Post
Topic
Board Service Announcements
Re: [ANN] Whirlwind.money | Bitcoin Mixer | Lowest Fees 0.25%-4% | Ultimate Privacy
by
whirlwindmoney
on 04/04/2023, 20:59:05 UTC
Can someone or whirlwind please respond on this part from my review-

I don't know if this is intentional from whirlwind or not. Here's my mixing-
1. my addy to WHIRLWIND1 address
2. WHIRLWIND1 sent BTC to their X address
3. And sent me BTC to my desired address from address X (same address from the 2nd step)

Again,
1. Used Notes- sent BTC from my address to WHIRLWIND2 address.
2. WHIRLWIND2 sent BTC to X (same as previous)
3. When I withdrew, they again sent me BTC from address X
Does it work this way? I don't think so. Basically, it's like MY btc to whirlwind and the same BTC is being sent to me.
I felt like I was sent my BTC.

I'm not a guy who used a mixer a lot of time. I used it mostly just to check out how it works. I have tested a few mixers including ChipMixer and all of those were to get an experience of how the process works in individual site.
May I know what I'm missing? My bad if this is a very much stupid question I had though I think it wasn't.

Thank you for the question - it's intended to work this way

I will quote a previous message of mine from another thread where I explained the advantages of this setup:

Since you are open to hearing opinions, I hope you will visit this link ----> Breaking Mixing Services

If there is interest in this topic, I can publish further information (source-codes, examples, ..) on this topic and attacks.
Link to my thesis (python source inside): https://www.dropbox.com/s/3yapwyfz72tvswh/BA_mixing_services.pdf?dl=0
Author: Felix Maduakor
Email: felix.maduakor@rub.de

1 Chipmixer was the only centralized mixing service which I did not break fully. However, I did not put much work into checking this mixing service.


Contact him, and if he accepts to give a paid review, I think that this will contribute a lot to gaining trust in your mixer service (at least for some here)
I went through his report and although I'm sure we already fixed the issues outlined by him, I will still try to get him to do a paid review for your confirmation.

Coinmixer.se (the service used as an example in the report) works like most mixers on the market today, and they all have the same big issues in common:
1. Maximum delay time is limited
2. Maximum amount of output addresses is limited
3. No option to have higher outputs than inputs
4. Use of mixing codes

These issues make it possible for anyone to perform blockchain analysis with relative ease. The privacy set (number of deposits your output transaction could have originated from) which is the most important figure in my opinion, is reduced to only the transactions that were performed during the time limits imposed by the "maximum delay". And since you also know the maximum number of output transactions each deposit has, it's not that difficult to deanonymize it.

We solve all these issues by introducing the Note mechanism. Let's see how the above issues apply to Whirlwind:
1. Maximum delay time is unlimited
2. Maximum amount of output addresses is unlimited
3. Outputs can be higher than inputs (combine Notes)
4. We don't use mixing codes

Since the user has the option to deposit and withdraw whenever he likes and we don't impose a limit, blockchain analysis becomes useless. In the case of coinmixer.se it's written in the report that they had about ~1000 deposit transactions a week. If we assume we'll have the same, then the privacy set of Whirlwind will grow by 1000 every week.

After 10 weeks every output transaction could originate from any of the 10,000 deposits into Whirlwind, and this figure will only grow as time goes on. With other mixers it doesn't matter how many deposits they have in total, the privacy set doesn't increase.

The use of mixing codes by a service confirms that the privacy set is very weak and introduces other risks since it can link your transactions. If a mixer does what it's supposed to do, it shouldn't matter if you get 'your own coins' back because anyone that ever used the service could have withdrawn those coins.
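
The privacy-set comparison argued in the post above, worked through as an added example (not part of the original post and not Whirlwind's code). It counts the deposits an analyst could not rule out for one withdrawal under two rule sets; the 1000 deposits per week figure is the one quoted in the post, while the 72-hour maximum delay, the deposit sizes, the even spacing and the omission of fees are constructed assumptions.

```python
from dataclasses import dataclass

WEEK = 7 * 24 * 3600  # seconds


@dataclass(frozen=True)
class Deposit:
    time: int    # seconds since the service started (constructed)
    amount: int  # satoshis (constructed)


def constructed_deposits(weeks=10, per_week=1000):
    """Constructed sample data: evenly spaced deposits cycling over five sizes."""
    sizes = [1_000_000, 5_000_000, 10_000_000, 50_000_000, 100_000_000]
    return [Deposit(i * WEEK // per_week, sizes[i % 5])
            for i in range(weeks * per_week)]


def privacy_set(deposits, w_time, w_amount,
                max_delay=None, outputs_can_exceed_inputs=False):
    """Return the deposits one withdrawal could have originated from.

    max_delay=None models an unlimited delay between deposit and withdrawal.
    outputs_can_exceed_inputs=True models combinable balances, so a small
    deposit cannot be excluded just because the withdrawal is larger.
    Fees are ignored (assumption).
    """
    candidates = []
    for d in deposits:
        if d.time >= w_time:
            continue  # deposit made after the withdrawal
        if max_delay is not None and w_time - d.time > max_delay:
            continue  # older than the service's maximum delay
        if not outputs_can_exceed_inputs and d.amount < w_amount:
            continue  # too small to fund this output on its own
        candidates.append(d)
    return candidates


if __name__ == "__main__":
    deposits = constructed_deposits()
    t, amount = 10 * WEEK, 40_000_000  # withdrawal at end of week 10
    limited = privacy_set(deposits, t, amount, max_delay=72 * 3600)
    unlimited = privacy_set(deposits, t, amount,
                            outputs_can_exceed_inputs=True)
    print("limited delay, output <= input:", len(limited))
    print("unlimited delay, combinable:   ", len(unlimited))
```

The result is an upper bound on the candidate set: it counts deposits that cannot be excluded by these rules and says nothing about how likely each one is given actual timing and amount patterns.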