Bitcoin Covenants Part 3: How SIGHASH_ANYPREVOUT Lets Signatures Work Across UTXOs

Bitcoin’s covenant toolbox keeps growing. Part 3 of Cointelegraph Research’s series walks through SIGHASH_ANYPREVOUT — proposed in BIP 118 — which is basically a new SIGHASH flag value, not a new opcode.

Here’s the core idea. Normally when you sign a Bitcoin transaction, your signature is locked to one specific UTXO — a particular transaction ID and output index. Change the outpoint and the signature breaks. ANYPREVOUT removes that binding.

The flag comes in two flavors. SIGHASH_ANYPREVOUT excludes the outpoint from what gets signed, but still commits to the amount and scriptPubKey of the UTXO being spent. SIGHASH_ANYPREVOUTANYSCRIPT goes further — it drops the amount and scriptPubKey too, meaning the signature isn’t tied to the locking script at all.

Why does this matter? Because it enables signature reuse. Say you pre-sign a transaction to send 0.5 BTC from a specific address. With ANYPREVOUT, that same signature can spend a different UTXO later — as long as it’s also 0.5 BTC and sitting at the same address. The private key could even be gone by then. The catch: if the new UTXO has more than 0.5 BTC, the excess goes to miners unless you built in a change output.

This rebinding property is what makes ANYPREVOUT useful for Lightning, vaults, and layer-2 protocols. Same pre-signed transaction, multiple possible on-chain UTXOs, no need for new signatures each time.

There are risks. Signature replay is the big one — the same signature could spend a different UTXO than you intended. This gets worse with certain flag combinations. But these scenarios mostly require deliberate misuse or bad protocol design.

Up next in the series: OP_CHECKSIGFROMSTACK and OP_CAT — the supporting tools that extend what Bitcoin script can express.