Feb 28, 2020 · 13 min read

They say in crypto you haven’t made it until you’ve been “FUDDED”…

While we prefer to stay “above the FUD” at COTI, there are occasions in which FUD must be addressed directly. Some of our community members have brought to our attention a recent “review” of COTI with several misconceptions, misconstructions and general lack of understanding of how our blockchain and distributed tech actually works.

We take any constructive criticism seriously and aspire to learn everyday. Unfortunately, this wasn’t the case with this “review” and probably and the intention of the “reviewer” isn’t to seek truth, but to raise FUD. The claims made in this review are ridiculous at best however as they deal with accusations regarding our network security, how we secure our network and your funds, it’s important they are addressed.

Feel free to use all or parts of this document so spread the truth and stop the FUD.

To begin with, the review was made on an outdated version of our code. The two repositories that the reviewer are referring to are not the latest ones (a simple question to the dev team could have cleared that up). The latest branch is “dev” which includes all of the latest source code and progress.

This is a link to latest code - (branch dev)

We clearly communicated our coding approach and how to read our Github in the following article, however it looks like the author of the “review” missed reading this as part of his “research” —

On COTI, the seed phrase is not generated on the server side, it is not sent anywhere and only used locally together with the private key to encrypt all the messages sent from the wallet to the network. The seed phrase is generated on the client’s side. Each CPS user gets a one time use server side secret key after they are authenticated, and they concatenate their client secret key to the server side secret key to generate a seed phrase locally.

Again, unfortunately the author of this review also didn’t read the below article, released in May of 2019, which clearly states how seed phrases are generated on our network —

As stated above, the seed phrase is not generated on the server side and the way it is generated fully defines it as a random variable. Each address gets a private key that is generated by concatenating the seed phase and addressIndex. It is only then run through the keccak256 hash algorithm in order to get keys with 32 bytes (longer keys means more protection). As such the keccak256 hash algorithm has NOTHING to do with the randomisation of the seed phrase, it simply reduces the already, and correctly generated, seed phrase and addressIndex combo into a 32 byte private key.

Randomisation occurs, as it does on Bitcoin and Ethereum by using elliptic curve algorithm to generate the user private keys. As the user chooses a phrase which is then concatenated and combined with 32 bytes of keccak256 it is generated in a random manner, as shown in the code below -

“In essence, the means $COTI uses to generate wallet addresses in their code is nowhere near safe or standardized…”

All communication with the COTI network is encrypted using the private key of the user and signed using both the private key and the seed phrase, so all messages sent from the wallet are validated and no spoofing or manipulation is possible. In addition, all communication between all parties on the COTI network is secured with SSL.

It is important to note that our way of generating addresses is almost the same as both Bitcoin and Ethereum are using to generate addresses and it is a mean standard.

You can refer to the following to see how Ethereum address and key generation works —

Again, if the reviewer had bothered communicating with the dev team it would have saved them the embarrassment of calling Bitcoin and Ethereum non standard…

As you can see, addresses on the COTI network are generated using the same method as both Bitcoin and Ethererum. Ethereum standard is to use the secp256k1 curve. The same curve is used by Bitcoin. There are three main steps to get from private -> address in Ethereum/Bitcoin/COTI:

  1. Create a random private key (64 (hex) characters / 256 bits / 32 bytes)
  2. Derive the public key from this private key (128 (hex) characters / 512 bits / 64 bytes)
  3. Derive the address from this public key. (40 (hex) characters / 160 bits / 20 bytes)

And the process for generating addresses from public key is also the same:

  1. Start with the public key (128 characters / 64 bytes)
  2. Take the Keccak-256 hash of the public key. You should now have a string that is 64 characters / 32 bytes. (note: SHA3–256 eventually became the standard, but Ethereum uses Keccak)
  3. Take the last 40 characters / 20 bytes of this public key (Keccak-256). Or, in other words, drop the first 24 characters / 12 bytes. These 40 characters / 20 bytes are the address. When prefixed with 0x it becomes 42 characters long.

Is it real life? Or is it just fantasy?

Regarding the above statement, isn’t it the concept of a decentralized network to be public and open meaning all users transaction and chain info are stored transparently? Addresses and transaction data are all publicly queryable on the COTI network, without authentication, by design, in almost the exact same manner as they are on both Bitcoin and Ethereum.

