IOTA and DCI Email Chain Leaked: Tech & Ego

Blockchain Technology 4 min, 4 sec READ

by Chris Madill

A months-long email conversation between IOTA’s Sergey Ivancheglo and DCI’s Ethan Heilman has been leaked to The Tangler during the weekend. The conversation details a lengthy 124-page exchange regarding a potential vulnerability in IOTA’s Tangle Network.

IOTA has publicly decried the leak, stating in a recent blog post, “Unfortunately, and much to everyone’s surprise, the communications between the IOTA team and DCI that occurred prior to this report were recently leaked, and published on an external blog. We at the IOTA Foundation unequivocally condemn this leak.”

The Issue with IOTA’s Tech

The MIT Digital Currency Initiative (DCI), a Bitcoin Core associated organization, was contracted by the IOTA team to examine their Tangle Network for vulnerabilities in May 2017. On July 15, 2017, DCI team leader Ethan Heilman contacted the IOTA team, revealing, “We have found serious cryptographic weaknesses in the cryptographic hash function curl used by IOTA” and adding, “We are planning on publishing these results within the next two weeks. Let us know what actions you plan to take so that we can coordinate”

IOTA’s Sergey Ivanchelgo responded to the potential vulnerability immediately, thanking Heilman for bringing the potential vulnerability to light, and requesting more information about the logistics of his findings. Ivanchelgo also implies that some of DCI’s findings are based on assumptions about IOTA’s technology, and that he aims to clarify the possible misunderstanding, “I wish you would have contacted me in advanced regarding the other attacks, what you identified as weaknesses is features added intentionally.”

At first, the email chain details the exchange of two industry professionals trying to understand each other’s point of view. IOTA’s Ivanchelgo is receptive to Heilman’s recommendations, and on the 25th of July, Ivanchelgo reveals that IOTA will be updating their hashing function from Curl to Keccak-384, a well-established and reliable alternative to address the issue.

Ego Steps In

It is at this point, the conversation takes a turn. Ivanchelgo’s initial response asks for clarification through a series of questions that go unanswered in DCI’s follow up emails. As Ivanchelgo presses for further clarification, both sides of the conversation become increasingly less interested in genuine peer-review and more focused on the heat of the exchange. IOTA’s David Sønstebø and DCI’s Neha Narula join the conversation.

IOTA appears to be actively trying to expedite a conversation about the potential issue with their tech by inviting DCI representatives to join their Slack channel. DCI is reluctant to do so, questionably citing “Slack fatigue” as a reason to continue to communicate via email. Despite this reluctance to communicate in real-time, DCI is determined to adhere to their findings about IOTA’s vulnerability, and to publish these findings as soon as possible. IOTA continuously outlines reasons to consider otherwise, and requests DCI delay publication until they can issue an update.

On July 28th, 2017 DCI’s Neha Narula agrees to delay the release, stating “Thanks for the updated timeline. Assuming that no one else publishes an attack we are willing to adhere to your timeline and delay publication until August 12.” The IOTA Tangle Network update was rolled out on August 8th.

On September 6th, Narula notifies IOTA, “ETA is that we are ready to publish. Here is a copy of our vulnerability report. We would greatly appreciate it if you could let us know if there are any mistakes.” The report was published one day later, on September 7th, seemingly without a response from IOTA.

After being contacted by a journalist from CoinDesk, David Sønstebø contacts Narula, “We were just reached out to by a CoinDesk journalist that Ethan contacted in an attempt to rush out this publication. This may be the biggest scandal I have ever heard of from what has been portrayed as a professional ‘responsible disclosure’. Ethan is clearly in complete conflict of interest and pushing this for his own gain, this is no longer about academic merits, but a desperate attempt by Ethan to make money. We will use all resources to elucidate this as publicly as possible if Ethan does not effective immediately contact all the people he has been spreading this premature story to and retract all his statements.”

Narula responds by saying, “The responsible disclosure time period is over; you fixed the vulnerability we found and deployed the fix. Our original agreement specified that we were bound until August 12th.”

The DCI -IOTA emails are now published for public review, but their value in terms of public good may be mostly hot air. 

*Additional information has come to light suggesting that Morgen Peck and the Digital Currency Group (which owns Coindesk) are co-conspirotors the the IOTA smear campaign in an attempt to bolster Zcash.