Hi Khaled0111, thank you too for your detailed and honest review!
- UniCode, the popup that appears after clicking the "?" button does not tell you what the UniCode is or what it is used for. You'll have to wait till the last step to get that information.
We will add this information.
- Checking address validity (taproot!), I tried different address formats and changed a few of their characters and, indeed, the form detects when you enter an invalid address. But when I provided a valid P2TR address I picked randomly from a block explorer, the form said it's invalid! I believe a service designed mainly to enhance users' privacy must support taproot (for payout addresses).
We have considered taproot addresses in the development; however, there must still be a mistake. We will fix this very soon.
- The warning message in that page says: "the fees range from 1% to 3% and are randomly generated as soon as an incoming payment is detected"!
Why do you generate the fees after detecting the incoming transaction? Someone might accuse you of charging fees depending on the transaction amount (the higher the amount, the higher the fees)! You should either let the user customize the fees manually or generate and publish them from the start of the session.
As described in our pricing page, the fees are generated between 1-3% with 4 decimals. It doesn't depend on anything, but is randomly generated.
- The warning message says that only funds sent within the remaining time will be accepted, but it doesn't say what will happen to funds sent after that: will they be lost or can they be recovered? The same for funds sent below the minimum amount (0.001btc)? What will happen if someone sends coins, your system detects it while it's still unconfirmed, then the user replaces it by bumping the fees thinking he is helping speed up the process?
Every user will contact us in the support section to get an update on his mixing order. So when a mistake happens, which should not, as we are clearly mentioning the conditions on the website, he will contact us and we either process the mixing order or send the user a refund.
- Letter of Guarantee, both LoyceV and DarkStar_ are correct, verifying the signed message shouldn't be that complicated and the message should include the date when it was generated.
Also, you should publish your public key somewhere else other than on your website. You can upload it to public key servers or post it on your ann thread here. This will help in case your servers get compromised and the attacker publishes his public key instead of yours.
The aim of the LoG isn't only to allow restoring a session but, and most importantly, to verify that the deposit address was generated by you. So validating the signed message and having the public key on your website doesn't mean anything.
Regarding the Letter of Guarantee, we will add the date to the file and also we will add the public key to several other places, such as Github and more.
- The warning message, again, in this page says that the payout may take longer than the preset transfer delay if the CoinJoin hasn't been completed yet and the transaction fees will be charged to the customer. You had to be transparent about this from the beginning (remember that I didn't read your ToS).
We will consider showing it in the first steps of the mixing process, but it's also mentioned in the pricing page. Normally, users check the pricing before creating a mixing order.
I'm not an expert when it comes to blockchain analysis, but when I looked up the payout transaction on a block explorer, I saw that the inputs used (UTXOs) by that transaction were created before I made the deposit transaction (this is not always true for all orders). So, this means there is no direct link between the coins I sent and the mixed coins I received, at least not through UniJoin.
As NeuroticFish mentioned, we prepare coins that are coinjoined already to accelerate the mixing process for our users. In the end, the funds are anonymous and there is no link between sender and receiver. Also, CoinJoin technology is used.
Thank you again for your detailed feedback, it helps us a lot to improve our service!
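
Added example, not part of the original post and not UniJoin's code: a payout-address check that accepts taproot (P2TR) addresses has to verify the bech32m checksum (BIP-350) for witness version 1 and later, while version 0 addresses keep the bech32 checksum (BIP-173). Whether this is the cause of the rejection reported above is not known from the thread; all function names are hypothetical, and the sample address is the public BIP-350 test vector.

```python
# Added example (not UniJoin's code): segwit address check per BIP-173/BIP-350.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
ENCODINGS = {1: "bech32", 0x2BC830A3: "bech32m"}  # final polymod -> encoding
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
P2TR_VECTOR = "bc1p0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7vqzk5jj0"  # BIP-350

def polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate(GEN):
            if (top >> i) & 1:
                chk ^= g
    return chk

def decode(addr):  # -> (hrp, encoding, 5-bit payload without checksum) or None
    if addr not in (addr.lower(), addr.upper()) or len(addr) > 90:
        return None  # mixed case or over-long
    addr = addr.lower()
    pos = addr.rfind("1")
    hrp, body = addr[:pos], addr[pos + 1:]
    if pos < 1 or len(body) < 7 or any(c not in CHARSET for c in body):
        return None
    data = [CHARSET.index(c) for c in body]
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    encoding = ENCODINGS.get(polymod(expanded + data))
    return (hrp, encoding, data[:-6]) if encoding else None

def to_bytes(data):  # regroup 5-bit values into bytes; None on invalid padding
    acc = bits = 0
    out = bytearray()
    for v in data:
        acc, bits = (acc << 5) | v, bits + 5
        if bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
    return None if bits >= 5 or acc & ((1 << bits) - 1) else bytes(out)

def is_valid_payout_address(addr, hrp="bc"):
    dec = decode(addr)
    if dec is None or dec[0] != hrp:
        return False
    version, prog = dec[2][0], to_bytes(dec[2][1:])
    if prog is None or version > 16 or not 2 <= len(prog) <= 40:
        return False
    if version == 0:  # P2WPKH / P2WSH keep the original bech32 checksum
        return dec[1] == "bech32" and len(prog) in (20, 32)
    return dec[1] == "bech32m"  # v1+ (P2TR is v1) must use bech32m
```

A validator that only compares the checksum against the bech32 constant `1` returns `None` from the decode step for `P2TR_VECTOR`, which is how a well-formed taproot address ends up flagged as invalid.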