Below are a few examples of witness malleability, together with the explanation of why I think they're no longer valid:
DER Malleability
- For every DER signature with (r,s), there exist 2 valid 's' values -> BIP146 requires low 's' only
scriptSig Malleability
- Can add OP_NOP -> "scriptsig-not-pushonly" error
- Can add OP_1 at the beginning of scriptSig -> "Stack size must be exactly one after execution" error
- Can add, say, OP_PUSHDATA1 OP_0 -> "Data push larger than necessary" error
- Can add OP_1 OP_DROP at the beginning of scriptSig -> "scriptsig-not-pushonly" error
In summary, it seems the Bitcoin team has done a pretty good job of plugging the holes in non-segwit witness data malleability, so I'm not clear why one of the main advantages of segwit to this day is listed as preventing malleability (I get that Segwit is a more absolute solution to this problem, given the witness data isn't part of the txid and therefore the txid is immutable).
The only reasons I can think of why non-segwit malleability would remain a problem are if some of the witness malleability attack vectors listed above are still valid when a transaction is submitted directly to a miner (even if rejected by other nodes), or if a non-negligible portion of nodes still hadn't updated to these software changes from 2016, etc.
