Vulnerability in IOTA’s curl-P hashing algorithm: What the fuss was all about?

in #iota · 6 years ago

Not that long ago (about a year ago, to be more precise), there were articles floating around describing the tussle between IOTA’s development team and MIT’s Digital Currency Initiative team over collisions produced by the curl-P hashing algorithm that IOTA was using to sign transactions. The claim was that, since the signature scheme in the IOTA Reference Implementation operated on hashes of the message portion (which consisted of the transaction amount and the sender and receiver addresses), the signing process depended on the collision resistance of curl-P. An attacker could potentially exploit this to obtain valid signatures for a forged transaction. In other words, since two different message portions could hash to the same value, a signature valid for the first (intended) transaction would also be valid for the second (forged) one, which could then be broadcast on the network to create unwanted transactions and hence steal funds. (Signatures for a transaction can be easily queried. I can say that from my experience of designing a [wallet](https://github.com/utkarsh009/heliota) for iota.)
To have a closer look at the claims, I’ll be using a formal paper published in this regard.
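The hash-then-sign risk described above, as an added example that is not part of the original post and not IOTA’s code: a constructed, deliberately collision-prone stand-in hash (it digests the sorted bytes of the message, so reordering the sender and receiver produces the same digest) under a minimal Lamport one-time signature standing in for IOTA’s Winternitz scheme. The same signature then verifies for a reversed-direction transaction, while it does not under a sound hash. All names, the message format and the weak hash are assumptions made for the demonstration.

```python
import hashlib
import secrets

# Constructed stand-in for a collision-prone hash: it digests the SORTED bytes
# of the message, so any permutation of the message collides. This is NOT
# curl-P; it only models "the hash is not collision resistant".
def weak_hash(msg: bytes) -> bytes:
    return hashlib.sha256(bytes(sorted(msg))).digest()

# Collision-resistant reference for comparison.
def sound_hash(msg: bytes) -> bytes:
    return hashlib.sha256(msg).digest()

def _bits(digest: bytes):
    for byte in digest:
        for i in range(8):
            yield (byte >> i) & 1

# Minimal Lamport one-time signature (hypothetical, standing in for IOTA's
# Winternitz scheme). Only the digest is signed, as in the hash-then-sign
# design the post describes.
def keygen(nbits: int = 256):
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(nbits)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def sign(sk, msg: bytes, h) -> list:
    return [sk[i][bit] for i, bit in enumerate(_bits(h(msg)))]

def verify(pk, msg: bytes, sig: list, h) -> bool:
    return all(hashlib.sha256(s).digest() == pk[i][bit]
               for i, (bit, s) in enumerate(zip(_bits(h(msg)), sig)))

# Constructed sample "message portion": amount plus sender/receiver addresses.
LEGIT = b"addr_alice->addr_bob:1000"
FORGED = b"addr_bob->addr_alice:1000"   # same bytes, reordered: direction reversed

def forgery_accepted(h) -> bool:
    """True if a signature produced for LEGIT also verifies for FORGED under h."""
    sk, pk = keygen()
    sig = sign(sk, LEGIT, h)
    assert verify(pk, LEGIT, sig, h)   # the genuine transaction always verifies
    return verify(pk, FORGED, sig, h)  # the forged one only does if h collides

if __name__ == "__main__":
    print("weak hash accepts forgery:", forgery_accepted(weak_hash))
    print("sound hash accepts forgery:", forgery_accepted(sound_hash))
```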

Formal Paper

Do note that the emails related to this issue were leaked and can be found here.
Leaked Emails

A look at the formal research paper depicting the vulnerabilities

The paper is quite simple for a layman to read and you can simply glide through it. I don’t really think anybody would have trouble reading and thoroughly understanding it, unless you’re really bad at basic mathematical operations like addition, subtraction and multiplication.
However, for those who are really weak at it, I’d like to provide a few corrections (probably printing mistakes) and explanations; after all, it isn’t a good idea to rush out to your peers and end up looking like Ocasio-Cortez.

An important thing to notice here is this:

Theorem 1_1
Theorem 1_2

This theorem seeks to show that the absorption phase merely reorders the constituents of the individual states of a sponge. It does so by proving that the transform is indeed bijective (since the domain and range have the same cardinality, they only need to prove that it is injective). I’d like to point out that the method used for finding cycles of a desired length is much better and more intuitive than the usual DFS-traversal method that some low-grade colleges ask students to memorise and never fail to put on exam papers. The exact same question is also asked in interviews at some giant tech companies. If the solution is already out there, why ask for it?

Lemma 2

This lemma is a bit fucked up: they’ve mixed the words together, often using the wrong ones. So I’ve decided to write it down once again.

Diagram

Congruence

Similarly, replace ‘j’ with ‘j+1’ in the final result to get the other congruence. The point being made here is that, given two states of the sponge, s(k) and s(k+1), the relation that determines the value at position ‘j’ in s(k+1) can be inverted to find the positions in s(k) that are affected by a change at ‘j’. This ‘differential’ propagates through the states of the sponge.

Probability

The encircled 231 is actually 359 (because that’s what the bijection implies). Also, you can calculate and see that the resulting decimal is what you get when you divide 359 by 729. Anyway, just in case you were suspicious, I simply verified it. The results are shown below.

Terminal 1
Terminal 2

Conclusion

I’d finally like to conclude that curl-P is not a safe cryptographic hash function, as stated in the paper. On the positive side, the IOTA development team doesn’t claim it to be one either (according to the leaked emails); it was designed to allow practical collisions. Since they have since switched from curl-P to kerl for the purpose of signing, it doesn’t pose any practical threat.
Source

Dear @valkyr

I just decided to visit your profile and check out your latest content, only to notice that you haven't blogged in quite a while.

Hope you didn't give up completely on Steemit?

Cheers, Piotr

You can clearly see that the first few of my posts were written long before the recent ones, which implies that I’m not at all a blogger. I write only a few blogs every few months, whenever I feel like it. Think of it like the social media posts that people make. I don’t like sharing my personal life. Instead, I like sharing my opinions on topics every once in a while. Sometimes I blog on Steemit and other times I simply comment on YouTube videos.

Absolutely @valkyr

Thank you for your comment. Cheers
Piotr

Thx for your reply @valkyr

Thank you so much for sharing this amazing post with us!

Have you heard about Partiko? It’s a really convenient mobile app for Steem! With Partiko, you can easily see what’s going on in the Steem community, make posts and comments (no beneficiary cut forever!), and always stay connected with your followers via push notification!

Partiko also rewards you with Partiko Points (3000 Partiko Point bonus when you first use it!), and Partiko Points can be converted into Steem tokens. You can earn Partiko Points easily by making posts and comments using Partiko.

We also noticed that your Steem Power is low. We will be very happy to delegate 15 Steem Power to you once you have made a post using Partiko! With more Steem Power, you can make more posts and comments, and earn more rewards!

If that all sounds interesting, you can:

Thank you so much for reading this message!

“Have you heard about Partiko?”
Yes.
