Finance:IOTA (technology)

From HandWiki
Jump to: navigation, search

IOTA is an open-source distributed ledger and cryptocurrency designed for the Internet of things (IoT).[1] It uses a directed acyclic graph to store transactions on its ledger, motivated by a potentially higher scalability over blockchain based distributed ledgers.[1] IOTA does not use miners to validate transactions, instead, users that issue a new transaction must approve two previous transactions and perform a small amount of proof of work.[2] Transactions can therefore be issued without fees, facilitating microtransactions.[2]

IOTA has been criticized due to its unusual design, of which it is unclear whether it will work in practice.[3] The network currently achieves consensus through a coordinator node, operated by the IOTA foundation.[4] As the coordinator is a single point of failure, the network is currently centralized.[5]

IOTA has been the subject of multiple phishing, scamming, and hacking attempts, which resulted in the thefts of user tokens and extended periods of downtime.[6][7]


The IOTA ledger was created in 2015 by David Sønstebø, Dominik Schiener, Sergey Ivancheglo, and Serguei Popov.[8] Initial development was funded by an online public crowdsale, with the participants buying the IOTA value token with other digital currencies.[1] Approximately 1300 BTC were raised, corresponding to approximately 500,000 USD at that time, and the total token supply was distributed pro-rata over the initial investors. The IOTA network went live in 2016.[9]

IOTA foundation

In 2017, early IOTA token investors donated 5% of the total token supply for continued development and to endow what became later became the IOTA foundation.[1] In 2018, the IOTA Foundation was chartered as a Stiftung in Berlin, with the goal to assist in the research and development, education and standardisation of IOTA technology.[10] The IOTA foundation is a board member of International Association for Trusted Blockchain Applications (INATBA),[11] and founding member of the trusted-IoT alliance[12] and mobility open blockchain initiative (MOBI),[13] to promote blockchain and distributed ledgers in regulatory approaches, the IoT ecosystem and mobility.


The Tangle

The Tangle is the moniker used to describe IOTAs directed acyclic graph (DAG) transaction settlement and data integrity layer.[1] It is structured as a string of individual transactions that are interlinked to each other and stored through a network of node participants.[14] The Tangle does not have miners validating transactions, rather, network participants are jointly responsible for transaction validation, and must confirm two transactions already submitted to the network for every one transaction they issue.[15] Transactions can therefore be issued to the network at no cost, facilitating micropayments.[15] To avoid spam, every transaction requires computational resources based on Proof of Work (PoW) algorithms, to find the answer to a simple cryptographic puzzle.[16]

IOTA supports both value and data transfers.[2] A second layer protocol provides encryption and authentication of messages, or data streams, transmitted and stored on the Tangle as zero-value transactions.[16] Each message holds a reference to the address of a follow-up message, connecting the messages in a data stream, and providing forward secrecy.[16] Authorised parties with the correct decryption key can therefore only follow a datastream from their point of entry.[16] When the owner of the data stream wants to revoke access, it can change the decryption key when publishing a new message.[16] This provides the owner granular controls over the way in which data is exchanged to authorised parties.[16]

IOTA token

The IOTA token is a unit of value in the IOTA network.[17] There is a fixed supply of 2,779,530,283,277,761 iota tokens in circulation on the IOTA network. IOTA tokens are stored in IOTA wallets protected by an 81-character seed, similar to a password.[18] To access and spend the tokens, IOTA provides a cryptocurrency wallet.[6] A hardware wallet can be used to keep credentials offline while facilitating transactions.[18]

Coordinator node

IOTA requires a majority of honest actors to prevent network attacks.[1] However, as the concept of mining does not exist on the IOTA network, it is unlikely that this requirement will always be met. Therefore, consensus is currently obtained through referencing of transactions issued by a special node operated by the IOTA foundation, called the coordinator.[4] The coordinator issues zero value transactions at given time intervals, called milestones.[4] Any transaction, directly or indirectly, referenced by such a milestone is considered valid by the nodes in the network. The coordinator is an authority operated by the IOTA foundation and as such single point of failure for the IOTA network, which makes the network highly centralized.[5]


IOTA is traded on digital currency exchanges such as Bitfinex[19], and listed under the MIOTA ticker symbol for the cryptocurrency. Like other digital currencies, IOTA’s token value has soared and fallen.[20] The token’s valuation fell back to $1 billion in early 2018 as a wider crypto rout sent currencies sinking.[21] In 2019 the IOTA token missed out entirely and was down on the year.[22]

Applications and testbeds

Proof-of-concepts building on IOTA technology are being developed in the automotive and IoT industry by corporates as Volkswagen and Bosch.[20][21] IOTA is applied in smart city testbeds, including development of community grids and local trade of energy.[23] Jaguar Land Rover is testing software that will allow drivers of its cars to earn the IOTA cryptocurrency as a reward for sharing data.[24][25] In project Alvarium, formed under the Linux Foundation, IOTA is used as an immutable storage and validation mechanism.[26][27] STMicroelectronics has provided IOTA middleware for their STM32-based boards.

