Assuming design: https://gist.github.com/DavidBurkett/ba41f314b12566987dc9ba3534c6c773
Alice creates 2 outputs for Bob:
OB1 = { v1, Kr1 = B + HASH32(T_RECEIVE||t1)*G}
OB2 = { v2, Kr2 = B + HASH32(T_RECEIVE||t2)*G}
where v2 > v1.
Bob spends OB1 to Alice, creating output OA1 in tx1, and spends OB2 to Charlie, creating output OC in tx2:
tx1: {in: OB1; kern: k1; out: OA}
tx2: {in: OB2; kern: k2; out: OC}
Both transactions are broadcast at the same time.
Alice, a miner, sees both transactions, and realizes she has an opportunity to receive v2 coins instead of v1.
She modifies tx1, creating tx1':
tx1': {in: OB2; kern: k1; out: OA'}
where OA' consists a new commitment for v2 coins.
She knows the blinding factor of OB2, since she created it, so generating a new commitment and balancing the kernel excess is trivial.
She generates a new rangeproof for OA', committing to the same output data (i.e. {v'||n'||Ks||Kr||Ke||ρ}
) as OA
Now everything validates except for the stealth excess equation (i.e. t'*G = (ΣKs - ΣKr) - ΣE'
)
Alice does not know Kr1 or Kr2, but she does know the difference between the 2:
kr2 - kr1 = HASH32(T_RECEIVE||t2) - HASH32(T_RECEIVE||t1)
To make the stealth offset equation balance, she can just increase the stealth offset for tx1' by kr2 - kr1