In this system, can't I create a taproot key with pubkey (xG+tH) contributing (xG+(t+v)H) to the curvetree, and use that to provide a false proof that I have t sats more than I ever had (and t+v sats more than I can spend, since such a pubkey is unspendable)?


Discussion

The tree is constructed publicly (so both by the prover and the verifier, and whoever), from the public data of taproot pubkeys and sat values of the utxos. The privacy comes from the select-and-rerandomize algo, which makes a blinded version of the commitments xG + vH (in this application), adding rJ. So you can't claim a pubkey or amount that is different, and your knowledge of the private key is ensured by the proof of representation (see 3.6 in the paper).
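The two points in that reply, worked through as an added example that is not code from either post or from the Curve Trees paper: the leaf xG + vH is built from public data, so a forged leaf xG + (v+t)H simply is not in the set the verifier built; the blinded leaf xG + vH + rJ only hides which leaf was selected, and a proof of representation over (G, H, J) binds the prover to the true (x, v, r). Everything below is an assumption for illustration: secp256k1 as the curve, H and J derived by try-and-increment hashing so nobody knows their discrete log with respect to G, a flat Python list standing in for the curve tree, a plain Fiat-Shamir Schnorr-style sigma protocol standing in for whatever section 3.6 of the paper specifies, and three constructed UTXO values.

```python
# Added example (not from the thread or the paper): Pedersen-style leaf xG + vH,
# select-and-rerandomize blinding with rJ, and a Schnorr-style proof of
# representation over (G, H, J). A flat list stands in for the curve tree.
import hashlib
import secrets

# secp256k1 parameters (assumed curve; the post does not name one)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication, scalar reduced mod the group order."""
    acc = None
    k %= N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def hash_to_point(label):
    """Try-and-increment hash-to-curve: a generator with unknown log base G."""
    i = 0
    while True:
        x = int.from_bytes(hashlib.sha256(label + i.to_bytes(4, "big")).digest(), "big") % P
        y2 = (pow(x, 3, P) + 7) % P
        y = pow(y2, (P + 1) // 4, P)  # valid square root when y2 is a QR, since P % 4 == 3
        if y * y % P == y2:
            return (x, y)
        i += 1


H = hash_to_point(b"curvetree-example-H")  # assumed generator for sat values
J = hash_to_point(b"curvetree-example-J")  # assumed generator for the blinding term


def leaf_commitment(pubkey, v):
    """Public leaf: taproot pubkey P = xG plus vH for the UTXO's sat value v."""
    return ec_add(pubkey, ec_mul(v, H))


def rerandomize(leaf, r):
    """select-and-rerandomize output: leaf + rJ, hiding which leaf was chosen."""
    return ec_add(leaf, ec_mul(r, J))


def _challenge(c_blind, nonce_pt):
    h = hashlib.sha256()
    for pt in (c_blind, nonce_pt):
        h.update(pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % N


def prove_representation(c_blind, x, v, r):
    """Prove knowledge of (x, v, r) with c_blind = xG + vH + rJ (Fiat-Shamir sigma protocol)."""
    k = [secrets.randbelow(N - 1) + 1 for _ in range(3)]
    nonce_pt = ec_add(ec_add(ec_mul(k[0], G), ec_mul(k[1], H)), ec_mul(k[2], J))
    e = _challenge(c_blind, nonce_pt)
    return nonce_pt, [(ki + e * w) % N for ki, w in zip(k, (x, v, r))]


def verify_representation(c_blind, proof):
    """Check s1*G + s2*H + s3*J == R + e*c_blind."""
    nonce_pt, (s1, s2, s3) = proof
    e = _challenge(c_blind, nonce_pt)
    lhs = ec_add(ec_add(ec_mul(s1, G), ec_mul(s2, H)), ec_mul(s3, J))
    return lhs == ec_add(nonce_pt, ec_mul(e, c_blind))


def demo():
    """Constructed sample: three UTXOs, the prover owns only the second one."""
    keys = [secrets.randbelow(N - 1) + 1 for _ in range(3)]
    values = [50_000, 120_000, 7_500]  # constructed sat values
    leaves = [leaf_commitment(ec_mul(x, G), v) for x, v in zip(keys, values)]
    x, v = keys[1], values[1]
    t = 1_000_000
    # 1. The forged leaf xG + (v+t)H is not among the leaves the verifier built.
    forged_in_tree = leaf_commitment(ec_mul(x, G), v + t) in leaves
    # 2. The honest leaf, blinded, verifies with the true (x, v, r).
    r = secrets.randbelow(N - 1) + 1
    blinded = rerandomize(leaves[1], r)
    honest_ok = verify_representation(blinded, prove_representation(blinded, x, v, r))
    # 3. Claiming v+t for the same blinded leaf fails: xG + (v+t)H + rJ is a different point.
    inflated_ok = verify_representation(blinded, prove_representation(blinded, x, v + t, r))
    return forged_in_tree, honest_ok, inflated_ok


if __name__ == "__main__":
    print(demo())
```

The third check is the binding property: with G, H and J of mutually unknown discrete logs, an accepting proof for (x, v+t, r) on the same blinded point would give a nontrivial relation among the generators, so a prover cannot attach a value to a blinded leaf other than the one the public tree already carries.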