From 30d4cb00a4ae548d23a58b1b0771b7e81b5700d4 Mon Sep 17 00:00:00 2001
From: Salvatore Ingala <6681844+bigspider@users.noreply.github.com>
Date: Mon, 15 Sep 2025 17:27:24 +0200
Subject: [PATCH 1/7] Add binana json for CHECKCONTRACTVERIFY

---
 src/binana/checkcontractverify.json | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 src/binana/checkcontractverify.json

diff --git a/src/binana/checkcontractverify.json b/src/binana/checkcontractverify.json
new file mode 100644
index 000000000000..0358a1fa2045
--- /dev/null
+++ b/src/binana/checkcontractverify.json
@@ -0,0 +1,9 @@
+{
+    "binana": [2025, 443, 0],
+    "deployment": "CHECKCONTRACTVERIFY",
+    "scriptverify": true,
+    "scriptverify_discourage": true,
+    "opcodes": {
+        "CHECKCONTRACTVERIFY": "0xbb"
+    }
+}

From ef309920e4888810da6120c4d7aeee729f29abc5 Mon Sep 17 00:00:00 2001
From: Salvatore Ingala <6681844+bigspider@users.noreply.github.com>
Date: Sun, 2 Mar 2025 22:50:20 +0100
Subject: [PATCH 2/7] consensus: Cross-input script validation framework

Adds a framework for validation checks that persist an individual
input's script validation, allowing to persist state across the
evaluations of multiple inputs of a transaction.

This will be used for the amount logic of OP_CHECKCONTRACTVERIFY,
that performs amount checks that are aggregate across multiple inputs.

It could also be used for other applications, like batch validation
and cross-input Schnorr signature aggregation.
---
 src/script/interpreter.cpp           | 24 ++++++-------
 src/script/interpreter.h             | 51 ++++++++++++++++++++++++++--
 src/test/script_p2sh_tests.cpp       |  4 ++-
 src/test/transaction_tests.cpp       |  3 +-
 src/test/txvalidationcache_tests.cpp | 28 ++++++++++-----
 src/validation.cpp                   | 19 ++++++++---
 src/validation.h                     |  6 ++--
 7 files changed, 102 insertions(+), 33 deletions(-)

diff --git a/src/script/interpreter.cpp b/src/script/interpreter.cpp
index 0617c424cbbd..c6001ee3b298 100644
--- a/src/script/interpreter.cpp
+++ b/src/script/interpreter.cpp
@@ -469,7 +469,7 @@ static bool EvalChecksigFromStack(const valtype& sig, const valtype& msg, const
     return true;
 }
 
-bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& script, script_verify_flags flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror)
+bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& script, script_verify_flags flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror, TransactionExecutionData* tx_exec_data)
 {
     static const CScriptNum bnZero(0);
     static const CScriptNum bnOne(1);
@@ -1397,10 +1397,10 @@ bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript&
     return set_success(serror);
 }
 
-bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& script, script_verify_flags flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror)
+bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& script, script_verify_flags flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror, TransactionExecutionData* tx_exec_data)
 {
     ScriptExecutionData execdata;
-    return EvalScript(stack, script, flags, checker, sigversion, execdata, serror);
+    return EvalScript(stack, script, flags, checker, sigversion, execdata, serror, tx_exec_data);
 }
 
 namespace {
@@ -2141,7 +2141,7 @@ std::optional<bool> CheckTapscriptOpSuccess(const CScript& exec_script, script_v
     return std::nullopt;
 }
 
-static bool ExecuteWitnessScript(const Span<const valtype>& stack_span, const CScript& exec_script, script_verify_flags flags, SigVersion sigversion, const BaseSignatureChecker& checker, ScriptExecutionData& execdata, ScriptError* serror)
+static bool ExecuteWitnessScript(const Span<const valtype>& stack_span, const CScript& exec_script, script_verify_flags flags, SigVersion sigversion, const BaseSignatureChecker& checker, ScriptExecutionData& execdata, TransactionExecutionData* tx_exec_data, ScriptError* serror)
 {
     std::vector<valtype> stack{stack_span.begin(), stack_span.end()};
 
@@ -2160,7 +2160,7 @@ static bool ExecuteWitnessScript(const Span<const valtype>& stack_span, const CS
     }
 
     // Run the script interpreter.
-    if (!EvalScript(stack, exec_script, flags, checker, sigversion, execdata, serror)) return false;
+    if (!EvalScript(stack, exec_script, flags, checker, sigversion, execdata, serror, tx_exec_data)) return false;
 
     // Scripts inside witness implicitly require cleanstack behaviour
     if (stack.size() != 1) return set_error(serror, SCRIPT_ERR_CLEANSTACK);
@@ -2214,7 +2214,7 @@ static bool VerifyTaprootCommitment(const std::vector<unsigned char>& control, c
     return q.CheckTapTweak(p, merkle_root, control[0] & 1);
 }
 
-static bool VerifyWitnessProgram(const CScriptWitness& witness, int witversion, const std::vector<unsigned char>& program, script_verify_flags flags, const BaseSignatureChecker& checker, ScriptError* serror, bool is_p2sh)
+static bool VerifyWitnessProgram(const CScriptWitness& witness, int witversion, const std::vector<unsigned char>& program, script_verify_flags flags, const BaseSignatureChecker& checker, ScriptError* serror, bool is_p2sh, TransactionExecutionData* tx_exec_data = nullptr)
 {
     CScript exec_script; //!< Actually executed script (last stack item in P2WSH; implied P2PKH script in P2WPKH; leaf script in P2TR)
     Span stack{witness.stack};
@@ -2233,14 +2233,14 @@ static bool VerifyWitnessProgram(const CScriptWitness& witness, int witversion,
             if (memcmp(hash_exec_script.begin(), program.data(), 32)) {
                 return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH);
             }
-            return ExecuteWitnessScript(stack, exec_script, flags, SigVersion::WITNESS_V0, checker, execdata, serror);
+            return ExecuteWitnessScript(stack, exec_script, flags, SigVersion::WITNESS_V0, checker, execdata, tx_exec_data, serror);
         } else if (program.size() == WITNESS_V0_KEYHASH_SIZE) {
             // BIP141 P2WPKH: 20-byte witness v0 program (which encodes Hash160(pubkey))
             if (stack.size() != 2) {
                 return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH); // 2 items in witness
             }
             exec_script << OP_DUP << OP_HASH160 << program << OP_EQUALVERIFY << OP_CHECKSIG;
-            return ExecuteWitnessScript(stack, exec_script, flags, SigVersion::WITNESS_V0, checker, execdata, serror);
+            return ExecuteWitnessScript(stack, exec_script, flags, SigVersion::WITNESS_V0, checker, execdata, tx_exec_data, serror);
         } else {
             return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_WRONG_LENGTH);
         }
@@ -2280,7 +2280,7 @@ static bool VerifyWitnessProgram(const CScriptWitness& witness, int witversion,
                 exec_script = CScript(script.begin(), script.end());
                 execdata.m_validation_weight_left = ::GetSerializeSize(witness.stack) + VALIDATION_WEIGHT_OFFSET;
                 execdata.m_validation_weight_left_init = true;
-                return ExecuteWitnessScript(stack, exec_script, flags, SigVersion::TAPSCRIPT, checker, execdata, serror);
+                return ExecuteWitnessScript(stack, exec_script, flags, SigVersion::TAPSCRIPT, checker, execdata, tx_exec_data, serror);
             }
             if (flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_TAPROOT_VERSION) {
                 return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_TAPROOT_VERSION);
@@ -2299,7 +2299,7 @@ static bool VerifyWitnessProgram(const CScriptWitness& witness, int witversion,
     // There is intentionally no return statement here, to be able to use "control reaches end of non-void function" warnings to detect gaps in the logic above.
 }
 
-bool VerifyScript(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness* witness, script_verify_flags flags, const BaseSignatureChecker& checker, ScriptError* serror)
+bool VerifyScript(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness* witness, script_verify_flags flags, const BaseSignatureChecker& checker, ScriptError* serror, TransactionExecutionData* tx_exec_data)
 {
     static const CScriptWitness emptyWitness;
     if (witness == nullptr) {
@@ -2339,7 +2339,7 @@ bool VerifyScript(const CScript& scriptSig, const CScript& scriptPubKey, const C
                 // The scriptSig must be _exactly_ CScript(), otherwise we reintroduce malleability.
                 return set_error(serror, SCRIPT_ERR_WITNESS_MALLEATED);
             }
-            if (!VerifyWitnessProgram(*witness, witnessversion, witnessprogram, flags, checker, serror, /*is_p2sh=*/false)) {
+            if (!VerifyWitnessProgram(*witness, witnessversion, witnessprogram, flags, checker, serror, /*is_p2sh=*/false, tx_exec_data)) {
                 return false;
             }
             // Bypass the cleanstack check at the end. The actual stack is obviously not clean
@@ -2384,7 +2384,7 @@ bool VerifyScript(const CScript& scriptSig, const CScript& scriptPubKey, const C
                     // reintroduce malleability.
                     return set_error(serror, SCRIPT_ERR_WITNESS_MALLEATED_P2SH);
                 }
-                if (!VerifyWitnessProgram(*witness, witnessversion, witnessprogram, flags, checker, serror, /*is_p2sh=*/true)) {
+                if (!VerifyWitnessProgram(*witness, witnessversion, witnessprogram, flags, checker, serror, /*is_p2sh=*/true, tx_exec_data)) {
                     return false;
                 }
                 // Bypass the cleanstack check at the end. The actual stack is obviously not clean
diff --git a/src/script/interpreter.h b/src/script/interpreter.h
index e334ed445fcc..82b987ce315a 100644
--- a/src/script/interpreter.h
+++ b/src/script/interpreter.h
@@ -14,12 +14,14 @@
 #include <script/script_error.h> // IWYU pragma: export
 #include <script/verify_flags.h> // IWYU pragma: export
 #include <span.h>
+#include <sync.h>
 #include <uint256.h>
 
 #include <bit>
 #include <cstddef>
 #include <cstdint>
 #include <optional>
+#include <unordered_map>
 #include <vector>
 
 class CScript;
@@ -267,6 +269,49 @@ struct ScriptExecutionData
     std::optional<XOnlyPubKey> m_internal_key = std::nullopt;
 };
 
+/** The state of the script interpreter that persists across inputs of a single transaction.
+ *
+ * As access happens across different worker threads, it is crucial that access to this struct
+ * is properly synchronized. Code accessing its members must hold the m_mutex lock. */
+struct TransactionExecutionData {
+    const CTransaction* m_tx;
+    Mutex m_mutex;
+
+    // members related to the validation state of this transaction
+    // that need to persist across inputs will be added here,
+    // protected by m_mutex.
+
+    TransactionExecutionData(const CTransaction* tx)
+        : m_tx(tx)
+    {
+        assert(tx != nullptr); // Ensure the transaction pointer is valid
+    }
+};
+
+/** Creates and stores TransactionExecutionData instances for each transaction. */
+class TransactionExecutionDataStore {
+private:
+    Mutex m_mutex;
+    std::unordered_map<const CTransaction*, std::unique_ptr<TransactionExecutionData>> m_store GUARDED_BY(m_mutex);
+
+public:
+    TransactionExecutionDataStore() = default;
+
+    // Retrieves the TransactionExecutionData for the given transaction.
+    // If it does not exist, it creates a new instance.
+    TransactionExecutionData* getOrCreate(const CTransaction* tx) EXCLUSIVE_LOCKS_REQUIRED(!m_mutex) {
+        LOCK(m_mutex);
+        auto it = m_store.find(tx);
+        if (it != m_store.end()) {
+            return it->second.get();
+        }
+        auto newData = std::make_unique<TransactionExecutionData>(tx);
+        TransactionExecutionData* newDataPtr = newData.get();
+        m_store[tx] = std::move(newData);
+        return newDataPtr;
+    }
+};
+
 /** Signature hash sizes */
 static constexpr size_t WITNESS_V0_SCRIPTHASH_SIZE = 32;
 static constexpr size_t WITNESS_V0_KEYHASH_SIZE = 20;
@@ -415,9 +460,9 @@ uint256 ComputeTapbranchHash(Span<const unsigned char> a, Span<const unsigned ch
  *  Requires control block to have valid length (33 + k*32, with k in {0,1,..,128}). */
 uint256 ComputeTaprootMerkleRoot(Span<const unsigned char> control, const uint256& tapleaf_hash);
 
-bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& script, script_verify_flags flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* error = nullptr);
-bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& script, script_verify_flags flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* error = nullptr);
-bool VerifyScript(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness* witness, script_verify_flags flags, const BaseSignatureChecker& checker, ScriptError* serror = nullptr);
+bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& script, script_verify_flags flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* error = nullptr, TransactionExecutionData* tx_exec_data = nullptr);
+bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& script, script_verify_flags flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* error = nullptr, TransactionExecutionData* tx_exec_data = nullptr);
+bool VerifyScript(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness* witness, script_verify_flags flags, const BaseSignatureChecker& checker, ScriptError* serror = nullptr, TransactionExecutionData* tx_exec_data = nullptr);
 
 size_t CountWitnessSigOps(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness* witness, script_verify_flags flags);
 
diff --git a/src/test/script_p2sh_tests.cpp b/src/test/script_p2sh_tests.cpp
index b46411185cdf..4d6e85503c75 100644
--- a/src/test/script_p2sh_tests.cpp
+++ b/src/test/script_p2sh_tests.cpp
@@ -121,7 +121,9 @@ BOOST_AUTO_TEST_CASE(sign)
         {
             CScript sigSave = txTo[i].vin[0].scriptSig;
             txTo[i].vin[0].scriptSig = txTo[j].vin[0].scriptSig;
-            bool sigOK = !CScriptCheck(txFrom.vout[txTo[i].vin[0].prevout.n], CTransaction(txTo[i]), signature_cache, 0, SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_STRICTENC, false, &txdata)().has_value();
+            auto imm_txTo = CTransaction(txTo[i]);
+            TransactionExecutionData tx_exec_data(&imm_txTo);
+            bool sigOK = !CScriptCheck(txFrom.vout[txTo[i].vin[0].prevout.n], imm_txTo, signature_cache, 0, SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_STRICTENC, false, &txdata, &tx_exec_data)().has_value();
             if (i == j)
                 BOOST_CHECK_MESSAGE(sigOK, strprintf("VerifySignature %d %d", i, j));
             else
diff --git a/src/test/transaction_tests.cpp b/src/test/transaction_tests.cpp
index 8b22f7570bdc..c6f88fb046b4 100644
--- a/src/test/transaction_tests.cpp
+++ b/src/test/transaction_tests.cpp
@@ -533,6 +533,7 @@ BOOST_AUTO_TEST_CASE(test_big_witness_transaction)
 
