Bitcoin blog

The essence of Bitcoin is innovation that be related to remittance, asset holding rights, liberation, and freedom.

Transaction Malleability

The transaction can hold multiple transaction hashes while keeping the validity of the signature. So, double payment becomes possible by changing the expression without changing the meaning of the input script. This characteristic is called "Malleability".

Leading example of Mariability
For implementations that only validate with transaction hashes, It is interpret the transaction as floating in the air without being taken into the block chain. So, It is able to resend the transaction many times.
Let's see some examples of changing the TXID while actually maintaining the validity of the signature.

Example 1:Change the TXID by adding extra OP_CODE to ScriptSig
As mentioned above, when signing transaction data, the input script is excluded from the subject of signature(When signing, use the ScriptpubKey instead of ScriptSig). But, when generate TXID, contents are required ScriptSig.

Double payment becomes possible by changing add "OP_PUSH_DATA2(0x4d)" to origin script,the follow is one example.
0x48:push data of 72byte
0x41:push data of 65byte
0x4d:Push following 2-byte data
0x00:push 0 to stack

Although the TXID changes , the behavior of the script is exactly the same. there is no problem in verifying the signature.So it is possible to pretend that the transaction has not been completed and it use double payment from the original remittance.

※You can confirm that the signature is valid even if you add Unnecessary OP_CODE to the script from this site.

Example 2:Changed OP_CODE (Push_DATA) of ScripSig
The PUSH_DATA have multiple types as follow. Choose according to the number of bytes to be pushed.However, it is possible to use PUSH_DATA corresponding to a large number for a small number of bytes.

Same as Exsample 1. the TXID changes , the behavior of the script is exactly the same, and there is no problem in verifying the signature.

Example 3:The signature value S of ECDSA

The ECDSA take two signature values of r and s.The signature is valid even if plus and negative invert of signature value s.It can reverse plus and minus by subtracting s from n.

s = k -1 (z + dr) mod n

k:random number
z:massage hash
d:private key
r:digital signature value
n:Number of points existing on plane of the prime number

Example 4:Specify the range in which the signature is included by Sighash

SIGHASH ALL is used In generally. But when Using SIGHASH_NONE which does not include any signature at the output.Since it is possible to change the content of output any number of times,and the TXID will change.

・SIGHASH_ALL :Sign the reference destination and output of all inputs.
・SIGHASH_NONE:Sign all inputs but not sign to output.

Actual damage from Malleability
A large problem arises in Wallet due to Transaction Malleability too. A problem arises particularly with wallets that use only transaction ID to identify transactions. If a tampered transaction is captured and confirmed in the block before the correct transaction, the balance in Wallet will be mismatched. Then the correct transaction is considered double payment from the node and it will be processed as an invalid transaction.