IOTA is a cryptocurrency targeting the internet of things. It purports to be scalable, decentralized, and feeless. Unfortunately it is none of those things.

In this article I attempt to summarize the numerous technical, social, and ethical problems surrounding the IOTA project, The IOTA Foundation, and the IOTA developers.

If you have suggestions for improvement or additional references, please open a pull-request or issue here.

Table of Contents

1. Issues

1.1. Centralization

IOTA is fully centralized. All IOTA transactions must be approved by a server run by The IOTA Foundation called "The Coordinator". [1]

The Coordinator exists to prevent denial-of-service attacks and double spends. The IOTA Foundation claims that at some point the coordinator can be phased out, but these claims are not credible due to the intractable nature of these issues. [2]

Since all transactions must be approved by a single server, run by a single entity, IOTA is not decentralized. Additionally, The Coordinator is a single point of failure, and has been shut down intentionally by The IOTA Foundation to halt activity on the network. [3]

The source code of The Coordinator has not been released, making it impossible to audit it for vulnerabilities, correctness, or fairness. [4]

1.2. Tip Selection Attack Vectors

IOTA transactions are arranged in a directed acyclic graph, with each transaction referencing two previous transactions by hash. [5]

The choice of which transactions to reference is a matter of local policy, and thus nodes have enormous leeway in the shape of the graph that they construct, and which tips they select.

The functionality of the network depends on transactions getting confirmed in a timely fashion, even in the presence of malicious or selfish nodes. The IOTA developers claim that nodes will converge on a tip-selection strategy which confirms new transactions quickly, however this has not been proven to be the case. [6]

1.3. Ternary Overhead

Several algorithms in IOTA are implemented using balanced ternary, as opposed to binary. Balanced ternary is slightly more efficient, in theory, than binary, due to radix economy.

However, in practice this gain in efficiency is more than offset by the overhead incurred by the need to translate ternary into binary for execution on commodity hardware and software.

And, since vast majority of hardware fabrication facilities and technology are based on binary logic, a ternary computer more efficient than its binary counterpart will likely never materialize.

1.4. Non-fungible Tokens

A transaction’s position within the DAG, and other factors, may make that transaction’s outputs more or less valuable than other transactions.

Because of this, nodes will likely have to enforce additional local policies on which transactions to accept, which negatively impacts the fungibility of IOTA transaction outputs.

Outputs that have been included in a Coordinator milestone are more valuable than those that haven’t, since The Coordinator is the current arbiter of truth in the IOTA system. Thus, if The Coordinator refuses to approve a transaction, its outputs are effectively worthless.

Similarly, transaction outputs that appear in a snapshot [7] are more valuable than those that do not. Additionally, whatever entities control what transactions are included in a snapshot have enormous power are an additional centralization factor. For an example, if transactions are deemed to be "spam" and are not included in an snapshot, their outputs will be worthless.

If IOTA adopts some kind of sharding mechanism, outputs will be more or less valuable on the basis of whether or not they are known to a particular shard. Outputs may have value within a shard, but be worthless outside of that shard.

1.5. Broken Custom Hash Function

IOTA used a custom hash function called Curl, which was later found to be insecure. [8] [9]

Although this vulnerability was patched, the choice to use a custom hash function was grossly incompetent, and reflecting extremely poorly on the judgment of the IOTA developers.

Creating a cryptographically secure hash function is extremely difficult and furthermore unnecessary, as good hash functions are freely available. That Curl was eventually found to be vulnerable was an entirely predictable and avoidable outcome.

The vulnerability in Curl required The IOTA Foundation to take custody of user funds, requiring users to to follow a byzantine reclamation process to get them back, with many users still unable to access their funds. [10]

1.6. Intentional Vulnerabilities

The IOTA developers have intentionally injected vulnerabilities into their open source code in an attempt to discourage copying. [11]

The code that they released was represented to be complete and free of known issues. The intentional inclusion of severe vulnerabilities in such code is plainly fraud. [12] [13]

1.7. No Recourse Against Spam

No global transaction limit is enforced in IOTA, making it vulnerable to malicious participants generating a high enough volume of transactions to overwhelm the network. If the network becomes popular, nodes will likely be overwhelmed by non-malicious participants that simply generate a high volume of transactions. [2]

IOTA is intended to be run on nodes with low power, compute, memory, disk, and network bandwidth, and such nodes will be easily overwhelmed by even a modest number of transactions. [14]

1.8. Non-zero Transaction Fees

IOTA transactions do not pay an explicit fee. [5] However, this does not mean that IOTA transactions are free.

