Topic: Epic fail - IOTA's new hash function is vulnerable to collisions

https://soatok.blog/2020/07/15/kerlissions-trivial-collisions-in-iotas-hash-function-kerl/


Quote
As a consequence of their weird ternary obsession, the following inputs all produce the same Kerl hash:

GYOMKVTSNHVJNCNFBBAH9AAMXLPLLLROQY99QN9DLSJUHDPBLCFFAIQXZA9BKMBJCYSFHFPXAHDWZFEIZ
GYOMKVTSNHVJNCNFBBAH9AAMXLPLLLROQY99QN9DLSJUHDPBLCFFAIQXZA9BKMBJCYSFHFPXAHDWZFEIH
GYOMKVTSNHVJNCNFBBAH9AAMXLPLLLROQY99QN9DLSJUHDPBLCFFAIQXZA9BKMBJCYSFHFPXAHDWZFEIQ
This is a consequence of always zeroing out the last “trit” before passing the input to Keccak-384.

TL;DR - IOTA's previous hash function was backdoored, and after some controversy they changed it to their own version of SHA-3, but it's vulnerable to hash collisions because of their strange choice of encoding.


I don't track what's going on with IOTA too much, but they have a strong tendency to make these huge security mistakes and introduce critical design flaws, and people who get caught in their hype need to be aware of it.
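To see why the three quoted inputs collide, here is an added Python example (not code from the blog post or from IOTA's own implementation) that reproduces Kerl's encoding step: 81 trytes become 243 balanced trits, the 243rd trit is zeroed because 3^243 does not fit in 384 bits, and the remaining 242 trits are packed into the 48-byte integer that is handed to Keccak-384. Keccak-384 itself is omitted; since it is deterministic, identical preimages give identical Kerl digests. The little-endian trit weights and big-endian two's-complement byte order are assumed from the published Kerl description, and the collision does not depend on them.

```python
# Added example: Kerl's lossy trits-to-bytes step, which causes the collisions.
TRYTE_ALPHABET = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def tryte_to_trits(tryte):
    """One tryte (-13..13) -> three balanced trits, least significant first."""
    value = TRYTE_ALPHABET.index(tryte)
    if value > 13:            # N..Z encode the negative values -13..-1
        value -= 27
    trits = []
    for _ in range(3):
        r = value % 3         # 0, 1 or 2; 2 stands for the balanced digit -1
        if r == 2:
            r = -1
        trits.append(r)
        value = (value - r) // 3
    return trits

def trytes_to_trits(trytes):
    return [t for ch in trytes for t in tryte_to_trits(ch)]

def kerl_preimage(trytes):
    """The 48-byte Keccak-384 input Kerl derives from 81 trytes (243 trits)."""
    trits = trytes_to_trits(trytes)
    assert len(trits) == 243, "Kerl absorbs one 243-trit block at a time"
    trits[242] = 0            # the lossy step: 3^243 > 2^384, so the last trit is dropped
    value = sum(t * 3 ** i for i, t in enumerate(trits))   # assumed: little-endian weights
    return value.to_bytes(48, "big", signed=True)          # assumed: big-endian two's complement

def last_trit(trytes):
    return trytes_to_trits(trytes)[242]

def differ_only_in_last_trit(a, b):
    ta, tb = trytes_to_trits(a), trytes_to_trits(b)
    return ta[:242] == tb[:242] and ta[242] != tb[242]

def all_collide(inputs):
    """True when every input maps to the same Keccak-384 preimage."""
    return len({kerl_preimage(s) for s in inputs}) == 1

# The three inputs from the quoted blog post; they end in Z, H and Q.
COLLIDING_INPUTS = [
    "GYOMKVTSNHVJNCNFBBAH9AAMXLPLLLROQY99QN9DLSJUHDPBLCFFAIQXZA9BKMBJCYSFHFPXAHDWZFEIZ",
    "GYOMKVTSNHVJNCNFBBAH9AAMXLPLLLROQY99QN9DLSJUHDPBLCFFAIQXZA9BKMBJCYSFHFPXAHDWZFEIH",
    "GYOMKVTSNHVJNCNFBBAH9AAMXLPLLLROQY99QN9DLSJUHDPBLCFFAIQXZA9BKMBJCYSFHFPXAHDWZFEIQ",
]

if __name__ == "__main__":
    print("last trits:", [last_trit(s) for s in COLLIDING_INPUTS])   # [0, 1, -1]
    print("same Keccak-384 preimage:", all_collide(COLLIDING_INPUTS))  # True
```

Changing any other trit (for example ending the string in `IA` instead of `IZ`) changes the preimage, which is why only the final trit is "free" for a collision.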