     // check all inputs concurrently, with the cache
     PrecomputedTransactionData txdata(tx);
+    TransactionExecutionData tx_exec_data(&tx);
     CCheckQueue<CScriptCheck> scriptcheckqueue(/*batch_size=*/128, /*worker_threads_num=*/20);
     CCheckQueueControl<CScriptCheck> control(&scriptcheckqueue);
 
@@ -550,7 +551,7 @@ BOOST_AUTO_TEST_CASE(test_big_witness_transaction)
 
     for(uint32_t i = 0; i < mtx.vin.size(); i++) {
         std::vector<CScriptCheck> vChecks;
-        vChecks.emplace_back(coins[tx.vin[i].prevout.n].out, tx, signature_cache, i, SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS, false, &txdata);
+        vChecks.emplace_back(coins[tx.vin[i].prevout.n].out, tx, signature_cache, i, SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS, false, &txdata, &tx_exec_data);
         control.Add(std::move(vChecks));
     }
 
diff --git a/src/test/txvalidationcache_tests.cpp b/src/test/txvalidationcache_tests.cpp
index 581d98db9d70..105cfd6e6ea0 100644
--- a/src/test/txvalidationcache_tests.cpp
+++ b/src/test/txvalidationcache_tests.cpp
@@ -24,6 +24,7 @@ bool CheckInputScripts(const CTransaction& tx, TxValidationState& state,
                        const CCoinsViewCache& inputs, script_verify_flags flags, bool cacheSigStore,
                        bool cacheFullScriptStore, PrecomputedTransactionData& txdata,
                        ValidationCache& validation_cache,
+                       TransactionExecutionDataStore &tx_exec_store,
                        std::vector<CScriptCheck>* pvChecks,
                        bool is_consensus = false) EXCLUSIVE_LOCKS_REQUIRED(cs_main);
 
@@ -143,7 +144,8 @@ static void ValidateCheckInputsForAllFlags(const CTransaction &tx, script_verify
             // WITNESS requires P2SH
             test_flags |= SCRIPT_VERIFY_P2SH;
         }
-        bool ret = CheckInputScripts(tx, state, &active_coins_tip, test_flags, true, add_to_cache, txdata, validation_cache, nullptr);
+        TransactionExecutionDataStore tx_exec_store;
+        bool ret = CheckInputScripts(tx, state, &active_coins_tip, test_flags, true, add_to_cache, txdata, validation_cache, tx_exec_store, nullptr);
         // CheckInputScripts should succeed iff test_flags doesn't intersect with
         // failing_flags
         bool expected_return_value = !(test_flags & failing_flags);
@@ -153,13 +155,15 @@ static void ValidateCheckInputsForAllFlags(const CTransaction &tx, script_verify
         if (ret && add_to_cache) {
             // Check that we get a cache hit if the tx was valid
             std::vector<CScriptCheck> scriptchecks;
-            BOOST_CHECK(CheckInputScripts(tx, state, &active_coins_tip, test_flags, true, add_to_cache, txdata, validation_cache, &scriptchecks));
+            TransactionExecutionDataStore tx_exec_store2;
+            BOOST_CHECK(CheckInputScripts(tx, state, &active_coins_tip, test_flags, true, add_to_cache, txdata, validation_cache, tx_exec_store2, &scriptchecks));
             BOOST_CHECK(scriptchecks.empty());
         } else {
             // Check that we get script executions to check, if the transaction
             // was invalid, or we didn't add to cache.
             std::vector<CScriptCheck> scriptchecks;
-            BOOST_CHECK(CheckInputScripts(tx, state, &active_coins_tip, test_flags, true, add_to_cache, txdata, validation_cache, &scriptchecks));
+            TransactionExecutionDataStore tx_exec_store2;
+            BOOST_CHECK(CheckInputScripts(tx, state, &active_coins_tip, test_flags, true, add_to_cache, txdata, validation_cache, tx_exec_store2, &scriptchecks));
             BOOST_CHECK_EQUAL(scriptchecks.size(), tx.vin.size());
         }
     }
@@ -216,14 +220,16 @@ BOOST_FIXTURE_TEST_CASE(checkinputs_test, Dersig100Setup)
 
         TxValidationState state;
         PrecomputedTransactionData ptd_spend_tx;
+        TransactionExecutionDataStore tx_exec_store;
 
-        BOOST_CHECK(!CheckInputScripts(CTransaction(spend_tx), state, &m_node.chainman->ActiveChainstate().CoinsTip(), SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_DERSIG, true, true, ptd_spend_tx, m_node.chainman->m_validation_cache, nullptr));
+        BOOST_CHECK(!CheckInputScripts(CTransaction(spend_tx), state, &m_node.chainman->ActiveChainstate().CoinsTip(), SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_DERSIG, true, true, ptd_spend_tx, m_node.chainman->m_validation_cache, tx_exec_store, nullptr));
 
         // If we call again asking for scriptchecks (as happens in
         // ConnectBlock), we should add a script check object for this -- we're
         // not caching invalidity (if that changes, delete this test case).
         std::vector<CScriptCheck> scriptchecks;
-        BOOST_CHECK(CheckInputScripts(CTransaction(spend_tx), state, &m_node.chainman->ActiveChainstate().CoinsTip(), SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_DERSIG, true, true, ptd_spend_tx, m_node.chainman->m_validation_cache, &scriptchecks));
+        TransactionExecutionDataStore tx_exec_store2;
+        BOOST_CHECK(CheckInputScripts(CTransaction(spend_tx), state, &m_node.chainman->ActiveChainstate().CoinsTip(), SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_DERSIG, true, true, ptd_spend_tx, m_node.chainman->m_validation_cache, tx_exec_store2, &scriptchecks));
         BOOST_CHECK_EQUAL(scriptchecks.size(), 1U);
 
         // Test that CheckInputScripts returns true iff DERSIG-enforcing flags are
@@ -285,7 +291,8 @@ BOOST_FIXTURE_TEST_CASE(checkinputs_test, Dersig100Setup)
         invalid_with_cltv_tx.vin[0].scriptSig = CScript() << vchSig << 100;
         TxValidationState state;
         PrecomputedTransactionData txdata;
-        BOOST_CHECK(CheckInputScripts(CTransaction(invalid_with_cltv_tx), state, m_node.chainman->ActiveChainstate().CoinsTip(), SCRIPT_VERIFY_CHECKLOCKTIMEVERIFY, true, true, txdata, m_node.chainman->m_validation_cache, nullptr));
+        TransactionExecutionDataStore tx_exec_store;
+        BOOST_CHECK(CheckInputScripts(CTransaction(invalid_with_cltv_tx), state, m_node.chainman->ActiveChainstate().CoinsTip(), SCRIPT_VERIFY_CHECKLOCKTIMEVERIFY, true, true, txdata, m_node.chainman->m_validation_cache, tx_exec_store, nullptr));
     }
 
     // TEST CHECKSEQUENCEVERIFY
@@ -313,7 +320,8 @@ BOOST_FIXTURE_TEST_CASE(checkinputs_test, Dersig100Setup)
         invalid_with_csv_tx.vin[0].scriptSig = CScript() << vchSig << 100;
         TxValidationState state;
         PrecomputedTransactionData txdata;
-        BOOST_CHECK(CheckInputScripts(CTransaction(invalid_with_csv_tx), state, &m_node.chainman->ActiveChainstate().CoinsTip(), SCRIPT_VERIFY_CHECKSEQUENCEVERIFY, true, true, txdata, m_node.chainman->m_validation_cache, nullptr));
+        TransactionExecutionDataStore tx_exec_store;
+        BOOST_CHECK(CheckInputScripts(CTransaction(invalid_with_csv_tx), state, &m_node.chainman->ActiveChainstate().CoinsTip(), SCRIPT_VERIFY_CHECKSEQUENCEVERIFY, true, true, txdata, m_node.chainman->m_validation_cache, tx_exec_store, nullptr));
     }
 
     // TODO: add tests for remaining script flags
@@ -374,13 +382,15 @@ BOOST_FIXTURE_TEST_CASE(checkinputs_test, Dersig100Setup)
 
         TxValidationState state;
         PrecomputedTransactionData txdata;
+        TransactionExecutionDataStore tx_exec_store;
         // This transaction is now invalid under segwit, because of the second input.
-        BOOST_CHECK(!CheckInputScripts(CTransaction(tx), state, &m_node.chainman->ActiveChainstate().CoinsTip(), SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS, true, true, txdata, m_node.chainman->m_validation_cache, nullptr));
+        BOOST_CHECK(!CheckInputScripts(CTransaction(tx), state, &m_node.chainman->ActiveChainstate().CoinsTip(), SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS, true, true, txdata, m_node.chainman->m_validation_cache, tx_exec_store, nullptr));
 
         std::vector<CScriptCheck> scriptchecks;
         // Make sure this transaction was not cached (ie because the first
         // input was valid)
-        BOOST_CHECK(CheckInputScripts(CTransaction(tx), state, &m_node.chainman->ActiveChainstate().CoinsTip(), SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS, true, true, txdata, m_node.chainman->m_validation_cache, &scriptchecks));
+        TransactionExecutionDataStore tx_exec_store2;
+        BOOST_CHECK(CheckInputScripts(CTransaction(tx), state, &m_node.chainman->ActiveChainstate().CoinsTip(), SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS, true, true, txdata, m_node.chainman->m_validation_cache, tx_exec_store2, &scriptchecks));
         // Should get 2 script checks back -- caching is on a whole-transaction basis.
         BOOST_CHECK_EQUAL(scriptchecks.size(), 2U);
     }
diff --git a/src/validation.cpp b/src/validation.cpp
index 6cbf39aa8272..87a9ac3415c2 100644
--- a/src/validation.cpp
+++ b/src/validation.cpp
@@ -141,6 +141,7 @@ bool CheckInputScripts(const CTransaction& tx, TxValidationState& state,
                        const CCoinsViewCache& inputs, script_verify_flags flags, bool cacheSigStore,
                        bool cacheFullScriptStore, PrecomputedTransactionData& txdata,
                        ValidationCache& validation_cache,
+                       TransactionExecutionDataStore& tx_exec_store,
                        std::vector<CScriptCheck>* pvChecks = nullptr,
                        bool is_consensus = false)
                        EXCLUSIVE_LOCKS_REQUIRED(cs_main);
@@ -427,8 +428,10 @@ static bool CheckInputsFromMempoolAndCache(const CTransaction& tx, TxValidationS
         }
     }
 
+    TransactionExecutionDataStore tx_exec_store;
+
     // Call CheckInputScripts() to cache signature and script validity against current tip consensus rules.
-    return CheckInputScripts(tx, state, view, flags, /*cacheSigStore=*/ true, /*cacheFullScriptStore=*/ true, txdata, validation_cache, /*pvChecks=*/nullptr, /*is_consensus=*/true);
+    return CheckInputScripts(tx, state, view, flags, /*cacheSigStore=*/ true, /*cacheFullScriptStore=*/ true, txdata, validation_cache, tx_exec_store, /*pvChecks=*/nullptr, /*is_consensus=*/true);
 }
 
 namespace {
@@ -1250,7 +1253,8 @@ bool MemPoolAccept::PolicyScriptChecks(const ATMPArgs& args, Workspace& ws)
 
     // Check input scripts and signatures.
     // This is done last to help prevent CPU exhaustion denial-of-service attacks.
-    if (!CheckInputScripts(tx, state, m_view, scriptVerifyFlags, true, false, ws.m_precomputed_txdata, GetValidationCache(), /*pvChecks=*/nullptr, /*is_consensus=*/false)) {
+    TransactionExecutionDataStore tx_exec_store;
+    if (!CheckInputScripts(tx, state, m_view, scriptVerifyFlags, true, false, ws.m_precomputed_txdata, GetValidationCache(), tx_exec_store, /*pvChecks=*/nullptr, /*is_consensus=*/false)) {
         // Detect a failure due to a missing witness so that p2p code can handle rejection caching appropriately.
         if (!tx.HasWitness() && SpendsNonAnchorWitnessProg(tx, m_view)) {
             state.Invalid(TxValidationResult::TX_WITNESS_STRIPPED,
@@ -2127,7 +2131,7 @@ std::optional<std::pair<ScriptError, std::string>> CScriptCheck::operator()() {
     const CScript &scriptSig = ptxTo->vin[nIn].scriptSig;
     const CScriptWitness *witness = &ptxTo->vin[nIn].scriptWitness;
     ScriptError error{SCRIPT_ERR_UNKNOWN_ERROR};
-    if (VerifyScript(scriptSig, m_tx_out.scriptPubKey, witness, m_flags, CachingTransactionSignatureChecker(ptxTo, nIn, m_tx_out.nValue, cacheStore, *m_signature_cache, *txdata), &error)) {
+    if (VerifyScript(scriptSig, m_tx_out.scriptPubKey, witness, m_flags, CachingTransactionSignatureChecker(ptxTo, nIn, m_tx_out.nValue, cacheStore, *m_signature_cache, *txdata), &error, m_tx_execdata)) {
         return std::nullopt;
     } else {
         auto debug_str = strprintf("input %i of %s (wtxid %s), spending %s:%i", nIn, ptxTo->GetHash().ToString(), ptxTo->GetWitnessHash().ToString(), ptxTo->vin[nIn].prevout.hash.ToString(), ptxTo->vin[nIn].prevout.n);
@@ -2174,6 +2178,7 @@ bool CheckInputScripts(const CTransaction& tx, TxValidationState& state,
                        const CCoinsViewCache& inputs, script_verify_flags flags, bool cacheSigStore,
                        bool cacheFullScriptStore, PrecomputedTransactionData& txdata,
                        ValidationCache& validation_cache,
+                       TransactionExecutionDataStore& tx_exec_store,
                        std::vector<CScriptCheck>* pvChecks,
                        bool is_consensus)
 {
@@ -2212,6 +2217,8 @@ bool CheckInputScripts(const CTransaction& tx, TxValidationState& state,
     }
     assert(txdata.m_spent_outputs.size() == tx.vin.size());
 
+    TransactionExecutionData *tx_exec_data = tx_exec_store.getOrCreate(&tx);
+
     for (unsigned int i = 0; i < tx.vin.size(); i++) {
 
         // We very carefully only pass in things to CScriptCheck which
@@ -2221,7 +2228,7 @@ bool CheckInputScripts(const CTransaction& tx, TxValidationState& state,
         // spent being checked as a part of CScriptCheck.
 
