In February, Twitter user Brodan, an engineer at Giphy, noticed something odd about Bored Ape Yacht Club (BAYC), the premier ape-based non-fungible token collection. A record intended to cryptographically prove the trustworthiness of the bored apes contained 31 identical entries, a situation that was supposed to be impossible. “There’s something super-suspicious about some of your apes,” Brodan wrote.
Six months later, when the newsletter Garbage Day brought it to wider attention, Brodan’s query still hadn’t been answered. The situation is all too common in the crypto industry and the wider open-source community, and raises the question of whether there’s something fundamentally wrong with the idea that a crowd of amateurs can effectively hold large projects to account.
The issue lies with an obscure record called the “provenance hash”. This is a record, published by BAYC’s creators Yuga Labs, that is intended to prove there was no monkey business (sorry) in the initial allocation of the apes. The problem the team had to solve is that some apes are rarer – and more valuable – than others. But in the initial “mint”, they were allocated randomly across the first 10,000 to apply. To prove they were distributed randomly, rather than a few valuable ones distributed to insiders, they published a provenance hash: a list of cryptographically generated signatures for each of the 10,000 apes, showing that the apes had been pre-generated and pre-assigned, without revealing what their characteristics were.
So far so good, except that 31 of those signatures were identical. Since the 31 apes they were assigned to were distinct, that means the provenance record for those apes was broken – and they could, theoretically, have been changed
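The check an outside auditor can run against such a record is shown here as an added illustration, not code from the article or from Yuga Labs. The use of SHA-256, the rule for combining entries into one digest, and all sample data are assumptions constructed for this sketch.

```python
import hashlib
import hmac
from collections import defaultdict

def entry_hash(content: bytes) -> str:
    # Commitment to one item. SHA-256 is an assumption of this sketch.
    return hashlib.sha256(content).hexdigest()

def build_record(items: dict) -> dict:
    # One entry per token id, published before the mint.
    return {tid: entry_hash(data) for tid, data in items.items()}

def provenance_hash(record: dict) -> str:
    # Single digest over all entries in token-id order (assumed rule).
    joined = "".join(record[tid] for tid in sorted(record))
    return hashlib.sha256(joined.encode()).hexdigest()

def duplicate_entries(record: dict) -> dict:
    # Entries shared by more than one token id. Distinct items cannot
    # share a hash, so any group here is a broken part of the record.
    groups = defaultdict(list)
    for tid in sorted(record):
        groups[record[tid]].append(tid)
    return {h: ids for h, ids in groups.items() if len(ids) > 1}

def unbound_tokens(record: dict, revealed: dict) -> list:
    # Token ids whose revealed content does not match the published entry,
    # i.e. items the record never actually committed to.
    return [tid for tid in sorted(revealed)
            if not hmac.compare_digest(record.get(tid, ""), entry_hash(revealed[tid]))]

# Constructed sample data: ten distinct items standing in for the collection.
ITEMS = {tid: f"constructed-item-{tid}".encode() for tid in range(10)}
CLEAN = build_record(ITEMS)
# Constructed faulty record: tokens 3 and 7 carry the same entry.
PUBLISHED = dict(CLEAN)
PUBLISHED[3] = PUBLISHED[7] = entry_hash(b"constructed-placeholder")

if __name__ == "__main__":
    for h, ids in duplicate_entries(PUBLISHED).items():
        print(f"duplicate entry {h[:16]}... shared by tokens {ids}")
    print("not bound by the record:", unbound_tokens(PUBLISHED, ITEMS))
    print("matches clean record:", provenance_hash(PUBLISHED) == provenance_hash(CLEAN))
```

The duplicate check needs only the published record, which is why it can be run by anyone before any item is revealed.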
Read more on theguardian.com