On February 11, 2020, the Eclipse Foundation and IOTA Foundation jointly launched the Tangle EE (Enterprise Edition) Working Group.[2] Tangle EE is aimed at enterprise users that can take IOTA technology and enable larger organizations to build applications on top of the project, where the Eclipse Foundation will provide a vendor-neutral governance framework .[28]

IOTA foundation has faced criticism in response to their announcements of partnerships. In 2017, IOTA released the data marketplace, a pilot for a market where connected sensors or devices can store, sell or purchase data.[29][30] The cryptocurrency community was critical towards the announcement of the data marketplace over the extent of the involvement of the participants of the data marketplace.[31] Izabelle Kaminska criticized the Jaguar press release, as "the impact of the release across the media space was decidedly one presenting the service as a fait accompli", and "our interpretation is that it's very unlikely Jaguar will be bringing a smart-wallet-enabled earn-cryptocurrency-as-you-drive offering to the marketplace any time soon."[32]

Vulnerabilities and attacks

DCI Curl-P-27 vulnerability disclosure

On September 8th, 2017, researchers Ethan Heilman from Boston University and Neha Nerula et al. from MIT's Digital Currency Initiative (DCI) reported on potential security flaws with IOTA's Curl-P-27 hash function.[3] The authors were able to quickly create messages of the same length which hash to the same value with Curl-P-27, breaking the function’s collision resistance. Using this collision attack, they could generate signature forgeries in IOTA.[3] In response to the disclosure, the IOTA Foundation changed the hash function in the node reference implementation from Curl-P-27 to Kerl (a trinary adaption of SHA-3) on August 7th 2017.[33] According to IOTA cofounder Sergey Ivancheglo, the DCI found the protocol's purposefully placed form of copy protection.[3][34] The “practical attack” demonstrated by the DCI researchers only works in a limited number of improbable situations that would affect a negligible number of IOTA users, mostly thanks to a closed-source and centralized solution called the “Coordinator” that helps secure the network.[33]

The IOTA foundation received considerable backlash in their handling of the incident.[33] FT Alphaville reported legal posturing by an IOTA Founder against a security researcher for his involvement in the DCI report, as well as instances of aggressive language levelled against a Forbes contributor and other unnamed journalists covering the DCI report.[34] The Center for Blockchain Technologies at the University College London severed ties with the IOTA Foundation in late April 2018 due to legal threats against security researchers involved in the report.[35]

Former MIT media lab director, Joi Ito raised flags about the IOTA management team saying that IOTA's Sergey Ivancheglo gave “two conflicting explanations” for the security bug.[36] Multicoin capital co-founder Kyle Samani wrote that IOTA has “one of the worst mgmt teams in crypto.”[36]

Dan Guido, CEO from Trail of Bits said “DCI made some rookie mistakes too, and this is generally why, in other industries, security researchers will hand off bugs to a vulnerability coordinator, like a CERT, to report on their behalf”.[37] Venture Capitalist Jamie Burke told, “IOTA has issues, largely around their communications, but we believe in the vision and we believe in the innovation”.[21]

13 or M attack and reclaim

In October 2017, after the IOTA developers transitioned from using Curl-P-27 to using Kerl, an unrelated vulnerability called the 13 or M attack was discovered, a bug that put the IOTA tokens of certain users at risk by partially revealing a portion of the private key generated for specific addresses.[3] This would have made it easier for malicious attackers to potentially “brute force” hack the remainder of those addresses’ private keys and thereby steal the tokens.[3] The IOTA Foundation patched this vulnerability by requiring that if a message hash to be signed includes a 13, then the user must alter the message until no 13s are present in the digest.[3] As an additional remediation step, the IOTA developers transferred potentially compromised funds to addresses under its control, providing a process for users to later apply to the IOTA Foundation in order to reclaim their funds[3]

Seed-generator scam

On Januari 2018 more than 10 million USD worth of IOTA tokens were stolen from users that used an online seed-creator, a password that protects their ownership of IOTA tokens.[6] The seed-generator scam was the largest fraud in IOTA history to date, with several hundred people affected.[38] One year later, in Januari 2019, the UK and German law enforcement agencies arrested a 36-year old man from Oxford, England.[18] Matthias Krekeler, of the State Criminal Police in Hesse, said the arrest was only possible thanks to the "sophisticated collaboration of international authorities", and the investigation had been helped by "IOTA community members".[39]

