Merkle Tree Malleability
Merkle Malleability (CVE-2012-2459)
The Duplication Rule for odd transaction counts introduced a subtle vulnerability known as Merkle Tree Malleability. This vulnerability allowed an attacker to create different transaction sets that resulted in the exact same Merkle Root.
1. The Vulnerability
Because the last transaction is duplicated ($H_{CC} = Hash(H_C + H_C)$), a block containing 3 transactions $(A, B, C)$ could theoretically have the same Merkle Root as a block containing 4 transactions $(A, B, C, C)$.
- Block 1: $(A, B, C)$ -> $H_{CC}$ is generated by rule.
- Block 2: $(A, B, C, C)$ -> $H_{CC}$ is generated because there are naturally 4 TXs.
Both blocks would have the exact same Merkle Root, making the block header valid for both.
2. The Attack Scenario
An attacker could take a valid block and "mutate" it by adding duplicate transactions. While the block wouldn't be valid for mining (due to duplicate TXIDs), it could cause Node Confusion. 1. A node receives the mutated block. 2. It sees the Merkle Root matches the header. 3. It adds the block to its "invalid block" cache. 4. When the real block arrives, the node sees the same Merkle Root, thinks it's the invalid block it already saw, and rejects the legitimate block.
This could be used to perform a Denial of Service (DoS) attack against the network.
3. The Fix: CVE-2012-2459
To fix this, Bitcoin nodes now perform a strict check during block validation. If a block contains duplicate transactions (specifically, if the transaction list contains identical TXIDs), the block is permanently rejected.
4. Modern Merkle Verification
Today, the verification process in VerifyMerkleRoot in the Bitcoin source code includes:
* Checking for duplicate leaf nodes.
* Ensuring the tree height matches the transaction count.
* Validating the computed root against the header.
[!NOTE] This is why you will never see the same transaction twice in a single block. Not only is it economically redundant, it is a cryptographic security violation that would prevent the block from ever being accepted.
In the final section, we will build a Python Merkle Tree Builder to calculate roots for ourselves.
TeachMeBitcoin is an ad-free, open-source educational repository curated by a passionate team of Bitcoin researchers and educators for public benefit. If you found our articles helpful, please consider supporting our hosting and ongoing content updates with a clean donation: