The Whirlpool client proves ownership of the registered input by always signing the same message, which is the pool denomination (e.g., "0.025btc"). This means that a coordinator can use the received ownership proofs to attack every other coordinator.

To prevent this and also prevent the same signature from being used to prove ownership of a different UTXO with the same scriptPubKey, a simple solution could be to commit to the outpoint, the mix ID, and the coordinator URI in addition to the poolId.

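The fix proposed in the note above, as an added example that is not part of the original note and is not Whirlpool code: it compares a denomination-only message with one that also commits to the outpoint, mix ID and coordinator URI. The tag, field names, encoding and sample values are assumptions, and HMAC stands in for the wallet's real signature so the sketch runs with the standard library only.

```python
import hashlib, hmac, struct

TAG = b"example/ownership-proof/v1"  # hypothetical domain-separation tag

def legacy_message(ctx: dict) -> bytes:
    # Behaviour described in the note: only the pool denomination is signed.
    return ctx["pool_id"].encode()

def bound_message(ctx: dict) -> bytes:
    # Proposed fix: commit to outpoint, mix ID and coordinator URI as well.
    # Length-prefixing each field keeps field boundaries unambiguous.
    fields = [
        TAG,
        ctx["pool_id"].encode(),
        bytes.fromhex(ctx["txid"]),
        struct.pack(">I", ctx["vout"]),
        ctx["mix_id"].encode(),
        ctx["coordinator_uri"].encode(),
    ]
    data = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return hashlib.sha256(data).digest()

def sign(key: bytes, msg: bytes) -> bytes:
    # Stand-in (assumption) for a signature by the key behind the scriptPubKey.
    return hmac.new(key, msg, hashlib.sha256).digest()

def coordinator_accepts(key: bytes, sig: bytes, build, own_ctx: dict) -> bool:
    # A coordinator rebuilds the message from its OWN view of the round and
    # input, so a proof made for another context verifies only if the
    # message does not depend on that context.
    return hmac.compare_digest(sign(key, build(own_ctx)), sig)

# Constructed sample contexts (all values are made up for illustration).
KEY = b"constructed-demo-key"
CTX_A = {"pool_id": "0.025btc", "txid": "aa" * 32, "vout": 0,
         "mix_id": "mix-1", "coordinator_uri": "https://coordinator-a.example"}
CTX_B = dict(CTX_A, mix_id="mix-9", coordinator_uri="https://coordinator-b.example")
CTX_OTHER_UTXO = dict(CTX_A, txid="bb" * 32, vout=1)  # same key, other outpoint

def demo() -> dict:
    out = {}
    for name, build in (("legacy", legacy_message), ("bound", bound_message)):
        sig = sign(KEY, build(CTX_A))  # proof produced once, for context A
        out[name] = {
            "original": coordinator_accepts(KEY, sig, build, CTX_A),
            "other_coordinator": coordinator_accepts(KEY, sig, build, CTX_B),
            "other_utxo": coordinator_accepts(KEY, sig, build, CTX_OTHER_UTXO),
        }
    return out
```

With the denomination-only message the proof made for context A is accepted in all three contexts; with the bound message it is accepted only in the context it was made for.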

Discussion

Yes, this was discussed a bit on the mailing list. I'll dig up a link later, if you didn't see it.

Oops I didn't know that it was a known issue.

Actually I just read your message again. What you're saying is way more specific!

Really, the message is *just* the denomination!? That's pretty bad.

(The thread I'm referring to was more general, it didn't cover exactly that: https://groups.google.com/g/bitcoindev/c/CbfbEGozG7c/m/oJTF8wqRDgAJ )

Yes, it is **just** the denomination. It is in the code and also documented: