
The other side of Dao: bribery in the chain and the rise of dark Dao

2022-02-03 12:06:53 DAOrayaki

Author: DAOrayaki

Blockchains seem to be the perfect technology for online voting. They can act as the "bulletin board", that is, the global ledger that decades of electronic voting research has assumed (but never really realized). Better still, blockchains make smart contracts possible, which can autonomously execute on-chain elections and eliminate the election authority.

Unfortunately, smart contracts are not just good for elections; they also create good conditions for vote buying and bribery. In this post, we explain how and why.

As a case study, we present a fully implemented, simple bribery attack on the popular on-chain CarbonVote system. We also discuss how trusted hardware enables more powerful vote-buying techniques, which seem hard to counter even with the most advanced cryptographic voting protocols.

Finally, we introduce a new form of attack called the Dark DAO (decentralized dark organization). It should not be confused with "the Dark DAO", in the same way that a DAO should not be confused with The DAO. A Dark DAO is a decentralized cartel that buys on-chain votes opaquely (that is, "in the dark"). We present one concrete embodiment based on Intel SGX.

In such an attack, potentially no one, not even the creator of the DAO, can determine the number of DAO participants, the total amount of money pledged to the attack, or the exact logic of the attack. For example, a Dark DAO could attack a token project such as Tezos, covertly collecting tokens until it reaches some hidden threshold, and then tell its members to short. Such a Dark DAO also has the unique ability to enforce information asymmetry by, for example, sending a deniable short notice: cartel members on the inside would be able to verify the short signal, but could themselves generate fake signals that look real and send them to outsiders.

The existence of trust-minimized vote buying and Dark DAO primitives means that all users voting on-chain are vulnerable to manipulation and control by plutocrats and coercive forces. This directly implies that every online voting scheme in which users can generate their own keys outside a trusted environment inherently degenerates into plutocracy, a model generally recognized as inferior to the democratic models that such protocols try to approximate on-chain.

All our schemes and attacks work regardless of identity controls, allowing user behavior to be freely traded. This means that schemes relying on user-generated keys bound to user identities, such as uPort or Circles, are also inherently and fundamentally vulnerable to arbitrary manipulation by plutocrats. Our schemes can also be repurposed to attack proof-of-stake or proof-of-work blockchains for profit, which has serious security implications for all blockchains.

Today's blockchain voting mechanism

Blockchain voting schemes now abound. Votem is an end-to-end verifiable voting scheme that allows voting from mobile devices and uses the blockchain as a place to securely publish and tally election results. The popular smart contract IDE Remix provides an election-management smart contract as its training example.

On-chain voting faces many challenges, including privacy, latency and scaling. None of these is unique to voting, and all of them can eventually be overcome. Vote buying is another matter.

In political systems, vote buying is a common and corrosive form of election fraud, with a long history of undermining electoral integrity around the world. Sometimes a vote costs no more than a glass of beer. Fortunately, as scholars have observed, normal market mechanisms usually break down for vote buying, for three reasons. First, vote buying is a crime in most cases; in the U.S., it is punishable under federal law. Second, where ballots are secret, compliance is hard to enforce: a voter can ostensibly accept your bribe (simply drink your beer) and then secretly vote as they prefer. Third, even if a voter does sell their vote, there is no guarantee that the other party will pay.

No such obstacles exist in blockchain systems. A vote-buying market can be run efficiently using the same powerful tool that administers the election: the smart contract. As usual, pseudonymity and jurisdictional complexity provide (some) protection against prosecution.

Generally speaking, electronic voting schemes are in some ways harder to protect against fraud than in-person voting, and they have been a subject of academic interest for many years. David Chaum introduced an early fundamental building block, an anonymous mix network for messages. These messages can be sent anonymously by participants and receive receipts containing . Such end-to-end verifiable voting systems, in which users can check that their votes are counted correctly without sacrificing privacy, are not just the domain of theorists; they have actually been used for binding elections.

Later work by Benaloh and Tuinstra called electronic voting schemes into question, pointing out that they give voters a "receipt" that provides cryptographic proof of how a given vote was cast. This allows extremely efficient vote buying and coercion, which is clearly an undesirable property. The authors defined a new property, receipt-freeness, to describe voting schemes in which no such cryptographic proof is possible. Further work by Juels, Catalano and Jakobsson modeled a more powerful coercive adversary, showing that even receipt-free schemes are not enough to prevent coercion and vote buying. That work introduced a new security definition for voting schemes, called "coercion resistance", and provided a protocol in which a malicious party cannot successfully coerce users in a way that could change the election result.

In that work, Juels et al. point out that "the security of our construct depends on ... the key pair being generated by a trusted third party, or on an interactive, computationally secure key generation protocol between participants". Such "trusted key generation", "trusted third party" or "trusted setup" assumptions are standard in the academic literature on coercion-resistant voting schemes. Unfortunately, these requirements do not translate to the permissionless model, in which nodes can come and go at any time without knowing each other in advance. This (to some extent) naturally means that users generate their own keys in all such deployed systems and cannot take advantage of trusted multi-party key generation or any centralized arbiter of key services.

Today's blockchain space, with predictable results, continues its tradition of ignoring decades of research and chooses the most naive form of voting: directly counted, token-weighted votes in plutocratic fashion, stored in plaintext on-chain. Unfortunately, it is unclear whether anything better than this tyranny can be achieved on-chain. We show that the permissionless model is fundamentally hostile to voting. Despite any identity-based or layer-2 mitigation attempts, all permissionless voting systems (or schemes that allow users to generate their own keys in an untrusted environment) are vulnerable to the same style of vote-buying and coercion attacks. Many vote-buying attacks can also be used for coercion, forcibly binding users to particular voting choices.


"Your online voting is very good..."

It is worth noting that Vitalik Buterin has partly discussed the seriousness of bribery attacks in such protocols, but without providing specific mechanisms. This article describes frictionless mechanisms useful for vote buying, coercion and advanced coordination, and discusses the implications of these specific mechanisms.

Different characteristics of attack

Consider a very simple voting scheme: each token holder gets one vote per token held and can keep changing their vote until an end block number. We will use this simple "EZVote" scheme to build intuition for how our attacks work against any on-chain voting mechanism.

Several escalating attacks are possible against this scheme.

(1) Simple smart contract

The simplest low-coordination attack on an on-chain voting system involves a vote-buying smart contract. Such a contract simply pays users upon a provable vote for an option (or a vote against, or an abstention, if the vote is not anonymous). In EZVote, this can be a simple contract that holds your ERC20 tokens until after the end date, votes in favor, and then returns them to you; all guarantees in the contract can be enforced by the underlying blockchain.

The advantage of this scheme is that it needs only the trust assumptions inherent in the underlying system, but it also has major drawbacks. For one, how many votes were purchased can become public after the election, because this is necessary to process the payment flows in today's smart contract systems. In addition, the nature of the bribery platform exposes it to censorship by any party with an interest in preserving the health of the underlying platform/system.

Depending on the voting scheme and the nature of the underlying protocol, there may be ways around these drawbacks. For example, voters could provide the vote buyer with a ring signature proving that they are on the list of voters who voted "yes", in exchange for payment. We leave the implementation details and generality of such schemes open.

More generally, any mechanism for private smart contracts can also be used for private vote buying, which addresses the public visibility of smart-contract-based attacks. The cryptographic equivalent is for the vote buyer and the vote seller to jointly generate, via MPC, the key that holds the funds, and to sign two transactions: one casting the agreed vote and one releasing the funds to the vote seller at the end of the interval. Only once the vote seller holds guaranteed refund and payment transactions do they transfer funds to the key.

This resembles previous work on distributed certificate generation, with added security analysis to ensure fairness. A naive implementation of this scheme would prevent users from using their funds for other purposes during the vote (such use is possible, but requires the cooperation of the vote buyer; alternatively, a trusted/bonded custodian can be used).

Vote buying with trusted hardware

A more worrying vote-buying scenario involves trusted hardware such as Intel SGX. Such hardware has a key feature called remote attestation. Essentially, if Alice and Bob are communicating over the Internet, the trusted computing implemented by SGX allows Alice to prove to Bob that she is running a particular piece of code.

Trusted hardware is often seen as a way to prove that the code you are running is not malicious: for example, it is used in DRM to prove that users will not copy files that are only temporarily licensed to them, such as movies. Instead, we will use trusted hardware to bind cryptocurrency users, paying or forcing them to use cryptocurrency wallets based on trusted hardware that provably restrict the space of behavior allowed to them (for example, by forcing them not to vote a certain way in an election) or that give the buyer trust-minimized but limited use of the user's key (for example, the vote buyer can force the user to sign "I vote A" but cannot steal or spend the user's money).

The simplest way to use this technology for vote buying is to let users prove that they are running the vote buyer's malicious wallet code in exchange for payment, with both parties protected by remote attestation.

In our "EZVote" example, the user only needs to use a cryptocurrency wallet loaded on Intel SGX that runs the vote buyer's program. SGX assures users that the wallet will never steal their money (unless the vote buyer colludes with Intel). Users can verify that the wallet lets them do everything they can do with an ordinary Ethereum wallet, including moving their money (although they will not be paid in that case). Users run their own wallets and need not trust a third party to control or secure their funds. Users may not even need to trust Intel or the trusted hardware vendor to keep their money safe, because they can compile their own wallets!

When a predefined trigger condition occurs, the SGX program automatically votes in EZVote as the vote buyer directs and sends a receipt to the vote buyer. The buyer itself runs an SGX enclave that maintains the total of all users who have attested to voting in favor, together with a list of their addresses. Given trust in SGX, the buyer does not need to inspect the full list of member users or know the total amount pledged. At the end of the vote, the vote buyer's enclave pays all users who did not move their funds or change their votes. This is done by the enclave periodically publishing a Merkle root that summarizes the users to be paid on-chain, giving each user evidence that they will eventually be paid. A user can demand payment after a certain period has expired by presenting a proof of inclusion in a published historical Merkle root. In some particularly vulnerable voting designs, the SGX enclave can simply collect users' "yes" votes in advance as transactions, publish them at the end of the vote and pay the users, which improves efficiency.

Hidden trusted hardware cartels (Dark DAO)

When trusted hardware is combined with the concept of a DAO, even more worrying attacks arise: a trustless organization whose goal is to manipulate cryptocurrency votes.


A basic Dark DAO example

The figure above outlines one possible architecture. The buyer runs a network of SGX enclaves that support the DAO and themselves implement a consensus protocol (shown here as a dark cloud to indicate that they are not visible from the outside). Users communicate with this enclave network and provide attestation that they are running the "vote-buying" (for example) Ethereum wallet with a current balance of X coins. This "evil wallet" attests that it is running the buyer's attack code, and the buyer attests that the code they run guarantees payment to the user at the end of the attack (possibly in combination with a smart-contract-based protocol, to strengthen liveness and honesty cryptoeconomically).

The buyer can track the total amount of money pledged to the vote through the system, using SGX's built-in privacy features to hide it from the outside world. Users obtain provable payment for participating in such a system, with all-or-nothing settlement properties similar to those of an SGX-based decentralized exchange. The buyer obtains a verifiable guarantee that users will never cast a vote that contradicts the buyer's desired voting policy.

What makes such an organization dark is that the buyer need not disclose to anyone (perhaps not even to themselves) how many users are participating in the system. The system can simply accumulate users, paying them to run the attacker's custom wallet software, until some threshold for activating the attack is reached (for example, in coins held by such software); this way, failed attempts need never be detected. More damaging still, the individual incentives of any small user point clearly toward joining the system. Small users who believe their vote does not matter can collect the reward without perceiving any marginal downside. This is especially true of on-chain votes, where turnout has empirically been very low. Non-voting users may be ideal targets for vote selling.

The Dark DAO operator can even attack in favor of a choice the buyer actually opposes, as a potential false-flag operation or smear campaign that further muddies the waters; for example, Bob could run a Dark DAO that favors Alice in order to call into question the legitimacy of an election result he thinks he may lose. The activation threshold, payment schedule, full attack strategy, number of users in the system and total amount pledged to the system can each be kept confidential or disclosed selectively or globally, so that such a DAO can ultimately be tuned to changes in structural incentives.

Because the organization exists off-chain, cartels of block producers or other system participants cannot detect, censor or block the attack.

Such a dark organization has several immediate practical drawbacks. First and foremost, use on Intel SGX requires a license from Intel, which is unlikely to be granted for malware. In addition, side channels in Intel SGX, hidden software backdoors, or platform attacks on any audited Dark DAO wallet could weaken the scheme, although as trusted hardware continues to advance, the cost of such attacks is likely to rise significantly. Finally, we expect other trusted hardware to provide remote attestation like that of Intel SGX, which means that such attacks will not require SGX; this is why we use "SGX" and "trusted hardware" interchangeably. For example, remote attestation can be implemented on the secure processors of some Android devices. Any remote-attestation device that provides confidentiality is sufficient for any of our hardware schemes.

Attacks on classic schemes: CarbonVote and EIP999

To demonstrate the effectiveness of these vote-buying strategies, we first look at governance-critical coin votes implemented in existing cryptocurrency systems. Perhaps the most important such vote is the DAO CarbonVote. The vote works very simply: an account sends a transaction to one address to vote in favor and to another to vote against. Each address is a contract that records the votes sent to it. The CarbonVote front end then tallies the votes and displays the net balance of all accounts voting in favor and/or against. A later vote replaces an earlier one, allowing users to change their minds. At the end of the vote, a snapshot of support is taken and used to gauge community sentiment. This voting method has been reused for other controversial ecosystem issues, including EIP-186.

One possible trust-minimized vote-buying smart contract in this framework uses escrow: the user sends ether to an ERC20 token contract, which holds the ether until the end of the vote. For every ether deposited, the user receives 1 VOTECOIN.

The contract is preprogrammed to vote in favor at the end of the vote with 100% of the users' ether it holds. After the vote, each VOTECOIN token can be redeemed in full for the original ether that created it. Users get back their original ether, plus any bribe the vote buyer wishes to pay them for the service.

We have implemented a complete open-source proof of concept of such a contract, which lets any vote buyer contribute funds to the BRIBEPOOL. Users can temporarily lock their ether in the contract to receive payment from the BRIBEPOOL, and can withdraw 100% of their ether at the end of the targeted vote. The attack can pay vote sellers from the BRIBEPOOL up front (once they lock their tokens, the vote is guaranteed), over time as a dividend, or both.

Vote-buying Ethereum smart contract code for the DAO CarbonVote

Users can also lock their ether and then sell their VOTECOIN, essentially turning VOTECOIN into a tokenized vote-buying derivative. Vote sellers can then immediately offload any risk of capital lock-up to parties who are indifferent to the vote outcome: because each ERC20 token is programmed to guarantee eventual receipt of all the original ETH, this essentially converts the underlying asset into a derivative asset committed to voting in a predefined way. If a non-negative return is guaranteed, buyers with no interest in the vote outcome should always lock their ETH, and can choose to offload it later to other buyers who are likewise uninterested. If, in addition to paying dividends up front, the BRIBEPOOL pays VOTECOIN holders over time, these derivative tokens can even be used to speculate on the success of the attack itself.

This smart contract can be simplified by using an oracle such as Town Crier (multiple oracles, prediction markets and so on can also be combined). Because the CarbonVote system publishes its results, including the full voter log, on Etherscan, it is relatively simple to use any oracle that scrapes external websites to check how someone voted and to pay if the vote included in the final snapshot matches the buyer's preference.
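The same public voter log that makes an escrow contract's vote checkable also lets an auditor measure how much of a CarbonVote-style result rests on contract-held funds. The Python below is an added example, not code from the article or from CarbonVote; the vote log, balances, addresses and the set of contract addresses are constructed sample data and assumptions.

```python
"""Audit of a CarbonVote-style tally: last vote wins, weight = snapshot balance."""

# Constructed sample data (not real chain data); addresses are placeholders.
END_BLOCK = 1000

# (block_number, voter_address, choice): one row per transaction sent to the
# "yes" or "no" voting address, as it would appear in a public voter log.
VOTE_LOG = [
    (900, "0xA1", "yes"),
    (910, "0xB2", "no"),
    (920, "0xC3", "no"),
    (950, "0xA1", "no"),     # 0xA1 changes its mind: the later vote replaces the earlier
    (980, "0xPOOL", "yes"),  # one contract votes with everything deposited in it
    (1001, "0xD4", "yes"),   # cast after the end block, so not counted
]

# Balance of each address at the snapshot block, in ether.
SNAPSHOT_BALANCES = {"0xA1": 40, "0xB2": 25, "0xC3": 10, "0xPOOL": 90, "0xD4": 500}

# Addresses that hold contract code. Assumption: the auditor has already
# classified addresses (for example by asking a node whether code is deployed).
CONTRACT_ADDRESSES = frozenset({"0xPOOL"})


def final_votes(vote_log, end_block):
    """Return {address: choice}, keeping each address's last vote up to end_block."""
    latest = {}
    for block, address, choice in sorted(vote_log, key=lambda row: row[0]):
        if block <= end_block:
            latest[address] = choice
    return latest


def tally(vote_log, balances, end_block, exclude=frozenset()):
    """Sum snapshot balances per choice, optionally leaving some voters out."""
    totals = {"yes": 0, "no": 0}
    for address, choice in final_votes(vote_log, end_block).items():
        if address not in exclude:
            totals[choice] += balances.get(address, 0)
    return totals


def winner(totals):
    """Return the choice with more weight, or "tie"."""
    if totals["yes"] == totals["no"]:
        return "tie"
    return "yes" if totals["yes"] > totals["no"] else "no"


def audit(vote_log, balances, end_block, contracts):
    """Report how much of the result rests on contract-held balances.

    A contract voter is not proof of vote buying (multisig wallets are contracts
    too); the report only shows where pooled funds decide the outcome. Votes
    cast from ordinary accounts running a buyer's wallet software look like any
    other vote and are not flagged here.
    """
    votes = final_votes(vote_log, end_block)
    totals = tally(vote_log, balances, end_block)
    contract_weight = {"yes": 0, "no": 0}
    for address, choice in votes.items():
        if address in contracts:
            contract_weight[choice] += balances.get(address, 0)
    result = winner(totals)
    without = winner(tally(vote_log, balances, end_block, exclude=contracts))
    share = 0.0
    if result != "tie" and totals[result]:
        share = contract_weight[result] / totals[result]
    return {
        "totals": totals,
        "contract_weight": contract_weight,
        "winner": result,
        "winner_without_contracts": without,
        "contract_share_of_winner": share,
        "outcome_depends_on_contracts": result != without,
    }


if __name__ == "__main__":
    report = audit(VOTE_LOG, SNAPSHOT_BALANCES, END_BLOCK, CONTRACT_ADDRESSES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed data a single pooling contract supplies all of the winning weight, so removing it flips the result from "yes" to "no".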

A Dark DAO-like model can also be applied easily. Each user simply runs a wallet which, some time after each transfer transaction, also votes on CarbonVote in the desired way (in practice this could become standard behavior for many wallets). Users are paid only once such a vote is registered, so they are incentivized to make sure the voting transaction is included on-chain. The network cannot determine how many of the votes in a given CarbonVote were produced by such a vote-buying cartel and how many are legitimate.

Inherent in any of these schemes is the ability to pool assets across multiple vote buyers with minimal trust; a bribery smart contract can simply allow anyone to pay into the BRIBEPOOL, and the SGX network can similarly be structured to be open to participation.

Some schemes, such as the EIP999 vote, have more serious problems. In these schemes, if a user votes twice, the later vote is the one that counts. A simple and severe attack is to collect users' signatures on both "yes" and "no" votes, spam the chosen signatures at the end of the election period, and rely on the ability to overwhelm the blockchain to ensure that most of these votes stand. Alternatively, because a contract's deployer can vote on behalf of all funds in a given contract, another attack is simply to force users to use contract-based wallets deployed by the buyer during the vote; the buyer can then arbitrarily control the voting rights of all funds locked in the contract without having to hold those funds.

Bitcoin is not immune. The Bitcoin community often relies on coin votes, to which similar vote-buying schemes apply (such as the Ethereum smart contracts in this work, or Dark DAO style; Bitcoin itself does not natively support contracts rich enough for vote buying).

Beyond voting: attacking consensus

Astute readers may point out that all permissionless blockchains inherently rely on some form of permissionless voting, namely the consensus algorithm itself. Every time a blockchain reaches global consensus on some property of its state, what happens is essentially a vote in a permissionless setting (usually coin- or PoW-weighted).

It may not be surprising that "vote buying" has already been explored in these settings. For example, smart contracts on Ethereum can be used to attack Ethereum and other blockchains through censorship, history revision, or incentivizing empty blocks. Such attacks act directly on the proof-of-work vote itself, bribing miners in proportion to their work. There is little reason to believe that proof-of-stake systems will be immune to similar attacks, especially in the presence of complex delegation structures whose incentives may be unclear and whose formal analysis may be incomplete or non-existent.

A disturbing concept related to the vote-buying Dark DAOs we explore is what we call the "Fishy DAO", named after the classic Flash game. In this (super fun!) game, you start as a small fish. The rules are simple: you can eat smaller competitor fish, but you cannot eat fish the same size as you or bigger. You grow after every meal, until you eventually (if you are lucky) grow to dominate the ocean. A modern, similar game that does not need Flash and adds networking is


It's like Fishy, but small fish can also ally with big fish!

A Fishy DAO would use Dark DAO technology like that above to do the same thing to blockchains. Using SGX, Fishy DAO members can receive a non-transferable notification (DAO members can verify the authenticity of the message, but non-members cannot tell whether it is forged) when the attack threshold is reached, allowing them to short the currency markets shortly before such an attack. Every blockchain the Fishy DAO attacks brings the Fishy DAO some profit, and even a failed attack comes with publicity that makes the Fishy DAO infamous for its profit-seeking but possibly (in some frameworks) unethical behavior. If the Fishy DAO fails to reach the required threshold, it simply disappears and refunds its participants, possibly but not necessarily burning some of their money to incentivize them to recruit.

A Fishy DAO needs Dark DAO technology because, if it were executed publicly with smart contracts, the observable participation rate would provide a market signal for the price of the underlying blockchain, making the attack unprofitable by allowing the risk to be priced in. It is the cryptographically enforced information asymmetry between DAO members and the wider ecosystem's participants that makes this attack possible.

Other applications

Note that the impact of Dark DAOs goes far beyond the above. For example, a Dark DAO could aim to buy users' basic-income identities profitably, paying a small sum up front to obtain the user's recurring basic-income payments. Or a Dark DAO could rent this type of key from users with good credit (with trust-minimized restrictions) to pass credit checks in a key-based identity system. Or an evil mining Dark DAO could provably attack ASIC-based proof-of-work cryptocurrencies, with an attack pool whose size may be undetectable and unstoppable.

One can also imagine that, with identity, the identity system itself may have social safeguards against purchase. For example, some identity systems may let users appear in person to revoke or manage their identities, which may circumvent the automated technical protections against identity theft in society. There are still ways around this: the classic solution in lending is collateral. Prospective businesses such as "bail bond" operations can also use physical/legal intimidation and contracts to provide social guarantees of repayment for users who cannot afford collateral. If such a permissionless basic-income system were deployed alongside the current market system, payday-loan and bail institutions would be well suited to this business, at least in the United States (in many other places, there may be even less savory institutions willing to step in and take an appropriate cut).

The coordination space of blockchain mechanisms is large and unforgiving. All identity-based schemes for voting or financial incentives should carefully consider the long-term viability, scalability and security implications of the underlying permissionless model.

Core insight

Perhaps you are an academic reading this article, or an interested user, wondering what all this means. Several interesting and highly surprising insights follow from the thought experiments above (see references).

  • Electronic voting without permission * need * Trusted hardware . Perhaps the most surprising result is this . When users can generate their own keys (“ No license ” Required for the model ) In any model of , As mentioned above , Use trusted hardware , Low coordination bribery attacks are essentially possible . The only defense is more trusted hardware : Know that users can access their own key materials ( Therefore, you can't be coerced or bribed ), You need to ensure that users have seen their keys . Trusted hardware can set channels through trusted hardware tokens ( Similar to the government's use of electronic voting for democracy ) Or by SGX System to achieve this , The system ensures that any voter has disclosed their key materials to any operating system they are running . This essentially implements the kind of trusted setting that academic e-voting schemes have been using for years / Generate assumptions . obviously , In the presence of trusted hardware , Any vote requires this assumption , And without this assumption , It can be proved that you can buy through low friction / sell / Bribe / Coercion to vote , This is a surprising result , Have a serious impact on voting on the chain .
  • There is a lot of room for voting and coordination mechanisms , And people know little about it . Explore through specific examples of how to deal with , For example, smart contract voting and voting changes on Ethereum , Obviously , Extensive design decisions have fundamentally changed the incentive structure of the voting mechanism ( We are in the appendix below A These are discussed in ). These mechanisms are extremely complex , Through other coordination mechanisms ( Hardware based and trusted contracts DAO) Change its incentive structure . The characteristics of these mechanisms , Especially when multiple such mechanisms interact or are actively attacked by resource participants , People know little about it . Such mechanisms should not be used for direct chain decision-making in the short term
  • The same kind of vote-buying attack applies to any identity system. These attacks are not just about votes. Imagine an identity system that entitles its users to a basic-income payment every week. I can simply pay you cash up front for your identity, thereby buying its share of next year's income, and if the time value of my money is lower than yours (as wealth asymmetry often implies), I really should do so. The same holds for any system involving identity: in a relatively low-trust setting, the behavior of a user's identity can be constrained, and such constraints can be bought and sold on the open market. This has serious and fundamental implications for the robustness of any on-chain economic mechanism with a permissionless identity component.
  • On-chain voting fundamentally degenerates into plutocracy. Voting and democracy fundamentally depend on the secret ballot and on identity infrastructure that exists only in the physical world (meatspace). These assumptions do not carry over to the blockchain, which leaves the same techniques fundamentally broken in the permissionless model. As long as users can generate their own keys (see above), external, even trusted, identity systems cannot solve this problem.
  • Hard-fork-based governance gives users their only way out of such plutocracy. Given the above, a natural question is whether we have already reached the era of plutocratic rule. The answer is "maybe not". There is evidence that the ad hoc, informal, fork-based governance model used to manage blockchains such as Bitcoin and Ethereum actually provides strong protection of user rights. In this model, any upgrade must offer users an active choice, and groups of users who disagree with a rule change can choose to exit. On-chain voting, by contrast, creates a natural default that, especially with inattentive or indifferent users, produces strong inertia against forking.
  • The interaction of multiple blockchains can break the incentive compatibility of every chain. Importantly and critically, the Dark DAO-type attacks we explore show that multiple competing blockchains have the ability to fundamentally affect the internal equilibrium of all such chains. For example, in a world with only one smart contract system, Ethereum, internal incentives may lead to a stable equilibrium. With two players, the weaker one is incentivized to launch bribery attacks to destroy its competitor, and this equilibrium may be broken, changed, and destroyed. A key and surprising open research area is the macroeconomic modeling of competition between blockchains, to learn more about how such internal equilibria fail. Our intuition is that critical black swan events are currently lurking in the complexity of blockchain governance and interoperability.
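The time-value argument in the identity bullet above can be made concrete. The following is an added illustration, not code from the original article: it computes the price range in which selling a year of an identity's weekly income is rational for both sides. The function names, the weekly amount, and the discount rates are all constructed assumptions.

```python
"""Added illustration: when is buying a year of an identity's income rational?"""


def present_value(payment, periods, annual_rate, periods_per_year=52):
    """Value today of `periods` equal payments, the first due one period from now."""
    # Convert the annual discount rate into an equivalent per-period rate.
    r = (1 + annual_rate) ** (1 / periods_per_year) - 1
    if r == 0:
        return payment * periods
    return payment * (1 - (1 + r) ** -periods) / r


def bargaining_range(payment, periods, buyer_rate, seller_rate):
    """Return (lowest price the seller accepts, highest price the buyer pays).

    Returns None when no up-front price leaves both parties better off,
    which is the case whenever the buyer discounts the future at least
    as steeply as the seller does.
    """
    seller_floor = present_value(payment, periods, seller_rate)
    buyer_ceiling = present_value(payment, periods, buyer_rate)
    if buyer_ceiling <= seller_floor:
        return None
    return seller_floor, buyer_ceiling


# Constructed sample values, not taken from any real identity system.
WEEKLY_INCOME = 100.0
WEEKS = 52
SCENARIOS = [
    ("wealthy buyer, cash-poor seller", 0.05, 0.60),
    ("roles reversed", 0.60, 0.05),
    ("equal time value of money", 0.20, 0.20),
]

if __name__ == "__main__":
    for label, buyer_rate, seller_rate in SCENARIOS:
        deal = bargaining_range(WEEKLY_INCOME, WEEKS, buyer_rate, seller_rate)
        if deal is None:
            print(f"{label}: no mutually beneficial price")
        else:
            print(f"{label}: any price between {deal[0]:.2f} and {deal[1]:.2f}")
```

A trade exists only in the first scenario, which is the wealth asymmetry the bullet describes; the wider the gap between the two discount rates, the wider the range of prices at which the identity changes hands.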

Obviously, these claims need further exploration, refinement, and proof. But we think we have provided at least some intuition for why we believe they hold up within a principled analytical framework.


The trend toward voting on the blockchain is inspired by humanity's long tradition of voting and democracy. Unfortunately, the protections available in the real world, such as enforced private/deniable voting, approximate identity controls, and attribution of widespread fraud, are not available at all in the permissionless model. When user-generated public keys are used, online voting cannot provide these users with any coercion-resistance guarantee. Carefully designed voting schemes do little to quell the problem (and in many cases exacerbate it). On-chain voting schemes further complicate the incentives, creating unstable and chaotic incentive structures that vote-buying, bribery, and griefing schemes run through smart contracts or Dark DAOs can alter at any time.

We encourage communities to remain highly skeptical of the outcome of any online vote, especially as online voting becomes an important part of decision-making in blockchain systems. That such mechanisms enable new forms of abuse at a lower coordination cost than ever before should support the position that votes should be used as signals rather than for decision-making, and a variety of voting mechanisms should fill these roles. Without such safeguards, every online voting system remains open to direct vote buying and participation buying, and even to vote tokenization, and can degenerate into plutocracy.

Such attacks have a significant impact on the future security of all blockchain-based voting systems.


We would like to thank Patrick McCorry for his helpful and thorough feedback throughout the life cycle of this article, and for his pioneering work on vote buying and online voting systems.

We would also like to thank Omer Shlomovits and István András Seres for their helpful comments on earlier versions of this article.

Appendix A: Differentiating factors in on-chain voting

We note several distinguishing factors among on-chain voting systems:

  • Ability to change votes: If users cannot change their votes, any method that provides a cryptographically checkable receipt can be used to buy ordinary votes. A smart contract can simply bribe users up front for their votes, which can then never be changed. However, most schemes allow users to change or withdraw their votes, which means bribery requires some continuous time component (or must take place after a snapshot of the vote is taken). Exponential payouts over time offer an interesting solution that discourages moving coins and encourages long-term signals, and a payout bonus at the completion of the vote is a tool that potential vote buyers can use to create a viable vote-buying scheme when users are allowed to change their votes.
  • Smart contract / proxy voting: Who gets to vote with funds held in a smart contract? This is an open question that plagues existing designs. The original CarbonVote allows any contract that can call a function to vote and later change its mind. The EIP999 vote allowed contract deployers to vote on behalf of the contract, a decision widely criticized as aimed at influencing the outcome of the vote. Neither of these designs seems ideal. In fact, intuitively, it seems difficult for any single design to fairly capture all the custody nuances of smart contracts: contracts that hold funds range from simple multi-signature accounts to complex decentralized organizations with their own revenue streams and financial relationships between contracts. Which of these tokens have the right to vote, and how to distribute those rights fairly, remains a completely unexplored philosophical prerequisite for building a fair on-chain voting system. Forcing contract authors to provide explicit functionality may not be enough either, because the requirements for that functionality may change in the future in ways that are not backward compatible (by on-chain vote or by fork).
  • Deniability / provability: All the schemes discussed in this article share a property that makes them especially suitable for vote buying: they give voters some form of trusted proof of their vote, through on-chain logs, a secure web interface, or smart contract state. Such schemes are particularly vulnerable to vote buying because they make it easy for smart contract logic to verify votes. Some traditional electronic voting schemes in the academic literature provide a property called coercion resistance. In these schemes, users can use the key they voted with to change their vote after being coerced, and votes are not attributable to individual users. More generally, the voting privacy problems associated with any kind of long-term identity, especially one that holds tokens, are very serious. This concern would completely disqualify any serious voting system in the real world, and it may be appropriate to treat it as a disqualifying criterion for all on-chain voting designs.
