Transaction malleability in Bitcoin is a kind of denial-of-service (DoS) attack that allows an attacker to modify or alter the hash that identifies a transaction within the blockchain.
At first glance this may not seem like a problem in itself: modifying the hash of a transaction does not affect the transaction, which is executed in exactly the same way. The problem arises when the recipient of the transaction claims not to see it reflected in his account, which raises suspicion of the user who performed the operation and of the system in general.
For this reason, transaction malleability is a serious problem for cryptocurrency payment systems, one that many cryptocurrencies face and solve in various ways.
How does this attack occur?
Transactions in Bitcoin are made up of one or more inputs and one or more outputs. The inputs are references to the outputs of previous transactions, known as unspent transaction outputs (UTXOs). The outputs contain the address to which the funds were sent and the amount that was transferred.
Each transaction on the Bitcoin blockchain has its own hash. This hash is unique and unrepeatable, and is used to identify or locate a particular transaction within the blockchain.
Through this hash, miners can track and verify that a transaction has been included in a block, and therefore validate that it is part of the blockchain.
Until that transaction is validated and confirmed, however, an attacker can modify the transaction's identifier hash without invalidating its digital signature. With this, the attacker hides the transaction and makes the sender believe the operation was not carried out. A few hours later, the attacker claims to the sender that the funds were never received and asks for the transfer to be made again. This is the point at which the attack or scam is executed: the attacker did receive the transferred funds, only they are not reflected under the hash (txid) that was registered by the service.
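The following is an added example, not part of the original article, that makes the previous paragraphs concrete. It uses a small toy serializer for the legacy (pre-SegWit) transaction format to compute a txid as the double-SHA256 of the raw bytes, then shows that re-encoding the unsigned scriptSig portion (here the historical non-minimal OP_PUSHDATA1 push form, which BIP62-era policy later made non-standard) changes the txid while the inputs spent and the outputs paid stay identical. The signature, public key, previous txid and destination script are constructed placeholder bytes, not real chain data. The defender-side point is `find_payment`: a service that reconciles deposits and withdrawals by output (script and amount) rather than by txid is not fooled when the identifier changes.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


def dsha256(b: bytes) -> bytes:
    """Bitcoin's hash for txids: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def varint(n: int) -> bytes:
    """Bitcoin CompactSize encoding for lengths and counts."""
    if n < 0xfd:
        return bytes([n])
    if n <= 0xffff:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xffffffff:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")


@dataclass
class TxIn:
    prev_txid: bytes          # 32 bytes, internal byte order
    prev_index: int
    script_sig: bytes         # signature + pubkey pushes; NOT covered by the signature itself
    sequence: int = 0xffffffff


@dataclass
class TxOut:
    value_sat: int
    script_pubkey: bytes


@dataclass
class Tx:
    version: int
    inputs: List[TxIn]
    outputs: List[TxOut]
    locktime: int = 0


def serialize(tx: Tx) -> bytes:
    """Legacy serialization: the txid is the hash of exactly these bytes, scriptSig included."""
    out = tx.version.to_bytes(4, "little") + varint(len(tx.inputs))
    for i in tx.inputs:
        out += i.prev_txid + i.prev_index.to_bytes(4, "little")
        out += varint(len(i.script_sig)) + i.script_sig
        out += i.sequence.to_bytes(4, "little")
    out += varint(len(tx.outputs))
    for o in tx.outputs:
        out += o.value_sat.to_bytes(8, "little")
        out += varint(len(o.script_pubkey)) + o.script_pubkey
    out += tx.locktime.to_bytes(4, "little")
    return out


def txid(tx: Tx) -> str:
    """Hex txid in display order (byte-reversed double-SHA256 of the serialization)."""
    return dsha256(serialize(tx))[::-1].hex()


def push(data: bytes, pushdata1: bool = False) -> bytes:
    """Encode a script data push (up to 75 bytes). The direct push (0x01-0x4b) is the
    minimal form; OP_PUSHDATA1 (0x4c <len>) pushes the same bytes with a different encoding."""
    assert len(data) <= 75
    if pushdata1:
        return b"\x4c" + bytes([len(data)]) + data
    return bytes([len(data)]) + data


def economic_content(tx: Tx) -> Tuple[tuple, tuple]:
    """What a receiver actually cares about: which coins are spent and where they go."""
    ins = tuple((i.prev_txid, i.prev_index) for i in tx.inputs)
    outs = tuple((o.value_sat, o.script_pubkey) for o in tx.outputs)
    return ins, outs


def find_payment(txs: List[Tx], expected_spk: bytes, expected_sat: int) -> List[str]:
    """Defender-side reconciliation: locate a payment by output, not by a stored txid."""
    return [txid(t) for t in txs
            if any(o.script_pubkey == expected_spk and o.value_sat == expected_sat
                   for o in t.outputs)]


# Constructed placeholder values (not real keys, signatures or chain data).
SIG = bytes(range(1, 72))                 # 71-byte stand-in for a DER signature
PUBKEY = b"\x02" + b"\xab" * 32           # 33-byte stand-in for a compressed pubkey
PREV_TXID = b"\xaa" * 32                  # stand-in for the funding transaction id
DEST_SPK = b"\x76\xa9\x14" + b"\x01" * 20 + b"\x88\xac"   # P2PKH to a placeholder hash160
AMOUNT = 50_000


def build(pushdata1: bool) -> Tx:
    """Same signature, same pubkey, same spend; only the push encoding differs."""
    script_sig = push(SIG, pushdata1=pushdata1) + push(PUBKEY)
    return Tx(1, [TxIn(PREV_TXID, 0, script_sig)], [TxOut(AMOUNT, DEST_SPK)])


ORIGINAL = build(pushdata1=False)   # what the sender broadcast and recorded
REENCODED = build(pushdata1=True)   # what actually got confirmed, under a different txid


if __name__ == "__main__":
    print("recorded txid :", txid(ORIGINAL))
    print("confirmed txid:", txid(REENCODED))
    print("same spend/outputs:", economic_content(ORIGINAL) == economic_content(REENCODED))
    print("found by output:", find_payment([REENCODED], DEST_SPK, AMOUNT))
```

Looking the payment up by the recorded txid returns nothing, while looking it up by destination script and amount finds the confirmed variant, which is why a service's ledger should key on outputs (or, after confirmation, on the block it landed in) rather than on an unconfirmed txid. SegWit (BIP141) addressed the root cause by defining the txid over a serialization that excludes the witness, so signature re-encoding no longer changes it.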
Feasibility of executing this attack
The main targets of transaction malleability attacks are cryptocurrency exchanges. Because of the high volume of operations and transactions they handle every day, an attacker can take advantage of the situation.
A user who does not carry out many transactions a day is highly unlikely to be the victim of this type of attack: when checking the account balance he will see the debit of the transaction reflected, can confirm that the transaction was made, and can verify that the destination address does hold the transferred funds.
Mt Gox and the problem of transaction malleability
The heavy losses suffered by the famous, failed cryptocurrency exchange Mt Gox were, according to its technical team and its CEO Mark Karpelès, caused by a transaction malleability problem that allowed various hackers and attackers to make claims for allegedly failed transactions, totaling approximately 850,000 stolen bitcoins. This unfortunate event led to the bankruptcy of the exchange in 2014 and left thousands of users angry and puzzled.
According to Karpelès, users were able to make multiple withdrawals of their funds by claiming that the withdrawals had not been made, when in fact they had.
However, several investigations determined that the bankruptcy of the exchange was not only due to hacking but also to the manipulation of data by the team responsible for Mt Gox. A report published on arXiv calculated that the loss of bitcoins due to transaction malleability did not exceed 400 units.