## Introduction
Transaction malleability is a property of (pre-SegWit) Bitcoin transactions that lets anyone, including a third party who cannot spend the coins, change a transaction's identifier (txid) before it is confirmed, without invalidating it. The txid is the double SHA-256 hash of the serialized transaction, and the parts of that serialization which carry the signature are not themselves covered by the signature. If the modified copy is the one that gets mined, a wallet or service that tracks the payment by its original txid sees a transaction that never confirms, which opens the door to a double withdrawal (or a double deposit) when that service resends or re-credits. In this article we look at the mechanisms of the attack, its consequences and the defences against it.
## Signature malleability
### ASN.1 and DER
The first form of malleability lies in the encoding of the signature itself. An ECDSA signature is an ASN.1 SEQUENCE of two INTEGERs, and DER gives every value exactly one octet representation: minimal length fields, minimal integer encodings, and no leading zero byte except the single one needed to keep a value positive. OpenSSL, the library Bitcoin originally used for signature verification, did not enforce these rules when parsing, so encodings that deviate from strict DER (such as an extra leading 0x00 in front of r or s, or a non-minimal length field) were still decoded to the same (r, s) pair and accepted as valid. The signature's meaning is unchanged, but its bytes, and with them the txid, are different.
### ECDSA and signature modification
For each ECDSA signature (r, s) there is a second signature (r, N - s), where N is the order of the secp256k1 group, that is valid for the same message and public key: negating s negates the verifier's intermediate values and lands it on the point -R, whose x coordinate is the same r. Computing N - s needs no private key, so anyone relaying the transaction can swap one for the other and change the txid. The fix is to require a canonical choice, the "low-S" rule: only the s value not greater than N/2 is accepted. Bitcoin Core enforces this as a standardness (relay) rule, BIP-62 and later BIP-146 proposed making it a consensus rule, and Ethereum made high-s signatures invalid in the Homestead fork (EIP-2). Note that BIP-66's strict DER check does not address this form: (r, N - s) is a perfectly well-formed DER signature.
## ScriptSig malleability
### Signature algorithm
The signature hash that a Bitcoin signature commits to is computed with the input's scriptSig replaced by the script being spent (and the other inputs' scriptSigs emptied), so the scriptSig that eventually carries the signature is not itself signed. It cannot be: the signature does not exist yet when the hash is computed. This means anyone can rewrite the scriptSig as long as it still leaves the same items on the stack before scriptPubKey is executed. For example, one can prepend a push followed by OP_DROP (such as OP_1 OP_DROP), which adds an item and immediately removes it, or re-encode an existing push with a longer opcode (OP_PUSHDATA1 instead of a direct push). Either way the bytes of the transaction, and hence its txid, change.
### Impact on transaction ID
Because the txid changes while the inputs, outputs and amounts do not, the modified transaction is a conflicting spend of the same coins, and only one of the two versions can be mined. If the attacker's copy wins, the original txid never appears in the chain, and the attacker can claim the payment "did not go through". This is especially dangerous for Bitcoin exchanges and other automated services: a withdrawal system that checks only for its own txid and resends when it is missing pays twice, and a deposit system that credits unconfirmed transactions by txid can see two different txids for the same coins.
## Protection methods
### Checking the signature library for malleability
One defence is to check the signature library in use for malleability: verify that it only produces, and only accepts, canonical encodings, so that no differently encoded but still valid variant of a signature exists. Bitcoin did this with BIP-66 (Strict DER signatures), which became a consensus rule and rejects any signature that is not exactly in strict DER form. This removes the encoding form of malleability, but on its own it removes neither the (r, N - s) form, which needs the low-S rule, nor the scriptSig form.
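The following added example (not code from the article or from Bitcoin Core) ties the encoding discussion above to the BIP-66 check. It contains a strict DER encoder for an (r, s) pair, a lenient decoder that, like a BER-tolerant parser, ignores redundant leading zeros, a Python port of BIP-66's `IsValidSignatureEncoding`, and a `pad_r` malleation that inserts a redundant 0x00 in front of r. The `R_EXAMPLE` and `S_EXAMPLE` values are constructed for the demo and are not a real signature.

```python
# Constructed values: R has the high bit of its first byte clear, S has it set,
# so strict DER must prefix S (and only S) with a single 0x00.
R_EXAMPLE = int("3a" * 32, 16)
S_EXAMPLE = int("b1" * 32, 16)


def _der_int(x):
    """Strict DER INTEGER: minimal big-endian bytes, plus one 0x00 only if needed to stay positive."""
    b = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + bytes([len(b)]) + b


def encode_der_strict(r, s, sighash=0x01):
    """0x30 [len] 0x02 [lenR] [R] 0x02 [lenS] [S] [sighash]; the sighash byte is Bitcoin's, not DER's."""
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body + bytes([sighash])


def decode_lenient(sig):
    """Lenient parser: reads the integers by length and ignores redundant leading zeros."""
    if sig[0] != 0x30 or sig[2] != 0x02:
        raise ValueError("not a DER sequence of integers")
    len_r = sig[3]
    r = int.from_bytes(sig[4:4 + len_r], "big")
    if sig[4 + len_r] != 0x02:
        raise ValueError("missing S integer")
    len_s = sig[5 + len_r]
    s = int.from_bytes(sig[6 + len_r:6 + len_r + len_s], "big")
    return r, s, sig[6 + len_r + len_s]


def is_valid_signature_encoding(sig):
    """Port of BIP-66 IsValidSignatureEncoding. It checks encoding only, not low-S."""
    if len(sig) < 9 or len(sig) > 73:
        return False
    if sig[0] != 0x30:
        return False
    if sig[1] != len(sig) - 3:                  # length must cover all but the sighash byte
        return False
    len_r = sig[3]
    if 5 + len_r >= len(sig):
        return False
    len_s = sig[5 + len_r]
    if len_r + len_s + 7 != len(sig):
        return False
    if sig[2] != 0x02 or len_r == 0:
        return False
    if sig[4] & 0x80:                           # R must not be negative
        return False
    if len_r > 1 and sig[4] == 0x00 and not (sig[5] & 0x80):
        return False                            # redundant leading zero in R
    if sig[len_r + 4] != 0x02 or len_s == 0:
        return False
    if sig[len_r + 6] & 0x80:                   # S must not be negative
        return False
    if len_s > 1 and sig[len_r + 6] == 0x00 and not (sig[len_r + 7] & 0x80):
        return False                            # redundant leading zero in S
    return True


def pad_r(sig):
    """Third-party malleation: insert a redundant 0x00 in front of R and fix up the lengths.
    The integer value is unchanged; the bytes, and hence the txid, are not."""
    len_r = sig[3]
    body = bytes([0x02, len_r + 1, 0x00]) + sig[4:4 + len_r] + sig[4 + len_r:-1]
    return b"\x30" + bytes([len(body)]) + body + sig[-1:]


if __name__ == "__main__":
    strict = encode_der_strict(R_EXAMPLE, S_EXAMPLE)
    padded = pad_r(strict)
    print("strict accepted:", is_valid_signature_encoding(strict))
    print("padded accepted:", is_valid_signature_encoding(padded))
    print("same (r, s):   ", decode_lenient(strict)[:2] == decode_lenient(padded)[:2])
```

The lenient decoder returns the same (r, s) for both byte strings, which is exactly why a pre-BIP-66 node accepted the padded variant; the strict check rejects it on the "redundant leading zero in R" rule.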
### Protocol changes
Another defence is to change the protocol so that the txid no longer covers the malleable parts. Segregated Witness (BIP-141) moves signatures and other unlocking data out of the scriptSig into a separate witness structure that is excluded from the txid; the witness is covered by a second identifier, the wtxid. For inputs spending SegWit outputs the scriptSig is empty (or, for P2SH-wrapped SegWit, a single fixed push that is pinned by the P2SH hash), so neither the signature nor the scriptSig can be altered by a third party without invalidating the transaction, and the txid is fixed once the transaction is built. The guarantee applies only to SegWit inputs: a transaction that still spends legacy outputs remains malleable through those inputs.
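The added example below (not code from the article or from any Bitcoin implementation) serves both the ScriptSig section and this one. It serializes a one-input, one-output transaction in the legacy and the BIP-144 (SegWit) formats and computes txid and wtxid, with a toy script interpreter for push opcodes and OP_DROP. For a legacy spend, prepending OP_1 OP_DROP to the scriptSig leaves the stack unchanged but produces a different txid; for a native SegWit spend, replacing the signature in the witness changes the wtxid but not the txid. The previous txid, the signature and pubkey placeholders and the output script are constructed for the demo; the "signatures" are only byte strings of the right shape and are not verified.

```python
import hashlib
import struct

OP_0, OP_1, OP_DROP = 0x00, 0x51, 0x75


def compact_size(n):
    """Bitcoin CompactSize integer (counts and script/witness lengths)."""
    if n < 0xfd:
        return bytes([n])
    if n <= 0xffff:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xffffffff:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def push(data):
    """Direct push opcode for 1..75 bytes, the form used for signatures and pubkeys."""
    assert 1 <= len(data) <= 75
    return bytes([len(data)]) + data


def sha256d(b):
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def serialize_tx(prev_txid_hex, prev_index, script_sig, value_sat, script_pubkey, witness=None):
    """One-input, one-output transaction. witness=None gives the legacy serialization;
    otherwise the BIP-144 one (marker 0x00, flag 0x01, witness stack before locktime)."""
    raw = struct.pack("<i", 2)                                  # version
    if witness is not None:
        raw += b"\x00\x01"                                      # marker + flag
    raw += compact_size(1)                                      # input count
    raw += bytes.fromhex(prev_txid_hex)[::-1]                   # prevout hash, internal byte order
    raw += struct.pack("<I", prev_index)
    raw += compact_size(len(script_sig)) + script_sig
    raw += struct.pack("<I", 0xffffffff)                        # sequence
    raw += compact_size(1)                                      # output count
    raw += struct.pack("<q", value_sat)
    raw += compact_size(len(script_pubkey)) + script_pubkey
    if witness is not None:
        raw += compact_size(len(witness))
        raw += b"".join(compact_size(len(item)) + item for item in witness)
    raw += struct.pack("<I", 0)                                 # locktime
    return raw


def hash_id(raw):
    """Double SHA-256, displayed byte-reversed as txid and wtxid are."""
    return sha256d(raw)[::-1].hex()


def run_script(script):
    """Toy interpreter for the opcodes this example needs; returns the final stack."""
    stack, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if op == OP_0:
            stack.append(b"")
        elif 1 <= op <= 75:                                     # direct push
            stack.append(script[i:i + op])
            i += op
        elif 0x51 <= op <= 0x60:                                # OP_1..OP_16
            stack.append(bytes([op - 0x50]))
        elif op == OP_DROP:
            stack.pop()
        else:
            raise ValueError(f"opcode {op:#x} not supported by this toy interpreter")
    return stack


# Constructed placeholders: shapes of a DER signature and a compressed pubkey, not real ones.
PREV_TXID = "aa" * 32
VALUE_SAT = 50_000
FAKE_SIG = b"\x30" + b"\xcc" * 69 + b"\x01"               # 71 bytes incl. sighash byte
FAKE_SIG_TWIN = b"\x30" + b"\xdd" * 69 + b"\x01"          # stands in for the (r, N - s) twin
FAKE_PUB = b"\x02" + b"\xee" * 32                         # 33-byte compressed key
OUT_SPK = b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"    # P2PKH output script

ORIGINAL_SCRIPT_SIG = push(FAKE_SIG) + push(FAKE_PUB)
MALLEATED_SCRIPT_SIG = bytes([OP_1, OP_DROP]) + ORIGINAL_SCRIPT_SIG   # extra push, then drop it


def legacy_txids():
    """Same stack handed to scriptPubKey, different txid."""
    a = serialize_tx(PREV_TXID, 0, ORIGINAL_SCRIPT_SIG, VALUE_SAT, OUT_SPK)
    b = serialize_tx(PREV_TXID, 0, MALLEATED_SCRIPT_SIG, VALUE_SAT, OUT_SPK)
    return hash_id(a), hash_id(b)


def segwit_ids(witness):
    """Native SegWit spend: empty scriptSig, signature in the witness.
    txid hashes the serialization without the witness; wtxid hashes the full one."""
    base = serialize_tx(PREV_TXID, 0, b"", VALUE_SAT, OUT_SPK)
    full = serialize_tx(PREV_TXID, 0, b"", VALUE_SAT, OUT_SPK, witness)
    return hash_id(base), hash_id(full)


if __name__ == "__main__":
    print("legacy txids:", legacy_txids())
    print("segwit (txid, wtxid), original:", segwit_ids([FAKE_SIG, FAKE_PUB]))
    print("segwit (txid, wtxid), twin sig:", segwit_ids([FAKE_SIG_TWIN, FAKE_PUB]))
```

A service that keys its bookkeeping on the txid of a legacy transaction is keying on something a relay node can rewrite; with SegWit inputs the txid is computed over data the third party cannot touch, and only the wtxid (which nothing downstream needs to track) varies.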
## Conclusion
Transaction malleability poses a serious threat to systems built on Bitcoin: it lets an attacker change a transaction's txid and make the original appear never to have happened, which can lead to financial losses and undermines trust in the system. There are effective countermeasures, each covering one form of the problem: strict DER encoding (BIP-66) for the encoding form, the low-S rule for the (r, N - s) form, and Segregated Witness, which removes signatures and scriptSig data from the txid altogether. Developers of wallets, exchanges and payment systems should know which of these their software relies on, and should never treat an unconfirmed txid as a stable reference for a payment.
## Links
1. Bitcoin Wiki: Transaction Malleability, https://en.bitcoin.it/wiki/Transaction_malleability
2. BIP-0066: Strict DER signatures, https://github.com/bitcoin/bips/blob/master/bip-0066.mediawiki
3. EIP-2: Homestead Hard Fork Changes (includes the rejection of high-s signatures), https://eips.ethereum.org/EIPS/eip-2