Here’s an explanation of the malleability issue of Bitcoin and what it really means for you.
Let’s say you hire Jane Plumber to fix your sink for $100. After Jane completes her work, you write a check for $100, sign it, and send to Jane, thinking nothing of it.
Found this article valuable? Want to show your appreciation? Here are some options:
a) Visit my sponsors to let them know you appreciate them helping me run this site.
b) Donate Bitcoins! I love Bitcoins, and you can donate if you'd like by clicking the button below.
c) Spread the word! To the left, you should find links to sharing this article on your favorite social media sites. I'm an attention junkie, so sharing is caring in my book!
Upon receiving the check, Jane annotates the check in some insignificant manner, for example by stamping it or writing a note that it has been received. She then sends the check to the bank to get the $100 deposited.
In Bitcoin, the check is analogous to a transaction. It is a signed statement from you that you want to transfer an amount to someone else. To declare that you intend to do so, you publish a cryptographically unique signature, or in this analogy a unique image, so that anyone can see that you intend to pay Jane $100.
All of these images or transactions are stored in the Bitcoin blockchain which is a public ledger of all transactions made by anyone. In this analogy each transaction is a picture of a check, a check signed by you, but that can be published to the public ledger by anyone who has that check.
As such, when Jane annotates the check, she can also publish the annotated image of the check. The annotated check does exactly the same thing; it withdraws $100 from your account and transfers to Jane. However, because of the annotations, the image that Jane publishes is different from the one you publish.
Although there are two check images published, only one of the images will be accepted by the bank or in this case the Bitcoin network. The details of how this happens is beyond the scope of this explanation, but involves a transaction history which ensures that you cannot give away the same dollar twice.
However, a malicious attacker can exploit this if you are a bit naive. If Jane’s image is the one accepted, Jane can call you and say that she never received the check. When you then go into the public ledger and search for your original image, it is nowhere to be found because it was Jane’s image that got accepted.
If you are naive, you may then write Jane a new check, and she can withdraw your $100 twice, once for each check you sent her.
If this happened outside of Bitcoin, it would be very simple to check whether Jane was telling the truth. You can simply check your bank statement and see whether the charge for the personal check has been posted to your account. If so, Jane is lying and you can simply ignore her request.
In fact, even in Bitcoin, if someone claims that they have not received the funds you sent, it would be easy to check the balance of your address to see whether the funds are gone and thus have been sent. You may not find your original transaction, but you will find the transaction that sent the money and you could present that to Jane as evidence that the money has left your account and has been received in her account.
The malleability component of Bitcoin is the protocol’s ability to interpret the intent of the check, so to speak, even if it has been annotated with certain pieces of information or decoration. It is still the same check designed to do the same thing, but it looks a bit different than when you originally signed it.
Please also note that although you can make simple changes to a check or Bitcoin transaction, any change that is of importance, such as the sum you want to pay or to whom you send the money, can not be changed. If you attempt this, Bitcoin requires a new signature from you, and it’s not as easy as just copying the signature from a paper check.