Thread

Claiming Ashigaru Whirlpool can steal funds is not quite correct. If I grant you your claim, then what you propose is more that the coordinator potentially charge a different fee than the 5% of the pool size when the USER initiates a Tx0. The coordinator can't simply sweep a user's wallet as your claim of potential theft seems to imply. If the Scode function of alternate fees was removed, by what mechanism does the coordinator have to charge a different fee than what is displayed in the terminal?

> The next step should be to hardcode the 5% coordination fee on the client Why not accept the coordinator's fee, as long as it's <= 5%?

5% is ridiculous. 0.5% is about right.

A Seattle crack addict is more likely to steal my money than Asigaru devs.

It is a flat fee per pool. If you send 0.25BTC into the 0.025BTC pool your fee is still 125k sats.

Gotcha. 👍🏻

Do it!

I am not saying the opposite. # You have to understand the context here: FOSS and decentralization Listen, when you install a Bitcoin wallet and send money to it, you are trusting the wallet's developers not to steal your money. This is because developers can take your money if they want to. Developers don't need to exploit vulnerabilities! Even when other developers can audit the code from time to time, the user cannot assume that there will always be someone reviewing the code for each new release, so in summary: there is trust in the development team, and that's always the case. Now, given that the user already fully trusts the dev team, and it is the same dev team that develops and runs the coordinator, the user doesn't have any reason to feel any extra worry. However, Whirlpool is an open source software project, and that means that anyone can compile the code and run a Whirlpool coordinator. If I understood correctly from the Ashigaru team announcement, they are moving into a decentralization strategy where others can host a coordinator. In this case, users would expect the Whirlpool client to protect them from an untrustworthy coordinator. There are also many other scenarios that I could use to illustrate why minimizing the level of trust in the coordinator is something good, and I hope the Ashigaru team implements those measures in future releases.

My note is extremely clear and it doesn't allow you to imply that the coordinator can sweep a user's wallet. Exactly, by not verifying the info the client opens the door to a malicious coordinator to potentially charge a different fee than the 5% (steal). You could agree with me that removing the Scode was the correct thing to do, right? Could you agree also that checking how much fee a user has to pay is the correct thing to do? Or, do you prefer to let that to the users?

Ok so we agree that funds can't be swept by the devs and only upon the USER iniatiation of a Tx0 COULD there be, NOT that there IS, a malicious fee COULD in theory be made by the coordinator BUT there isn't any code that we have identified thay allows for the fee to be altered, it just isn't hard coded into the client Ashigaru Terminal. If my above statement represents truth then we haven't established yet by what means, in the code, the fee CAN be changed. Futhermore I believe so much of the framework for your line of arguement is based on the architecture of other coinjoin implementations. While yes it may be true that others can create X, Y or Z alternative implemantations of Whirlpool coordibators they also need to have a client that will communicate to it and be able to attract trust and lquidity. Whirlpool requires a coordinator and connections to Dojo's. We don't want a bunch of different coordinators. We want the coordinator to either run in a true decentralized manner... meaning the coodination occurs by the users.. NOT via multiple coordinators and pools. The coordination will occur via user's Dojo's talking to eachother. Whirlpool users aren't wanting multiple pools of liquidity. We want a single big pool to hide in. This is why there was never a fork of Samourai or Whirlpool before. No client or coordinator could compete. Sparrow joined the same pool they didn't release their own coordinator. This initial release will be updated and improved. The goal is clearly a robust attack resistent and decentralized coordination over soroban with dojo's. I agree with actions to trust minimize like creating a new wallet just for whirpool and only sending pool size plus fees UTXO's to it.

> Ok so we agree that funds can't be swept by the devs No, I stated exactly the opposite. I said that wallet developers can sweep users' wallets and users simply trust developers. There are very few wallets with tons of developers and eyes reviewing everything all the time; the rest of the projects have very few maintainers and almost no external reviewers. > BUT there isn't any code that we have identified thay allows for the fee to be altered, it just isn't hard coded into the client Ashigaru Terminal. The server decides the coordination fee and the client doesn't verify it —pthat's the point. > Whirlpool requires a coordinator and connections to Dojo's. We don't want a bunch of different coordinators. Okay, I get it. I misunderstood the decentralization part then. If there would not be other —potentially malicious— coordinators, then it makes no sense to protect the user from them. In fact, it makes no sense to verify anything coming from the server, only messages from the users should not be trusted. > We want the coordinator to either run in a true decentralized manner... meaning the coodination occurs by the users.. NOT via multiple coordinators and pools. The coordination will occur via user's Dojo's talking to eachother. Thanks for sharing, it is a really fantastic goal, but in that case it would be even more important to develop a defensive mentality where external inputs need to be verified and not blindly trusted.

When you enter the pool you do it manually., right? There you have to see if the entry fee is acceptable or not. I do not see the need for the percentage to be duplicated in the wallet.

nostr:npub1ak68qfcjj7k95c0jwleu69x72nr8adwv6g80pkwl9xlps6zmkqzqrxy8fx clarified this and the idea is to not support multiple coordinators. There will be one coordinator developed, maintained and run by the same team that Ashigaru users already trust. This means that nobody needs to worry about the coordinator charging a coordination fee other than the promised 5%.

Sweeping implies that funds sent to a deposit address in Ashigaru Terminal can be taken by devs without an action by the user. This is simply not true. Perhaps theoretically as you are describing, UPON THE USER INITIATING a Tx0 then the fee MAY be able to be manipulated to equal the entire Tx0. That is very different from simply having a deposit wallet drained without a user action. Do you understand the difference? You still haven't shown the code that would allow the coordinator to alter the fee.

When you initiate the tx0 in Ashigaru Terminal it displays the tx0 fee and the structure of the transaction you are about to broadcast. After you broadcast the tx you can see in a different wallet software (or mempool[dot] space) if it indeed matched what the Ashigaru Terminal wallet said would be the fee. If it did not match then you can do an CPFP back to your deposit account. Crisis averted.

Don't you mean RBF instead?👀

I haven't checked if RBF is enabled for the tx0, iirc the Samourai tx0 had RBF disabled.