Is witness script itself malleable?

[polaker]

With segwit, now the transaction id is not malleable. However, I could still modify the witness part during relaying and make the modified transaction still valid. Am I missing something here?

A potential attack is to make the block size larger by making the witness script larger?

[1715605082]

1715605082

[1715605082]

1715605082

[1715605082]

1715605082

[1715605082]

1715605082

[achow101]

Yes, the scriptWitness is malleable.

While you could malleate a transaction to be larger, I'm not sure why you would. You can't change the fee that is paid by that transaction, so your malleated one would have a lower fee rate than the original, so it would most likely be rejected in favor of the original. That also means that the malleated transaction is less likely to show up in a block than the original transaction. Additionally, such malleation would make the transaction non-standard, so most nodes would discard it regardless of whether they had seen the original.

[polaker]

Yes, the scriptWitness is malleable.

While you could malleate a transaction to be larger, I'm not sure why you would. You can't change the fee that is paid by that transaction, so your malleated one would have a lower fee rate than the original, so it would most likely be rejected in favor of the original. That also means that the malleated transaction is less likely to show up in a block than the original transaction. Additionally, such malleation would make the transaction non-standard, so most nodes would discard it regardless of whether they had seen the original.

Since the original transaction and the malleated transaction have the same transaction id, the mempool will accept the first it receives, right? Will mempool compare the fee rate for transactions with the same id?

Users do not have any motivation to malleate the transaction. Just some malicious relaying node could do that. I admit that it's not a big issue in practice.

[achow101]

Since the original transaction and the malleated transaction have the same transaction id, the mempool will accept the first it receives, right? Will mempool compare the fee rate for transactions with the same id?

Ah, yes, that's right. Because they have the same txid, they would be treated as the same transaction even though the contents are different. So if a node received the malleated one first, it would ignore the correct one later, and vice versa.

[gmaxwell]

The fact that witnesses are push only makes the witnesses for many common scripts non-malleable, but you're correct for other scripts.

One of the motivations for annex in taproot is being able to later add a field that sets the weight of a transaction (which must be greater than or equal to the actual weight) which gets covered by a signature to address the point you were thinking of, among other reasons.