Intro

Several sources of malleability are known:

  • Non-DER encoded ECDSA signatures Right now, the Bitcoin reference client uses OpenSSL to validate signatures. As OpenSSL accepts more than serializations that strictly adhere to the DER standard, this is a source of malleability. Since v0.8.0, non-DER signatures are no longer relayed already.

  • Non-push operations in scriptSig Any sequence of script operations in scriptSig that results in the intended data pushes, but is not just a push of that data, results in an alternative transaction with the same validity.

  • Push operations in scriptSig of non-standard size type The Bitcoin scripting language has several push operators (OP_0, single-byte pushes, data pushes of up to 75 bytes, OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4). As the later ones have the same result as the former ones, they result in additional possibilities.

  • Zero-padded number pushes In cases where scriptPubKey opcodes use inputs that are interpreted as numbers, they can be zero padded.

  • Inherent ECDSA signature malleability ECDSA signatures themselves are already malleable: taking the negative of the number S inside (modulo the curve order) does not invalidate it.

  • Superfluous scriptSig operations Adding extra data pushes at the start of scripts, which are not consumed by the corresponding scriptPubKey, is also a source of malleability.

  • Inputs ignored by scripts If a scriptPubKey starts with an OP_DROP, for example, the last data push of the corresponding scriptSig will always be ignored.

  • Sighash flags based masking Sighash flags can be used to ignore certain parts of a script when signing. New signatures by the sender The sender (or anyone with access to the relevant private keys) is always able to create new signatures that spend the same inputs to the same outputs.

References

  • https://en.bitcoin.it/wiki/Transaction_Malleability
  • https://github.com/bitcoin/bips/blob/master/bip-0062.mediawiki
  • https://bitcoin.org/en/developer-guide#standard-transactions
  • https://eklitzke.org/bitcoin-transaction-malleability
  • https://bitcointechtalk.com/transaction-malleability-explained-b7e240236fc7
  • https://www.blackhat.com/docs/us-14/materials/us-14-Chechik-Bitcoin-Transaction-Malleability-Theory-In-Practice.pdf
  • http://www.righto.com/2014/02/bitcoins-hard-way-using-raw-bitcoin.html
  • https://github.com/shirriff/bitcoin-code
  • http://www.righto.com/2014/02/bitcoin-mining-hard-way-algorithms.html
  • http://www.righto.com/2014/02/bitcoin-transaction-malleability.html
  • http://www.righto.com/2014/02/the-bitcoin-malleability-attack-hour-by.html
  • http://www.righto.com/2014/03/the-programming-error-that-cost-mt-gox.html
  • https://github.com/sipa/bitcoin/commit/87fe71e1fc810ee120a10063fdd26c3245686d54
  • https://github.com/bitcoinbook/bitcoinbook/blob/second_edition/ch03.asciidoc

A transaction ID is not authoritative until a transaction has been confirmed. Absence of a transaction hash in the blockchain does not mean the transaction was not processed. This is known as "transaction malleability," because transaction hashes can be modified prior to confirmation in a block. After confirmation, the txid is immutable and authoritative.