bitcoin-dev

Reiterating centralized coinjoin (Wasabi & Samourai) deanonymization attacks

Original Post by Yuval Kogman

Posted on: December 21, 2024 14:16 UTC

The recent discourse surrounding the vulnerabilities in Wasabi and GingerWallet, and in the CoinJoin protocols used by Wasabi/GingerWallet and by Samourai wallet, brings to light significant deanonymization risks inherent in their designs.

These vulnerabilities stem from fundamental issues within the protocols themselves, which have been overlooked rather than newly discovered. Specifically, the critique highlights a persistent trust issue between users and the coordinators of these wallets, and asserts that the coordinators' rent-seeking behavior and apparent incompetence exacerbate the problem. This skepticism is rooted in personal involvement in the design and implementation of WabiSabi, a protocol intended for use in Wasabi Wallet and GingerWallet, which was ultimately abandoned due to concerns over its fitness for purpose.

In detailing the vulnerabilities, it's evident that both the Whirlpool and WabiSabi protocols suffer from a critical flaw where a malicious coordinator can fully deanonymize transactions. For Whirlpool, this vulnerability hinges on the manipulation of blind signing keys, allowing a server to link transaction outputs to inputs by providing unique RSA keys for each input during the transaction confirmation phase. This method effectively undermines the privacy guarantees promised by the protocol. The documentation and discussions surrounding these findings are accessible, offering a comprehensive breakdown of the technical aspects (GitHub repository).

WabiSabi's predicament is similarly tied to the integrity of key consistency. The protocol operates on the premise that clients register Bitcoin UTXOs independently, with input registration requests including BIP-322 ownership proofs that commit to specific round IDs. However, the possibility of inconsistent round IDs being issued to clients creates a vector for partitioning and subsequent deanonymization. Despite attempts to rectify these issues through changes in how ownership proofs are distributed among clients, the core problems—stemming from the lack of effective verification and control mechanisms over the public keys used for proof verification—remain unaddressed.
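Both flaws described above (per-input RSA keys in Whirlpool, per-client round IDs in WabiSabi) reduce to the coordinator handing different participants a different view of the same round. The following is an added, constructed model (not Wasabi, WabiSabi or Whirlpool code) of the client-side consistency check a wallet would need: every ownership proof distributed for the round must commit to the same round ID and the same verification-key fingerprint that this client was given. Proof signature validity is assumed to be checked elsewhere; `OwnershipProof`, `honest_coordinator` and `inconsistent_coordinator` are hypothetical names.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class OwnershipProof:
    """Simplified stand-in for a BIP-322 ownership proof (constructed model):
    it carries only the values the consistency check needs."""
    outpoint: str     # the UTXO being registered, e.g. "txid:vout"
    round_id: bytes   # round ID the coordinator told that client
    key_id: bytes     # fingerprint of the verification key that client was given


def honest_coordinator(outpoints, round_id, key_id):
    """Every registered input is bound to one shared round ID and one key."""
    return [OwnershipProof(o, round_id, key_id) for o in outpoints]


def inconsistent_coordinator(outpoints, round_id, key_id):
    """Test fixture for the failure mode in the text: each input is bound to
    its own round ID / key, so each participant sits in a partition of one."""
    return [
        OwnershipProof(
            o,
            hashlib.sha256(round_id + o.encode()).digest(),
            hashlib.sha256(key_id + o.encode()).digest(),
        )
        for o in outpoints
    ]


def check_round_consistency(my_round_id, my_key_id, proofs):
    """Client-side check run over the proofs the coordinator distributes.

    Returns (ok, offending_outpoints). A client should refuse to continue
    past input registration unless ok is True, since any proof committing to
    a different round ID or key means the anonymity set has been split.
    """
    offending = [
        p.outpoint
        for p in proofs
        if p.round_id != my_round_id or p.key_id != my_key_id
    ]
    return (len(offending) == 0, offending)
```

A single client cannot detect partitioning from its own view alone; the check only works because the other participants' proofs, and the round ID they commit to, are made visible to every client.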

Further compounding the problem are the broader implications of poor coin selection practices, timing of input registrations, and inadequate Tor circuit management, all of which potentially amplify the risk of targeted deanonymization attacks. Additionally, the reliance on JSON and HTTP in the protocol introduces variability in data serialization that could further compromise privacy.

The discussion also touches on the economic incentives designed into the system through coordination fees and the anonymous credential mechanism. Originally intended to ensure fair compensation for coordinating transactions, these mechanisms fell short of preventing thefts of user funds, highlighting a significant oversight in ensuring both privacy and financial security for users.

This summary underscores a critical dialogue within the Bitcoin development community regarding the balance between innovation in privacy-enhancing technologies and the imperative to uphold rigorous standards of security and user trust. The ongoing scrutiny and debate exemplify the challenges faced in evolving cryptocurrency protocols to meet the demands of privacy-conscious users while mitigating the risks of exploitation and misuse.