As it is, if one node is compromised or malicious, what stops it from hosing up darksend? Sure, that TX will fall out of the memory pool and eventually be not a sent transaction according to my client, but how about something that actively avoids the incident? Why shouldn't all clients hosting the full chain also be darksend nodes? For that matter, why is darksend optional? Why aren't all sends done in that manner automatically? Input volume, yes...
The idea of masternodes is to create a very expensive network similar to mining, where users invest money to make money. If you decide to be malicious, the only power you have is to not allow transactions for that 2.5 minutes, in which case you forfeit the money the network will pay you.
If all nodes were able to do it, the network would be vulnerable to sybil attacks. See my conversation with Anonymint.
Really the concept sounds great -- I guess what I am really worried about is DOS attacks on the Master nodes. Some people will do due diligence, but I am betting that most won't (don't know how) and the result will be that DRK suffers a black eye because one person brings down Darksend for a time.
What protections are there against this other than urging master nodes owners to read up on net security?
Once we get the logo picked, I'll get me a shot glass or beer glass. Fill it with black sambuca or a Guinness lol 