“Fool me twice…”

In 1826, Joseph Smith, the founder of the Mormon faith, was convicted of conning people into paying him to “glass look”, which involves putting a magic rock into the hat, and then looking into the hat to divine the location of buried treasure.

Four years later, he wrote the Book of Mormon, which he claimed to have “translated” from inscriptions written on magical golden plates (which nobody ever saw). He translated these inscriptions into English by putting a magical rock into a hat, and then looking into it.

South Park made a documentary about it

It’s safe to assume that the original followers of the Mormon religion probably weren’t aware that their prophet was a convicted conman, but you have to wonder what kind of cognitive dissonance current Mormons must use to be aware of this fact and not completely lose their faith.

I wonder the same thing about the fervent supporters of the IOTA cryptocurrency (current market cap of $11 billion), but let’s give them the benefit of the doubt and assume they don’t know the full story.

IOTA Was Broken “On Purpose”

If you’re not familiar with the IOTA cryptocurrency , its main selling point is that transactions between users are processed via very “cheap” proof-of-work hashing algorithm — requiring far less computing power than processing blocks on the Ethereum or Bitcoin blockchains, thus enabling much faster transaction times.

Since Ethereum and Bitcoin’s processor-intensive hashing algorithms were purposely built as a security measure to prevent block spamming, a lot of people are skeptical of IOTA’s ability to be secure once its central coordinator server is removed, and it becomes truly decentralized. This skepticism resulted in MIT’s Digital Currency Initiative to take a closer look at the project’s code.

The MIT team’s findings, and the IOTA team’s responses, are where we get into Mormon territory.

The MIT team discovered of a huge vulnerability in the IOTA code. Specifically, IOTA’s cryptographic hashing function, which the IOTA team wrote themselves, could easily generate the exact same output from two different inputs— what’s known as a hashing collision. Since the custom hashing function was used for cryptographic signing of IOTA transactions, the vulnerability could be used by an attacker to forge a user’s digital signature (and potentially stealing his funds), once the currency became decentralized.

Once MIT’s findings were made public, rather than admitting to their error, the IOTA team claimed that their broken hashing function was broken on purpose to prevent copycat cryptocurrencies.

They claimed that because the IOTA tangle (its distributed ledger) is protected from fraud by a central server, run by the IOTA team, called the Coordinator, that IOTA didn’t need a secure hashing function. The IOTA team claims that they’ll shut down this Coordinator server once there are enough individuals processing IOTA transactions that the network isn’t vulnerable to a 33% attack, at which point IOTA will become truly decentralized (like Bitcoin, Ethereum, and Litecoin).

However, if a copycat tried to use IOTA’s source code in a truly decentralized manner (without a central Coordinator server), the IOTA team could exploit the hashing vulnerability to destroy the copycat currency. Such an action sounds pretty evil (and definitely illegal), but if you believe this bug was made on purpose, then it’s the natural conclusion.

The IOTA team claimed that such measures were necessary because they were worried that a copycat currency would “ruin the reputation of honest projects”.

In other words, the IOTA team thought the best way of preserving their reputation was for a copycat cryptocurrency, using IOTA’s own source code, to implode in a massive hack…that the IOTA team would be responsible for.

Believing this “broken on purpose” explanation also means that the IOTA team planned to replace the broken hashing code some time before they turned off their Coordinator server. But remember, according to the IOTA team, turning off the Coordinator server can’t happen until there’s a large number of individuals processing IOTA transactions — probably not the best time to hard fork your code and replace its core hashing function!

The Simplest explanation is probably the Correct one

Looking at the sequence of events only paints IOTA in a worse light.

The IOTA team didn’t release the “hashing algorithm was broken on purpose” explanation until September 2017.

However, a month earlier, they actually hard forked IOTA to remove the broken hashing function, shortly after the MIT team informed them of the bug’s existence, but before MIT made their findings public.

At the time, the IOTA team provided a very different explanation for why the hashing function was replaced:

This earlier explanation from the IOTA team makes no mention of purposely broken code nor any mention of copy protection at all. In fact, in this explanation it was the IOTA team that reached out to the MIT team, rather than the other way around.

But if the IOTA team planted the vulnerabilities on purpose for “copy protection”, as they later claimed, then why would they have reached out to the MIT team, which would only expose said vulnerabilities? Wasn’t the whole point of the purposely broken code to create a hidden time bomb for whatever team had the audacity to build on top of IOTA’s open source, publicly released, code?

It all makes no sense. Either the IOTA team was lying in August 2017 or September 2017.

A popular distillation of Ockham’s Razor is “the simplest explanation is usually the correct one.”

So here’s the Ockham’s Razor explanation of what happened:

The MIT team discovered that IOTA’s hashing function was incredibly vulnerable to attacks if the currency ever became truly decentralized. The MIT team reported these findings to the IOTA team. The IOTA team hard forked their code to replace the broken hashing function and then told their supporters that it was all part of a code vetting process that they themselves initiated. Later, the MIT team released their findings to the public, which garnered a lot of negative press for IOTA. The IOTA team, rather than owning their error, claimed that the hashing function was broken on purpose to save face (apparently apathetic to how the development community would respond to the idea of a hidden time bomb purposely added to open source code on Github).

I think the simple explanation is a lot more likely.

However, now that you know the whole story, if you’d still rather accept IOTA’s convoluted, contradictory explanation, then nobody can say you weren’t warned.

You’ll only have yourself to blame if the platform collapses due to one of its many, many, many other red flags.