IOTA nodes must dedicate significant power, compute resources, and die space to perform the proof-of-work needed to generate transactions and process incoming transactions.

Also, since the incentive for a transaction to be confirmed is unclear, a node may be required to pay a permanode, a node in another shard, or a central issuer of snapshots to confirm a transaction.

Thus, even if a node pays no explicit fee for its transactions, it may pay significant implicit fees, and thus the claim that IOTA transactions are free of fees is only superficially true, and false in every sense that matters. [15]

1.9. The Internet of Things Does Not Exist

IOTA is built for a global network of embedded devices communicating over mesh networks. This network does not currently exist and does not seem likely to exist. Currently manufactured IoT devices connect through the internet, and no compelling reason to believe that this may change exists.

1.10. Premature Use of Post-Quantum Cryptography

IOTA uses cryptography that cannot be broken by quantum computers. [5] The use of such cryptography, specifically Winternitz signatures, leaves IOTA users vulnerable to loss of funds if they ever reuse an address. This attack has already been seen in practice, with one user reportedly losing $30,000 USD worth of IOTA. [16]

As quantum computers large enough to threaten existing cryptosystems do not exist and may not exist for many decades, this use of post-quantum cryptography comes with no tangible benefit.

1.11. Poor Wallet Security

The IOTA wallet requires users to manually enter an 81 character seed, instead of securely generating one. This led users to use malicious online seed generators, leading to the theft of almost $4 million of user funds. [17]

1.12. Unusable Network and Wallet

Users have reported numerous issues with the IOTA network and wallet software. These include unusable software, a slow and unusable network, loss of funds, and an inability to move funds. [18] [19] [20] [21] [22] [23] [24] [25] [26]

1. IOTA is centralized, Eric Wall
2. IOTA Doesn’t Scale, Kay Kurokawa
3. GUI v2.5.2: Latest Release with IOTA Reclaim Tool, Dominik Schiener
4., Why is the coordinator source code not public?
5. IOTA Whitepaper, Serguei Papov
6. Why I find Iota deeply alarming, Nick Johnson
7. Prepare for the January 28, 2018 IOTA Snapshot (updated), Ralf Rottmann
8. IOTA Vulnerability Report: Cryptanalysis of the Curl Hash Function Enabling Practical Signature Forgery Attacks on the IOTA Cryptocurrency, Ethan Heilman, Neha Narula, Thaddeus Dryja, and Madars Virza
9. Breaking IOTA’s Curl Hash Function, Ethan Heilman
10. GUI Wallet: Phase Two of the Reclaim process, Dominik Schiener
11. CFB’s letters to Neha Narula’s team during their analysis of Curl-P hash function, Sergey Ivancheglo
12. Tweet, Peter Todd
13. Issue with IOTA, Reddit Comment, Vitalik Buterin
14. Tweet, Nick Johnson
15. Our response to "A Cryptocurrency Without a Blockchain Has Been Built to Outperform Bitcoin", Joi Ito
16. User reports $30,000 worth of IOTA stolen due weakness of IOTA’s post-quantum signature scheme to address reuse
17. Tweet, Nic Carter
18. IOTA: A Tangled Mess, John Ratcliff
19. IOTA: Cannot be used for IoT. Loss of funds may occur, Andreas Brekken
20. My IOTA disappointment and a warning to others, UnitTwopointZero
21. IOTA Wallet is terrible/unusable, winghaven
22. IOTA cryptocurrency is a scam, here’s 10 good reasons why, Android Advance
23. Light Wallet 2.3.1 unusable, Fabrizio Ranieri
24. Iota light wallet is completely unusable, mindblown
25. Tweet, John Ratcliff
26. Tweet, Max Kaplan