In all public ledger networks anyone can view address balances, transactions and all history data related to it, but that obviously does not mean in any way that they have access to your wallet or can execute operations and transactions on one’s behalf as all operations are protected using the user seed and public/private keys. Again, this is the standard way for all cryptocurrencies projects which offer transparency of the network.

The wallet uses the users seed phrase to login to and locally generates the addresses contained within the wallet. It then asks for information from a decentralized network of full nodes to enquire about the users locally generated addresses and their status. This status includes…

Since requests to nodes on the network are created by combining the server side key (held by nodes, financial servers etc) and the users seed phrase and private key, it is IMPOSSIBLE to carry out a man in the middle attack. As was clarified above, the server side keys are used only to generate the user local key combined with private key (generated locally). Once the seed is generated and stored locally the server side key is not required anymore. In addition, for all validity of addresses balances there are further checks and balances from our DSP nodes (double spend protection nodes) that users CANNOT directly connect to.

The financial rules within this architecture are comparable to the Libra concept, in which the network is built in a sharding structure that consists of trusted nodes (higher trust score nodes) on the network. which allow full nodes operators to join the network and they are easily able verify and sync their data with the network.

The data that the financial node stores is similar to all the network operators and it is important to note that none of the nodes can generate or send transactions or change the transaction bundle as it requires users signature that anyone can verify but no-one other then the user wallet can generate. The financial node is also responsible for collecting network fees (not full node fees) and distributing them between the network

This is a totally safe and standard way of storing and sending information in the crypto world. The wallet itself is anonymous to the full node and no user information is kept on one entity which can reveal or risk the user information.

There are many nodes on the COTI network, Full nodes, DSP nodes, Trust Score nodes, History nodes and Financial nodes. By only looking at the role the Financial node plays in the overall network, this shows a distinct lack of understanding as how the COTI network works as a whole.

Like Bitcoin’s ledger, all the information and data (addresses, transactions, balances) are stored on COTI DAG and it is stored on all the network nodes. Full nodes obviously communicate information via a websocket to COTI wallet that listen to their addresses (using SSL). So to get any address information does not require any authentication as the ledger is public.

For all transaction based operations in the network, a signature of the wallet is required to sign all messages and only the wallet can sign it correctly using the wallets private key, which each network entity checks and validates. Also all communication is sent via SSL.

“We found out that they were hosting their site on Amazon and looked into the DNS records to figure out that more than likely they have their ‘financialserver’ that holds all of their users’ information on this very same server. Any attacker with a remedial amount of knowledge could probably attack the $COTI website and take it hostage.”

Once again, no one entity holds or stores all information. Information is stored across all entities on the network, not only by financial nodes. The financial node is responsible for disputes, processing network fees and rolling reserves. There is no private information on the databases and no manipulation on the network can be done by gaining access to the financial server.

In addition, our Amazon hosting is secured by the highest Amazon secure management tools and our servers are distributed and clustered on their cloud.

Our website and other blockchain infrastructure DO NOT sit on the same server.

Regarding the vulnerabilities that would supposedly allow -

“any attacker with a remedial amount of knowledge could probably attack the $COTI website and take it hostage…From there, they could impersonate the site and take possession of the domain.”

These are the actual CVE’s being referred to -

As you can see, the worst an attacker could possibly do with these, at the very worst, is crash the website. These are not vulnerabilities that would allow an attacker to take over, control or impersonate the website or web server. To say so demonstrates a lack of understanding as to how such exploits work and is disingenuous at best.

Ironically, the author’s old website shares the SAME CVE’s as the ones found on COTI’s website. It also shares the same hosting as the author’s new website (both sit on the IP address of with a reverse DNS result of 216–24–57– Using the author’s logic, this would leave their new site open to exploitation based by being able to access and exploit the old website that resides on the same server…

As an aside, no data on the COTI network is stored as plaintext.

We took the time to both write and READ our whitepaper…

The analogy between COTI and Bitcoin is a false analogy as we’re certainly not trying to be Bitcoin. Instead of a traditional blockchain ledger, we are building a DAG based network that unlike Bitcoin, allows for almost instantaneous, low cost transactions to be sent across our network, designed specifically for the use of enterprise and exposes COTI to a much wider audience and application than just crypto. Many of the challenges and problems in other blockchain protocols such as: scalability and fraudulent behavior are directly related to the “trustless” behavior of the network.

