A Seattle crack addict is more likely to steal my money than Asigaru devs.
Discussion
I am not saying the opposite.
# You have to understand the context here: FOSS and decentralization
Listen, when you install a Bitcoin wallet and send money to it, you are trusting the wallet's developers not to steal your money. This is because developers can take your money if they want to. Developers don't need to exploit vulnerabilities!
Even when other developers can audit the code from time to time, the user cannot assume that there will always be someone reviewing the code for each new release, so in summary: there is trust in the development team, and that's always the case.
Now, given that the user already fully trusts the dev team, and it is the same dev team that develops and runs the coordinator, the user doesn't have any reason to feel any extra worry.
However, Whirlpool is an open source software project, and that means that anyone can compile the code and run a Whirlpool coordinator. If I understood correctly from the Ashigaru team announcement, they are moving into a decentralization strategy where others can host a coordinator. In this case, users would expect the Whirlpool client to protect them from an untrustworthy coordinator.
There are also many other scenarios that I could use to illustrate why minimizing the level of trust in the coordinator is something good, and I hope the Ashigaru team implements those measures in future releases.
Ok so we agree that funds can't be swept by the devs and only upon the USER initiation of a Tx0 COULD there be, NOT that there IS, a malicious fee that COULD in theory be made by the coordinator, BUT there isn't any code that we have identified that allows for the fee to be altered; it just isn't hard coded into the client Ashigaru Terminal.
If my above statement represents truth then we haven't established yet by what means, in the code, the fee CAN be changed.
Furthermore, I believe so much of the framework for your line of argument is based on the architecture of other coinjoin implementations. While yes, it may be true that others can create X, Y or Z alternative implementations of Whirlpool coordinators, they also need to have a client that will communicate with it and be able to attract trust and liquidity.
Whirlpool requires a coordinator and connections to Dojos. We don't want a bunch of different coordinators. We want the coordinator to either run in a true decentralized manner... meaning the coordination occurs by the users.. NOT via multiple coordinators and pools. The coordination will occur via users' Dojos talking to each other.
Whirlpool users aren't wanting multiple pools of liquidity. We want a single big pool to hide in. This is why there was never a fork of Samourai or Whirlpool before. No client or coordinator could compete. Sparrow joined the same pool they didn't release their own coordinator.
This initial release will be updated and improved. The goal is clearly a robust, attack-resistant and decentralized coordination over Soroban with Dojos. I agree with actions to trust-minimize, like creating a new wallet just for Whirlpool and only sending pool size plus fees UTXOs to it.
> Ok so we agree that funds can't be swept by the devs
No, I stated exactly the opposite. I said that wallet developers can sweep users' wallets and users simply trust developers. There are very few wallets with tons of developers and eyes reviewing everything all the time; the rest of the projects have very few maintainers and almost no external reviewers.
> BUT there isn't any code that we have identified that allows for the fee to be altered, it just isn't hard coded into the client Ashigaru Terminal.
The server decides the coordination fee and the client doesn't verify it; that's the point.
> Whirlpool requires a coordinator and connections to Dojos. We don't want a bunch of different coordinators.
Okay, I get it. I misunderstood the decentralization part then. If there will not be other (potentially malicious) coordinators, then it makes no sense to protect the user from them. In fact, it makes no sense to verify anything coming from the server; only messages from the users should not be trusted.
> We want the coordinator to either run in a true decentralized manner... meaning the coordination occurs by the users.. NOT via multiple coordinators and pools. The coordination will occur via users' Dojos talking to each other.
Thanks for sharing, it is a really fantastic goal, but in that case it would be even more important to develop a defensive mentality where external inputs need to be verified and not blindly trusted.
Sweeping implies that funds sent to a deposit address in Ashigaru Terminal can be taken by devs without an action by the user. This is simply not true.
Perhaps theoretically as you are describing, UPON THE USER INITIATING a Tx0 then the fee MAY be able to be manipulated to equal the entire Tx0. That is very different from simply having a deposit wallet drained without a user action. Do you understand the difference?
You still haven't shown the code that would allow the coordinator to alter the fee.
When you initiate the tx0 in Ashigaru Terminal it displays the tx0 fee and the structure of the transaction you are about to broadcast.
After you broadcast the tx you can see in a different wallet software (or mempool[dot] space) if it indeed matched what the Ashigaru Terminal wallet said would be the fee.
If it did not match then you can do a CPFP back to your deposit account. Crisis averted.
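Two points in this thread lend themselves to one worked illustration: the earlier claim that the coordinator names the Tx0 fee and the client does not check it, and the check suggested in the post above (compare the outputs actually broadcast with what the wallet displayed). The block below is an added example written for this thread; it is not code from Ashigaru, Samourai or Whirlpool, and the pool denomination, fee cap, addresses and amounts are all constructed. It shows a "trust whatever the server sends" planner next to one that refuses a fee outside a local policy before signing, and a post-broadcast comparison against the displayed plan.

```python
"""
Added example, not Ashigaru/Samourai/Whirlpool code. A toy Tx0 planner that
treats the coordinator-supplied fee as untrusted input, beside the variant
that trusts it, plus a check that the outputs an independent explorer or
node shows match what the wallet displayed. All numbers and addresses are
constructed for illustration.
"""
from dataclasses import dataclass

# Constructed pool policy (hypothetical; real pools and fee schedules differ).
POOL_DENOMINATION = 1_000_000   # sats per premix output
MAX_COORDINATOR_FEE = 50_000    # most this client will ever pay the coordinator
DUST_LIMIT = 546                # change at or below this is not created


@dataclass(frozen=True)
class FeeParams:
    """What the coordinator tells the client: how much to pay, and where."""
    fee_value: int
    fee_address: str


@dataclass(frozen=True)
class Tx0Plan:
    """The transaction structure the wallet shows before broadcasting."""
    premix_count: int
    fee: FeeParams
    change_value: int

    def outputs(self) -> list[tuple[str, int]]:
        """Outputs as (address, sats); premix/change addresses are placeholders."""
        outs = [(f"premix_{i}", POOL_DENOMINATION) for i in range(self.premix_count)]
        outs.append((self.fee.fee_address, self.fee.fee_value))
        if self.change_value > DUST_LIMIT:
            outs.append(("change", self.change_value))
        return outs


def _split(inputs_total: int, fee: FeeParams, miner_fee: int) -> Tx0Plan:
    """Carve inputs into premix outputs, coordinator fee and change."""
    spendable = inputs_total - fee.fee_value - miner_fee
    if spendable < 0:
        raise ValueError("inputs do not cover fees")
    premix_count = spendable // POOL_DENOMINATION
    change = spendable - premix_count * POOL_DENOMINATION
    return Tx0Plan(premix_count, fee, change)


def plan_tx0_trusting(inputs_total: int, fee: FeeParams, miner_fee: int) -> Tx0Plan:
    """Unhardened: whatever fee the server names goes straight into the plan."""
    return _split(inputs_total, fee, miner_fee)


def plan_tx0_checked(inputs_total: int, fee: FeeParams, miner_fee: int,
                     fee_cap: int = MAX_COORDINATOR_FEE) -> Tx0Plan:
    """Hardened: reject a server-supplied fee outside local policy before signing."""
    if not 0 <= fee.fee_value <= fee_cap:
        raise ValueError(f"coordinator fee {fee.fee_value} outside [0, {fee_cap}]")
    plan = _split(inputs_total, fee, miner_fee)
    if plan.premix_count == 0:
        raise ValueError("fee leaves no premix outputs; refusing to sign")
    return plan


def fee_is_acceptable(inputs_total: int, fee: FeeParams, miner_fee: int) -> bool:
    """True if the checked planner would sign a Tx0 with this fee."""
    try:
        plan_tx0_checked(inputs_total, fee, miner_fee)
        return True
    except ValueError:
        return False


def verify_broadcast(plan: Tx0Plan, seen_outputs: list[tuple[str, int]]) -> bool:
    """Compare outputs reported by an independent node/explorer with the plan."""
    return sorted(plan.outputs()) == sorted(seen_outputs)


if __name__ == "__main__":
    honest = FeeParams(20_000, "coordinator_fee_addr")        # constructed
    malicious = FeeParams(5_240_000, "attacker_addr")         # eats the whole Tx0
    print(plan_tx0_trusting(5_250_000, malicious, 10_000).outputs())   # only the fee
    print(fee_is_acceptable(5_250_000, malicious, 10_000))             # False
    plan = plan_tx0_checked(5_250_000, honest, 10_000)
    print(verify_broadcast(plan, plan.outputs()))                       # True
```

The trusting planner is where the thread's concern lives: with a fee equal to everything but the miner fee, it happily produces a transaction whose only output pays the coordinator. The checked planner bounds the fee locally and refuses any plan with zero premix outputs, so a bad value from the server fails before anything is signed. `verify_broadcast` is the after-the-fact comparison from the post above, expressed as an exact match on the output set rather than a glance at one number.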
