Company updates

How to Identify Transaction Malleability Attack

, October 30, 2015

In the past month, we have experienced several attempts of transaction malleability attack against CEX.IO exchange. This is not the first round of attacks against the exchange, and, within our professional team, we always manage to detect such attacks very quickly, preventing losses.

Having greatly influenced Mt. Gox in 2014, it is a “new old” issue within the industry that can still create problems for Bitcoin network subjects, namely, Bitcoin exchanges, which could negatively affect Bitcoin ecosystem in general.

Therefore, we would like to share our experience and speak out on how to identify and fight off transaction malleability with an example of 2 transactions made on CEX.IO within the attack.

What is transaction malleability?

Transaction malleability is an attack that lets a person change Bitcoin transaction’s unique ID before confirmation on the Bitcoin network. This change makes it possible for the person to pretend that a transaction didn’t happen. In case of Bitcoin exchanges, it can be used to make a double deposit or double withdrawal.

However, it should not be confused with double spending, as the latter implies spending an amount of crypto coins once, and creating another transaction with the same coins (thus, they can be spent twice).

How to determine that you are under transaction malleability attack?

For example, a hacker requests a Bitcoin withdrawal from his account on an exchange and changes unique ID of the transaction.

Here are two transactions recently happened on CEX.IO. Let’s compare them by using transaction ID scripts on the blockchain.

transaction malleability

It is clear the signatures’ encoding have been changed, which led to altering script length, transaction and txid, without affecting transaction data.

Although the database of the exchange contains initial txid, it can happen that attacker’s transaction with altered txid will be confirmed in the blockchain first, while the original transaction will never be confirmed. This will allow hacker complain that the transaction is pending and claim compensation. More than one fake transaction can be made based on the original transaction.

How to fight off transaction malleability attack?

There is hardly a way to prevent such an attack automatically. However, there are at least two ways to avoid losses:

– required transaction confirmation
– manual verification of bitcoin withdrawals from exchanges.

In general, if an exchange notices suspicious pending transactions, it is already an alarm for something going wrong, and can serve as a signal of transaction malleability attack.

Related

Company updates

When my bank transfer clears (and when it’s time to ring the alarm)

Cryptocurrencies attract more and more new users. Research shows that there are more than 70 million crypto wallets in the world as of March 2021. And those are only non-custodial wallets. But how do you make crypto appear in your wallet? Often the most secure way to buy crypto is

Oct 13, 2021 | 13 min read
CEX.IO News Company updates

CEX.IO Receives In-Principle Decision from Gibraltar Regulator on the Path to DLT License

We are happy to share that CEX.IO has received “in-principle” status for the Distributed Ledger Technology (DLT) license issued by the Gibraltar Financial Services Commission (GFSC). This means that we are currently at the beginning of the final stage in the authorization process. To receive the license, it is

Mar 18, 2019 | 3 min read
Company updates

CEX.IO Adds PayPal as a Funding Option

CEX.IO is pleased to announce we are offering users the option to link existing PayPal accounts to their CEX.IO Wallet. By enabling PayPal as a funding source, we’re giving our users more options to fund their CEX.IO Wallet with fiat for crypto purchases on our platform. Users with existing PayPal accounts don’t need to add bank

Apr 14, 2022 | 2 min read