         // Verify signature
-        CScriptCheck check(txdata.m_spent_outputs[i], tx, validation_cache.m_signature_cache, i, flags, cacheSigStore, &txdata);
+        CScriptCheck check(txdata.m_spent_outputs[i], tx, validation_cache.m_signature_cache, i, flags, cacheSigStore, &txdata, tx_exec_data);
         if (pvChecks) {
             pvChecks->emplace_back(std::move(check));
         } else if (auto result = check(); result.has_value()) {
@@ -2601,6 +2608,8 @@ bool Chainstate::ConnectBlock(const CBlock& block, BlockValidationState& state,
 
     CBlockUndo blockundo;
 
+    TransactionExecutionDataStore tx_exec_store;
+
     // Precomputed transaction data pointers must not be invalidated
     // until after `control` has run the script checks (potentially
     // in multiple threads). Preallocate the vector size so a new allocation
@@ -2670,7 +2679,7 @@ bool Chainstate::ConnectBlock(const CBlock& block, BlockValidationState& state,
             std::vector<CScriptCheck> vChecks;
             bool fCacheResults = fJustCheck; /* Don't cache results if we're actually connecting blocks (still consult the cache, though) */
             TxValidationState tx_state;
-            if (fScriptChecks && !CheckInputScripts(tx, tx_state, view, flags, fCacheResults, fCacheResults, txsdata[i], m_chainman.m_validation_cache, parallel_script_checks ? &vChecks : nullptr, /*is_consensus=*/true)) {
+            if (fScriptChecks && !CheckInputScripts(tx, tx_state, view, flags, fCacheResults, fCacheResults, txsdata[i], m_chainman.m_validation_cache, tx_exec_store, parallel_script_checks ? &vChecks : nullptr, /*is_consensus=*/true)) {
                 // Any transaction validation failure in ConnectBlock is a block consensus failure
                 state.Invalid(BlockValidationResult::BLOCK_CONSENSUS,
                               tx_state.GetRejectReason(), tx_state.GetDebugMessage());
diff --git a/src/validation.h b/src/validation.h
index e04d340660f5..d39e0add8023 100644
--- a/src/validation.h
+++ b/src/validation.h
@@ -21,6 +21,7 @@
 #include <policy/feerate.h>
 #include <policy/packages.h>
 #include <policy/policy.h>
+#include <script/interpreter.h>
 #include <script/script_error.h>
 #include <script/sigcache.h>
 #include <script/verify_flags.h>
@@ -338,10 +339,11 @@ class CScriptCheck
     bool cacheStore;
     PrecomputedTransactionData *txdata;
     SignatureCache* m_signature_cache;
+    TransactionExecutionData *m_tx_execdata;
 
 public:
-    CScriptCheck(const CTxOut& outIn, const CTransaction& txToIn, SignatureCache& signature_cache, unsigned int nInIn, script_verify_flags flags, bool cacheIn, PrecomputedTransactionData* txdataIn) :
-        m_tx_out(outIn), ptxTo(&txToIn), nIn(nInIn), m_flags(flags), cacheStore(cacheIn), txdata(txdataIn), m_signature_cache(&signature_cache) { }
+    CScriptCheck(const CTxOut& outIn, const CTransaction& txToIn, SignatureCache& signature_cache, unsigned int nInIn, script_verify_flags flags, bool cacheIn, PrecomputedTransactionData* txdataIn, TransactionExecutionData* tx_execdata) :
+        m_tx_out(outIn), ptxTo(&txToIn), nIn(nInIn), m_flags(flags), cacheStore(cacheIn), txdata(txdataIn), m_signature_cache(&signature_cache), m_tx_execdata(tx_execdata) { }
 
     CScriptCheck(const CScriptCheck&) = delete;
     CScriptCheck& operator=(const CScriptCheck&) = delete;

From 42e3c9b08bf8121048c01aeb7726e583e4f079d3 Mon Sep 17 00:00:00 2001
From: Salvatore Ingala <6681844+bigspider@users.noreply.github.com>
Date: Mon, 3 Mar 2025 01:46:29 +0100
Subject: [PATCH 3/7] consensus: Add OP_CHECKCONTRACTVERIFY

---
 src/pubkey.cpp                           |  34 +++++
 src/pubkey.h                             |   6 +
 src/script/interpreter.cpp               | 173 ++++++++++++++++++++++-
 src/script/interpreter.h                 |  45 +++++-
 src/script/script.cpp                    |   2 +-
 src/script/script_error.cpp              |   8 ++
 src/script/script_error.h                |   6 +
 test/functional/test_framework/script.py |   5 +-
 8 files changed, 266 insertions(+), 13 deletions(-)

diff --git a/src/pubkey.cpp b/src/pubkey.cpp
index 02b732d77ac2..06569b01197b 100644
--- a/src/pubkey.cpp
+++ b/src/pubkey.cpp
@@ -273,6 +273,40 @@ std::optional<std::pair<XOnlyPubKey, bool>> XOnlyPubKey::CreateTapTweak(const ui
     return ret;
 }
 
+bool XOnlyPubKey::CheckDoubleTweak(const XOnlyPubKey& naked_key, const std::vector<unsigned char>& data, const uint256* merkle_root) const
+{
+    int parity;
+    secp256k1_xonly_pubkey internal_xonly;
+    if (data.empty()) {
+        // No data tweak; the internal key is the naked key
+        if (!secp256k1_xonly_pubkey_parse(secp256k1_context_static, &internal_xonly, naked_key.data())) return false;
+    } else {
+        // Compute the sha256 of naked_key || data
+        uint256 data_tweak = (HashWriter{} << naked_key << MakeUCharSpan(data)).GetSHA256();
+        secp256k1_xonly_pubkey naked_key_parsed;
+        if (!secp256k1_xonly_pubkey_parse(secp256k1_context_static, &naked_key_parsed, naked_key.data())) return false;
+        secp256k1_pubkey internal;
+        if (!secp256k1_xonly_pubkey_tweak_add(secp256k1_context_static, &internal, &naked_key_parsed, data_tweak.data())) return false;
+        if (!secp256k1_xonly_pubkey_from_pubkey(secp256k1_context_static, &internal_xonly, &parity, &internal)) return false;
+    }
+    secp256k1_xonly_pubkey expected_xonly;
+    if (!secp256k1_xonly_pubkey_parse(secp256k1_context_static, &expected_xonly, m_keydata.data())) return false;
+    if (merkle_root != nullptr) {
+        // Compute the taptweak based on merkle_root
+        unsigned char pubkey_bytes[32];
+        secp256k1_xonly_pubkey_serialize(secp256k1_context_static, pubkey_bytes, &internal_xonly);
+        XOnlyPubKey internal_key = XOnlyPubKey(pubkey_bytes);
+        uint256 tweak = internal_key.ComputeTapTweakHash(merkle_root);
+        secp256k1_pubkey result;
+        if (!secp256k1_xonly_pubkey_tweak_add(secp256k1_context_static, &result, &internal_xonly, tweak.begin())) return false;
+        secp256k1_xonly_pubkey result_xonly;
+        if (!secp256k1_xonly_pubkey_from_pubkey(secp256k1_context_static, &result_xonly, &parity, &result)) return false;
+        return secp256k1_xonly_pubkey_cmp(secp256k1_context_static, &result_xonly, &expected_xonly) == 0;
+    } else {
+        // If merkle_root is nullptr, compare internal_xonly with expected_xonly
+        return secp256k1_xonly_pubkey_cmp(secp256k1_context_static, &internal_xonly, &expected_xonly) == 0;
+    }
+}
 
 bool CPubKey::Verify(const uint256 &hash, const std::vector<unsigned char>& vchSig) const {
     if (!IsValid())
diff --git a/src/pubkey.h b/src/pubkey.h
index 012c98262c28..ab2276864946 100644
--- a/src/pubkey.h
+++ b/src/pubkey.h
@@ -282,6 +282,12 @@ class XOnlyPubKey
     /** Construct a Taproot tweaked output point with this point as internal key. */
     std::optional<std::pair<XOnlyPubKey, bool>> CreateTapTweak(const uint256* merkle_root) const;
 
+    /** Verify that this key is obtained from the x-only pubkey `naked` after applying in sequence:
+     * - the tweak with `data` (this tweak is skipped if `data` is empty);
+     * - the taptweak with `merkle_root` (unless it's null).
+     */
+    bool CheckDoubleTweak(const XOnlyPubKey& naked_key, const std::vector<unsigned char>& data, const uint256* merkle_root) const;
+
     /** Returns a list of CKeyIDs for the CPubKeys that could have been used to create this XOnlyPubKey.
      * This is needed for key lookups since keys are indexed by CKeyID.
      */
diff --git a/src/script/interpreter.cpp b/src/script/interpreter.cpp
index c6001ee3b298..6083b2c85d78 100644
--- a/src/script/interpreter.cpp
+++ b/src/script/interpreter.cpp
@@ -16,6 +16,15 @@
 
 typedef std::vector<unsigned char> valtype;
 
+//! Flag to mark an OP_CHECKCONTRACVERIFY as referring to an input.
+const int CCV_MODE_CHECK_INPUT = -1;
+//! Flag to specify that an OP_CHECKCONTRACVERIFY which refers to an output, with the default amount logic.
+const int CCV_MODE_CHECK_OUTPUT = 0;
+//! Flag to specify that an OP_CHECKCONTRACVERIFY which refers to an output does not check the output amount.
+const int CCV_MODE_CHECK_OUTPUT_IGNORE_AMOUNT = 1;
+//! Flag to specify that an OP_CHECKCONTRACVERIFY referring to an output deducts the amount of its output from the current input amount for future calls.
+const int CCV_MODE_CHECK_OUTPUT_DEDUCT_AMOUNT = 2;
+
 namespace {
 
 inline bool set_success(ScriptError* ret)
@@ -1218,6 +1227,51 @@ bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript&
                 }
                 break;
 
