Grin does not allow simultaneous duplicate utxo.
You cannot say that cut-through vulnerabilities could occur before the 1-week horizon, since the security model requires only a valid UTXO set and kernel history at the horizon.
This is illegal since it has an output P1_out equal to an input P1_in.
In Grin, after I spend an output P that I once received from Alice, Alice can publish another tx that recreates output P without my knowledge. Do I “own” this? That’s questionable, since I didn’t agree to receive it and would never recreate this old output myself. (It’s true that if I run a wallet restore, my wallet would find this recreated output and claim it as owned, not realizing that I spent its duplicate earlier.)
There seems to be little point in this replay attack by Alice, except for being able to claim “Haha! I was able to replay your tx by paying you twice”. Even if you consider that a vulnerability, then surely it’s a pretty benign one.
I would hesitate to complicate the consensus rules of Grin to safeguard us against payment replay attacks. At least until I can see how such attacks would do any actual damage. And especially if the new consensus rules break the desirable property that a tx in the mempool remains valid as long as its inputs are unspent.