University College London Ends Relationship With IOTA Foundation Due To Legal Threats

News | May 22, 2018

University College London (UCL), the third-largest university in England, has dissolved its ties with the IOTA Foundation after IOTA threatened legal action against a researcher at Boston University.

Patrick McCorry, a researcher for UCL’s Initiative for Cryptocurrencies and Contracts, published UCL’s official statement, in which the university emphasized that researchers should not fall victim to lawsuits for disclosing their findings. The statement also suggested that universities and colleges should follow UCL’s example and end their relationships with foundations that threaten researchers with lawsuits.

“UCL Center for Blockchain Technologies is no longer associated with the IOTA Foundation,” UCL said. “In relation to recent news reports, we reaffirm our support for open security research as a prerequisite for understanding the assurances provided by any blockchain technology. It is inappropriate for security researchers to be subject to threats of legal action for disclosing their results.”

In September 2017, Ethan Heilman, a cryptography researcher at Boston University and an affiliate of MIT’s Digital Currency Initiative (DCI), published a report that exposed a vulnerability in IOTA’s hash function, Curl. According to the report, the cryptography used by IOTA leaves the network vulnerable to forged signatures and potentially to stolen funds.

“We have developed practical attacks on IOTA’s cryptographic hash function Curl, allowing us to quickly generate short colliding messages,” the report said. “These collisions work even for messages of the same length. Exploiting these weaknesses in Curl, we break the EU-CMA security of the IOTA signature scheme. Finally we show that in a chosen message setting we can forge signatures of valid spending transactions (called bundles in IOTA). We present and demonstrate a practical attack (achievable in a few minutes) whereby an attacker could forge a signature on an IOTA payment, and potentially use this forged signature to steal funds from another IOTA user.”

IOTA questioned the authenticity of the vulnerability report, citing alleged conflicts of interest within the DCI. In October 2017, IOTA co-founder Sergey Ivancheglo threatened Heilman with legal action.

“In our very case Heilman published a research report containing inconsistencies … As a scientist you know that even a single inconsistency is enough to raise doubts about the validity of the research results,” Ivancheglo said. “Unfortunately, Heilman refuses to cooperate with me on clearing the doubts up so I have to use lawyers’ help.”

The IOTA Foundation, however, distanced itself from Ivancheglo and said that it never threatened any researchers with legal action. The foundation also noted that while Ivancheglo is a co-founder of IOTA, he had no involvement with the foundation.