Though at times painful, truth remains the only way forward.
- Team Nuvola
This is our formal statement of dissociation from due to misleading and factually incorrect statements regarding their product and service offerings.
Findings and Proof
Over the course of our partnership with iagon, we’ve identified critical flaws in iagon’s storage services; issues that independent third party audit reports and Catalyst F13 milestone submissions have since confirmed, though not fully disclosed publicly by the iagon team. According to iagon’s Catalyst 13 funding deliverables, iagon’s network design is dangerously flawed, not fully encrypted, highly centralized, and poses significant risks to both security and scalability.
Audit Links:
Catalyst F13: milestones.projectcatalyst.io/projects/13001
Closeout report: drive.google.com/file/d/1GONW6t
Final Audit Summary: drive.google.com/file/d/1i9tOGG
Closeout Video: youtube.com/watch?v=g0BXMO
Modus Architecture Audit (shortened & redacted): drive.google.com/file/d/1c8jG7m
Secureworks Security Audit (shortened and redacted): drive.google.com/file/d/1OT58d7
Remediation Plan: drive.google.com/file/d/1JdsyQI
Internal Report: drive.google.com/file/d/1iraAIW
Factual Findings:
Although the audit reports themselves are heavily redacted, they still reveal extremely concerning findings that have been acknowledged by iagon in the Final Audit Summary.
Below we highlight a few of the 25+ medium to critical audit findings from the “shortened and redacted” reports & summaries:
Security & Privacy:
Any and all files uploaded to the iagon storage network are uploaded to a centralized server, unencrypted and unprotected, giving iagon full, unencrypted access to all user files, see 2.1.1 of Final Audit Summary.
Centralized Server IP Address: 188.34.151.53
DC Provider: Hetzner GmbH
Colocation Server Commissioned by: Impressive Solutions OÜ (owned by Holger Mesiats, CTO, iagon)
Centralization of File Access:
The centralized “gateway/index” server is the only way to access the iagon storage network; if the gateway/index fails, users risk permanent data loss despite underlying decentralization via storage nodes.
This creates a single point of failure for all of iagon’s clients, see 2.1.2 of Final Audit Summary.
Architectural & Patent Design Flaws:
With respect to the architectural design, the Modus Architecture Audit (redacted) Audit report concludes that “a management node has significant potential to collude with compute nodes in order to effect price manipulation” (See 3.1.0.4).
Legal Risk Exposure & Non-compliance:
Because files are uploaded through a centralized server in unencrypted form, Iagon has full access to user data, creating major privacy and data-protection risks, and therefore undermining any claims of being GDPR-compliant.
Relevant GDPR violations based on official sources:
● Article 5(1)(f) – Personal data must be processed securely, ensuring confidentiality and integrity.
● Article 32 – Mandates encryption, resilience, availability, and regular testing based on the risk level.
● Article 9 – Covers sensitive data like health, biometric, genetic, political views, etc., requiring enhanced protection.
● Recital 39 – Emphasizes lawful, fair, transparent processing, with confidentiality safeguards.
● Recital 83 – Encourages evaluating processing risks and adopting appropriate safeguards, such as encryption.
In Conclusion:
Iagon has repeatedly marketed themselves as decentralized, secure, and compliant; but the facts show otherwise. What exists today is a centralized, insecure, non-compliant system that falls far short of what was promised to Nuvola as a partner & the broader Cardano community.
Nuvola’s Next Steps:
Nuvola will now be exploring legal remedies against Iagon for misrepresentation with respect to partnership and investment. Going forward Nuvola will not have any association, partnership or collaboration with iagon or any of its products and services.
We entered into a partnership on March 27th, 2024, and invested in iagon under the belief that their network was decentralized, private, and GDPR-compliant, as they repeatedly marketed it to be. The reports from independent audits conclude otherwise. Iagon’s misleading statements have left us no choice but to take formal action to protect our community, partners, and investments.
Community Call to Action
The community deserves truth, not deception. In order to find the truth and properly assess iagon, we encourage the Cardano community to:
● Review the current public audit reports in F13 & request full un-redacted audit reports & transparency regarding audit costs (funded by Cardano).
● Request for an update on the current development state of iagon and use of Catalyst funds.
● Share the facts, links, and reports so no one else is misled.
Cardano Founding Entities & Committees Call to Action:
Given the seriousness of these findings, which raise concerns that run counter to the values of transparency, integrity, and trust on which Cardano was founded, we respectfully call on , , and to initiate a thorough and independent investigation.
We feel deeply for those innocently involved in the confusion coming from this situation, but this is a truth that had to surface. At Nuvola we stand by integrity, transparency and devotion to always do right by everyone in the Cardano community. This is one of the hardest decisions we ever had to make but we know that ultimately, greater good will come from this.
