Privacy pools sever the on-chain link between deposit and withdrawal, but offer no defense when an adversary coerces the holder in person—the "5 wrench attack. " The tempting fix builds a decoy spending path into the withdrawal circuit. We show this class of design is unsound under spend-identifier accounting: when one economic note can produce two or more independent spendable identifiers and the contract deduplicates per identifier with no shared consumed-state, the note is withdrawn once per identifier and pool solvency breaks. The failure is one of value-safety accounting, not of the proof system, hash, or selector. The corrective is a single invariant—one note, one spend—which also indicates where deniability belongs: off the spend path, at the wallet. Our contribution is not a new hidden-wallet mechanism but this value-safety separation. The safe construction moves deniability to the wallet via two economically independent notes from independent secrets, sharing no seed and no protocol-introduced cryptographic link: a coerced user surrenders a credible decoy while the real note stays untouched. We give a general impossibility (Proposition 1) and its constructive counterpart (Theorem 1), and report evidence as a negative-test matrix separating real-verifier guarantees V from in-circuit ones C. The guarantee is plausible deniability bounded by anonymity-set size and metadata, not unconditional unlinkability.
Alejandro Jaime (Wed,) studied this question.