Security
Access to Assets
IOTA uses two key mechanisms to secure access to assets. First, the asset owner must cryptographically prove knowledge of their private key tied to their account address to use or transfer an asset. Thus, account keys must be securely stored and used. Second, access to assets, which are represented as Move objects in a smart contract, follows the object ownership model of the Move language. The Move VM enforces ownership rules and ensures that no bytecode execution can violate them. The only potential risks stem from logic errors within smart contracts. Once a transaction reaches consensus and is committed to the ledger, any modified or created assets are persistently updated and available for further use.
The set of validators changes periodically and is determined by the amount of locked and delegated IOTAs held.
Delegated PoS Consensus Mechanism
IOTA employs a delegated Proof-of-Stake (dPoS) mechanism to select validators (nodes that help secure and operate the network) for each epoch. Users can lock and delegate their IOTA tokens to vote for validators, granting them voting power. Validators are chosen based on the number of delegated tokens, and any node with sufficient support can become a validator.
Validators and Consensus Protocol
The IOTA consensus protocol is run by a set of independent validators. All validators follow the same protocol and participate in transaction validation, using their delegated voting power to reach consensus. The consensus protocol produces a consistently ordered stream of transactions, ensuring system reliability and security. It is designed to be Byzantine fault tolerant (BFT), meaning transactions will still be processed even if up to one-third of validators attempt to disrupt execution or violate protocol guarantees.
Additionally, all transactions in IOTA are publicly available and auditable to verify that asset modifications are correctly executed.
Rewards for Validators and Stakers
Validators receive incentives through a fixed inflation of 767,000 IOTA tokens per epoch. These tokens are distributed to validators and their delegators based on specific rules, such as the validator's commission rate and total stake. Transaction fees are burned and do not contribute to validator rewards. Staked tokens remain secure and cannot be seized by validators or other participants. For more details, refer to the staking and rewards documentation.
Accountability and Rotation of Validators
Validators must operate reliably and follow protocol rules. If validators attempt to censor transactions or act maliciously, they can be replaced. However, it is not solely the users’ responsibility to detect malicious behavior—protocol mechanisms and cryptographic guarantees ensure that validators cannot arbitrarily alter or block transactions.
Addresses and Keys
To access and manage assets on IOTA, users must hold the corresponding private key. This key must be kept secret, as even a majority of malicious validators cannot access assets without it.
Each private key corresponds to a public address on the IOTA network. Users can generate multiple addresses, and sending an asset to an address automatically creates it. Since transactions are irreversible once they reach finality, users should always verify recipient addresses before sending assets.
Asset Types and Logic
The type and logic of any asset on the IOTA network are defined within smart contracts. While some core contracts are embedded in the protocol, most smart contracts are developed externally. IOTA smart contracts are immutable, allowing for third-party audits and preventing post-deployment modifications.
The Move language enforces strong security guarantees by integrating asset security and smart contract verification at its core. Additionally, Move's capability objects provide a robust mechanism for defining access control and permissioned asset usage.
Shared Assets
Move allows for shared assets that, while publicly accessible, can have restricted usage enforced by the defining smart contract. Developers can specify which addresses have permission to interact with shared assets.
Transaction Finality
Certification and Finalization
When a transaction is submitted in IOTA, validators must collectively agree on its validity. Once agreement is reached, they issue a cryptographic certificateA certificate is the mechanism proving a transaction was approved or certified. Validators vote on transactions, and aggregators collect a Byzantine-resistant majority of these votes into a certificate and broadcasts it to all IOTA validators, thereby ensuring finality. confirming its correctness. Even if some validators act maliciously, the transaction can still be finalized by a supermajority of honest validators. This ensures that transactions cannot be invalidated or blocked by a small group of malicious actors.
Gas and Transaction Execution
Every transaction incurs a gas fee for computational processing. A transaction either executes successfully or fails. Failures can result from smart contract errors or insufficient gas. If a transaction succeeds, its effects are permanently recorded on the IOTA network. If it fails, no changes occur, but some gas fees are still deducted to mitigate spam attacks. For more details, see the gas and gas fees documentation.
Submitting Transactions
Users can submit transactions directly or use third-party services. These services cannot generate transactions on behalf of users since they do not have access to private keys. However, they can confirm transaction finalization by collecting validator signatures. A transaction is considered final once it has accumulated sufficient validator signatures, ensuring its irreversibility.
Auditing and Privacy
Reading Assets and Transaction History
IOTA full nodes provide access to asset balances and transaction histories. Validators generate cryptographic proofs verifying every transaction that contributed to an asset’s current state. Users can request and verify these proofs to ensure all transactions were correctly executed and consensus was followed.
Public Auditability
All transactions and assets on IOTA are publicly viewable, ensuring auditability. However, users can maintain pseudonymity by utilizing multiple addresses. Third-party custodial services can further enhance privacy by managing assets on behalf of users. Additionally, privacy-preserving smart contracts can be developed to add extra confidentiality layers.