Official IOTA Foundation Response to the Digital Currency Initiative at the MIT Media Lab — Part 3…
The full article was originally published by the IOTA Foundation on Medium. Read the full article here.
2. IOTA Protocol Security and Tangle Reliability
“Whether or not IOTA’s ledger is “tamper-proof,” the entire IOTA network went down in November, and was completely inoperable for about three days. That this has never happened in Bitcoin or Ethereum suggests the extent to which the IOTA network relies on the “coordinator” — a single point of failure — and is not truly decentralized.”
The referenced shut down actually took place in October and was related to an attack on the network which would have resulted in the loss of user funds due to continuous key reuse. At the time of the attack, the IOTA Foundation, in conjunction with the full node operators, swiftly responded by suspending operations. Once the issue was identified and resolved, a snapshot was taken to protect vulnerable addresses, the network full node operators came to a consensus on this snapshot, the Coordinator was turned back on and the network resumed normal operations. IOTA node operators, understanding the importance of the Coordinator’s role in securing the network while it is still young, voluntarily suspended operations during this time.
The purpose of the Coordinator in the infancy stage of the IOTA network has been transparently communicated throughout the history of IOTA. As the team has explained at length, the Coordinator is a temporary measure to help bootstrap the network and protect it during its infancy. Once there are enough full nodes and transactions to secure and sustain the IOTA network, the Coordinator will be permanently removed from the network. The specific reasons for this are complicated; there is a more detailed explanation on page 19 of the white paper:
“… This indicates the need for additional security measures, such as checkpoints, during the early days of a tangle-based system.”
It is important to bear in mind that IOTA is still extremely young compared to Bitcoin and Ethereum. Bitcoin and Ethereum both also needed additional bootstrapping while the networks were still young and vulnerable, and both have also experienced the occasional hiccup along the way. In addition, several of IOTA’s core developers have learned from personal experience that even the blockchain architecture’s overall security, vulnerability to certain sophisticated types of attacks, and long-term stability are not without their own legitimate open questions.
IOTA, like Bitcoin and Ethereum, is the “first of its kind” and we should anticipate that things will not work perfectly from the start. Fortunately, the IOTA Foundation has an excellent team, amazing community support, and is dedicated to resolving any issues that do arise as quickly as possible. It is vital to note that as any fundamentally new technology is adopted by large groups of people, new problems and unforeseen edge cases will invariably cause some hiccups along the way.
A further mistakenly identified flaw was mentioned by the DCI report:
“Also troubling, IOTA developers were able to transfer funds out of users’ IOTA accounts. The user was then required to participate in a “reclaim” process to request their funds. We believe IOTA’s developers should not have access to such funds; it’s rife with risk.”
This is a blatant mischaracterization of the situation. One of the most well-known and well-documented (e.g., here, here, and here) technical challenges with the current implementation of IOTA from a user’s perspective is the private-key reuse issue. In the IOTA GUI Wallet introductory blog post, Dominik specifically alerted users to the fact that IOTA “can be hard to grasp for newcomers, [even] for people coming from other Blockchain projects.” Due to some mathematical and technical details regarding the digital signature design chosen by IOTA for security (appreciating the very real threat posed by quantum computers to industry standard cryptography functions in the not-so-distant future), each address should have at most one outgoing transaction. Subsequent outgoing transactions from the same address make it vulnerable to theft through brute-force attacks.
The IOTA team has taken special care to educate users about these unique problems and how to avoid them. In addition to the many technical guides for using the GUI Wallet (referenced above) and an active community support group with people offering round-the-clock technical advice, the GUI Wallet itself has numerous built-in safety features such as address reuse warnings and address tracking features. Despite all of these precautions, many users were still making the mistake of signing transactions multiple times with the same private key, thereby exposing the key to a brute-force attack. As a result, these addresses became vulnerable to attack and sadly, some users indeed fell victim to hackers.
In September of this year, a significant and growing number of potentially vulnerable addresses were noted, and the IOTA team decided to take action to protect the affected addresses. This decision was not taken lightly, but rather after careful consideration of the situation at hand:
- On the one hand, it was only a matter of time before users’ addresses would be hacked and their funds would also be stolen through brute-force attacks. Sophisticated hackers around the world were undoubtedly aware of their vulnerabilities, actively working to break them, and getting closer every day.
- On the other hand, freezing user funds, even if only to protect them, violates many of the core principles of the DLT community which we also hold dear.
In the end, with the community’s best interests in mind, we decided to take drastic and protective measures to prevent further theft from IOTA token holders. Importantly, these protective measures were only possible with the direct and active support of the IOTA community.
The vast majority of IOTA node operators have a good working relationship with the IOTA Foundation and the community. They respect the Foundation leadership, and they understand the purpose of both the Coordinator, which currently secures the network against attacks in its infancy, and the regularly scheduled snapshots and software updates. Ultimately, in order to implement the preventative measures mentioned above, a special snapshot was scheduled wherein all funds vulnerable to theft were tagged with a key reuse marker. The community was then asked to independently verify this key reuse designation, and once it was verified by the community, the subsequent snapshot moved all the vulnerable balances into a new address controlled by the IOTA Foundation. The IOTA Foundation would keep the funds safe, and the owners would have the ability to reclaim them at a later date once a reclaim process was implemented (to prove ownership and handle it in an organized and efficient manner). This has since been completed (see reclaim instructions here).
This movement of funds was only possible with the full cooperation of the community and the IOTA node operators, and would not be possible for the IOTA Foundation to do unilaterally. We took great care to ensure that this entire process from start to finish was completely transparent and independently verifiable by our community, and indeed our community did independently verify it (see, for example, here, here and here).
This situation has some parallels with the Ethereum DAO hack of 2016. The Ethereum Foundation, in an effort to protect users from losing hacked funds, rewrote history and changed address balances. Undoubtedly, some Ether token holders were surprised to find out that after having provided a service or sold a product and having received payment in what they believed to be an immutable and irreversible Ether token, this was actually not the case. This rewriting of history was extremely controversial for the Ethereum community, and Ethereum Classic was born as a result. For both Ethereum and IOTA, these unfortunate situations were not the fault of the underlying technology behind them, but rather — in both cases — user error. Also in both cases, because these situations happened while the projects were still very young and vulnerable, and consequently were potentially fatal to the entire undertaking, drastic measures were taken. We know how difficult of a situation this must have been for the Ethereum Foundation, because we know how difficult it was for us.
The IOTA team and the wider IOTA community continue to work towards making all IOTA users aware of the address reuse vulnerability, and to educate users about how to safely perform IOTA transactions. We have chosen not to change the digital signature design because while traditional cryptography’s vulnerability to quantum computers is permanent, the address reuse vulnerability can and will be mitigated by a better engineered wallet. New safety features on the current wallet have been since introduced (see below) and the IOTA team is hard at work developing a user-friendly solution to this problem to prevent unintentional misuse from occurring altogether — which is not at all a trivial task.
New wallet feature to prevent key reuse
We appreciate the support from the IOTA community through this unfortunate situation, and hope those users who had their funds moved to an IOTA controlled address understand that we made our decision only after careful consideration and with only the intention of protecting those funds from theft.
In the interest of answering the DCI’s claim comprehensively, we say this: the IOTA Foundation does not have any technical means to access funds apart from the full cooperation of the community and the node operators, and the decision to move funds was taken solely out of care and concern for the community. While we regret that this difficult situation arose, we believe we made the right decision in light of all the facts and circumstances.