2. The implementers apparently do not understand cryptosystem basics:

A. At first they used RSA to directly encrypt messages one block at a time. This is not how RSA is supposed to be used; rather, it is supposed to be used for encrypting a session key that is used for symmetrically encrypting/decrypting payload data. This is like running RSA in ECB mode to encrypt payload data. First of all you don't use RSA to encrypt payload data, and second of all you don't use ECB mode. This is a very bad cryptosystem implementation, probably about as bad as possible while still using secure primitives.

B. They had no authentication at first either. It is pretty apparent from their initial effort that they are not qualified to implement a security-critical system, and even though they are apparently making some fundamental changes, the fact that they fucked up so badly on their first try is not confidence-instilling. The mistakes they made at first would not have been made by someone who had read an introductory book on cryptosystem engineering.

C. They are relying on proof of work, which is probably helpful, but not something that should be relied on very much. Read the paper proof of work proven not to work, for example.

D. They used the same RSA key for signatures and encryption, commonly known as improper use of RSA.

E. Now that they have switched from RSA to ECC, in order to address their improper use of RSA, they still appear to be using ECC weirdly/inappropriately. For example, it seems as if they are using long-term ECDH public keys for shared secret derivation, but they should be using ephemeral keys for this on a per-message basis.

F. What is up with their message structure? So the public signing key is encrypted with the message? What? Why not use message authentication codes and sign messages with the long-term EC private key with ECDSA? Are they using ephemeral public signing keys and long-term public secret derivation public keys?! That is not a good way to use ECC (actually it is the opposite of how it should be); they are not understanding how to use it right. If their public signing keys are not ephemeral, why are they including them encrypted with every message?? If they are ephemeral, what is the point of an ephemeral signing key? Did they mean to use message authentication codes?
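An added example (not from the original post or from the project it criticizes) of the arrangement items D to F argue for: a fresh ECDH key for every message, an authenticated cipher for the payload, and an ECDSA signature from a long-term key that is used only for signing. It assumes the Python `cryptography` package; the function names, wire layout and HKDF label are illustrative choices.

```python
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

CURVE = ec.SECP256R1()
POINT_LEN = 65          # uncompressed P-256 point
NONCE = b"\x00" * 12    # fixed nonce is safe only because each key encrypts one message

def _pub_bytes(pub):
    return pub.public_bytes(serialization.Encoding.X962,
                            serialization.PublicFormat.UncompressedPoint)

def _message_key(shared, eph_pub, rcpt_pub):
    # Bind the derived key to both public keys of this one exchange.
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"example-msg-v1" + eph_pub + rcpt_pub).derive(shared)

def seal(recipient_pub, sender_sign_key, plaintext):
    rcpt = _pub_bytes(recipient_pub)
    # Long-term sender key signs only; the signature also covers the recipient key.
    sig = sender_sign_key.sign(rcpt + plaintext, ec.ECDSA(hashes.SHA256()))
    eph = ec.generate_private_key(CURVE)   # ephemeral ECDH key, discarded after use
    eph_pub = _pub_bytes(eph.public_key())
    key = _message_key(eph.exchange(ec.ECDH(), recipient_pub), eph_pub, rcpt)
    # The signature travels inside the ciphertext, so outsiders cannot link it to a sender.
    body = len(sig).to_bytes(1, "big") + sig + plaintext
    return eph_pub + AESGCM(key).encrypt(NONCE, body, eph_pub)

def open_sealed(recipient_key, sender_verify_key, wire):
    eph_pub, ct = wire[:POINT_LEN], wire[POINT_LEN:]
    peer = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, eph_pub)
    rcpt = _pub_bytes(recipient_key.public_key())
    key = _message_key(recipient_key.exchange(ec.ECDH(), peer), eph_pub, rcpt)
    body = AESGCM(key).decrypt(NONCE, ct, eph_pub)   # raises InvalidTag if modified
    sig, plaintext = body[1:1 + body[0]], body[1 + body[0]:]
    # Raises InvalidSignature unless the expected long-term key signed this message.
    sender_verify_key.verify(sig, rcpt + plaintext, ec.ECDSA(hashes.SHA256()))
    return plaintext

if __name__ == "__main__":
    # Constructed keys and message, for demonstration only.
    sender_sign = ec.generate_private_key(CURVE)   # signing key
    rcpt_enc = ec.generate_private_key(CURVE)      # separate key-agreement key
    wire = seal(rcpt_enc.public_key(), sender_sign, b"constructed test message")
    print(open_sealed(rcpt_enc, sender_sign.public_key(), wire))
```

Sealing the same plaintext twice yields different ephemeral points and ciphertexts, and the recipient's long-term key is the only long-term secret involved in key agreement.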