DAO v1.1 Public Testing Report

Current Status

The proposal team sincerely thanks the people who have participated in this one-month testing period. Five people have provided code-related feedback: @phroi, @woodbury.bit, and three other community members who formed a testing group in Discord.

The community testing group is still working on UI/UX testing and constantly produces valuable reports; the dev team is also fixing them as soon as they can.

Bug Fixing Table

Bugs from the numbers 18 to 30 are reported by community testers, and they are logged and tracked through GitHub issues

Related Posts

Below are links to various posts on the ongoing DAO v1.1 debate. This is another attempt to group together increasingly fractionalized communication so the community can know what has happened:

1. The DAO v1.1 Proposal (you can find early discussions of the design): https://talk.nervos.org/t/dis-community-fund-dao-v1-1-web5-community-fund-dao-v1-1-web5-optimization-proposal/8973

2. After a premature attempt to launch the platform, @phroi provides the following feedback:
   https://talk.nervos.org/t/dao-v1-1-whitelist-and-beyond-community-led-code-review/10091/1

3. The proposal team’s response to Phroi’s post:
   https://talk.nervos.org/t/statement-on-dao-v1-1-platform-launch/10096

4. In fear of the gradual emotionalized debate, @terrytai closed the previous post:
   https://talk.nervos.org/t/statement-on-dao-v1-1-platform-launch/10096/44

5. Terry opened another post, and later got closed by @matt_ckb (probably also due to emotionalized debate):
   https://talk.nervos.org/t/thoughts-on-the-statement-dao-v1-1-platform-launch/10174

Going forward

The debate is still happening around the whitelist design; there’s no set date yet for the official delivery of M2. The obvious next step is to fix the bugs revealed by the community first, but as for how the proposal can move forward, the proposal team is willing to work with anyone who sincerely wants to push it forward.

Attention

The proposal team has also noticed some unwanted behavior towards the steward team. They encourage everyone in the community to keep the conversation respectful, focus on solving problems, and make valuable things happen. They also want to express their sincere thanks to the steward team: @_magicsheep, @nightlantern, and @zz_tovarishch for their work during this bumpy time.

Sincerely,
Haoyang - Member of the Steward Team

I noticed that the is one attack vector I mentioned quite a few times, but not mentioned here:

1. An undetectable malicious attacker takes control of voting infrastructure (these things happen)
2. Voter try to vote on a proposal of crucial importance (it could be a meta-rule change or stewards electtion)
3. Attacker selectively do not send the whitelist inclusion proof to voter
4. Voter cannot vote
5. Attacker wins vote
6. Voter tries to prove that he was prevented from voting
7. Community Audit tool cannot prove that he was denied voting

@_magicsheep if you remember we talked about it on January, right before a DAO v1.1 AMA: Telegram: View @NervosNetwork

May I ask how was this attack addressed or documented?

Love & Peace, Phroi

PS:

• On-Chain Tally: DAO v1.1 Limits and a Deposit-Paired Voting Proposal
• Declassified: DAO v1.1 Telegram Files

不好意思，在原有设备上遇到一些奇怪的格式问题，我现在更换了设备，需要重新编辑已有的帖子。

我不否认dao 1.1系统中有很多中心化的服务，但是它与dao1.0(metaforo)有细微但是本质的区别。

以dao1.1提案投票过程中遇到的重复投票问题为例：

• metaforo那次危机，如果不是有人根据其他线索发现有重复投票的问题，基金会通过metaforo后台调取了投票的数据，这个问题很容易悄无声息的掩盖过去。
• 但是在dao1.1中，任何一个社区成员都可以独立发现这次投票有问题。无需额外的线索，无需后台管理权限，只依赖链上数据。

dao1.1 如何做到这一点，可以参考 去中心化与可审计性
为了方便理解，可以参考 Optimistic Rollup 的概念。dao1.1的中心化服务器类似某种fast path，用户可以随时fall back到slow path。

I apologize for encountering some strange formatting issues on the original device. I have now switched to a different device and need to re-edit the existing post.

I do not deny that there are many centralized services in the DAO 1.1 system, but it has subtle yet essential differences from DAO 1.0 (Metaforo).

Taking the duplicate voting issue encountered during the DAO 1.1 proposal voting process as an example:

• In the Metaforo crisis, if someone had not discovered the duplicate voting problem based on other clues, and the foundation had not retrieved the voting data through the Metaforo backend, this issue could easily have been quietly covered up.
• However, in DAO 1.1, any community member can independently detect that something was wrong with this vote. No additional clues are needed, no backend administrative privileges are required—only on-chain data is relied upon.

For how DAO 1.1 achieves this, please refer to Decentralization and Auditability

For easier understanding, you may refer to the concept of Optimistic Rollup. The centralized servers in DAO 1.1 function similarly to a kind of “fast path,” and users can fall back to the “slow path” at any time.

For the specific scenario you mentioned, users can construct the voter list from on-chain data and generate the SMT proof they need themselves, then directly submit the voting transaction—completely without relying on DAO 1.1’s centralized server.

DAO 1.1’s centralized server functions as a fast path—users can always fall back to the slow path if needed.

To put it simply, you can think of it like Optimistic Rollup.

1. Where was this scenario documented?
2. Does the front-end currently allow for this scenario?
3. Reconstructing the whitelist is a feat in itself, are you currently publishing the whitelist somewhere?

Just post a link for each of these, I’ll be happy to review

Phroi

1. please refer to Decentralization and Auditability
2. This tool is not located in the DAO 1.1 frontend, but rather in the community’s independent audit tools. Independent audit tools must possess independence, so we hope to have them community-led in development. The coordination has not yet been completed, so development has not started. However, during the testing of the aforementioned independent audit solution, we developed an internal version. If needed, we can open-source it as a reference implementation.
3. Users do not need to rely on the voter list published by DAO 1.1. See https://docs.ccfdao.org/en/docs/developer-docs/architecture/decentralization#detailed-verification-process steps 6-10

This is the current state of documentation: https://github.com/CCF-DAO1-1/ccfdao-v1.1-docs/tree/12a6e8e15c0ebfdfbe42215cae40badde6b1e5c7

I’m well familiar with those links: they provide a high level overview of whitelist lifecycle, but they don’t even contain nearly enough details to implent an independent audit tool. Also, they do not currently describe this well known attack and its solution.

Forgetting for a second the documentation issue:

1. Does it also mean that a user can vote from any interface he prefers?
2. Does this imply that users will need to develop their own full stack to vote in that scenario?

For reference: @david-fi5box team seems to be assuming that, to work around this issue (created by the inclusion of whitelist into the design), a user needs to develop a stack that costed already more than 100k USD to develop. All this also assumes the user has such expertise.

Phroi

We are talking about DAO v1.1 every day and this is the first time you mentioned this tool.

Any other crucial information being withhold from the Community?

Let’s assume this tool minimizes trust assumptions by:

1. Running locally
2. Being easy to set-up
3. Depending exclusively on on-chain data (via local full node)
4. Not depending on operator controlled services
5. Allowing Whitelist generation
6. Allowing Whitelist audit
7. Allowing Whitelist proof of inclusion generation
8. Allowing Voting
9. Allow Vote auditing

It would be great news!!

Such tool could change the discussion:

• From: DAO v1.1 should not ship at all due to operator-controlled Voting services centralization
• To: DAO v1.1 could ship once such tool is delivered (& audited) and DAO v1.1 team passes the Metarule vote deriving from eligibility restriction due to Whitelist (OFC Whitelist still represents a long term abuse vector and there are other issues)

Publish the tool and let me audit it,
Phroi

One question, though: why is a project passing your audits deemed “good enough to publish”?

Community audits are obviously welcome, but under what circumstances can we change a proposal’s milestone delivery from “pending” to “accepted”? This is not only about DAO v1.1, but it’s also crucial for future proposals. In the future, can I also ask other proposers to pass my audits before their milestones are deemed acceptable?

If there’s a role assigned to you explicitly or implicitly to do this, then I guess it would be better for you to publicly state it. Otherwise, this situation actually confirms my concerns expressed in this post, “who represents the community?” and “how to verify milestone?”.

BTW, it’s actually quite good to see that there are finally some semi-rules determining the acceptance of a milestone; I’m just concerned that these rules are set arbitrarily.

We really seem to be getting bogged down here lately.

The name of the project is DAO 1.1, which to me means an incremental step forward, not perfection from the get go.

I don’t think eliminating voting exploits was even a part of the original proposal, because it was only during the vote for DAO 1.1 that we had some type of exploit (that we knew about anyway).

Obviously we all knew Metaforo wasn’t ideal, but I thought that the big step forward in that regard was that the new platform would be community owned and managed, so that any issues could be dealt with quickly and transparently, it wasn’t to perfect DAO voting systems.

So as long as the potential exploits are known and there’s enough people here with the ability to understand them and be on the lookout, then I think this is good enough for the team to move forward with their main goals of increasing participation and improving the experience of both project proposers and community voters.

