I ran a CSFS experiment on Bitcoin Inquisition Signet and got a spend confirmed:
https://mempool.space/signet/tx/cc1b6d352f75348b6a52c7f5c68fc5caea2512423e08011e8f69a9bb85195f97
The tapscript is simply:
OP_CHECKSIGFROMSTACK
The witness provides (sig, msg, script, control_block).
Since (sig, msg) becomes public after spending, if another UTXO is later sent to the same script, anyone could reuse the exact same pair to spend it — because CSFS only enforces:
schnorr_verify(pubkey, msg, sig)
with no commitment to the spending transaction. By contrast, OP_CHECKSIG signatures commit to the input outpoint, so cross-UTXO reuse is impossible.
This leads to three questions:
- Is cross-UTXO signature reuse an intentional property of CSFS, or a risk that must be handled at the script level?
- What are the standard patterns to prevent unintended reuse — include the outpoint in msg? combine with OP_CHECKSIG?
- In oracle constructions where reuse is desirable (e.g., attesting “BTC > 100k”), is this the intended security model?
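
The property described in the post, as an added example that is not part of the original post: a pure-Python BIP340 model in which `csfs_ok` checks only `schnorr_verify(pubkey, msg, sig)`, while `checksig_ok` verifies against a hash that covers the outpoint. Assumptions: the key `D`, the outpoints `UTXO_A` and `UTXO_B`, the helper names, the simplified nonce derivation, and the `demo/sighash` tag, which is a stand-in and not the real BIP341 sighash.

```python
import hashlib
P = 2**256 - 2**32 - 977  # secp256k1 field prime; N is the group order, G the generator
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
b32 = lambda i: i.to_bytes(32, "big")
num = lambda b: int.from_bytes(b, "big")

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = (3*a[0]*a[0]*pow(2*a[1], -1, P) if a == b else (b[1]-a[1])*pow((b[0]-a[0]) % P, -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def tagged(tag, data):  # BIP340 tagged hash
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()

def sign(d, msg):  # BIP340 signature; nonce derivation simplified (demo only)
    pub = mul(d, G)
    if pub[1] % 2: d = N - d
    k = num(tagged("BIP0340/nonce", b32(d) + b32(pub[0]) + msg)) % N
    R = mul(k, G)
    if R[1] % 2: k = N - k
    e = num(tagged("BIP0340/challenge", b32(R[0]) + b32(pub[0]) + msg)) % N
    return b32(R[0]) + b32((k + e * d) % N)

def schnorr_verify(pk, msg, sig):  # BIP340 verification
    x, r, s = num(pk), num(sig[:32]), num(sig[32:])
    y = pow(x**3 + 7, (P + 1) // 4, P)
    if x >= P or r >= P or s >= N or y * y % P != (x**3 + 7) % P: return False
    e = num(tagged("BIP0340/challenge", sig[:32] + pk + msg)) % N
    R = add(mul(s, G), mul(N - e, (x, y if y % 2 == 0 else P - y)))
    return R is not None and R[1] % 2 == 0 and R[0] == r

def csfs_ok(pk, msg, sig, outpoint):  # the check from the post: outpoint is never consulted
    return schnorr_verify(pk, msg, sig)
def checksig_ok(pk, sig, outpoint):  # stand-in sighash (NOT BIP341) that covers the outpoint
    return schnorr_verify(pk, tagged("demo/sighash", outpoint), sig)
D, UTXO_A, UTXO_B = 0xC0FFEE, b"\xaa" * 36, b"\xbb" * 36  # constructed key and outpoints
PK = b32(mul(D, G)[0])
```

With `sig = sign(D, msg)`, `csfs_ok(PK, msg, sig, ...)` returns True for both `UTXO_A` and `UTXO_B`. A signature over `tagged("demo/sighash", UTXO_A)` passes `checksig_ok` only for `UTXO_A`.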












