethereum isn't safe or scalable. It is immature experimental tech. Don't rely on it for mission critical apps unless absolutely necessary!” Of course, there are degrees of experimentation—with IOTA being on the more extreme end—but Zamfir was still right.

Sometimes you just need some prime beef to remind you of the facts.

Get six of our favorite Motherboard stories every day by signing up for our newsletter .

UPDATE: This article was updated with additional information from the IOTA team.