Thanks to Phroi for sharing the code review report. Since the promise to remove the whitelist stemmed from a misunderstanding, I won’t repeat those points here. Please see my replies in the repost above.
On the overall technical approach, we follow CKB’s philosophy “Don’t trust, just verify”.
Due to CKB’s cell model, a fully on-chain voting system is nearly impossible.
So our goal isn’t trustlessness, it’s verifiability.
Below are point-by-point responses to the specific technical issues raised:
3.1 The contract supports empty smt_proof to allow anyone to vote because the vote contract was designed as a general-purpose contract. In the CCFDAO context, only non-empty smt_proof is supported. VoteMeta is created by the proposer, but CCFDAO verifies that the smt_proof value matches the platform’s records—independent audit tools can easily detect discrepancies.
4.1 The audit tool can detect it.
4.2 The audit tool can detect it.
4.3 CCFDAO has checks in place for Sybil attacks, but we’ll re-verify the specific scenarios listed in the report.
4.4 For testing only; has been removed.
4.5 For testing only; has been removed.
4.6 For testing only; has been removed.
4.7 For testing only; has been removed.
4.8 The audit tool can detect it.
4.9 The audit tool can detect it.
4.10 The audit tool needs this to detect 4.8, so that it can rebuild the Merkle tree.
5.1 Users can set a new key via the CKB wallet associated with their DID.
5.2 For testing only; has been removed.
5.3 Fixed.
5.4 For testing only; has been removed.
5.5 To do: fix.
5.6 Fixed.
Finally, the audit tool is a critical part of this project, but due to scheduling constraints, this work was deprioritized. We’ll expedite its development. Community contributions are also welcome to ensure its independence.
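The audit checks described in 3.1 and 4.10 (rejecting votes with an empty proof and re-verifying every vote's proof against a tree rebuilt from the platform's whitelist), as an added example that is not code from CCFDAO, the vote contract or the original post. It assumes a simplified binary SHA-256 Merkle tree and a constructed whitelist of DIDs; the real CKB sparse Merkle tree format differs.

```python
import hashlib

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_levels(members):
    """Level 0 holds leaf hashes of whitelist members; the last level is the root."""
    level = [_h(b"\x00" + m.encode()) for m in members]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:          # duplicate the last node on odd-sized levels
            level = level + [level[-1]]
        level = [_h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def make_proof(levels, index):
    """Sibling path from leaf `index` to the root, as (hash, sibling_is_left) pairs."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sib = index ^ 1
        proof.append((level[sib], sib < index))
        index //= 2
    return proof

def verify_proof(root, member, proof):
    node = _h(b"\x00" + member.encode())
    for sib, sib_is_left in proof:
        node = _h(b"\x01" + (sib + node if sib_is_left else node + sib))
    return node == root

def audit_votes(whitelist, votes):
    """Return (voter, reason) for every vote an independent auditor should reject."""
    root = build_levels(whitelist)[-1][0]   # rebuilt from the platform's records
    findings = []
    for v in votes:
        if not v["smt_proof"]:              # contract allows it; CCFDAO does not
            findings.append((v["voter"], "empty proof"))
        elif not verify_proof(root, v["voter"], v["smt_proof"]):
            findings.append((v["voter"], "proof does not match whitelist root"))
    return findings

WHITELIST = ["did:alice", "did:bob", "did:carol"]              # constructed whitelist
LEVELS = build_levels(WHITELIST)
VOTES = [                                                        # constructed vote records
    {"voter": "did:alice", "smt_proof": make_proof(LEVELS, 0)},
    {"voter": "did:mallory", "smt_proof": []},                   # empty proof
    {"voter": "did:dave", "smt_proof": make_proof(LEVELS, 1)},   # bob's proof reused
]
```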