+                case OP_CHECKCONTRACTVERIFY:
+                {
+                    // OP_CHECKCONTRACTVERIFY is only available in Tapscript
+                    if (sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0) return set_error(serror, SCRIPT_ERR_BAD_OPCODE);
+
+                    // we expect at least the flag to be on the stack
+                    if (stack.empty())
+                        return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
+
+                    // initially, read only a single parameter at the top of stack
+                    int flags = CScriptNum(stacktop(-1), fRequireMinimal).getint();
+                    if (flags < -1 || flags > CCV_MODE_CHECK_OUTPUT_DEDUCT_AMOUNT) {
+                        // undefined values of the flags; keep OP_SUCCESS behavior
+                        // in order to enable future upgrades via soft-fork
+                        stack = { {1} };
+                        return set_success(serror);
+                    }
+
+                    // all currently defined versions require exactly 5 stack elements
+
+                    // (data index pk taptree flags -- )
+                    if (stack.size() < 5)
+                        return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
+
+                    valtype& data = stacktop(-5);
+                    int index = CScriptNum(stacktop(-4), fRequireMinimal).getint();
+                    valtype& pk = stacktop(-3);
+                    valtype& taptree = stacktop(-2);
+
+                    if (!pk.empty() && pk != std::vector<unsigned char>{0x81} && pk.size() != 32) {
+                        return set_error(serror, SCRIPT_ERR_CHECKCONTRACTVERIFY_WRONG_ARGS);
+                    }
+
+                    if (!checker.CheckContract(flags, index, pk, data, taptree, execdata, serror, tx_exec_data)) {
+                        return false; // serror is set
+                    }
+
+                    popstack(stack);
+                    popstack(stack);
+                    popstack(stack);
+                    popstack(stack);
+                    popstack(stack);
+                }
+                break;
+
                 case OP_CHECKMULTISIG:
                 case OP_CHECKMULTISIGVERIFY:
                 {
@@ -2098,6 +2152,117 @@ bool GenericTransactionSignatureChecker<T>::CheckDefaultCheckTemplateVerifyHash(
         return HandleMissingData(m_mdb);
     }
 }
+
+template <class T>
+bool GenericTransactionSignatureChecker<T>::CheckContract(int mode, int index, const std::vector<unsigned char>& pubkey, const std::vector<unsigned char>& data, const std::vector<unsigned char>& taptree, ScriptExecutionData& execdata, ScriptError* serror, TransactionExecutionData* tx_exec_data) const
+{
+    assert(execdata.m_internal_key.has_value());
+    assert(execdata.m_taproot_merkle_root.has_value());
+    assert(tx_exec_data != nullptr);
+
+    if (!(txdata->m_bip341_taproot_ready && txdata->m_spent_outputs_ready)) {
+        return HandleMissingData(m_mdb);
+    }
+
+    bool use_current_taptree = taptree.size() == 1 && taptree.data()[0] == 0x81;
+    bool use_current_pubkey = pubkey.size() == 1 && pubkey.data()[0] == 0x81;
+
+    uint256 merkle_tree;
+    const uint256 *merkle_tree_ptr = nullptr;
+    if (taptree.empty()) {
+        // no taptweak, leave nullptr
+    } else if (use_current_taptree) {
+        merkle_tree_ptr = &execdata.m_taproot_merkle_root.value();
+    } else if (taptree.size() == 32) {
+        merkle_tree = uint256(taptree);
+        merkle_tree_ptr = &merkle_tree;
+    } else {
+        return set_error(serror, SCRIPT_ERR_CHECKCONTRACTVERIFY_WRONG_ARGS);
+    }
+
+    XOnlyPubKey initialXOnlyKey;
+    if (use_current_pubkey) {
+        initialXOnlyKey = execdata.m_internal_key.value();
+    } else if (pubkey.empty()) {
+        initialXOnlyKey = XOnlyPubKey::NUMS_H;
+    } else {
+        initialXOnlyKey = XOnlyPubKey{Span<const unsigned char>{pubkey.data(), pubkey.data() + 32}};
+    }
+
+    if (index == -1) {
+        index = nIn;
+    }
+
+    auto indexLimit = (mode == CCV_MODE_CHECK_INPUT ? txTo->vin.size() : txTo->vout.size());
+    if (index < 0 || index >= static_cast<int>(indexLimit)) {
+        return set_error(serror, SCRIPT_ERR_CHECKCONTRACTVERIFY_OUT_OF_BOUNDS);
+    }
+
+    CScript scriptPubKey = (mode == CCV_MODE_CHECK_INPUT) ? txdata->m_spent_outputs[index].scriptPubKey : txTo->vout.at(index).scriptPubKey;
+
+    if (scriptPubKey.size() != 1 + 1 + 32 || scriptPubKey[0] != OP_1 || scriptPubKey[1] != 32) {
+        return set_error(serror, SCRIPT_ERR_CHECKCONTRACTVERIFY_WRONG_ARGS);
+    }
+
+    const XOnlyPubKey finalXOnlyKey{Span<const unsigned char>{scriptPubKey.data() + 2, scriptPubKey.data() + 34}};
+
+    if (!finalXOnlyKey.CheckDoubleTweak(initialXOnlyKey, data, merkle_tree_ptr)) {
+        return set_error(serror, SCRIPT_ERR_CHECKCONTRACTVERIFY_MISMATCH);
+    }
+
+
+    if (!execdata.m_ccv_amount_init) {
+        execdata.m_ccv_amount = amount;
+        execdata.m_ccv_amount_init = true;
+    }
+
+    {
+        LOCK(tx_exec_data->m_mutex);
+        if (tx_exec_data->m_error.has_value()) {
+            // an error related to tx_exec_data already occurred while validating the transaction
+            return set_error(serror, tx_exec_data->m_error.value());
+        }
+
+        switch (mode) {
+            case CCV_MODE_CHECK_OUTPUT:
+                if (tx_exec_data->m_ccv_output_checked_deduct[index]) {
+                    tx_exec_data->m_error = SCRIPT_ERR_CHECKCONTRACTVERIFY_WRONG_AMOUNT;
+                    return set_error(serror, SCRIPT_ERR_CHECKCONTRACTVERIFY_WRONG_AMOUNT);
+                }
+                tx_exec_data->m_ccv_output_checked_default[index] = true;
+
+                tx_exec_data->m_ccv_output_min_amount[index] += execdata.m_ccv_amount;
+                execdata.m_ccv_amount = 0;
+                if (txTo->vout[index].nValue < tx_exec_data->m_ccv_output_min_amount[index]) {
+                    tx_exec_data->m_error = SCRIPT_ERR_CHECKCONTRACTVERIFY_WRONG_AMOUNT;
+                    return set_error(serror, SCRIPT_ERR_CHECKCONTRACTVERIFY_WRONG_AMOUNT);
+                }
+                break;
+            case CCV_MODE_CHECK_OUTPUT_IGNORE_AMOUNT:
+                // amount checking is disabled
+                break;
+            case CCV_MODE_CHECK_OUTPUT_DEDUCT_AMOUNT:
+                if (tx_exec_data->m_ccv_output_checked_default[index] || tx_exec_data->m_ccv_output_checked_deduct[index]) {
+                    tx_exec_data->m_error = SCRIPT_ERR_CHECKCONTRACTVERIFY_WRONG_AMOUNT;
+                    return set_error(serror, SCRIPT_ERR_CHECKCONTRACTVERIFY_WRONG_AMOUNT);
+                }
+                tx_exec_data->m_ccv_output_checked_deduct[index] = true;
+                // subtract amount from input
+                if (txTo->vout[index].nValue > execdata.m_ccv_amount) {
+                    tx_exec_data->m_error = SCRIPT_ERR_CHECKCONTRACTVERIFY_WRONG_AMOUNT;
+                    return set_error(serror, SCRIPT_ERR_CHECKCONTRACTVERIFY_WRONG_AMOUNT);
+                }
+                execdata.m_ccv_amount -= txTo->vout[index].nValue;
+
+                break;
+            default:
+                break;
+        }
+    }
+
+    return true;
+}
+
 // explicit instantiation
 template class GenericTransactionSignatureChecker<CTransaction>;
 template class GenericTransactionSignatureChecker<CMutableTransaction>;
@@ -2199,7 +2364,7 @@ uint256 ComputeTaprootMerkleRoot(Span<const unsigned char> control, const uint25
     return k;
 }
 
-static bool VerifyTaprootCommitment(const std::vector<unsigned char>& control, const std::vector<unsigned char>& program, const uint256& tapleaf_hash, std::optional<XOnlyPubKey>& internal_key)
+static bool VerifyTaprootCommitment(const std::vector<unsigned char>& control, const std::vector<unsigned char>& program, const uint256& tapleaf_hash, std::optional<XOnlyPubKey>& internal_key, std::optional<uint256>& merkle_root)
 {
     assert(control.size() >= TAPROOT_CONTROL_BASE_SIZE);
     assert(program.size() >= uint256::size());
@@ -2209,9 +2374,9 @@ static bool VerifyTaprootCommitment(const std::vector<unsigned char>& control, c
     //! The output pubkey (taken from the scriptPubKey).
     const XOnlyPubKey q{program};
     // Compute the Merkle root from the leaf and the provided path.
-    const uint256 merkle_root = ComputeTaprootMerkleRoot(control, tapleaf_hash);
+    merkle_root = ComputeTaprootMerkleRoot(control, tapleaf_hash);
     // Verify that the output pubkey matches the tweaked internal pubkey, after correcting for parity.
-    return q.CheckTapTweak(p, merkle_root, control[0] & 1);
+    return q.CheckTapTweak(p, merkle_root.value(), control[0] & 1);
 }
 
 static bool VerifyWitnessProgram(const CScriptWitness& witness, int witversion, const std::vector<unsigned char>& program, script_verify_flags flags, const BaseSignatureChecker& checker, ScriptError* serror, bool is_p2sh, TransactionExecutionData* tx_exec_data = nullptr)
@@ -2271,7 +2436,7 @@ static bool VerifyWitnessProgram(const CScriptWitness& witness, int witversion,
                 return set_error(serror, SCRIPT_ERR_TAPROOT_WRONG_CONTROL_SIZE);
             }
             execdata.m_tapleaf_hash = ComputeTapleafHash(control[0] & TAPROOT_LEAF_MASK, script);
-            if (!VerifyTaprootCommitment(control, program, execdata.m_tapleaf_hash, execdata.m_internal_key)) {
+            if (!VerifyTaprootCommitment(control, program, execdata.m_tapleaf_hash, execdata.m_internal_key, execdata.m_taproot_merkle_root)) {
                 return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH);
             }
             execdata.m_tapleaf_hash_init = true;
diff --git a/src/script/interpreter.h b/src/script/interpreter.h
index 82b987ce315a..194160b34b8f 100644
--- a/src/script/interpreter.h
+++ b/src/script/interpreter.h
@@ -244,6 +244,10 @@ struct ScriptExecutionData
     bool m_tapleaf_hash_init = false;
     //! The tapleaf hash.
     uint256 m_tapleaf_hash;
+    //! The taproot internal key.
+    std::optional<XOnlyPubKey> m_internal_key = std::nullopt;
+    //! The merkle root of the taproot tree.
+    std::optional<uint256> m_taproot_merkle_root = std::nullopt;
 
     //! Whether m_codeseparator_pos is initialized.
     bool m_codeseparator_pos_init = false;
@@ -265,24 +269,45 @@ struct ScriptExecutionData
     //! The hash of the corresponding output
     std::optional<uint256> m_output_hash;
 
-    //! The taproot internal key. */
-    std::optional<XOnlyPubKey> m_internal_key = std::nullopt;
+    //! Whether m_ccv_amount is initialized.
+    bool m_ccv_amount_init = false;
+    //! Residual amount of the current input according to CHECKCONTRACTVERIFY semantics.
+    CAmount m_ccv_amount;
 };
 
 /** The state of the script interpreter that persists across inputs of a single transaction.
  *
  * As access happens across different worker threads, it is crucial that access to this struct
- * is properly synchronized. Code accessing its members must hold the m_mutex lock. */
+ * is properly synchronized. Code accessing its members must hold the m_mutex lock.
+ * Currently only used for OP_CHECKCONTRACTVERIFY. */
 struct TransactionExecutionData {
     const CTransaction* m_tx;
     Mutex m_mutex;
 
-    // members related to the validation state of this transaction
-    // that need to persist across inputs will be added here,
-    // protected by m_mutex.
+    // If an error occurs during the evaluation of a condition related to the access to this
+    // struct, it must be stored here.
+    // The caller _must_ check if this field has value immediately after acquiring the lock,
+    // and return the corresponding script error if it does.
+    // This makes sure that the checks are idempotent if repeated with the same instance
+    // of TransactionExecutionData. This is necessary because the checks might mutate the
+    // state of the struct, and the check might be repeated multiple times.
+    std::optional<ScriptError> m_error GUARDED_BY(m_mutex) = std::nullopt;
+
+    // For each output, the minimum amount of that output in order for the transaction
+    // to be considered valid. Accumulated during the evaluation of OP_CHECKCONTRACTVERIFY
+    // with the 'default' semantics.
+    std::vector<CAmount> m_ccv_output_min_amount GUARDED_BY(m_mutex);
+    // Set to true if this output has been checked with OP_CHECKCONTRACTVERIFY
+    // with the 'default' semantics.
+    std::vector<bool> m_ccv_output_checked_default GUARDED_BY(m_mutex);
+    // Set to true if this output has been checked with OP_CHECKCONTRACTVERIFY
+    // with the 'deduct' semantics.
+    std::vector<bool> m_ccv_output_checked_deduct GUARDED_BY(m_mutex);
 
     TransactionExecutionData(const CTransaction* tx)
-        : m_tx(tx)
+    : m_ccv_output_min_amount(tx ? tx->vout.size() : 0, 0),
+      m_ccv_output_checked_default(tx ? tx->vout.size() : 0, false),
+      m_ccv_output_checked_deduct(tx ? tx->vout.size() : 0, false)
     {
         assert(tx != nullptr); // Ensure the transaction pointer is valid
     }
@@ -380,6 +405,11 @@ class BaseSignatureChecker
         return false;
     }
 
+    virtual bool CheckContract(int mode, int index, const std::vector<unsigned char>& pubkey, const std::vector<unsigned char>& data, const std::vector<unsigned char>& taptree, ScriptExecutionData& execdata, ScriptError* serror, TransactionExecutionData* tx_exec_data) const
+    {
+        return false;
+    }
+
     virtual ~BaseSignatureChecker() = default;
 };
 
@@ -418,6 +448,7 @@ class GenericTransactionSignatureChecker : public BaseSignatureChecker
     bool CheckLockTime(const CScriptNum& nLockTime) const override;
     bool CheckSequence(const CScriptNum& nSequence) const override;
     bool CheckDefaultCheckTemplateVerifyHash(const Span<const unsigned char>& hash) const override;
+    bool CheckContract(int mode, int index, const std::vector<unsigned char>& pubkey, const std::vector<unsigned char>& data, const std::vector<unsigned char>& taptree, ScriptExecutionData& ScriptExecutionData, ScriptError* serror, TransactionExecutionData* tx_exec_data) const override;
 };
 
 using TransactionSignatureChecker = GenericTransactionSignatureChecker<CTransaction>;
diff --git a/src/script/script.cpp b/src/script/script.cpp
index 1bb0d4a07812..2ee2cb17c2f5 100644
--- a/src/script/script.cpp
+++ b/src/script/script.cpp
@@ -370,7 +370,7 @@ bool IsOpSuccess(const opcodetype& opcode)
     return opcode == 80 || opcode == 98 || (opcode >= 126 && opcode <= 129) ||
            (opcode >= 131 && opcode <= 134) || (opcode >= 137 && opcode <= 138) ||
            (opcode >= 141 && opcode <= 142) || (opcode >= 149 && opcode <= 153) ||
-           (opcode >= 187 && opcode <= 254);
+           (opcode >= 188 && opcode <= 254);
 }
 
 bool CheckMinimalPush(const std::vector<unsigned char>& data, opcodetype opcode) {
diff --git a/src/script/script_error.cpp b/src/script/script_error.cpp
index 8f49cd783c8a..fb98018bd8c4 100644
--- a/src/script/script_error.cpp
+++ b/src/script/script_error.cpp
@@ -115,6 +115,14 @@ std::string ScriptErrorString(const ScriptError serror)
             return "OP_CHECKMULTISIG(VERIFY) is not available in tapscript";
         case SCRIPT_ERR_TAPSCRIPT_MINIMALIF:
             return "OP_IF/NOTIF argument must be minimal in tapscript";
+        case SCRIPT_ERR_CHECKCONTRACTVERIFY_WRONG_ARGS:
+            return "Invalid arguments for OP_CHECKCONTRACTVERIFY";
+        case SCRIPT_ERR_CHECKCONTRACTVERIFY_OUT_OF_BOUNDS:
+            return "Index of input/output out of bounds in OP_CHECKCONTRACTVERIFY";
+        case SCRIPT_ERR_CHECKCONTRACTVERIFY_MISMATCH:
+            return "Mismatching contract data or program";
+        case SCRIPT_ERR_CHECKCONTRACTVERIFY_WRONG_AMOUNT:
+            return "Incorrect amount for OP_CHECKCONTRACTVERIFY";
         case SCRIPT_ERR_OP_CODESEPARATOR:
             return "Using OP_CODESEPARATOR in non-witness script";
         case SCRIPT_ERR_SIG_FINDANDDELETE:
diff --git a/src/script/script_error.h b/src/script/script_error.h
index fd10bf91451b..21899147e556 100644
--- a/src/script/script_error.h
+++ b/src/script/script_error.h
@@ -81,6 +81,12 @@ typedef enum ScriptError_t
     SCRIPT_ERR_TAPSCRIPT_CHECKMULTISIG,
     SCRIPT_ERR_TAPSCRIPT_MINIMALIF,
 