Trinity wallet attack incident

On November 26, 2019 a hacker discovered a vulnerability in Trinity, a mobile and desktop wallet managed by the IOTA foundation.[7] The attacker compromised over 50 IOTA seeds, resulting in the theft of approximately 2 Million USD worth in IOTA tokens.[7] The attack vector was opened via integration of a third party payment service, called MoonPay.[7] The attacker was able to intercept DNS queries with a compromised Cloudflare API key, and managed to have his own malicious version rolled out instead of the third-party code.[7] On February 10, 2020 MoonPay noticed the hack, resolved the vulnerability in its API, yet did not disclose the hack to the community.[7] With the route of attack now gone, the hacker started clearing the funds from the 50 compromised seeds on February 11, 2020.[7] After receiving reports that hackers were stealing funds from user wallets, the IOTA Foundation shut down the coordinator, a node in the IOTA network that puts the final seal of approval on any IOTA currency transaction, on February 12, 2020.[40][41] The never-before-seen move was meant to prevent hackers from executing new thefts, but also had the side-effect of effectively shutting down the entire IOTA cryptocurrency.[40]

As the hack may have affected any user of the desktop versions of Trinity who opened the wallet between December 17 and February 17, the IOTA Foundation presented a 10-day seed migration period before restarting the coordinator.[7] Users at-risk were given seven days to migrate their potentially compromised seed to a new seed, until March 7, 2020. The coordinator was restarted on March 10, 2020.[42]


IOTA promises to achieve the same benefits that blockchain-based DLTs bring - decentralization, distribution, immutability and trust - but remove the downsides of wasted resources associated with mining as well as transaction costs.[1] However, several of the design features of IOTA are unusual, and it is unclear whether they work in practice.[43][5][3]

Network consensus and coordinator node

The security of IOTA's consensus mechanism against double-spending attacks is unclear, as long as the network is immature.[14] Essentially, in the IoT, with heterogeneous devices having varying levels of low computational power, sufficiently strong computational resources will render the tangle insecure.[14] This is a problem in traditional proof-of-work blockchains as well, however, they provide a much greater degree of security through higher fault tolerance and transaction fees.[14] At the beginning, when there is a lower number of participants and incoming transactions, a central coordinator is needed to prevent an attack on the IOTA tangle.[14]

Critics have opposed role of the coordinator for being the single source of consensus in the IOTA network. Polychain Capital founder Carlson-Wee, says “IOTA is not decentralized, even though IOTA makes that claim, because it has a central “coordinator node” that the network needs to operate. If a regulator or a hacker shut down the coordinator node, the network would go down.”[36] During the Trinity attack incident, the IOTA foundation shutdown the coordinator to prevent further thefts, thereby demonstrating that the network is not decentralized in its current state.[7][36][5] Last year the IOTA Foundation announced that it would like to operate the network without a coordinator in the future, but implementation of this is still in an early development phase.[7][5]

Quantum resistance and address re-use

IOTA is resistant against quantum computer attacks, due to its use of the Winternitz One Time Signature (WOTS) scheme, which is quantum resistant.[44] Due to IOTA’s choice of one-time signature scheme, spending from an address multiple times drastically reduces the security of the funds at that address, because it exposes portions of the private key associated with the address.[44]

Stolen funds due to the 13 or M attack were initially suspected to be the result of address reuse, only later to be identified as a result of a broken key derivation function, found Willem Pinckaers, a researcher of security firm Lekkertech.

Ternary implementation

For potential efficiency reasons, IOTA's data structures uses a balanced ternary implementation; instead of bits, it uses trits (−1, 0, 1).[3] With all existing hash designs being binary, a ternary prototype called Curl-P had been developed, instead of the well-studied alternatives that underpin other digital coins.[33] However, efficient cryptanalytic attacks on Curl-P have been devised, implying that it cannot be considered a strong cryptographic hash function.[45] After vulnerabilities were detected in Curl-P, the hashing algorithm was changed to Kerl, which is considered safe.[33] However, as a binary design Kerl is not inherently suitable for direct implementation on ternary platforms and a drop-in replacement, called Troika, is currently developed.[46][45]

Network maturity

IOTA has seen several network outages as a result of bugs in the coordinator as well as DDoS attacks.[47][1] During the seed generator scam, a DDoS network attack was abused leaving initial thefts undetected.[38] To improve the network, IOTA Foundation is moving on with its plans for the Chrysalis project, a scheme designed to create an enterprise-ready blockchain solution.[41]


