Seems like clients don’t verify that signatures actually come from that hardcoded key (which they are definitely able to do). Until that is done, clients are still vulnerable to a coordinator tagging attack.

Discussion

have you also verified about the signatures

or are you just taking floppy's word for it?