+    /* CHECKCONTRACTVERIFY */
+    SCRIPT_ERR_CHECKCONTRACTVERIFY_WRONG_ARGS,
+    SCRIPT_ERR_CHECKCONTRACTVERIFY_OUT_OF_BOUNDS,
+    SCRIPT_ERR_CHECKCONTRACTVERIFY_MISMATCH,
+    SCRIPT_ERR_CHECKCONTRACTVERIFY_WRONG_AMOUNT,
+
     /* Constant scriptCode */
     SCRIPT_ERR_OP_CODESEPARATOR,
     SCRIPT_ERR_SIG_FINDANDDELETE,
diff --git a/test/functional/test_framework/script.py b/test/functional/test_framework/script.py
index 0a33838b1276..37db777fbaa3 100644
--- a/test/functional/test_framework/script.py
+++ b/test/functional/test_framework/script.py
@@ -254,6 +254,8 @@ def __new__(cls, n):
 # BIP 342 opcodes (Tapscript)
 OP_CHECKSIGADD = CScriptOp(0xba)
 
+OP_CHECKCONTRACTVERIFY = CScriptOp(0xbb)
+
 OP_CHECKSIGFROMSTACK = CScriptOp(0xcc)
 OP_INTERNALKEY = CScriptOp(0xcb)
 
@@ -372,6 +374,7 @@ def __new__(cls, n):
     OP_NOP9: 'OP_NOP9',
     OP_NOP10: 'OP_NOP10',
     OP_CHECKSIGADD: 'OP_CHECKSIGADD',
+    OP_CHECKCONTRACTVERIFY: 'OP_CHECKCONTRACTVERIFY',
     OP_INVALIDOPCODE: 'OP_INVALIDOPCODE',
 })
 
@@ -969,7 +972,7 @@ def taproot_construct(pubkey, scripts=None, *, keyver=None, treat_internal_as_in
     return TaprootInfo(CScript([OP_1, tweaked]), pubkey, negated + 0, tweak, leaves, h, tweaked, keyver)
 
 def is_op_success(o):
-    if o in [OP_CAT, OP_CHECKSIGFROMSTACK, OP_INTERNALKEY]:
+    if o in [OP_CAT, OP_CHECKSIGFROMSTACK, OP_INTERNALKEY, OP_CHECKCONTRACTVERIFY]:
         return False
 
     return o == 0x50 or o == 0x62 or o == 0x89 or o == 0x8a or o == 0x8d or o == 0x8e or (o >= 0x7e and o <= 0x81) or (o >= 0x83 and o <= 0x86) or (o >= 0x95 and o <= 0x99) or (o >= 0xbb and o <= 0xfe)

From 51f54463719da5729a0cfc9d91feb1a2de2b104b Mon Sep 17 00:00:00 2001
From: Salvatore Ingala <6681844+bigspider@users.noreply.github.com>
Date: Thu, 11 Dec 2025 17:37:13 +0100
Subject: [PATCH 4/7] consensus: Add sigops budget for OP_CHECKCONTRACTVERIFY

---
 src/script/interpreter.cpp | 10 ++++++++++
 src/script/script.h        |  9 +++++++++
 2 files changed, 19 insertions(+)

diff --git a/src/script/interpreter.cpp b/src/script/interpreter.cpp
index 6083b2c85d78..dbece06213fd 100644
--- a/src/script/interpreter.cpp
+++ b/src/script/interpreter.cpp
@@ -2164,6 +2164,16 @@ bool GenericTransactionSignatureChecker<T>::CheckContract(int mode, int index, c
         return HandleMissingData(m_mdb);
     }
 
+    // Implement the sigops/witnesssize ratio test.
+    // Each tweak contributes equally.
+    assert(execdata.m_validation_weight_left_init);
+    int n_tweaks = (!taptree.empty()) + (!data.empty());
+    int64_t validation_weight = n_tweaks * VALIDATION_WEIGHT_PER_CCV_TWEAK;
+    execdata.m_validation_weight_left -= validation_weight;
+    if (execdata.m_validation_weight_left < 0) {
+        return set_error(serror, SCRIPT_ERR_TAPSCRIPT_VALIDATION_WEIGHT);
+    }
+
     bool use_current_taptree = taptree.size() == 1 && taptree.data()[0] == 0x81;
     bool use_current_pubkey = pubkey.size() == 1 && pubkey.data()[0] == 0x81;
 
diff --git a/src/script/script.h b/src/script/script.h
index 391fe23ddabb..428999fdea7e 100644
--- a/src/script/script.h
+++ b/src/script/script.h
@@ -64,6 +64,15 @@ static constexpr int64_t VALIDATION_WEIGHT_PER_SIGOP_PASSED{50};
 // How much weight budget is added to the witness size (Tapscript only, see BIP 342).
 static constexpr int64_t VALIDATION_WEIGHT_OFFSET{50};
 
+// Validation weight per OP_CHECKCONTRACTVERIFY with 1 tweak (Tapscript only, see BIP 443).
+// TODO: figure out what is the right weight.
+// Rationale for 25: while CheckDoubleTweak with 2 tweaks costs about 60% more than a
+// Schnorr sig check, caching could be implemented so that the same input/output is checked
+// several times. The cost with a single tweak is half of that. The cost of hashing is
+// negligible in comparison, as it is bound by MAX_SCRIPT_ELEMENT_SIZE bytes. The rest of
+// the opcode evaluation is negligible.
+static constexpr int64_t VALIDATION_WEIGHT_PER_CCV_TWEAK{25};
+
 template <typename T>
 std::vector<unsigned char> ToByteVector(const T& in)
 {

From ab532802a8d50bc9e484bc9d61f77d3c3d7ad45e Mon Sep 17 00:00:00 2001
From: Salvatore Ingala <6681844+bigspider@users.noreply.github.com>
Date: Sun, 9 Jul 2023 22:35:19 +0200
Subject: [PATCH 5/7] test: Add functional tests for OP_CHECKCONTRACTVERIFY

---
 .../functional/feature_checkcontractverify.py | 723 ++++++++++++++++++
 test/functional/test_framework/script.py      |  12 +-
 test/functional/test_runner.py                |   1 +
 3 files changed, 735 insertions(+), 1 deletion(-)
 create mode 100755 test/functional/feature_checkcontractverify.py

diff --git a/test/functional/feature_checkcontractverify.py b/test/functional/feature_checkcontractverify.py
new file mode 100755
index 000000000000..ef457f97bef3
--- /dev/null
+++ b/test/functional/feature_checkcontractverify.py
@@ -0,0 +1,723 @@
+#!/usr/bin/env python3
+# Copyright (c) 2025 The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+"""
+Test OP_CHECKCONTRACTVERIFY
+"""
+
+from abc import ABC, abstractmethod
+from dataclasses import dataclass
+import hashlib
+from typing import Any, Dict, List, Optional, Tuple, Union
+
+from test_framework import script, key
+from test_framework.test_framework import BitcoinTestFramework, TestNode
+from test_framework.p2p import P2PInterface
+from test_framework.wallet import MiniWallet, MiniWalletMode
+from test_framework.script import (
+    CScript,
+    OP_CHECKCONTRACTVERIFY,
+    OP_RETURN,
+    OP_TRUE,
+    TaprootInfo,
+)
+from test_framework.messages import CTransaction, COutPoint, CTxInWitness, CTxOut, CTxIn
+from test_framework.util import assert_equal, assert_raises_rpc_error
+
+# Modes for OP_CHECKCONTRACTVERIFY
+CCV_MODE_CHECK_INPUT: int = -1
+CCV_MODE_CHECK_OUTPUT: int = 0
+CCV_MODE_CHECK_OUTPUT_IGNORE_AMOUNT: int = 1
+CCV_MODE_CHECK_OUTPUT_DEDUCT_AMOUNT: int = 2
+
+
+# x-only public key with provably unknown private key defined in BIP-341
+NUMS_KEY: bytes = bytes.fromhex(key.H_POINT)
+
+
+# ======= Utility Classes & Functions =======
+
+TapLeaf = Tuple[str, CScript]
+TapTree = Union[TapLeaf, List["TapTree"]]
+
+
+def flatten_scripts(tree: TapTree) -> List[TapLeaf]:
+    result = []
+    if isinstance(tree, list):
+        assert len(tree) == 2
+        result.extend(flatten_scripts(tree[0]))
+        result.extend(flatten_scripts(tree[1]))
+    else:
+        assert isinstance(tree, tuple) and len(tree) == 2
+        result.append(tree)
+    return result
+
+
+class AugmentedP2TR(ABC):
+    """
+    An abstract class representing a Pay-to-Taproot script with (possibly) some embedded data.
+    While the exact scriptPubKey can only be produced once the embedded data is known, the taptree
+    and the "naked internal key" are decided in advance.
+    """
+
+    def __init__(self, naked_internal_pubkey: bytes):
+        assert len(naked_internal_pubkey) == 32
+
+        self.naked_internal_pubkey = naked_internal_pubkey
+
+    @abstractmethod
+    def get_scripts(self) -> TapTree:
+        raise NotImplementedError("This must be implemented in subclasses")
+
+    def get_script(self, clause_name: str):
+        for name, clause_script in flatten_scripts(self.get_scripts()):
+            if name == clause_name:
+                return clause_script
+        raise ValueError(f"Clause {clause_name} not found")
+
+    def get_taptree(self) -> bytes:
+        # use dummy data, since it doesn't affect the merkle root
+        return self.get_tr_info(b'').merkle_root
+
+    def get_tr_info(self, data: bytes = b'') -> TaprootInfo:
+        if len(data) == 0:
+            internal_pubkey = self.naked_internal_pubkey
+        else:
+            data_hash = hashlib.sha256(
+                self.naked_internal_pubkey + data).digest()
+
+            internal_pubkey, _ = key.tweak_add_pubkey(
+                self.naked_internal_pubkey, data_hash)
+        return script.taproot_construct(internal_pubkey, [self.get_scripts()])
+
+    def get_tx_out(self, value: int, data: bytes = b'') -> CTxOut:
+        return CTxOut(nValue=value, scriptPubKey=self.get_tr_info(data).scriptPubKey)
+
+
+class P2TR(AugmentedP2TR):
+    """
+    A class representing a Pay-to-Taproot script, without any embedded data.
+    """
+
+    def __init__(self, internal_pubkey: bytes, scripts: TapTree):
+        super().__init__(internal_pubkey)
+        self.scripts = scripts
+
+    def get_scripts(self) -> TapTree:
+        return self.scripts
+
+    def get_tr_info(self, data: bytes = b'') -> TaprootInfo:
+        if data != b'':
+            raise ValueError("P2TR does not support embedded data")
+        return super().get_tr_info(data)
+
+    def get_tx_out(self, value: int, data: bytes = b'') -> CTxOut:
+        if data != b'':
+            raise ValueError("P2TR does not support embedded data")
+        return super().get_tx_out(value, data)
+
+
+class PrivkeyPlaceholder:
+    """
+    A placeholder for a witness element that will be replaced with the
+    corresponding Schnorr signature.
+    """
+
+    def __init__(self, privkey: key.ECKey):
+        self.privkey = privkey
+
+
+@dataclass
+class CcvInput:
+    txid: str
+    vout_index: int
+    amount: int
+    contract: AugmentedP2TR
+    data: bytes
+    leaf_name: str
+
+    # excluding the control block and the script
+    wit_stack: List[Union[bytes, PrivkeyPlaceholder]]
+
+    nSequence: int = 0
+
+
+def create_tx(
+    inputs: List[CcvInput],
+    outputs: List[CTxOut],
+    *,
+    version: int = 2,
+    nLockTime: int = 0
+) -> CTransaction:
+    """
+    Creates a transaction with the given inputs and outputs.
+    Inputs are spending UTXOs that might or might not have data
+    embedded with OP_CHECKCONTRACTVERIFY.
+
+    The witness is constructed by replacing each PrivkeyPlaceholder with a signature
+    constructed with its private key (using SIGHASH_DEFAULT), and then appending the
+    control block and the leaf script, per BIP-341.
+    """
+    tx = CTransaction()
+    tx.version = version
+    tx.nLockTime = nLockTime
+    tx.vin = []
+    tx.wit.vtxinwit = []
+
+    in_txouts = []
+
+    for inp in inputs:
+        txin = CTxIn(COutPoint(int(inp.txid, 16), inp.vout_index),
+                     nSequence=inp.nSequence)
+        tx.vin.append(txin)
+
+        # Retrieve leaf script & control block
+        tr_info = inp.contract.get_tr_info(inp.data)
+
+        in_txouts.append(
+            CTxOut(nValue=inp.amount, scriptPubKey=tr_info.scriptPubKey))
+
+        leaf_script = tr_info.leaves[inp.leaf_name].script
+        control_block = tr_info.controlblock_for_script_spend(inp.leaf_name)
+        wit_stack = inp.wit_stack.copy()
+        wit_stack.extend([leaf_script, control_block])
+
+        wit = CTxInWitness()
+        wit.scriptWitness.stack = wit_stack
+        tx.wit.vtxinwit.append(wit)
+
+    tx.vout = outputs
+
+    # For each input, if any witness stack element is a PrivkeyPlaceholder, replace with the
+    # actual signature. This assumes signing with SIGHASH_DEFAULT.
+    for i in range(len(tx.vin)):
+        for j in range(len(tx.wit.vtxinwit[i].scriptWitness.stack)):
+            if isinstance(tx.wit.vtxinwit[i].scriptWitness.stack[j], PrivkeyPlaceholder):
+                contract = inputs[i].contract
+                clause = inputs[i].leaf_name
+                privkey: key.ECKey = tx.wit.vtxinwit[i].scriptWitness.stack[j].privkey
+                sigmsg = script.TaprootSignatureHash(
+                    tx, in_txouts, input_index=i, hash_type=0,
+                    scriptpath=True, leaf_script=contract.get_script(clause),
+                )
+                sig = key.sign_schnorr(privkey.get_bytes(), sigmsg)
+                tx.wit.vtxinwit[i].scriptWitness.stack[j] = sig
+
+    return tx
+
+
+# ======= Contract definitions =======
+
+
+class EmbedData(P2TR):
+    """
+    An output that can only be spent to a `CompareWithEmbeddedData` output, with
+    its embedded data passed as the witness.
+    """
+
+    def __init__(self, ignore_amount: bool = False):
+        super().__init__(
+            NUMS_KEY,
+            (
+                "forced",
+                CScript([
+                    # witness: <data>
+                    0,  # index
+                    0,  # use NUMS as the naked pubkey
+                    CompareWithEmbeddedData().get_taptree(),  # output Merkle tree
+                    CCV_MODE_CHECK_OUTPUT_IGNORE_AMOUNT if ignore_amount else 0,  # mode
+                    OP_CHECKCONTRACTVERIFY,
+                    OP_TRUE
+                ])
+            )
+        )
+
+
+class CompareWithEmbeddedData(AugmentedP2TR):
+    """
+    An output that can only be spent by passing the embedded data in the witness.
+    """
+
+    def __init__(self):
+        super().__init__(NUMS_KEY)
+
+    def get_scripts(self) -> TapTree:
+        return (
+            "check_data",
+            CScript([
+                # witness: <data>
+                -1,  # index: check current input
+                0,   # use NUMS as the naked pubkey
+                -1,  # use taptree of the current input
+                CCV_MODE_CHECK_INPUT,  # check input
+                OP_CHECKCONTRACTVERIFY,
+                OP_TRUE
+            ])
+        )
+
+
+class SendToSelf(P2TR):
+    """
+    A utxo that can only be spent by sending the entire amount to the same script.
+    The output index must match the input index.
+    """
+
+    def __init__(self):
+        super().__init__(
+            NUMS_KEY,
+            ("send_to_self", CScript([
+                # witness: <>
+                0,   # no data tweaking
+                -1,  # index: check current output
+                -1,  # use internal key of the current input
+                -1,  # use taptree of the current input
+                CCV_MODE_CHECK_OUTPUT,  # all the amount must go to this output
+                OP_CHECKCONTRACTVERIFY,
+                OP_TRUE
+            ]))
+        )
+
+
+class SplitFunds(P2TR):
+    """
+    An output that can only be spent by sending part of the fund to itself,
+    and all the remaining funds to the P2TR address with NUMS pubkey.
+    """
+
+    def __init__(self):
+        super().__init__(
+            NUMS_KEY,
+            (
+                "split", CScript([
+                    # witness: <>
+                    0,   # no data tweaking
+                    0,   # index
+                    -1,  # use internal key of the current input
+                    -1,  # use taptree of the current input
+                    # check output, deduct amount from input
+                    CCV_MODE_CHECK_OUTPUT_DEDUCT_AMOUNT,
+                    OP_CHECKCONTRACTVERIFY,
+
+                    0,   # no data tweaking
+                    1,   # index
+                    0,   # NUMS pubkey
+                    0,   # no taptweak
+                    # check output, all remaining amount must go to this output
+                    CCV_MODE_CHECK_OUTPUT,
+                    OP_CHECKCONTRACTVERIFY,
+
+                    OP_TRUE
+                ])
+            )
+        )
+
+
+def ccv(mode=0, index=0, data=0, pk=0, tree=0):
+    return CScript([
+        data,
+        index,
+        pk,
+        tree,
+        mode,
+        OP_CHECKCONTRACTVERIFY,
+    ])
+
+
+class TestCCVSuccess(P2TR):
+    """
+    A utxo with hardcoded parameters to test the OP_SUCCESS behavior for the mode.
+    """
+
+    def __init__(self, **kwargs):
+        super().__init__(NUMS_KEY, [
+            ("spend", CScript([
+                *ccv(**kwargs),
+                OP_RETURN  # make sure that the script execution fails if it reaches here
+            ]))
+        ])
+
+
+class TestCCVFail(P2TR):
+    """
+    A utxo with hardcoded parameters to test the failure cases for invalid parameters.
+    """
+
+    def __init__(self, **kwargs):
+        super().__init__(NUMS_KEY, [
+            ("spend", CScript([
+                *ccv(**kwargs),
+                OP_TRUE  # make sure that the script execution succeeds if it reaches here
+            ]))
+        ])
+
+
+# ======= Tests =======
+
+
+class CheckContractVerifyTest(BitcoinTestFramework):
+    def set_test_params(self):
+        self.num_nodes = 1
+        self.extra_args = [
+            [
+                # Use only one script thread to get the exact reject reason for testing
+                "-par=1",
+                # TODO: figure out changes to standardness rules
+                "-acceptnonstdtxn=1",
+                # TODO: remove when package relay submission becomes a thing.
+                "-minrelaytxfee=0",
+                "-blockmintxfee=0",
+            ]
+        ]
+        self.setup_clean_chain = True
+
+    def run_test(self):
+        wallet = MiniWallet(self.nodes[0], mode=MiniWalletMode.RAW_OP_TRUE)
+        node = self.nodes[0]
+        node.add_p2p_connection(P2PInterface())
+
+        # Generate some matured UTXOs to spend into vaults.
+        self.generate(wallet, 200)
+
+        self.test_ccv(node, wallet, data=b'\x42'*32, ignore_amount=False)
