February 12, 2014, 03:46:28 PM |
The SHA256 signature of a transaction serves as its txid. It is NOT malleable. However, the data inside a transaction message is somewhat arbitrary. Although the inputs, the outputs, and the amounts are signed by the sender (and are thus not changeable without invalidating the transaction), one can append some other arbitrary data to the transaction, while keeping it valid. Although the effect of the transaction is going to be the same (a certain amount chosen by the sender is going to be sent to the receiver), the associated txid is going to be different.
Thus it is NOT a double spend attack. One CANNOT take your coins without knowing your private key, nor can one send the same coin to two different persons.
However, one should NOT use the txid as a way to uniquely identify a transaction. One should instead use a combination of inputs, outputs and amount to ascertain that the transaction went through (or not).
MtGox did not do that; they used the txid. Some users exploited that, and claimed to customer service that their withdrawal had failed, when in fact it went through but with a different txid than what MtGox thought. MtGox then wrongly re-sent a transaction.
It was not a double spend, it was a double send.
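The reconciliation check recommended in the post above, as an added example that is not part of the original post: withdrawals are matched on a hash of the spent inputs, the outputs and the amounts instead of on the txid. The layout is the legacy Bitcoin transaction serialization; the helper names `payment_key` and `reconcile`, the status strings, and all sample transactions (placeholder outpoints, scripts and scriptSig bytes, not real signatures) are constructed for illustration.

```python
import hashlib
import struct

def varint(n):
    assert n < 0xfd  # single-byte CompactSize is enough for this sample
    return bytes([n])

def serialize(tx):
    """Legacy (pre-SegWit) Bitcoin transaction serialization."""
    raw = struct.pack("<I", tx["version"]) + varint(len(tx["vin"]))
    for prev, index, script_sig in tx["vin"]:
        raw += bytes.fromhex(prev)[::-1] + struct.pack("<I", index)
        raw += varint(len(script_sig)) + script_sig + b"\xff" * 4
    raw += varint(len(tx["vout"]))
    for amount, spk in tx["vout"]:
        raw += struct.pack("<q", amount) + varint(len(spk)) + spk
    return raw + struct.pack("<I", tx["locktime"])

def txid(tx):
    digest = hashlib.sha256(hashlib.sha256(serialize(tx)).digest()).digest()
    return digest[::-1].hex()

def payment_key(tx):
    """Hash only what the post says to match on: inputs, outputs, amounts."""
    h = hashlib.sha256(varint(len(tx["vin"])))
    for prev, index, _script_sig in tx["vin"]:  # scriptSig deliberately skipped
        h.update(bytes.fromhex(prev) + struct.pack("<I", index))
    for amount, spk in tx["vout"]:
        h.update(struct.pack("<q", amount) + varint(len(spk)) + spk)
    return h.hexdigest()

def reconcile(withdrawals, confirmed):
    """Map withdrawal id -> (status, txid seen on chain or None)."""
    on_chain = {payment_key(tx): txid(tx) for tx in confirmed}
    result = {}
    for wid, tx in withdrawals.items():
        seen = on_chain.get(payment_key(tx))
        if seen is None:
            result[wid] = ("pending", None)
        else:
            same = seen == txid(tx)
            result[wid] = ("confirmed" if same else "confirmed-new-txid", seen)
    return result

# Constructed sample data: placeholder outpoints, scripts and scriptSig bytes.
SPK = bytes.fromhex("76a914") + bytes(20) + bytes.fromhex("88ac")
SENT = {"version": 1, "vin": [("aa" * 32, 0, bytes(71))],
        "vout": [(50_000_000, SPK)], "locktime": 0}
SEEN = dict(SENT, vin=[("aa" * 32, 0, bytes(72))])  # same payment, other bytes
OTHER = {"version": 1, "vin": [("bb" * 32, 1, bytes(71))],
         "vout": [(10_000_000, SPK)], "locktime": 0}
STATUS = reconcile({"w1": SENT, "w2": OTHER}, [SEEN])
```

A withdrawal that comes back as `confirmed-new-txid` has been paid and must not be re-sent, even though a lookup by the original txid finds nothing.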