Thoughts on Iota
This post was originally written as a Reddit comment in r/ethereum and r/iota. by Sunny Aggarwal in June 2017. It is being reposted here.*
I’ve been following and writing about Iota for quite some time now. I even gave a technical presentation on the whitepaper back in February that you can check out here. Over the past few days, I’ve also spent an unhealthy amount of time on the #tanglemath channel of the Iota slack trying to learn more information from discussing with some of the core devs. So let me tell you a little bit about what I have learned.
So, I’ve had much discussion with the devs on this topic, and we are still trying to come to a conclusion. However, at this moment at least, I personally don’t buy Iota’s promise of being a fee-less system. Instead of transaction fees, in order to publish a transaction to the network, you need to confirm two previous transactions (there are no blocks) and then do a small amount of PoW to be able to publish the transaction (pretty much the Hashcash style of spam prevention). However, the system also depends on the same Proof of Work for the economic security of the system. What I am still having some trouble understanding is how the Proof of Work can be easy enough that IoT devices will have the ability to do it for their own transactions but still be hard enough to prevent 33% attacks or Denial of Service attacks on the system. From what I know, Iota has two major solutions to this.
The first involves the suggested tip selection algorithm. In the protocol, they present a tip selection algorithm called the Monte Carlo Markov Chain and claim the system is secure if the majority of honest users use this algorithm. However, I haven’t seen any evidence or proof yet to suggest that this tip selection algorithm is the optimal tip selection algorithm for a selfish user to use. If there exists a more optimal selfish strategy, I think we must operate under the assumption that the majority of users will use the optimal strategy over the MCMC.
However, even if most users use the MCMC, I’m worried that there may exist a tip selection strategy that a malicious actor with a decent amount of hash power can use to perform targeted Denial of Service attacks (by purposefully spamming to outrun and thus orphan someone else’s transactions). This strategy can be beneficial in order to deny service of the Tangle to someone until they pay you a fee to let them go through. The whitepaper covers the MCMC’s protections against double spends, but not against Denial of Service. Note that I do not know if such a strategy is possible or not, but my hunch is that it is. Iota’s solution to this, however, is the use of a meshnet-like network topology. In order to achieve this, it requires manual peer finding and doesn’t offer automatic peer finding (hence the need to find peers on Slack). The idea is that an attacker with even an immense amount of hashing power to publish many spam transactions would get blacklisted by their peers if they think the they are spamming too much. And the idea is that the manual peer finding makes it too hard to use sybils. However, conflating the p2p layer with the consensus safety in such a way seems like a bad idea, and I personally think this adds way too much friction to make it usable as a permissionless system.
Their entire idea of a fee-less system assumes that everyone does the Proof of Work for their own transactions aka everyone provides computational power to the network proportional to their usage of the network. However, if you think about it, that’s also true for normal blockchains. For this example, let’s use Bitcoin just for simplicity as all transactions cost the same. In Bitcoin, if you made 10% of all transactions (paying 10% of all transaction fees), but also provided 10% of all hashing power, you’d also be the block winner for about 10% of the blocks. Amortized over time, this would roughly earn you 10% all of all transaction fees in the network, basically getting you to a net zero on transaction fee costs. However, the reason that this is not the case is that there is a discrepancy between the distribution of the usage of the network and the distribution of available computational power. Because this discrepency doesn’t just disappear, it gives me the intuition that there is an economic attack vector possible without the transaction fees (I don’t know what it is yet).
As u/ethereum_alex mentions, without mining rewards, there is no incentive for someone to be actively providing security to the system at all times. Thus, an attacker doesn’t have to outpower the entire honest computational power of the network, but just the honest computational power of the network actively making transactions at any given time (u/aminok explains this here). They could just wait for a drop in transaction throughput at off-peak hours and then launch an attack that can overpower the honest input flow.
Essentially my big point when considering Iota is that you need to think about what the economic and security purposes for things like transaction fees and mining rewards existing in Bitcoin and Ethereum are. Then you must ask yourself, where does Iota get the same security guarantees if not from the economics of mining rewards and transactions fees.
I personally think that the Spectre protocol is a more realistic usage of DAGs because it presents a systematic system for deciding pairwise ordering between two transactions (important for deciding which of a double spend transaction to accept) and doesn’t forego the things that provide blockchain its security like blocks and miners.
And now sorry if I sound like I’m putting Iota down too much. Don’t get me wrong, the Tangle is an extremely interesting technology. I just think it possibly could be put to better use as a permissioned second-layer micro-transaction solution amongst a number of semi-trusted devices on top of blockchains like Ethereum than be used as a stand-alone “public” ledger and currency. In this sense, it’s more similar to state channel networks due to its lack of total transaction ordering and thus difficulty in doing generlized smart contracts. I think these two are more akin than anything and would love to see an analysis comparing the two.
All opinions in this post are Sunny Aggarwal’s and do not represent the views of Nate Rush, the other contributor to this blog, or any organizations that Sunny is a part of or is affiliated with.