  1. 1.0 1.1 1.2 1.3 1.4 1.5 1.6 1.7 Anadiotis, George (2017-11-30). "A better blockchain: Bitcoin for nothing and transactions for free?" (in en). 
  2. 2.0 2.1 2.2 2.3 McKendrick, Joe. "Enter the Tangle, a blockchain designed specially for the Internet of Things" (in en). 
  3. 3.0 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 Heilman, Ethan; Narula, Neha; Tanzer, Garrett; Lovejoy, James; Colavita, Michael; Virza, Madars; Dryja, Tadge (2019). Cryptanalysis of Curl-P and Other Attacks on the IOTA Cryptocurrency. 
  4. 4.0 4.1 4.2 Cao, Bin; Li, Yixin; Zhang, Lei; Zhang, Long; Mumtaz, Shahid; Zhou, Zhenyu; Peng, Mugen (2019-07-10). "When Internet of Things Meets Blockchain: Challenges in Distributed Consensus". IEEE Network 33 (6): 133–139. doi:10.1109/MNET.2019.1900002. ISSN 1558-156X. Bibcode2019arXiv190506022C. 
  5. 5.0 5.1 5.2 5.3 5.4 Mix (2019-05-28). "IOTA wants to ditch its most centralized component, but the timeline is still murky" (in en-us). 
  6. 6.0 6.1 6.2 Marcel Rosenbach, Markus Böhm (2018-01-30). "Betrugsmaschen bei Kryptowährungen: Auf einmal ist alles weg" (in de). 
  7. 7.0 7.1 7.2 7.3 7.4 7.5 7.6 7.7 7.8 7.9 Kannenberg, Axel (2020-02-27). "IOTA cryptocurrency: Million dollar credit stolen, no payments possible (translated)". 
  8. Kahl, Stephan (2018-03-07). "22-Year-Old Behind $5 Billion Crypto Is Just Getting Started". 
  9. Chavez-Dreyfuss, Gertrude (2017-11-28). "Blockchain network IOTA teams up with Microsoft, others on data marketplace" (in en). Reuters. 
  10. "IOTA: Erste Krypto-Stiftung Deutschlands gegründet" (in de-DE). 2017-11-15. 
  11. O'Brien, Chris (2019-04-03). "EU launches blockchain association to accelerate distributed ledger technology adoption" (in en-US). 
  12. Osborne, Charlie (2017-09-19). "New alliance advocates the blockchain to improve IoT security, trust" (in en). 
  13. Russel, Jon (2018-05-02). "BMW, GM, Ford and Renault launch blockchain research group for automotive industry" (in en-US). 
  14. 14.0 14.1 14.2 14.3 14.4 Ali, Muhammad Salek; Vecchio, Massimo; Pincheira, Miguel; Dolui, Koustabh; Antonelli, Fabio; Rehmani, Mubashir Husain (2018-12-18). "Applications of Blockchains in the Internet of Things: A Comprehensive Survey". IEEE Communications Surveys & Tutorials 21 (2): 1676–1717. doi:10.1109/COMST.2018.2886932. ISSN 1553-877X. 
  15. 15.0 15.1 Makhdoom, Imran; Abolhasan, Mehran; Abbas, Haider; Ni, Wei (2019-01-01). "Blockchain's adoption in IoT: The challenges, and a way forward" (in en). Journal of Network and Computer Applications 125: 251–279. doi:10.1016/j.jnca.2018.10.019. 
  16. 16.0 16.1 16.2 16.3 16.4 16.5 Hawig, David; Zhou, Chao; Fuhrhop, Sebastian; Fialho, Andre S; Ramachandran, Navin (2019-06-14). "Designing a Distributed Ledger Technology System for Interoperable and General Data Protection Regulation–Compliant Health Data Exchange: A Use Case in Blood Glucose Data" (in en). Journal of Medical Internet Research 21 (6): e13665. doi:10.2196/13665. ISSN 1438-8871. PMID 31199293. 
  17. Marcel Rosenbach, Alexander Jung, Frank Dohmen (2018-01-22). "Kryptowährung: Bitcoin geht, Blockchain bleibt" (in de). 
  18. 18.0 18.1 18.2 Chavez-Dreyfuss, Gertrude (2019-01-30). "IOTA says bulk of $11 million stolen tokens found, hacker worked alone" (in en). Reuters. 
  19. Cheng, Evelyn (2017-06-14). "Major bitcoin exchanges hit by cyberattacks as record rally makes them a target" (in en). 
  20. 20.0 20.1 "New ways to trade data, New ways to trade data". The Economist. 2018-03-28. ISSN 0013-0613. 
