It doesn't make a difference if Coinfirm is involved, the Sybil attack could be detected and interpreted as a malicious coordinator by clients the exact same way.
I'm reading the coin approval part, from Wasabi's coin verification unit test[1]:
Code:
0. Assume a third party (coinVerifier) which will approve coins, and a list with 5 coins (outputs).
1. Create an empty list which will contain the "naughty coins".
2. For each coin, request it to the third party.
3. If coin is not approved, add it to the list and go to step 2 until no other coins are left.
Could you explain how the Sybil attack will be detected? To me it seems like the coordinator makes an HTTP request to the third party (as shown here[2]), and simply proceeds to the coinjoin, given the naughty coin list that was authorized by the third party.