Overview
IOTA was founded in 2015 by David Sonstebo, Sergey Ivancheglo, Dominik Schiener, and Serguei Popov. Instead of a blockchain, IOTA uses the Tangle, a directed acyclic graph (DAG) where each transaction confirms two previous transactions. The design promised feeless, scalable machine-to-machine microtransactions for the IoT economy.
IOTA has been dogged by controversies throughout its history: a homegrown cryptographic hash function (Curl) was found to have critical vulnerabilities by MIT researchers in 2017, co-founder Sonstebo was ousted after governance disputes in 2020-2021, and the network has relied on a centralized Coordinator node for its entire existence. The IOTA 2.0 (Coordicide) effort aims to remove the Coordinator dependency, which has been the project's central promise for years. Shimmer was launched as a staging network to test these changes before mainnet deployment. Current leadership under Dominik Schiener has attempted to professionalize operations, but the organization continues to face credibility challenges stemming from its turbulent history.
Technology
The Tangle is architecturally novel: transactions form a DAG rather than a linear chain, theoretically enabling parallel processing and throughput that increases with network activity. Transactions are feeless. The Stardust upgrade introduced tokenization, NFTs, and smart contract capabilities via ShimmerEVM, an EVM-compatible chain anchored to the Tangle.
However, the Coordinator is the critical issue. It is a centralized node run by the IOTA Foundation that issues milestone transactions to provide finality. Without the Coordinator, the Tangle cannot reliably reach consensus on its own. This makes IOTA functionally centralized despite its distributed-sounding architecture. IOTA 2.0 proposes replacing the Coordinator with a leaderless consensus protocol using a committee-based approach and a mana reputation system, but full Coordicide has been delayed multiple times over many years.
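The Coordinator dependency described above can be made concrete with a small model. This is an added example, not IOTA Foundation code: the `Tangle` class, the transaction ids and the `from_coordinator` flag (which stands in for verifying the Coordinator's signature on a milestone) are all assumptions made for illustration.

```python
# Toy model of milestone-based finality (constructed for illustration;
# not IOTA node code). A transaction counts as confirmed only once a
# Coordinator milestone references it directly or indirectly.
from collections import deque

class Tangle:
    def __init__(self):
        self.parents = {"genesis": ()}   # tx id -> the two txs it approves
        self.confirmed = {"genesis"}

    def attach(self, tx_id, parent_a, parent_b, from_coordinator=False):
        for p in (parent_a, parent_b):
            if p not in self.parents:
                raise ValueError(f"unknown parent {p}")
        self.parents[tx_id] = (parent_a, parent_b)
        # Assumption: from_coordinator replaces the signature check a
        # real node would perform on a milestone.
        if from_coordinator:
            self._confirm_past_cone(tx_id)

    def _confirm_past_cone(self, milestone):
        # Walk everything the milestone approves, directly or indirectly.
        queue = deque([milestone])
        while queue:
            tx = queue.popleft()
            if tx not in self.confirmed:
                self.confirmed.add(tx)
                queue.extend(self.parents[tx])

    def unconfirmed(self):
        return sorted(set(self.parents) - self.confirmed)

def simulate():
    t = Tangle()
    t.attach("a", "genesis", "genesis")
    t.attach("b", "genesis", "a")
    t.attach("x", "genesis", "genesis")   # valid, but no milestone will reference it
    t.attach("c", "a", "b")
    t.attach("m1", "b", "c", from_coordinator=True)
    after_m1 = t.unconfirmed()
    # Coordinator stops: users keep attaching, nothing becomes final.
    t.attach("d", "c", "m1")
    t.attach("e", "d", "m1")
    t.attach("f", "d", "e")
    during_halt = t.unconfirmed()
    t.attach("m2", "e", "f", from_coordinator=True)   # Coordinator resumes
    return after_m1, during_halt, t.unconfirmed()

if __name__ == "__main__":
    print(simulate())
```

Transactions `d`, `e` and `f` approve one another during the halt yet stay unconfirmed until the next milestone, and `x` is never confirmed because no milestone's past cone includes it: finality depends entirely on what the single milestone issuer chooses to reference.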
The Curl hash function controversy in 2017 was damaging: MIT DCI researchers found vulnerabilities that could have enabled forgery of digital signatures and token theft. IOTA switched to standard cryptographic primitives afterward, but the incident raised serious questions about the team's cryptographic judgment. Building custom cryptography, rather than using well-audited standard algorithms, is a red flag in security-critical systems.
Security
IOTA's security history is concerning. The Curl vulnerability could have enabled token theft if exploited before discovery. The Coordinator is a single point of failure: if it stops, the network halts entirely. This happened in February 2020, when the network was halted for 11 days after the Trinity wallet hack, in which approximately $2 million in IOTA was stolen. The IOTA Foundation shut down the entire network for nearly two weeks while addressing the breach, an action that would be impossible on a truly decentralized network.
Post-Stardust security has improved with standard cryptographic libraries and the Ed25519 signature scheme. However, the Coordinator dependency means IOTA has not yet proven its security in a fully decentralized state. Smart contract capabilities via ShimmerEVM introduce additional attack surface. The Shimmer staging network has experienced bugs and issues typical of early networks. Until Coordicide ships and the network operates independently for an extended period, IOTA's decentralized security claims remain theoretical. The 11-day halt is a lasting stain on its security record.
Adoption
IOTA's IoT adoption thesis has not materialized at meaningful scale. Early partnerships with Bosch, Volkswagen, and Jaguar Land Rover generated headlines but resulted in limited production deployments, mostly proof-of-concepts that were quietly discontinued or never scaled beyond demos. The IOTA Foundation has EU research grant partnerships (EBSI, various smart city pilots in European municipalities), but these are typically experimental rather than production-grade.
The Shimmer staging network has a small DeFi and NFT ecosystem with limited activity. Transaction volume on the main Tangle is modest and has not shown sustained growth. The Foundation has pivoted messaging toward digital identity, supply chain traceability, and data marketplace use cases, but traction remains limited across all verticals. The gap between IOTA's ambitious vision and actual real-world IoT deployment remains vast after a decade of development. The IoT industry has largely adopted centralized cloud platforms (AWS IoT, Azure IoT Hub, Google Cloud IoT) rather than decentralized protocols for device communication and payments. This market reality poses an existential question: does the IoT industry actually need or want a decentralized payment layer, or is this a solution in search of a problem?
Decentralization
IOTA's centralization is its most glaring weakness. The Coordinator makes the IOTA Foundation the effective operator of the network, with the ability to halt, censor, or control transaction ordering. The Foundation also controls development direction, token grants, and ecosystem funding. The governance disputes of 2020-2021, including co-founder Sonstebo's ousting, exposed centralized decision-making vulnerabilities and organizational dysfunction.
IOTA 2.0's Coordicide aims to fix this with a committee-based consensus protocol using mana (a reputation and weight system), but the timeline has slipped repeatedly. The Shimmer network serves as a testbed but itself runs with centralized components. Until Coordicide ships on mainnet and proves stable over time, IOTA is a centralized network run by a German nonprofit. This is not a minor criticism. It undermines the fundamental value proposition of using a distributed ledger. A centralized DAG offers limited advantages over a traditional database.
Tokenomics
IOTA has a total supply of approximately 4.6 billion MIOTA, all created at genesis with no mining. Initial distribution was via a public crowdsale in 2015. There is no inflation and no staking rewards in the current design. Transaction fees are zero. The Shimmer (SMR) token was airdropped to IOTA holders as a staging network incentive, adding some value but creating a complex multi-token ecosystem.
The token's utility is primarily as a transfer-of-value medium for the IoT use case. With no fees, no staking, and minimal DeFi, MIOTA's value capture mechanism is limited to speculative demand on the IoT thesis. Assembly, a planned smart contract network, was later folded into the mainnet roadmap, adding further complexity and confusion to the tokenomics picture.
The lack of clear value accrual mechanics beyond speculation is a structural weakness. Unlike staking tokens that offer yield or fee-burning tokens that create deflationary pressure, MIOTA has no mechanism to reward holders or reduce supply. If the IoT thesis does not materialize, the token has no fallback utility to support demand.
Risk Factors
- Coordinator centralization: The network is not decentralized until Coordicide completes and proves stable.
- Unproven thesis: IoT machine-to-machine payments have not materialized at any meaningful scale after a decade.
- Governance instability: Co-founder ousting, community disputes, and organizational turmoil have plagued the project.
- Technical debt: Custom cryptography controversies, multiple protocol rewrites, and staging complexity add risk.
- Competition: Helium, Chainlink, and general-purpose L1/L2s compete in IoT and data markets.
- Network halt precedent: The 2020 shutdown for 11 days demonstrated critical fragility.
- Coordinator dependency: The single most important risk; if Coordicide fails, IOTA's thesis collapses entirely.
Conclusion
IOTA has an ambitious and intellectually interesting vision: feeless DAG-based payments for the machine economy. The Tangle architecture is genuinely novel. However, years of centralized operation, governance crises, technical controversies, and unproven adoption severely undermine confidence. IOTA 2.0 and Coordicide represent existential milestones. Until they ship and prove themselves in production, IOTA remains a research project that has operated as a centralized network for over a decade. The IoT payments thesis is compelling in theory but may be far ahead of reality, and IOTA's credibility may not survive another round of delays.
After more than a decade, IOTA's central question remains unanswered: can a feeless DAG achieve decentralized consensus and find product-market fit in IoT? The answer to both parts of this question will determine whether IOTA becomes a footnote in crypto history or eventually vindicates its unconventional approach.
The Shimmer staging network and IOTA 2.0 testnet represent the last best chance to prove the thesis. If Coordicide launches successfully and the Tangle operates without the Coordinator for an extended period without major incidents, IOTA could see a dramatic revaluation. If it fails or delays further, the project will have spent over a decade and hundreds of millions in funding without delivering on its core promise of decentralized, feeless IoT payments.