  21. 21.0 21.1 21.2 Smith, Oliver (2018-08-16). "How Next Generation Crypto Investors Are Poised To Win, Even If Their Startups Lose" (in en). 
  22. Kharif, Olga (2019-05-14). "Bitcoin Adds Market Share in Recovery in Crypto Prices". 
  23. O'Brien, Chris (2019-08-30). "Norway unveils energy-positive building showcasing smart city potential" (in en-US). 
  24. O'Grady, Sean (2019-05-03). "Mobile piggy bank: Jaguar Land Rover's 'earn as you drive' concept" (in en). 
  25. Chavez-Dreyfuss, Gertrude (2019-04-29). "Jaguar Land Rover planning to allow helpful car drivers to earn cryptocurrency" (in en). Reuters. 
  26. Bantle, Ulrich (2019-10-31). "Linux Foundation gründet Data-Privacy-Projekt Alvarium" (in de-DE). 
  27. Agelini, Chris (2020-01-23). "How open, trusted edge can help improve data sharing and monetization" (in en-US). 
  28. Miller, Ron (2020-02-11). "Tangle EE project joins Eclipse Foundation to bring distributed ledger apps to enterprise" (in en-US). 
  29. Ponciano, Jonathan. "IOTA Foundation Launches Data Marketplace For 'Internet-Of-Things' Industry" (in en). 
  30. "IOTA launches IoT data marketplace, envisions devices autonomously buying and trading information" (in en-US). 2017-11-28. 
  31. Mix (2017-12-12). "IOTA clarifies it has no formal partnership with Microsoft [UPDATED"] (in en-us). 
  32. Kaminska, Izabella (2019-05-28). "Emperor has no clothes, Jaguar crypto press release edition". 
  33. 33.0 33.1 33.2 33.3 33.4 Daniel Oberhaus & Jordan Pearson (2018-03-02). "A $5 Billion Cryptocurrency Has Enraged Cryptographers" (in en). 
  34. 34.0 34.1 Kelly, Jemima (2018-08-25). "FUD, inglorious FUD". 
  35. Mix (2018-04-28). "University College London (UCL) severs ties with IOTA Foundation" (in en-us). 
  36. 36.0 36.1 36.2 36.3 Kauflin, Jeff (2018-01-03). "IOTA Rose 464% In 2017, But Buyer Beware: Experts Have Major Security Concerns". 
  37. Peck, Morgen. "Cryptographers Urge People to Abandon IOTA After Leaked Emails" (in en). 
  38. 38.0 38.1 Cimpanu, Catalin. "Europol arrests UK man for stealing €10 million worth of IOTA cryptocurrency" (in en). 
  39. "Oxford man arrested over £8.7m cryptocurrency theft" (in en-GB). BBC News. 2019-01-23. 
  40. 40.0 40.1 Cimpanu, Catalin. "IOTA cryptocurrency shuts down entire network after wallet hack" (in en). 
  41. 41.0 41.1 Osborne, Charlie. "Bisq Bitcoin exchange slams on the brakes after exploit of critical security flaw, crypto theft" (in en). 
  42. Kannenberg, Axel (2020-03-02). "Nach Trinity-Hack: IOTA stellt Migrationstool für kompromittierte Seeds bereit" (in de). 
  43. Evans, Jon (2018-08-10). "Cryptocurrency insecurity: IOTA, BCash and too many more" (in en-US). 
  44. 44.0 44.1 Sarfraz, Umair; Alam, Masoom; Zeadally, Sherali; Khan, Abid (2019-01-15). "Privacy aware IOTA ledger: Decentralized mixing and unlinkable IOTA transactions" (in en). Computer Networks 148: 361–372. doi:10.1016/j.comnet.2018.11.019. ISSN 1389-1286. 
  45. 45.0 45.1 Kölbl, Stefan; Tischhauser, Elmar; Derbez, Patrick; Bogdanov, Andrey (2019-08-27). "Troika: a ternary cryptographic hash function" (in en). Designs, Codes and Cryptography 88 (1): 91–117. doi:10.1007/s10623-019-00673-2. ISSN 0925-1022. 
  46. Beedham, Matthew (2018-12-20). "IOTA is dishing out shares of $220K bounty — if you can crack its new hash function" (in en-us). 
  47. Williams-Grut, Oscar (2018-02-09). "The 22-year-old founder of a cryptocurrency worth $5 billion tells us what it's like to run a crypto company as the market goes wild". 

External links