PS: @phroi I’m not having a crack at you here, I personally really appreciate you being here to bring these issues to light, but I also think there comes a time when ‘close enough is good enough’ and we need to keep moving forward.

Hey @_magicsheep & @Yeti

Let’s also remember that the DAO V1.1 about to be launched on 16 March had:

1. Centralization issues deriving from Whitelist
2. A double counting vulnerability, similar to Mod Hack
3. A SQL injection
4. Many more issues

Status:

• 2, 3, 4 have been mostly addressed
• 1. is currently not addressed

The tool you just revealed could finally address (part of) 1. Mentioning its existance without releasing leaves 1 still unaddressed.

So to reply:

• You don’t need to pass my audit and you could choose a less strict auditor.
• On my side, I will release a public audit of such tool once you open-source it.
• Keeping the tool closed-source does not help DAO v1.1 positioning.

Allowing a Fair Vote is the basic of Voting Systems.

Not perfection defined as: attacker being able to take control of crucial votes like Meta Rule changes and Stewards elections. See: DAO v1.1 Public Testing Report - #2 by phroi

In good consience, I need to take every possible step to make sure that this doesn’t happen.

Phroi

My deep thanks to you for your efforts and what you do. We may not reach perfection, but we do not want to accept errors that can be avoided. Thank you once again. Best regards.

Statement:

As an ordinary community member, I explicitly authorize and entrust @Phroi to act on my behalf in reviewing, questioning, and auditing DAO V1.1 and its related verification tools.

This statement represents my personal position only, not that of the entire community. But it also means that @Phroi is not speaking for “no one” — he is speaking, at minimum, for community members like me who want independent review and technical scrutiny before acceptance.

This authorization remains valid until I publicly state otherwise.

Woodbury.bit

声明：

作为社区普通成员，我在此明确表示：就 DAO V1.1 及其相关验证工具的审计、审阅与技术评估事项，我个人认可并支持 @Phroi 代表我提出问题、进行质询、审阅相关设计与实现。

此表态仅代表我个人立场，不代表整个社区；但至少说明，@Phroi 并非“无权质疑”或“纯属个人自说自话”，因为他确实代表了我这样的社区成员对该系统的审计诉求。

本授权/委托持续有效，直至我本人另行公开声明撤回为止。

Woodbury.bit

Of course, but what is involved in this attack and how likely is it to happen undetected?

Is this team under it’s current proposal required to close every conceivable loophole no matter how unlikely?

Pretty sure part of the Community already expressed this persespective:

• @ebdalezyz_aljhny
• @woodbury.bit
• @matt_ckb
• @neon.bit (feel free to correct me)
• … (many others)
• me

Taking a step back, I cannot require V1.1 Team to solve the issues (created by chosing this implementaion), as this is not something an auditor can decide. I can point vulnerabilities, errors and gaps.

@Yeti feel free to direct your question to:

• @zz_tovarishch (Transitional period coordinator)
• @terrytai (DAO v1.0 committee member)
• @janx (DAO v1.0 committee member)
• @Cipher (DAO v1.0 committee member)

I’m just trying to avoid another Force Bridge on DAO v1.1,
Phroi

Yes， that’s why it is “Slow Path“.

As Yeti pointed out, we must consider probabilities. Most of the time, voting works fine. Providing a fast path for likely scenarios and a slow path for edge cases is a reasonable and pragmatic decision.

Yes, this is indeed the first time I’ve explicitly proposed this tool. But let me clarify my earlier remarks. I called it an “internal version” and didn’t release it initially because it heavily reuses code from the existing DAO 1.1 centralized services.

Your understanding is correct—in the worst case, users are essentially running the DAO 1.1 service themselves.

I mentioned this in my earlier discussion with woodbury.bit: I’m unsure whether an internal audit tool can meet the community’s independence requirements. If people question the services built by the current dev team, wouldn’t they question an auditing tool built by the same team? That’s the coordination issue I referred to earlier.

Let me give you an overview of DAO 1.1’s current status. The project is stalled on two fronts.

First, the audit tool independence issue I just mentioned—we haven’t even started building it yet.

Second, Matt and Phroi are questioning whether we should pursue a full on-chain solution. That discussion is stuck on conflicting interpretations of the meta-rules, and I’m waiting for a final decision.

So this release covers only the core DAO 1.1 implementation—no standalone audit tool, no alternative solutions.

So if anyone has suggestions on these two issues, I propose opening a separate thread for discussion.

On the second issue, I think I’ve said everything I can say.

But on the first issue, we’re still pushing forward. We welcome anyone interested in discussing this or offering technical input.

Yes, this is also what I want—rather than spending a month debating alternative solutions.