As all the ww-address transactions take place on Whirlwind and are not associated with the Bitcoin network, the question then arises how safe or secure is the database is that contains all the details of the addresses and transactions. Is it encrypted at REST?
The databases (backend and the 3 signers) only contain the encrypted Note public addresses and their balances, no sensitive information about deposits/withdrawals or pay to note transfers. Whenever a user performs an action it has to be validated by the backend and all 3 signers individually. These proofs are deleted immediately after their use.
Whirlwind is based on a backend + validator (signer) model. The backend interacts with users by generating deposit addresses and processing withdrawals, while the validators (signers) validate all of the backend's actions. Whenever a withdraw transaction is being sent, the signatures must be retrieved from all validators which are able to verify the transaction is correct.
When a user deposits BTC using the Note method, the backend sends the deposit hash to the validators and they assign credit to the Note’s public key. When the user wants to withdraw his BTC, he must send a signature to the backend which will process this. This signature will also be sent to the validators which will check it and remove credit from the note’s public key and whitelist the receiving addresses.
If an attacker compromises the backend server, he would not be able to forge user Note signatures in order to fool a validator to send him funds, because only the users have access to the Note’s private keys. Again, the proofs are deleted after their use.
Thanks for the explanation. Once again, How is an average Joe supposed to know who is new to mixing and wants to mix their coins? The I Button says You can share this public address with other users to receive payments. Don't you think it will be better to write a warning there, like do not send your Bitcoin to this address? However, the address is invalid, and I guess people won't be able to send Bitcoin to this address.
That appears only if you select No(Create only) when asked if you want to deposit now, but I understand your point and we will adjust the wording and info buttons to explain the process better.
As You said, These are Legacy Bitcoin addresses. I searched my address on Blockchain, and it seems it is valid. For testing purposes, I've sent a few Satoshis. I am not sure if it has anything to do with Whirlwind. I am curious if it's reached whirlwind. Since it's a small amount and doesn't meet the minimum deposit requirement, It won't appear in my balance. But I am curious if Whirlwind received the transaction.
https://blockchair.com/bitcoin/address/12xmfzikTonuQc3iw7Xezvd9qwHibxryRjThat is probably your Legacy Bitcoin address corresponding to your Note private key, it's not the deposit address. Whirlwind on-chain Bitcoin deposit addresses start with 'bc', as a rule of thumb if you are not on a page where you can download a Letter of Guarantee for the deposit you are not in the right place. Understood your point and we will make the process easier to understand for new users.