I know there are a few sites which credit at 0 confirms. If you are a site owner doing this, you are vulnerable to the transaction malleability problem which is appearing in the press right now.
Your attack will work like this:
- You credit a user's deposit at 0 confirms.
- An attacker changes the hash and retransmits the transaction, which somehow gets into a block.
- You see this as a new transaction, because the TXID is different.
- You credit the user again for the same transaction.
- You are in trouble.
Be aware.
Cheers, Paul.