Glossary
Signature Malleability
A flaw where a valid signature can be reshaped into a second, equally valid one without the private key, changing the transaction hash and enabling replay or double-processing bugs.
Every ECDSA signature has the form (r, s), and because of the curve's symmetry the pair (r, n - s) is an equally valid signature for the same message and key. An attacker who cannot forge a signature can still flip s to its complement, producing a second, different-looking signature — and, in systems that identify a transaction by the hash of its signed bytes, a different transaction ID for the same intent.
Bitcoin's early exposure to this — famously invoked as an excuse during the Mt. Gox collapse — and the threat it posed to naive on-chain replay protection led Ethereum's EIP-2 to require the low-s canonical form. In smart contracts, never treat a signature as a unique identifier: dedupe by an explicit nonce and verify with a vetted library such as OpenZeppelin's ECDSA, which rejects the malleable high-s variant.