by Aledgerly
3150 days ago
This is a common misunderstanding. IOTA never deployed a vulnerable hash function. They had precautionary measures in place and thus had Curl there to test it out, which worked out brilliantly. Keep in mind that IOTA asked the team to attack Curl, not the other way around. This was planned. Curl is meant to be a lightweight crypto for IoT, a field of very active research. None of this is controversial to anyone that isn't looking for things to latch negativity onto.

This seems to contradict the researcher's own post [1]:
> We discovered a vulnerability in IOTA after reviewing their code on GitHub in July. We disclosed what we found to the IOTA team on July 14th, and have been in contact with them since then as we discovered new issues and exploits.
Finally, even if Curl is meant as a new, lightweight hash function, it was broken by differential cryptanalysis, not some novel, exotic attack vector. Sounds like it needs a lot of work before it's fit for purpose.
[1] https://medium.com/@neha/cryptographic-vulnerabilities-in-io...