transactions, which move bitcoins from one address to another, must be signed by the sending address.

however, not all parts of a transaction are signed. modifying those parts allows one to create a valid transaction with the same bitcoin transferring effect, but with a different overall hash.

the hash of the entire transaction is used as a transaction id.

so a modified transaction would have a different id.

some bitcoin management software (a wallet) loses track of transfers, because those transfers don't occur under the transaction-id it expected.

the implication is that some bitcoin services could get confused about who they've successfully sent bitcoins to.

an attacker could socially engineer a "robbery" by transmitting a mutation of an official withdrawal transaction, then appealing to the helpdesk of that service that their withdrawal never went through. it did go through - just under a different transaction id.

checking transaction hashes for acceptance into the blockchain was a stupid idea to begin with. clearly the data in a transaction is malleable without affecting the signature. given that mtgox already were using non-canonical transactions, they should have been aware of this.

a transaction only becomes immutable once it has been included in the blockchain. after this point, searching for a tx by hash is ok.

calling this a bug of the bitcoin protocol is akin to saying that array decay in C is a bug in the language spec. it is known, and and has been talked about for a long time. in both cases.

More seriously, if the software was set up to retransmit bitcoin after a "failed" transfer, then that service could be exploited automatically. Mostly, this wasn't a social attack. The seriousness was that many services were set up to retransmit automatically, and did lose a lot of money automatically.

Thanks for taking the time to explain this, I've been curious myself.

Do you know why scripts aren't signed? I don't fully understand bitcoin but it seems like they're an integral part of the transaction.

scriptSig (the second part of the script) contains the signature - it can't sign itself, but you can add other opcodes to it and that allows malleability.

I'm still not sure what's the best way to defend against that, so I posted a "Ask HN" here: https://news.ycombinator.com/item?id=7246381

Any help is appreciated

Instead of relying on transaction hashes, you need to scan the blockchain for any transaction involving the addresses you care about.

Transaction hashes are a misnomer -- the hash is a has of the message, NOT of the transaction. Many messages match one transaction.

I found this explanation, also from the same blog and also posted here, to be quite clear: http://www.righto.com/2014/02/bitcoin-transaction-malleabili...

Discussion: https://news.ycombinator.com/item?id=7232175

I think it also serves to give a visual confirmation of just how much bullshit "transaction malleability" is when used as an excuse for the theft of 4,500BTC from SR2: http://www.deepdotweb.com/2014/02/13/silk-road-2-hacked-bitc...

Discussion on HN: https://news.ycombinator.com/item?id=7234010

There was quite a good explanation posted to HN 5 days ago: http://cryto.net/~joepie91/blog/2014/02/10/why-mtgox-is-full...

(discussion: https://news.ycombinator.com/item?id=7211286)