Ashigaru's Whirlpool can steal your money. This is something I mentioned in passing in a previous note, but it is important to develop in some detail.

Basically, it is the Whirlpool server that tells the client how much it must pay, and the client trusts that blindly. This allows the server to instruct clients to pay as much as it wants.

But why not simply check that the coordination fee is the promised 5%? Because Samourai had "discount codes" (scode) designed to allow some users to pay lower coordination fees. These codes were opaque to the client and only understandable by the server. This means that the client had no way to know how much it had to pay and it had to be the server the one that makes the math. As a side note, it seems these "discounts" were not verified and could even be negative.

Fortunately, it seems the Ashigaru team removed the "discounts" functionality, which is the right thing to do. The next step should be to hardcode the 5% coordination fee on the client.

It would also be good to clean the code and remove all what it is not being used anymore because all the variables and messages are still there making the auditting much harder.