The public distributed ledger (DLT) IOTA has temporarily halted part of its network to investigate wallet thefts. Transactions that don’t have any financial value are still happening, but the IOTA Foundation switched off the coordinator, which validates token transfers.
IOTA is one of the public distributed ledgers that is fairly popular with enterprise users, especially in the engineering sector. It has partnerships with the likes of Bosch, Jaguar Land Rover and ST Microelectronics. It’s a tangle, not a blockchain, and is much more performant by comparison.
In the early days, there were serious security vulnerabilities that were subsequently rectified. The current issue does not appear to be with the distributed ledger itself.
The IOTA foundation says the situation is currently being investigated. However, it would appear that two engineers may have identified the cause.
The Foundation’s communications imply the problem is with the Trinity wallet.
The IOTA website states: “We are still evaluating multiple possible root causes, including an exploit of a previous Trinity version with all its dependencies.”
“We have been working on the investigation of attacked seeds and analyzed the attack pattern.”
The wallet uses a seed to generate private keys and addresses where tokens are stored on the ledger. If a seed is stolen or revealed, then anyone who gets hold of the seed can take the tokens. This could explain the reference to a previous, likely buggy, version of Trinity.
It seems the team have identified the funds and are trying to block them from being withdrawn at exchanges.
In January 2018, a thief set up a wallet seed generator website. The fraudster kept a log of all the seeds generated and, after waiting several months, stole funds amounting to about €10 million ($10.8 million). The British man was arrested almost 18 months later.
The wallet was the subject of three security audits.
On the one hand, switching off the coordinator node may have protected people financially. On the other hand, in a distributed network it should not be possible to switch off the network. However, there are plans to move away from a centralized coordinator this summer.
But there appears to be another single point of failure – the Trinity wallet which is the Foundation’s official one. If there were several competitive wallets, usage would be more evenly spread, and a bug in one wallet would only impact a subset of users. But currently the wallet appears to be a single point of failure.