Blockchain Semantics Insights
Business Case | Deep Tech | Announcements | Blockchain Glossary |
How is Transaction malleability a potential threat to Blockchain?By Swati Keswani | May 30, 2018, 8:03 a.m. GMT
Transaction malleability is an attack that lets someone change the unique ID of a Bitcoin transaction before it is confirmed on the Bitcoin network. The change makes it possible for someone to pretend that a transaction didn't happen if all the right conditions are in place.
The user's digital signatures used as part of the hash to 'sign' the transaction are meant to be in a certain format. That format wasn't always properly checked by Bitcoin exchanges and wallets. This meant that a badly-formatted one could be introduced, and still accepted. Altering the signature in this way makes it possible to create different hashes for the same transaction.
Let’s look how this attack would work by taking an example. Let's say there is a Bitcoin exchange called X, and Adam has Bitcoins sitting in that exchange. Adam decides to withdraw his coins and asks the exchange to send the Bitcoins to his address. When X sends them, this automatically creates a transaction, which is transmitted for mining so that it can be included in the Bitcoin Blockchain.
But Adam pretends that X never sent them. He uses the transaction malleability flaw to reproduce X's original transaction, tweaking the signature slightly to produce a different hash. He then retransmits that transaction, with the different ID.
There is a chance that Adam's transaction will be confirmed on the Blockchain first. One way to get it confirmed faster it to give a high fee to lure miners. If that happens, the network will assume that transaction is valid, and won't record X's. Adam can then complain to X that he didn't receive the coins. When X checks for her transaction ID in the Blockchain, he won't find it and might try to send more Bitcoins, meaning that the exchange is out of pocket.
This attack was executed in the real world as well. The collapse of the largest bitcoin exchange at the time, Tokyo-based MtGox, March 2014 came to wide public attention. People say an explanation is still needed for the confusing irony that somehow in the Blockchain, a public transparent ledger, coins can disappear and still remain lost months later. The company said it had been hacked, and that the fraud was a result of a problem known as a “transaction malleability bug”- the bug allowed the malicious user to double-spend, transferring bitcoins into their accounts. Analysts remain unsure if MtGox was an externally perpetrated hack or an internal embezzlement.