Transaction Malleability | Bitcoin Glossary | Mapping Bitcoin

Transaction Malleability

Security

Also known as: tx malleability, malleability

A vulnerability where a transaction's ID could be changed without invalidating the transaction by modifying the signature data. SegWit fixed this issue by moving witness data outside the transaction hash calculation, enabling reliable transaction chaining for the Lightning Network.

Overview

Transaction malleability was a long-standing vulnerability in Bitcoin where a third party (or even the transaction signer) could modify the signature data in a transaction without invalidating it, causing the transaction ID to change. While the modified transaction would still transfer the same amount to the same recipient, the changed TXID broke any dependent transactions that referenced the original ID.

How It Worked

In pre-SegWit transactions, the signature (scriptSig) was included in the data that was hashed to produce the TXID. Because the same ECDSA authorization can be expressed as more than one valid byte sequence (a non-canonical DER encoding of the same (r, s) pair, or the complementary s-value n - s), the signature bytes could be altered while remaining cryptographically valid:

Original Transaction:
  TXID: abc123...
  scriptSig: [signature_A]   <-- Can be modified
  Outputs: 1 BTC to Alice

Malleated Transaction:
  TXID: def456...             <-- Different TXID!
  scriptSig: [signature_A']  <-- Different encoding, still valid
  Outputs: 1 BTC to Alice    <-- Same payment

Why It Was a Problem

  • Transaction chaining: Any transaction that referenced the original TXID as an input would become invalid if the malleated version was mined instead.
  • Exchange exploits: Attackers could withdraw from exchanges, malleate the TXID, and claim the withdrawal never arrived — leading the exchange to re-send funds.
  • Lightning Network impossibility: Payment channels require reliable chains of pre-signed transactions. Malleability made this unsafe, as a malleated funding transaction would invalidate all subsequent commitment transactions.

The SegWit Fix

SegWit solved transaction malleability by moving witness data (signatures) to a separate structure that is not included in the TXID calculation:

Pre-SegWit:  TXID = Hash(version + inputs + scriptSig + outputs + locktime)
                                            ^^^^^^^^^^
                                            Malleable!

SegWit:      TXID = Hash(version + inputs + outputs + locktime)
             Witness data committed separately via the wtxid (not in TXID)
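The two diagrams above (the pre-SegWit scriptSig malleation and the SegWit TXID that excludes witness data) can be reproduced directly from the serialization rules. The following Python is an added example, not code from the glossary or from any Bitcoin implementation; it serializes a legacy transaction and a BIP141 witness transaction from constructed placeholder values (the previous TXID, output script and signature bytes are made up and labelled as such) and shows that swapping the signature encoding changes the legacy TXID but leaves the SegWit TXID untouched, only the wtxid moving. It also includes the BIP146 LOW_S check that validators use to reject the complementary s-value, since that is the standardness rule that closed the signature-side of the problem even for legacy inputs.

```python
import hashlib
import struct

# secp256k1 group order (public curve constant); used for the LOW_S check
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def dsha256(data: bytes) -> bytes:
    """Bitcoin's double SHA-256, the hash behind every TXID."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def varint(n: int) -> bytes:
    """CompactSize encoding used for counts and script lengths."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def ser_inputs(inputs) -> bytes:
    """inputs: list of (prev_txid_hex, vout, script_sig, sequence)."""
    out = varint(len(inputs))
    for prev_txid, vout, script_sig, sequence in inputs:
        out += bytes.fromhex(prev_txid)[::-1]          # display order -> internal order
        out += struct.pack("<I", vout)
        out += varint(len(script_sig)) + script_sig   # scriptSig is part of the hashed bytes
        out += struct.pack("<I", sequence)
    return out


def ser_outputs(outputs) -> bytes:
    """outputs: list of (value_sats, script_pubkey)."""
    out = varint(len(outputs))
    for value_sats, script_pubkey in outputs:
        out += struct.pack("<q", value_sats)
        out += varint(len(script_pubkey)) + script_pubkey
    return out


def serialize_legacy(version, inputs, outputs, locktime) -> bytes:
    """Pre-SegWit layout: version + inputs(with scriptSig) + outputs + locktime."""
    return (struct.pack("<i", version) + ser_inputs(inputs)
            + ser_outputs(outputs) + struct.pack("<I", locktime))


def serialize_witness(version, inputs, outputs, locktime, witnesses) -> bytes:
    """BIP141 layout: version + marker(0x00) + flag(0x01) + inputs + outputs + witness + locktime."""
    wit = b""
    for stack in witnesses:                  # one witness stack per input
        wit += varint(len(stack))
        for item in stack:
            wit += varint(len(item)) + item
    return (struct.pack("<i", version) + b"\x00\x01" + ser_inputs(inputs)
            + ser_outputs(outputs) + wit + struct.pack("<I", locktime))


def txid_hex(serialized: bytes) -> str:
    """Double-SHA256 of the serialization, printed byte-reversed as wallets display it."""
    return dsha256(serialized)[::-1].hex()


# --- constructed sample data (placeholders, not real chain data) ---
PREV = "aa" * 32                                        # constructed previous TXID
P2PKH = bytes.fromhex("76a914") + b"\x11" * 20 + bytes.fromhex("88ac")  # constructed script
OUTPUTS = [(100_000_000, P2PKH)]                       # 1 BTC "to Alice"
SIG_A = b"\x30\x44" + b"\x01" * 68 + b"\x01"            # constructed stand-in for signature_A
SIG_B = b"\x30\x45" + b"\x02" * 69 + b"\x01"            # constructed stand-in for signature_A'
PUBKEY = b"\x02" + b"\x03" * 32                         # constructed 33-byte key stand-in


def legacy_txids():
    """Legacy: two encodings of the same authorization give two different TXIDs."""
    tx_a = serialize_legacy(1, [(PREV, 0, SIG_A, 0xFFFFFFFF)], OUTPUTS, 0)
    tx_b = serialize_legacy(1, [(PREV, 0, SIG_B, 0xFFFFFFFF)], OUTPUTS, 0)
    return txid_hex(tx_a), txid_hex(tx_b)


def segwit_ids():
    """SegWit: TXID hashes the witness-stripped bytes; only the wtxid sees the signature."""
    inputs = [(PREV, 0, b"", 0xFFFFFFFF)]              # native segwit input: empty scriptSig
    stripped = serialize_legacy(1, inputs, OUTPUTS, 0)  # same bytes whatever the witness holds
    full_a = serialize_witness(1, inputs, OUTPUTS, 0, [[SIG_A, PUBKEY]])
    full_b = serialize_witness(1, inputs, OUTPUTS, 0, [[SIG_B, PUBKEY]])
    return txid_hex(stripped), txid_hex(full_a), txid_hex(full_b)


def is_low_s(s: int) -> bool:
    """BIP146 LOW_S rule: accept only s in [1, n/2] so (r, n-s) is non-standard."""
    return 1 <= s <= SECP256K1_N // 2


if __name__ == "__main__":
    a, b = legacy_txids()
    print("legacy  TXID (sig A):", a)
    print("legacy  TXID (sig B):", b, "<-- differs: chained spends break")
    t, wa, wb = segwit_ids()
    print("segwit  TXID        :", t, "(same for both witnesses)")
    print("segwit wtxid (sig A):", wa)
    print("segwit wtxid (sig B):", wb)
```

The TXID returned by segwit_ids() is what a Lightning commitment transaction would reference as its funding outpoint; because it is computed from the stripped serialization, no change to the witness can invalidate that reference, which is exactly the property the channel construction needs. The is_low_s() check is the validator-side counterpart: a node enforcing it treats a signature whose s exceeds n/2 as non-standard, so the complementary-s variant of a legacy transaction will not propagate.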

This fix was the critical prerequisite for building the Lightning Network, which relies on chains of pre-signed transactions with predictable TXIDs.

Historical Significance

The Mt. Gox exchange famously cited transaction malleability as a factor in its collapse in 2014, though subsequent investigations revealed that malleability was not the primary cause of its losses. Nevertheless, the incident brought widespread attention to the vulnerability and motivated the development of SegWit.