+        self.test_ccv(node, wallet, data=b'', ignore_amount=True)
+        self.test_ccv(node, wallet, data=b'\x42'*32, ignore_amount=True)
+        self.test_many_to_one(node, wallet)
+        self.test_send_to_self(node, wallet)
+        self.test_deduct_amount(node, wallet)
+        self.test_undefined_modes_opsuccess(node, wallet)
+        self.test_invalid_parameters(node, wallet)
+
+    def test_ccv(
+        self,
+        node: TestNode,
+        wallet: MiniWallet,
+        data,
+        ignore_amount: bool
+    ):
+        assert_equal(node.getmempoolinfo()["size"], 0)
+
+        #            tx1      tx2
+        # MiniWallet ==> S ==(data)==> T ==> OP_TRUE
+        #    S: tr(NUMS, CheckOutputContract(T, data))
+        #    T: tr(NUMS×data, CheckInputContract(data == 0x424242...))
+
+        T = CompareWithEmbeddedData()
+        S = EmbedData(ignore_amount=ignore_amount)
+
+        # Create UTXO for S
+
+        # If ignoring amount, the contract value (if any) can be used to pay for fees
+        # otherwise, we put 0 fees for the sake of the tests.
+        # In practice, package relay would likely be used to manage fees, when ready.
+        amount_sats = 100_000
+        fees = 1_000 if ignore_amount else 0
+
+        res = wallet.send_to(
+            from_node=node,
+            scriptPubKey=S.get_tr_info().scriptPubKey,
+            amount=amount_sats
+        )
+        tx1_txid = res['txid']
+        tx1_n = res['sent_vout']
+
+        # Create UTXO for T
+
+        tx2 = create_tx(
+            inputs=[CcvInput(tx1_txid, tx1_n, amount_sats,
+                             S, b'', "forced", [data])],
+            outputs=[T.get_tx_out(amount_sats - fees, data)]
+        )
+
+        if not ignore_amount:
+            # broadcast with insufficient output amount; this should fail
+            tx2.vout[0].nValue -= 1
+            self.assert_broadcast_tx(
+                tx2, err_msg='Incorrect amount for OP_CHECKCONTRACTVERIFY')
+            tx2.vout[0].nValue += 1
+
+        tx2_txid = self.assert_broadcast_tx(tx2, mine_all=True)
+
+        # create an output for the final spend
+        dest_ctr = P2TR(NUMS_KEY, [("true", CScript([OP_TRUE]))])
+
+        # try to spend with the wrong data
+        tx3_wrongdata = create_tx(
+            inputs=[CcvInput(tx2_txid, 0, amount_sats - fees, T,
+                             data, "check_data", [b'\x43'*32])],
+            outputs=[dest_ctr.get_tx_out(amount_sats - 2 * fees)]
+        )
+
+        self.assert_broadcast_tx(
+            tx3_wrongdata, err_msg="Mismatching contract data or program")
+
+        # Broadcasting with correct data succeeds
+        tx3 = create_tx(
+            inputs=[CcvInput(tx2_txid, 0, amount_sats - fees,
+                             T, data, "check_data", [data])],
+            outputs=[dest_ctr.get_tx_out(amount_sats - 2 * fees)]
+        )
+        self.assert_broadcast_tx(tx3, mine_all=True)
+
+    def test_many_to_one(
+        self,
+        node: TestNode,
+        wallet: MiniWallet
+    ):
+        assert_equal(node.getmempoolinfo()["size"], 0)
+
+        # Creates 3 utxos with different amounts and all with the same EmbedData script.
+        # Spending them together to a single output, the total amount must be preserved.
+
+        #               tx1,tx2,tx3       tx4
+        # MiniWallet ==> S1, S2, S3 ==> T ==> OP_TRUE
+        #   S1: tr(NUMS, CheckOutputContract(T, data))
+        #   S2: tr(NUMS, CheckOutputContract(T, data))
+        #   S3: tr(NUMS, CheckOutputContract(T, data))
+        #   T: tr(NUMS×data, CheckInputContract(data == 0x424242...))
+
+        data = b'\x42'*32
+        amounts_sats: List[int] = []
+
+        T = CompareWithEmbeddedData()
+        S = EmbedData()
+
+        tx_ids_and_n: List[Tuple[str, int]] = []
+        inputs = []
+        for i in range(3):
+            # Create UTXO for S[i]
+            amount_sats = 100_000 * (i + 1)
+            amounts_sats.append(amount_sats)
+
+            res = wallet.send_to(
+                from_node=node,
+                scriptPubKey=S.get_tr_info().scriptPubKey,
+                amount=amount_sats
+            )
+            tx_ids_and_n.append((res['txid'], res['sent_vout']))
+            inputs.append(CcvInput(
+                res['txid'], res['sent_vout'], amount_sats, S, b'', "forced", [data]
+            ))
+
+        # Create UTXO for T
+        outputs = [T.get_tx_out(sum(amounts_sats), data)]
+        tx4 = create_tx(inputs, outputs)
+
+        # broadcast with insufficient output amount; this should fail
+        tx4.vout[0].nValue -= 1
+        self.assert_broadcast_tx(
+            tx4, err_msg='Incorrect amount for OP_CHECKCONTRACTVERIFY')
+        tx4.vout[0].nValue += 1
+
+        # correct amount succeeds
+        self.assert_broadcast_tx(tx4, mine_all=True)
+
+    def test_send_to_self(
+        self,
+        node: TestNode,
+        wallet: MiniWallet
+    ):
+        assert_equal(node.getmempoolinfo()["size"], 0)
+
+        # Creates a utxo with the SendToSelf contract, and verifies that:
+        # - sending to a different scriptPubKey fails;
+        # - sending to an output with the same scriptPubKey works.
+
+        amount_sats = 10_000
+
+        C = SendToSelf()
+
+        res = wallet.send_to(
+            from_node=node,
+            scriptPubKey=C.get_tr_info().scriptPubKey,
+            amount=amount_sats
+        )
+        tx_id, n = (res['txid'], res['sent_vout'])
+
+        # Create UTXO for C
+        tx2 = create_tx(
+            inputs=[CcvInput(tx_id, n, amount_sats, C,
+                             b'', "send_to_self", [])],
+            outputs=[C.get_tx_out(amount_sats)]
+        )
+
+        # broadcast with insufficient output amount; this should fail
+        tx2.vout[0].nValue -= 1
+        self.assert_broadcast_tx(
+            tx2, err_msg='Incorrect amount for OP_CHECKCONTRACTVERIFY')
+        tx2.vout[0].nValue += 1
+
+        # broadcast with incorrect output script; this should fail
+        correct_script = tx2.vout[0].scriptPubKey
+        tx2.vout[0].scriptPubKey = correct_script[:-1] + \
+            bytes([correct_script[-1] ^ 1])
+        self.assert_broadcast_tx(
+            tx2, err_msg="Mismatching contract data or program")
+        tx2.vout[0].scriptPubKey = correct_script
+
+        # correct amount succeeds
+        self.assert_broadcast_tx(tx2, mine_all=True)
+
+    def test_deduct_amount(
+        self,
+        node: TestNode,
+        wallet: MiniWallet
+    ):
+        assert_equal(node.getmempoolinfo()["size"], 0)
+
+        # Tests the behavior of the CCV_MODE_CHECK_OUTPUT_DEDUCT_AMOUNT mode
+
+        #            tx1              tx2
+        # MiniWallet ==> SplitFunds() ==> SplitFunds(), P2TR(NUMS)
+
+        S = SplitFunds()
+
+        amount_sats = 10_000
+        recover_amount_sats = 3_000  # the amount that goes back to the same script
+
+        res = wallet.send_to(
+            from_node=node,
+            scriptPubKey=S.get_tr_info().scriptPubKey,
+            amount=amount_sats
+        )
+        tx1_txid, tx1_n = (res['txid'], res['sent_vout'])
+
+        # Create UTXO for S
+        tx2 = create_tx(
+            inputs=[CcvInput(tx1_txid, tx1_n, amount_sats,
+                             S, b'', "split", [])],
+            outputs=[
+                S.get_tx_out(recover_amount_sats),
+                CTxOut(
+                    nValue=amount_sats - recover_amount_sats - 1,  # 1 sat short, this must fail
+                    scriptPubKey=b'\x51\x20' + NUMS_KEY
+                )
+            ]
+        )
+
+        self.assert_broadcast_tx(
+            tx2, err_msg='Incorrect amount for OP_CHECKCONTRACTVERIFY')
+
+        tx2.vout[1].nValue += 1  # correct amount
+
+        self.assert_broadcast_tx(tx2, mine_all=True)
+
+    def test_undefined_modes_opsuccess(
+        self,
+        node: TestNode,
+        wallet: MiniWallet
+    ):
+        assert_equal(node.getmempoolinfo()["size"], 0)
+
+        # Tests that undefined modes immediately terminate the script successfully.
+
+        testcases = [
+            {"mode": -2},
+            {"mode": 3},
+        ]
+
+        amount_sats = 10_000
+        fees = 1_000
+
+        for testcase in testcases:
+            C = TestCCVSuccess(**testcase)
+
+            res = wallet.send_to(
+                from_node=node,
+                scriptPubKey=C.get_tr_info().scriptPubKey,
+                amount=amount_sats
+            )
+            tx_id, n = (res['txid'], res['sent_vout'])
+
+            # Create UTXO for C
+            tx2 = create_tx(
+                inputs=[CcvInput(tx_id, n, amount_sats, C, b'', "spend", [])],
+                outputs=[CTxOut(
+                    nValue=amount_sats - fees,
+                    scriptPubKey=P2TR(
+                        NUMS_KEY, [("true", CScript([OP_TRUE]))]).get_tr_info().scriptPubKey
+                )]
+            )
+
+            # it should succeed
+            self.assert_broadcast_tx(tx2, mine_all=True)
+
+    def test_invalid_parameters(
+        self,
+        node: TestNode,
+        wallet: MiniWallet
+    ):
+        assert_equal(node.getmempoolinfo()["size"], 0)
+
+        # Tests that invalid parameters, that cause the Script validation to fail
+
+        testcases: List[Dict[str, Any]] = [
+            {"pk": -2},
+            {"pk": 1},
+            {"pk": b'\x42'*31},
+            {"pk": b'\x42'*33},
+            {"pk": b'\x42'*64},
+            {"tree": -2},
+            {"tree": 1},
+            {"tree": b'\x42'*31},
+            {"tree": b'\x42'*33},
+        ]
+
+        amount_sats = 10_000
+        fees = 1_000
+
+        for testcase in testcases:
+            C = TestCCVFail(**testcase)
+
+            res = wallet.send_to(
+                from_node=node,
+                scriptPubKey=C.get_tr_info().scriptPubKey,
+                amount=amount_sats
+            )
+            tx_id, n = (res['txid'], res['sent_vout'])
+
+            # Create UTXO for C
+            tx2 = create_tx(
+                inputs=[CcvInput(tx_id, n, amount_sats, C, b'', "spend", [])],
+                outputs=[CTxOut(
+                    nValue=amount_sats - fees,
+                    scriptPubKey=P2TR(
+                        NUMS_KEY, [("true", CScript([OP_TRUE]))]).get_tr_info().scriptPubKey
+                )]
+            )
+
+            # it should fail
+            self.assert_broadcast_tx(
+                tx2, err_msg='Invalid arguments for OP_CHECKCONTRACTVERIFY')
+
+    # taken from OP_VAULT PR's functional test
+
+    def assert_broadcast_tx(
+        self,
+        tx: CTransaction,
+        mine_all: bool = False,
+        err_msg: Optional[str] = None
+    ) -> str:
+        """
+        Broadcast a transaction and facilitate various assertions about how the
+        broadcast went.
+        """
+        node = self.nodes[0]
+        txhex = tx.serialize().hex()
+        txid = tx.rehash()
+
+        if not err_msg:
+            assert_equal(node.sendrawtransaction(txhex), txid)
+        else:
+            assert_raises_rpc_error(-26, err_msg,
+                                    node.sendrawtransaction, txhex)
+
+        if mine_all:
+            self.generate(node, 1)
+            assert_equal(node.getmempoolinfo()["size"], 0)
+
+        return txid
+
+
+if __name__ == "__main__":
+    CheckContractVerifyTest(__file__).main()
diff --git a/test/functional/test_framework/script.py b/test/functional/test_framework/script.py
index 37db777fbaa3..37b5b4b968b2 100644
--- a/test/functional/test_framework/script.py
+++ b/test/functional/test_framework/script.py
@@ -934,7 +934,17 @@ def taproot_tree_helper(scripts):
 # - tweak: the tweak (32 bytes)
 # - leaves: a dict of name -> TaprootLeafInfo objects for all known leaves
 # - merkle_root: the script tree's Merkle root, or bytes() if no leaves are present
-TaprootInfo = namedtuple("TaprootInfo", "scriptPubKey,internal_pubkey,negflag,tweak,leaves,merkle_root,output_pubkey,keyver")
+class TaprootInfo(namedtuple("TaprootInfo", "scriptPubKey,internal_pubkey,negflag,tweak,leaves,merkle_root,output_pubkey,keyver")):
+    def __hash__(self):
+        return hash(str(self))
+
+    def controlblock_for_script_spend(self, script_name: str) -> bytes:
+        leaf = self.leaves[script_name]
+        return (
+            bytes([leaf.version + self.negflag]) +
+            self.internal_pubkey +
+            leaf.merklebranch
+        )
 
