Whirlpool client proves ownership of the registered input by signing always the same message, which is the pool denomination (e.g., "0.025btc"). This means that a coordinator can use the received ownership proofs to attack every other coordinator. To prevent this and also prevent the same signature from being used to prove ownership of a different UTXO with the same scriptPubKey, a simple solution could be to commit to the outpoint, the mix ID, and the coordinator URI in addition to the poolId.