Every time I send BTC to my customer, I also send a notification of the txid. So now this practice should be avoided because there is a huge chance that the txid can be altered? And we should not store the txid in our database?
What should we do as a merchant/developer to anticipate this malleability issue?
You can still rely on the txid, but ONLY AFTER SEVERAL CONFIRMATIONS.
Confirmation is king: not just for the safety of the funds, but also for the reliability of the txid.
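One way to put that answer into practice, as an added Python illustration that is not part of this thread and not from any wallet library: identify an outgoing payment by what it spends and what it pays (its outpoints and outputs), which a malleated copy cannot change, and only record or report a txid once a matching transaction has the merchant's chosen number of confirmations. The transaction dicts, the `MIN_CONFIRMATIONS` value, the addresses and the txids are all constructed placeholders; the `reconcile` and `txid_to_report` helpers are my own names.

```python
"""Track outgoing payments without trusting the broadcast txid until it is buried.

Added illustration, not code from the thread. Assumptions: transactions arrive as
plain dicts from some node/wallet API, the merchant has chosen a confirmation
threshold, and malleation changes only the txid (signature encoding), never the
outpoints spent or the outputs paid.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Outpoint = Tuple[str, int]      # (previous txid, output index)
Output = Tuple[str, int]        # (destination address, amount in satoshi)

MIN_CONFIRMATIONS = 6           # assumption: the merchant's chosen threshold


def payment_key(inputs: List[Outpoint], outputs: List[Output]) -> Tuple:
    """Malleability-invariant identity of a payment: what it spends and what it
    pays. Order-independent so a re-serialised copy still matches."""
    return (tuple(sorted(inputs)), tuple(sorted(outputs)))


@dataclass
class PendingPayment:
    broadcast_txid: str
    inputs: List[Outpoint]
    outputs: List[Output]
    status: str = "pending"              # pending | confirmed | conflicted
    final_txid: Optional[str] = None     # set only once buried
    seen_txids: Set[str] = field(default_factory=set)

    @property
    def key(self) -> Tuple:
        return payment_key(self.inputs, self.outputs)


def reconcile(pending: Dict[Tuple, PendingPayment], observed: List[dict],
              min_confirmations: int = MIN_CONFIRMATIONS) -> None:
    """Match observed transactions to pending payments by content, not by txid."""
    for tx in observed:
        key = payment_key(tx["inputs"], tx["outputs"])
        match = pending.get(key)
        if match is None:
            # Same outpoint spent, different outputs, and buried: that is a
            # conflicting spend, not a malleated copy. Flag any pending payment
            # that shares an input so a human looks at it instead of retrying.
            if tx["confirmations"] >= min_confirmations:
                spent = set(tx["inputs"])
                for p in pending.values():
                    if p.status == "pending" and spent & set(p.inputs):
                        p.status = "conflicted"
            continue
        match.seen_txids.add(tx["txid"])   # may differ from broadcast_txid
        if tx["confirmations"] >= min_confirmations and match.status == "pending":
            match.status = "confirmed"
            match.final_txid = tx["txid"]  # the txid that actually settled


def txid_to_report(payment: PendingPayment) -> Optional[str]:
    """Only hand a txid to the customer or the database once it is settled."""
    return payment.final_txid if payment.status == "confirmed" else None


def demo() -> Tuple[str, Optional[str], str, Optional[str]]:
    """Constructed sample data (placeholder addresses and txids, not real ones)."""
    inputs = [("11" * 32, 0)]
    outputs = [("bc1q_customer_placeholder", 50_000),
               ("bc1q_change_placeholder", 9_000)]
    p = PendingPayment(broadcast_txid="aa" * 32, inputs=inputs, outputs=outputs)
    book = {p.key: p}

    # A malleated copy with a different txid appears unconfirmed: stay pending,
    # report nothing yet.
    reconcile(book, [{"txid": "bb" * 32, "inputs": inputs,
                      "outputs": outputs, "confirmations": 0}])
    before = (p.status, txid_to_report(p))

    # The copy gets buried: settle on *its* txid, not the one we broadcast.
    reconcile(book, [{"txid": "bb" * 32, "inputs": inputs,
                      "outputs": outputs, "confirmations": 6}])
    after = (p.status, txid_to_report(p))
    return before + after


if __name__ == "__main__":
    print(demo())
```

The point of `payment_key` is that the database row is keyed on the payment's content, so a txid that changes in flight neither duplicates the row nor makes the original payment look failed; the txid is stored and sent to the customer only after `reconcile` has seen it with enough confirmations. Native SegWit spends remove this particular txid change (the txid no longer commits to the signature), but the confirmation rule above still applies to the funds themselves.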
Wait - I thought that this wasn't true. I thought that the altered transaction might be accepted to the block chain before the original one does, and so you can have a situation where the service thinks it didn't go through, but in fact the attacker DID get the BTC. If the attacker does that multiple times, they could withdraw an unbounded amount from the service.