 # A TaprootLeafInfo object has the following fields:
 # - script: the leaf script (CScript or bytes)
diff --git a/test/functional/test_runner.py b/test/functional/test_runner.py
index 6defca85eea3..217d8eaa8313 100755
--- a/test/functional/test_runner.py
+++ b/test/functional/test_runner.py
@@ -398,6 +398,7 @@
     'wallet_timelock.py',
     'p2p_permissions.py',
     'feature_blocksdir.py',
+    'feature_checkcontractverify.py',
     'wallet_startup.py',
     'feature_remove_pruned_files_on_startup.py',
     'p2p_i2p_ports.py',

From a9e220366df906b4b24e92bb369c1f37f258f583 Mon Sep 17 00:00:00 2001
From: Salvatore Ingala <6681844+bigspider@users.noreply.github.com>
Date: Thu, 6 Feb 2025 00:23:56 +0100
Subject: [PATCH 6/7] test: Add functional tests for a vault construction based
 on CHECKCONTRACTVERIFY

---
 .../feature_checkcontractverify_vaults.py     | 477 ++++++++++++++++++
 test/functional/test_runner.py                |   1 +
 2 files changed, 478 insertions(+)
 create mode 100755 test/functional/feature_checkcontractverify_vaults.py

diff --git a/test/functional/feature_checkcontractverify_vaults.py b/test/functional/feature_checkcontractverify_vaults.py
new file mode 100755
index 000000000000..1bbc8abb6c82
--- /dev/null
+++ b/test/functional/feature_checkcontractverify_vaults.py
@@ -0,0 +1,477 @@
+#!/usr/bin/env python3
+# Copyright (c) 2025 The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://opensource.org/licenses/mit-license.php.
+"""
+Tests a vault construction based on OP_CHECKCONTRACTVERIFY.
+
+The vaults are functionally very similar to the ones defined in BIP-345, except that
+the withdrawal transaction must send the entire amount to a single P2TR output.
+"""
+
+from typing import Optional
+
+from test_framework import key, script
+from test_framework.test_framework import BitcoinTestFramework, TestNode
+from test_framework.p2p import P2PInterface
+from test_framework.wallet import MiniWallet, MiniWalletMode
+from test_framework.script import (
+    CScript,
+    OP_1, OP_CHECKCONTRACTVERIFY, OP_CHECKSEQUENCEVERIFY, OP_CHECKSIG, OP_DROP,
+    OP_DUP, OP_PICK, OP_SWAP, OP_TRUE
+)
+from test_framework.messages import CTransaction, CTxOut
+from test_framework.util import assert_equal, assert_raises_rpc_error
+
+from feature_checkcontractverify import (
+    P2TR, AugmentedP2TR, CCV_MODE_CHECK_INPUT, CCV_MODE_CHECK_OUTPUT, CCV_MODE_CHECK_OUTPUT_DEDUCT_AMOUNT,
+    CcvInput, PrivkeyPlaceholder, TapTree, create_tx, NUMS_KEY
+)
+
+
+unvault_privkey = key.ECKey()
+unvault_privkey.set(
+    b'y\x88\xe19\x11_\xf6\x19L#\xb7t\x9c\xce\x1c\x08\xf6\xdf\x1a\x01W\xc8\xc1\x07\x8d\xb9\x14\xf1\x91\x89c\x8b', True)
+unvault_pubkey_xonly = unvault_privkey.get_pubkey().get_bytes()[1:]
+
+recover_privkey = key.ECKey()
+recover_privkey.set(
+    b'\xdcg\xd3\x9f\xc5\x0c/\x82\x06\x01\\T\x8f\xd2\xb6\x90\xddJ\xe5:\xbc\xddJ\rV\x1c\xe2\x07\xb0\xdd7\x89', True)
+recover_pubkey_xonly = recover_privkey.get_pubkey().get_bytes()[1:]
+
+
+class Vault(P2TR):
+    """
+    A UTXO that can be spent either:
+    - with the "recover" clause, sending it to a PT2R output that has recover_pk as the taproot key
+    - with the "trigger" clause, sending the entire amount to an Unvaulting output, after providing a 'withdrawal_pk'
+    - with the "trigger_and_revault" clause, sending part of the amount to an output with the same script as this Vault, and the rest
+      to an Unvaulting output, after providing a 'withdrawal_pk'
+    - with the alternate_pk using the keypath spend (if provided; the key is NUMS_KEY otherwise)
+    """
+
+    def __init__(self, alternate_pk: Optional[bytes], spend_delay: int, recover_pk: bytes, unvault_pk: bytes):
+        assert (alternate_pk is None or len(alternate_pk) == 32) and len(
+            recover_pk) == 32 and len(unvault_pk) == 32
+
+        self.alternate_pk = alternate_pk
+        self.spend_delay = spend_delay
+        self.recover_pk = recover_pk
+        self.unvault_pk = unvault_pk
+
+        unvaulting = Unvaulting(alternate_pk, spend_delay, recover_pk)
+
+        # witness: <sig> <withdrawal_pk> <out_i>
+        trigger = ("trigger",
+                   CScript([
+                       # data and index already on the stack
+                       0 if alternate_pk is None else alternate_pk,  # pk
+                       unvaulting.get_taptree(),  # taptree
+                       CCV_MODE_CHECK_OUTPUT,
+                       OP_CHECKCONTRACTVERIFY,
+
+                       unvault_pk,
+                       OP_CHECKSIG
+                   ])
+                   )
+
+        # witness: <sig> <withdrawal_pk> <trigger_out_i> <revault_out_i>
+        trigger_and_revault = (
+            "trigger_and_revault",
+            CScript([
+                0, OP_SWAP,   # no data tweak
+                -1,  # current input's internal key
+                -1,  # current input's taptweak
+                CCV_MODE_CHECK_OUTPUT_DEDUCT_AMOUNT,  # revault output
+                OP_CHECKCONTRACTVERIFY,
+
+                # data and index already on the stack
+                0 if alternate_pk is None else alternate_pk,  # pk
+                unvaulting.get_taptree(),  # taptree
+                CCV_MODE_CHECK_OUTPUT,
+                OP_CHECKCONTRACTVERIFY,
+
+                unvault_pk,
+                OP_CHECKSIG
+            ])
+        )
+
+        # witness: <out_i>
+        recover = (
+            "recover",
+            CScript([
+                0,  # data
+                OP_SWAP,  # <out_i> (from witness)
+                recover_pk,  # pk
+                0,  # taptree
+                CCV_MODE_CHECK_OUTPUT,
+                OP_CHECKCONTRACTVERIFY,
+                OP_TRUE
+            ])
+        )
+
+        super().__init__(NUMS_KEY if alternate_pk is None else alternate_pk, [
+            trigger, [trigger_and_revault, recover]])
+
+
+class Unvaulting(AugmentedP2TR):
+    """
+    A UTXO that can be spent either:
+    - with the "recover" clause, sending it to a PT2R output that has recover_pk as the taproot key
+    - with the "withdraw" clause, after a relative timelock of spend_delay blocks, sending the entire amount to a P2TR output that has
+      the taproot key 'withdrawal_pk'
+    - with the alternate_pk using the keypath spend (if provided; the key is NUMS_KEY otherwise)
+    """
+
+    def __init__(self, alternate_pk: Optional[bytes], spend_delay: int, recover_pk: bytes):
+        assert (alternate_pk is None or len(alternate_pk)
+                == 32) and len(recover_pk) == 32
+
+        self.alternate_pk = alternate_pk
+        self.spend_delay = spend_delay
+        self.recover_pk = recover_pk
+
+        super().__init__(NUMS_KEY if alternate_pk is None else alternate_pk)
+
+    def get_scripts(self) -> TapTree:
+        # witness: <withdrawal_pk>
+        withdrawal = (
+            "withdraw",
+            CScript([
+                OP_DUP,
+
+                -1,
+                0 if self.alternate_pk is None else self.alternate_pk,
+                -1,
+                CCV_MODE_CHECK_INPUT,
+                OP_CHECKCONTRACTVERIFY,
+
+                # Check timelock
+                self.spend_delay, OP_CHECKSEQUENCEVERIFY, OP_DROP,
+
+                # Check that the transaction output is as expected
+                0,  # no data
+                0,  # output index
+                2, OP_PICK,  # withdrawal_pk
+                0,  # no taptweak
+                CCV_MODE_CHECK_OUTPUT,
+                OP_CHECKCONTRACTVERIFY,
+
+                # withdrawal_pk is left on the stack on success
+            ])
+        )
+
+        # witness: <out_i>
+        recover = (
+            "recover",
+            CScript([
+                0,  # data
+                OP_SWAP,  # <out_i> (from witness)
+                self.recover_pk,  # pk
+                0,  # taptree
+                CCV_MODE_CHECK_OUTPUT,
+                OP_CHECKCONTRACTVERIFY,
+                OP_TRUE
+            ])
+        )
+
+        return [withdrawal, recover]
+
+
+# We reuse these specs for all the tests
+vault_contract = Vault(
+    alternate_pk=None,
+    spend_delay=10,
+    recover_pk=recover_pubkey_xonly,
+    unvault_pk=unvault_pubkey_xonly
+)
+unvault_contract = Unvaulting(
+    alternate_pk=None,
+    spend_delay=10,
+    recover_pk=recover_pubkey_xonly
+)
+
+
+class CheckContractVerifyVaultTest(BitcoinTestFramework):
+    def set_test_params(self):
+        self.num_nodes = 1
+        self.extra_args = [
+            [
+                # Use only one script thread to get the exact reject reason for testing
+                "-par=1",
+                # TODO: figure out changes to standardness rules
+                "-acceptnonstdtxn=1",
+                # TODO: remove when package relay submission becomes a thing.
+                "-minrelaytxfee=0",
+                "-blockmintxfee=0",
+            ]
+        ]
+        self.setup_clean_chain = True
+
+    def run_test(self):
+        wallet = MiniWallet(self.nodes[0], mode=MiniWalletMode.RAW_OP_TRUE)
+        node = self.nodes[0]
+        node.add_p2p_connection(P2PInterface())
+
+        # Generate some matured UTXOs to spend into vaults.
+        self.generate(wallet, 200)
+
+        # Run the original end-to-end Vault flow.
+        self.test_vault_e2e(node, wallet)
+        # Test spending two Vault outputs in one transaction.
+        self.test_trigger_and_revault(node, wallet)
+        # Test spending the Unvaulting output using the 'recover' clause.
+        self.test_unvault_recover(node, wallet)
+
+    def test_vault_e2e(
+        self,
+        node: TestNode,
+        wallet: MiniWallet,
+    ):
+        """
+        Demonstrates a simple Vault flow:
+         1) Create a Vault output
+         2) Trigger into Unvault output
+         3) Attempt early withdrawal (fail)
+         4) Wait spend_delay blocks
+         5) Attempt withdrawal to a wrong pubkey (fail)
+         6) Complete the withdrawal
+        """
+        ######################################
+        # Create the Vault UTXO
+        ######################################
+        vault_amount = 50_000
+        vault_txout = CTxOut(
+            vault_amount, vault_contract.get_tr_info().scriptPubKey)
+        res = wallet.send_to(
+            from_node=node,
+            scriptPubKey=vault_txout.scriptPubKey,
+            amount=vault_txout.nValue
+        )
+        vault_txid, vault_vout = res["txid"], res["sent_vout"]
+        self.generate(node, 1)
+
+        ######################################
+        # Step 2: Trigger → Unvault
+        ######################################
+
+        withdrawal_pk = b'\x01' * 32
+
+        tx_trigger = create_tx(
+            inputs=[CcvInput(
+                vault_txid, vault_vout, vault_amount,
+                vault_contract,
+                b'',
+                "trigger",
+                # [unvault_signature, unvault_pk, out_i]
+                [PrivkeyPlaceholder(unvault_privkey),
+                 withdrawal_pk, script.bn2vch(0)]
+            )],
+            outputs=[
+                unvault_contract.get_tx_out(vault_amount, withdrawal_pk),
+            ],
+        )
+
+        trigger_txid = self.assert_broadcast_tx(tx_trigger, mine_all=True)
+
+        ######################################
+        # Step 3: Attempt early withdrawal (fail)
+        ######################################
+
+        withdraw_amount = vault_amount
+        withdrawal_inputs = [CcvInput(
+            trigger_txid, 0, withdraw_amount,
+            unvault_contract,
+            withdrawal_pk,
+            "withdraw",
+            [withdrawal_pk],
+            nSequence=vault_contract.spend_delay
+        )]
+
+        tx_withdraw = create_tx(
+            inputs=withdrawal_inputs,
+            outputs=[
+                CTxOut(withdraw_amount, CScript([OP_1, withdrawal_pk]))
+            ],
+        )
+
+        # This should fail, as the timelock is not satisfied yet
+        self.assert_broadcast_tx(tx_withdraw, err_msg="non-BIP68-final")
+
+        ######################################
+        # Step 4: Wait spend_delay blocks
+        ######################################
+        self.generate(node, vault_contract.spend_delay)
+
+        ######################################
+        # Step 5: Attempt withdrawal to a wrong pubkey
+        ######################################
+        tx_withdraw_wrong = create_tx(
+            inputs=withdrawal_inputs,
+            outputs=[
+                CTxOut(withdraw_amount, CScript([OP_1, b'\x02' * 32]))
+            ],
+        )
+        self.assert_broadcast_tx(
+            tx_withdraw_wrong, err_msg="Mismatching contract data or program")
+
+        ######################################
+        # Step 6: Complete the withdrawal
+        ######################################
+        self.assert_broadcast_tx(tx_withdraw, mine_all=True)
+
+    def test_trigger_and_revault(self, node: TestNode, wallet: MiniWallet):
+        """
+        Test creating two different Vault outputs and spending them together into one Unvaulting output.
+        One input uses the 'trigger' clause and the other uses the 'trigger_and_revault' clause.
+        """
+
+        withdrawal_pk = b'\x01' * 32
+
+        # Create two Vault outputs with different amounts.
+        vault_amount1 = 40_000
+        vault_amount2 = 50_000
+
+        withdrawal_amount = 60_000
+        revault_amount = vault_amount1 + vault_amount2 - withdrawal_amount
+
+        res1 = wallet.send_to(
+            from_node=node,
+            scriptPubKey=vault_contract.get_tr_info().scriptPubKey,
+            amount=vault_amount1
+        )
+        vault1_txid, vault1_vout = res1["txid"], res1["sent_vout"]
+
+        res2 = wallet.send_to(
+            from_node=node,
+            scriptPubKey=vault_contract.get_tr_info().scriptPubKey,
+            amount=vault_amount2
+        )
+        vault2_txid, vault2_vout = res2["txid"], res2["sent_vout"]
+
+        self.generate(node, 1)  # confirm both vault outputs
+
+        # Create a transaction that spends both vault outputs into a single Unvaulting output.
+        # For the first input, use the 'trigger' clause.
+        # For the second input, use the 'trigger_and_revault' clause.
+        tx_trigger = create_tx(
+            inputs=[
+                CcvInput(
+                    vault1_txid, vault1_vout, vault_amount1,
+                    vault_contract,
+                    b'',
+                    "trigger",
+                    [PrivkeyPlaceholder(unvault_privkey),
+                     withdrawal_pk, script.bn2vch(0)]
+                ),
+                CcvInput(
+                    vault2_txid, vault2_vout, vault_amount2,
+                    vault_contract,
+                    b'',
+                    "trigger_and_revault",
+                    [PrivkeyPlaceholder(unvault_privkey),
+                     withdrawal_pk, script.bn2vch(0), script.bn2vch(1)]
+                )
+            ],
+            outputs=[
+                unvault_contract.get_tx_out(withdrawal_amount, withdrawal_pk),
+                vault_contract.get_tx_out(revault_amount)
+            ],
+        )
+
+        self.assert_broadcast_tx(tx_trigger, mine_all=True)
+
+    def test_unvault_recover(self, node: TestNode, wallet: MiniWallet):
+        """
+        Test spending a Vault output to create an Unvaulting output and then
+        spending the Unvaulting output using the 'recover' clause.
+        """
+
+        withdrawal_pk = b'\x01' * 32
+        vault_amount = 50_000
+
+        # Create the Vault output.
+        vault_txout = CTxOut(
+            vault_amount, vault_contract.get_tr_info().scriptPubKey)
+        res = wallet.send_to(
+            from_node=node,
+            scriptPubKey=vault_txout.scriptPubKey,
+            amount=vault_txout.nValue
+        )
+        vault_txid, vault_vout = res["txid"], res["sent_vout"]
+        self.generate(node, 1)
+
+        # Spend the Vault output using the 'trigger' clause to produce an Unvaulting output.
+        tx_trigger = create_tx(
+            inputs=[CcvInput(
+                vault_txid, vault_vout, vault_amount,
+                vault_contract,
+                b'',
+                "trigger",
+                [PrivkeyPlaceholder(unvault_privkey),
+                 withdrawal_pk, script.bn2vch(0)]
+            )],
+            outputs=[
+                unvault_contract.get_tx_out(vault_amount, withdrawal_pk)
+            ],
+        )
+        unvault_txid = self.assert_broadcast_tx(tx_trigger, mine_all=True)
+
+        inputs = [CcvInput(
+            unvault_txid, 0, vault_amount,
+            unvault_contract,
+            withdrawal_pk,
+            "recover",
+            [script.bn2vch(0)]
+        )]
+
+        # Recovering to the wrong pubkey should fail.
+        tx_recover_wrong = create_tx(
+            inputs=inputs,
+            outputs=[
+                CTxOut(vault_amount, CScript([OP_1, NUMS_KEY]))
+            ],
+        )
+        self.assert_broadcast_tx(
+            tx_recover_wrong, err_msg="Mismatching contract data or program")
+
+        # Now correctly spend the Unvaulting output using the 'recover' clause.
+        tx_recover = create_tx(
+            inputs=inputs,
+            outputs=[
+                CTxOut(vault_amount, CScript([OP_1, recover_pubkey_xonly]))
+            ],
+        )
+        self.assert_broadcast_tx(tx_recover, mine_all=True)
+
+    # taken from OP_VAULT PR's functional test
+
+    def assert_broadcast_tx(
+        self,
+        tx: CTransaction,
+        mine_all: bool = False,
+        err_msg: Optional[str] = None
+    ) -> str:
+        """
+        Broadcast a transaction and facilitate various assertions about how the
+        broadcast went.
+        """
+        node = self.nodes[0]
+        txhex = tx.serialize().hex()
+        txid = tx.rehash()
+
+        if not err_msg:
+            assert_equal(node.sendrawtransaction(txhex), txid)
+        else:
+            assert_raises_rpc_error(-26, err_msg,
+                                    node.sendrawtransaction, txhex)
+
+        if mine_all:
+            self.generate(node, 1)
+            assert_equal(node.getmempoolinfo()["size"], 0)
+
+        return txid
+
+
+if __name__ == "__main__":
+    CheckContractVerifyVaultTest(__file__).main()
diff --git a/test/functional/test_runner.py b/test/functional/test_runner.py
index 217d8eaa8313..71e3e599cb7d 100755
--- a/test/functional/test_runner.py
+++ b/test/functional/test_runner.py
@@ -399,6 +399,7 @@
     'p2p_permissions.py',
     'feature_blocksdir.py',
     'feature_checkcontractverify.py',
+    'feature_checkcontractverify_vaults.py',
     'wallet_startup.py',
     'feature_remove_pruned_files_on_startup.py',
     'p2p_i2p_ports.py',

From f2b542cf957f5ebd81dd77750747a2e9df1e8228 Mon Sep 17 00:00:00 2001
From: Salvatore Ingala <6681844+bigspider@users.noreply.github.com>
Date: Fri, 12 Dec 2025 23:07:31 +0100
Subject: [PATCH 7/7] bench: Add a simple benchmark for OP_CHECKCONTRACTVERIFY

---
 src/bench/CMakeLists.txt             |  1 +
 src/bench/op_checkcontractverify.cpp | 44 ++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+)
 create mode 100644 src/bench/op_checkcontractverify.cpp

diff --git a/src/bench/CMakeLists.txt b/src/bench/CMakeLists.txt
index 16eb29250f50..06b61aa68f80 100644
--- a/src/bench/CMakeLists.txt
+++ b/src/bench/CMakeLists.txt
@@ -34,6 +34,7 @@ add_executable(bench_bitcoin
   mempool_eviction.cpp
   mempool_stress.cpp
   merkle_root.cpp
+  op_checkcontractverify.cpp
   parse_hex.cpp
   peer_eviction.cpp
   poly1305.cpp
diff --git a/src/bench/op_checkcontractverify.cpp b/src/bench/op_checkcontractverify.cpp
new file mode 100644
index 000000000000..29f3e7c19671
--- /dev/null
+++ b/src/bench/op_checkcontractverify.cpp
@@ -0,0 +1,44 @@
+// Copyright (c) 2025 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <bench/bench.h>
+#include <pubkey.h>
+#include <script/interpreter.h>
+#include <script/script.h>
+
+typedef std::vector<unsigned char> valtype;
+
+static void DoubleTweak(benchmark::Bench& bench)
+{
+    const XOnlyPubKey naked_key{ParseHex(
+        "50929B74C1A04954B78B4B6035E97A5E078A5A0F28EC96D547BFEE9ACE803AC0")};
+
+    const std::vector<unsigned char> data(MAX_SCRIPT_ELEMENT_SIZE, 0x42);
+
+    const uint256 merkle_root{ParseHex(
+        "E79925EF2A0DF8D2C0C08BFA7474D016384C5FC64C51EFC5E950AA1A97B88B61")};
+
+    const XOnlyPubKey result_key{ParseHex(
+        "F2DFC709E477C8D73A3625BC05C370B196703E466EB8655977FF69807EEF8F0E")};
+
+    bench.unit("ccv_doubletweak").run([&] {
+        bool ret = result_key.CheckDoubleTweak(naked_key, data, &merkle_root);
+        assert(ret);
+    });
+
+    const XOnlyPubKey schnorr_key{ParseHex(
+        "F9308A019258C31049344F85F89D5229B531C845836F99B08601F113BCE036F9")};
+    const valtype msg{ParseHex(
+        "0000000000000000000000000000000000000000000000000000000000000000")};
+    const valtype sig{ParseHex(
+        "E907831F80848D1069A5371B402410364BDF1C5F8307B0084C55F1CE2DCA821525F66A4A85EA8B71E482A74F382D2CE5EBEEE8FDB2172F477DF4900D310536C0")};
+
+    bench.unit("verify").run("schnorr-good-verify", [&] {
+        auto ret = schnorr_key.VerifySchnorr(uint256(msg), sig);
+        assert(ret);
+    });
+}
+
+
+BENCHMARK(DoubleTweak, benchmark::PriorityLevel::HIGH);