Cryptocurrency is crawling with ambitious visions for the future.
Indeed, one of the most hyped ways in which the technology could come to proliferate is through its union with a concept called the internet of things (IoT), whereby nearly everything (think watches, refrigerators and automobiles) is connected to the internet and, as such, "talks" to each other. For instance, a sensor on your milk carton in the refrigerator might notice that you're down to the last cup and send out an order to the local grocery store.
The project IOTA is garnering quite a bit of attention for adding cryptocurrency-inspired technology to this use case, turning it into a more open market.
Indeed, at tech meetups in New York City, it's not uncommon to hear developers remark that IOTA's underpinning technology, the "blockchainless blockchain," or the so-called "tangle," is the future of the blockchain space.
Not only is IOTA touted as a way to upend the silos of the current centralized system, streamlining business in terms of time and cost, but also as a way to rid the blockchain industry of all that plagues it – such as the technology's scaling issues, which cause transaction backlogs and high fees, and the massive amounts of energy the technology's architecture consumes.
"The obvious thing is that [IOTA] is the first project that went beyond blockchain. Got rid of miners. In the process we solved the main pain points of transactions – no fees," said IOTA co-founder David Sønstebø, in an interview with CoinDesk.
These bold claims appear bolstered by partnerships with large enterprises and agencies, including Volkswagen and the City of Taipei in Taiwan.
Yet, the IOTA team of 150 developers, cryptographers and others can't always keep their stories straight, and have at other times dealt poorly with criticism, especially as it relates to security holes in its architecture.
As such, experts question whether many of IOTA's ideas will actually work in practice and, if they don't, whether current investors and users, who are supporting a $2.7 billion network by market cap, will be left out of luck.
"It's pretty horrifying. The horrifying thing is their market cap is so high," said Aviv Zohar, a crypto researcher and senior lecturer at The Hebrew University.
Since researchers have pointed out so many holes in IOTA already, he expects more to come, and the IOTA bashing to continue.
Zohar told CoinDesk:
"IOTA is a currency I love to hate."
Zohar isn't alone there.
The negativity surrounding IOTA's tech started in September after an investigation by researchers from MIT's Digital Currency Initiative (DCI) found what they argue is a vulnerability in the project's code.
According to the researchers, IOTA developers used a hash function created in-house (called P-Curl) to secure data within the system, a huge no-no among cryptographers, who argue it's preferred to use the highly studied and scrutinized functions that already exist today.
But IOTA developers say, in fact, the decision was intentional – designed to prevent anyone from copying their open-source software.
Researchers, though, have shot back, arguing that doesn't make much sense since the basis of open-source software is that it is given to the broader developer community to be freely copied.
"The IOTA developers haven't been able to explain to me why they think their insecure hash function is safe," tweeted Matthew Green, a cryptography professor at Johns Hopkins.
But things escalated even further from there.
"He should be scared, there are lawyers working on that already," tweeted IOTA co-founder Sergei Ivancheglo, threatening Boston University's Ethan Heilman, one of the researchers who reported the hash function vulnerability.
During the Financial Crypto 2018 conference at the end of February, Ivancheglo's tweet was a major discussion point. While nerdy debates turning vicious is nothing new for the cryptocurrency space, security researchers argue that threatening lawsuits can severely undermine the industry.
As UCL computer science researcher Sarah Azouvi told CoinDesk:
"The founder suing researchers is very, very concerning. Researchers try to measure and try to make things more secure. It could have a serious impact if people are afraid to report bugs."
While it doesn't appear any IOTA users have lost money because of the custom-made hash function, some IOTA users lost a substantial amount of their cryptocurrency – to the tune of $4 million – in what some industry observers argue is sheer incompetence on behalf of the IOTA team.
IOTA's official wallet didn't have what's called a "seed generator" to help users produce keys for controlling their coins.
Although the IOTA Foundation detailed the most secure way to generate randomness, giving a list of all the websites that were secure for doing so, some users went to websites that weren't on the list – one being a scam that stored keys created on its site and eventually used those to steal funds.
"A lot of naive people gave their private keys away to this individual. This was a very unfortunate event," IOTA's Sønstebø said, calling the perpetrator a "scumbag."
Yet, critics argue IOTA is victim shaming when, in fact, the project's foundation should have made sure its official wallet had a seed generator attached.
"It's past Hanlon's razor for me," tweeted Tadge Dryja, a lightning network developer and crypto enthusiast, pointing to the aphorism, "Never attribute to malice that which is adequately explained by stupidity."
He continued, saying that he must "assume malice" since adding a seed generator is "absolutely trivial," requiring only a single line of code.
Speaking to the issues that arise when a cryptocurrency project doesn't provide seed generation tools to their users, Heilman told CoinDesk, "Almost all cryptographic software is designed to generate secure random numbers for their users. Making users responsible for secure randomness generation is dangerous as users may use a bad source of randomness."
IOTA co-founders are mixed on their responses to this event though.
Co-founder Dominik Schiener acknowledged that the user experience is far from ideal, but argued that IOTA shouldn't get lambasted for it since the user experience throughout the crypto community is inferior as a whole. Sønstebø, meanwhile, argued that the project wants to leave randomness generation up to the user so they have more control.
"We leave it up to the individual to get their own randomness," he said, adding:
"We give them the liberty to do that. You're in crypto. The entire point is you don't have to trust anyone."
That said, Sønstebø pointed out that IOTA would be launching a new wallet called Trinity in the coming weeks to address the issue. Not only will this wallet have a built-in random address generator, but the team is also planning to run its code through a security audit for good measure.
"If your grandma smokes crack, then she should still be able to use it," he said.
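The seed generation discussed above, sketched as an added example (not IOTA's wallet code and not code from the article): it assumes the legacy IOTA seed format of 81 characters drawn from the 27-symbol alphabet 9 and A-Z, and sets a seed built locally from the operating system's CSPRNG beside a constructed weak generator of the kind Heilman warns about. All function names are hypothetical.

```python
import math
import random
import secrets

# Assumption (not stated in the article): legacy IOTA seeds are 81 trytes
# drawn from the 27-symbol alphabet '9' plus 'A'-'Z'.
TRYTE_ALPHABET = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SEED_LENGTH = 81


def generate_seed(length=SEED_LENGTH, rand_bytes=secrets.token_bytes):
    """Build a seed locally from the OS CSPRNG, with no third-party site."""
    n = len(TRYTE_ALPHABET)
    limit = 256 - (256 % n)  # 243: bytes at or above this would bias the result
    out = []
    while len(out) < length:
        for b in rand_bytes(length - len(out)):
            if b < limit and len(out) < length:
                out.append(TRYTE_ALPHABET[b % n])
    return "".join(out)


def weak_seed(timestamp, length=SEED_LENGTH):
    """Constructed counter-example: a non-cryptographic PRNG keyed by a clock
    value. Anyone who guesses the timestamp reproduces the same seed."""
    rng = random.Random(timestamp)
    return "".join(rng.choice(TRYTE_ALPHABET) for _ in range(length))


def is_well_formed(seed, length=SEED_LENGTH):
    """Format check only; it cannot tell how the seed was generated."""
    return len(seed) == length and all(c in TRYTE_ALPHABET for c in seed)


def seed_space_bits(length=SEED_LENGTH):
    """Upper bound on entropy if every character is uniform and independent."""
    return length * math.log2(len(TRYTE_ALPHABET))


if __name__ == "__main__":
    seed = generate_seed()
    print(is_well_formed(seed), round(seed_space_bits()))
    # Same clock value, same "random" seed: the search space is the clock range.
    print(weak_seed(1520000000) == weak_seed(1520000000))
```

Both generators produce well-formed seeds, which is why a format check says nothing about where the randomness came from.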
Another unique quirk of IOTA is its addressing scheme.
While the scheme was created to work even after the inception of quantum computers – powerful computers that could unwind much of the cryptography underlying cryptocurrency systems – it's drawn criticism for the fact that users can only use an address once, otherwise it becomes susceptible to theft.
One Reddit user going by the name "guselbindel" even claims this type of hack happened to him a couple months ago, leading him to lose $30,000.
And actually, the exploit goes further than that. In fact, Willem Pinckaers, a researcher at security firm Lekkertech, found that even without using the public keys, they can be exploited.
"Still, the fact you can't reuse public keys safely is still batshit crazy," blockchain consultant Peter Todd tweeted.
At their core, the criticisms of IOTA seem to be focused on the project's lofty ambitions, but less than ideal execution on those promises.
While IOTA advertises itself as a "permissionless" and "scalable" solution, there is some subtlety in those terms.
For instance, IOTA is a bit more centralized – with its development team having more authority over the protocol – than most cryptocurrency enthusiasts might like. Some IOTA users even figured that out the hard way, actually, when the IOTA Foundation discovered a technical vulnerability that put users' funds at risk, and as such, seized trillions (yes with a "T") of IOTA coins from users.
The foundation eventually returned those coins after the vulnerability was patched, but the incident nonetheless left a lasting impression on some that IOTA's developers have too much control.
Sønstebø doesn't really deny this – despite the claims of decentralization made on the IOTA website and its marketing material.
"Currently it's semi-centralized," he said. "There's a central coordinator node."
IOTA nodes today can validate transactions without this coordinator node, but it's less secure. As such, a significant amount of trust is put on the central coordinator node.
That said, IOTA developers are working on it.
Just as bitcoin and other cryptocurrencies become more decentralized as adoption increases, so too will IOTA, Sønstebø said. And it's important to note that IOTA isn't the only cryptocurrency that has sought to project a message that change is coming, with time.
He concluded:
"You can't create a fully decentralized network overnight. You have to start somewhere."