The bespoke Trustchain protocol we have created allows for the creation of a network in which trust is built, not assumed. Positive actions on the network increase an entity’s trust and this benefits the entity by lowering their cost of transaction and increasing the speed of confirmation on the network. This trustscore is used across other aspects of the network too, in time it will allow for greater and cheaper access to other financial products, like low interest loans or working capital for merchants,

While trustlessness works in some regards for crypto payments, in the world of merchants and consumers, where payment is just a small part of the relationship, trustlessness brings up another set of challenges. What happens when a consumer pays a merchant and doesn’t receive their goods, or the goods they receive are damaged? On COTI, each merchant has a “rolling reserve” of COTI coins in their account, which is directly impacted by their trustscore, a higher trustscore = less rolling reserve. If a transaction is disputed on our Network, it is sent to a decentralised arbitration panel where the dispute is resolved and funds are either released or returned, based on the panel’s finding. This is not possible on a network like Bitcoin, where transactions are final and there is no avenue for disputed transactions for consumers and merchants alike.

In this sense, we assign a functional level of trust to all participants on our network that is designed specifically for our use case. It is because of innovations such as these, that COTI is able to walk the line between both crypto and traditional payment solutions and appeal to both worlds, something that is already being demonstrated in our merchant acquisition strategy and the merchant transaction volume now running across our network

We most certainly DO have consensus in our code, in fact this is a core aspect of both our network and protocol, something that is incredibly hard to achieve on a DAG based network and something we’re incredibly proud of.

As with most aspects of COTI that this “review” has touched upon, past our whitepaper, we have a multitude of published resources that highlight what Trustchain and trust scores are and how they work in combination with other aspects of our network to achieve consensus.

A great example of this and how the Trustchain works on COTI can be viewed in the following video —

COTI is registered in Gibraltar and headquartered in Israel.

What’s the news here? This is exactly what we’ve always said. We have sent numerous videos from our Tel-Aviv office and have invited people here to visit us, some of whom have accepted and can be seen in our Telegram group. We even extend an invitation to the “review” author to visit us. We are at Alon tower in Tel-Aviv…Drop by.

We are registered in Gibraltar because COTI group, in an effort to meet the strictest industry standards, chose Gibraltar as it’s place of incorporation given the local Distributed Ledger Technology regulatory framework introduced there in 2018. The address mentioned in the post is the registered office where the company books are held. Doing so serves our prudent corporate governance and responsible standing in front of the relevant stakeholders.
We are headquartered in Israel because of the access to R&D talent. Israel is well known as a startup nation and by making amazing technology based dreams come true.

And we ask again, what’s the issue? There is a huge office building in an address on Gibraltar and some companies completely unrelated to COTI, were put on a list sometime in the past. What does that have to do with COTI anyway? We are not even on this list and we invite you to search the website for COTI and bring us the results. We’re simply not there…

The author also forgot to mention that when you click the link that they posted you are actually forced to read and approve the below disclaimer stating the obvious truth about companies incorporating in a certain jurisdiction and having its headquarters in another jurisdiction (probably most of the tech companies you know).

Regarding Dan Gertler, COTI categorically has no connection to this individual or were aware of his existence before this “review”. The Line Trust Corporation also referenced in the “review” is not the “ownership” entity of COTI, and 5 minutes at the COTI’s ownership registrar would have shown that. “Line” is simply an entity used by the registering entity, Hassans, to establish the corporate paperwork in Gibraltar. We share this registering entity with thousands of other companies, all distinct and distinctly owned by different individuals, almost all of whom have no connection or relation to Dan Gertler.

Hassans is a tier 1 law firm and the Line Group manages over $10b in assets worldwide. We believe that our corporate structure and business conduct are to be among the most responsible in the crypto space.


This “review” was amateur at best. The author obviously doesn’t have access to serious programming talent, like the ones we have in COTI, led by Dr. Nir Haloai — IBM’s former Head of Research and author of 14 patents, and has shown a distinct lack of understanding of how some basic web technology, and some slightly more complicated blockchain technology, works.

If they had — they wouldn’t have wasted everybody’s time with this “review”.

Stay COTI!






Technical whitepaper:


In the decentralized economy of the future, there will be a…


In the decentralized economy of the future, there will be a need for decentralized payment platforms - Our vision is to allow users to exchange value as easily and as freely as it is to exchange information over the internet.