NDAO-0001 Do not reveal progress of vote

In the most recent DAO vote, it was clear that the vote was biased by the the count of yes/no being revealed prior to the end of the vote.

While all votes were counted, ultimately the vote was decided at the last moment by a single voter. While it is beneficial for this information to be known, it’s not the way elections function and I am sure there is good reason behind this.

It’s clear we can improve this system, putting this proposal forth to begin discussion about this idea and how we might accomplish it.

Should a zero-knowledge proof system be used? How can we ensure that no one who votes can see it, including the platform?

it does feel like zk is an important part of things

I feel a bit robbed from how that vote turned out, after the time we all spent discussing the proposal

That said, I’m not sure that vote secrecy is the right solution…

it’s not the way elections function and I am sure there is good reason behind this.

It could just be secrecy of political voters and historical reasons. So please, provide sources for your statement!

While all votes were counted, ultimately the vote was decided at the last moment by a single voter.

It felt a bit like Ebay auction bidding, where the best strategy is last second bidding, so maybe we could learn from auctions.

For example, we can extend the vote by a certain amount of time (one day?) if last vote changed the result. We can also put more safeguards to prevent malicious exploits of extensions.

Phroi

One issue I noticed is that it seems possible to change your vote at any time before the count ends—for example, someone could vote “Yes” first and then switch to “No” at the last moment. This free option can create misleading signals and encourage strategic timing. It’s better to keep all discussions and idea exchanges before voting begins. During the voting period, each eligible voter should have only one chance to cast a vote, which cannot be changed once submitted. The voting period should focus solely on casting and counting votes.

ZKPs could help protect voter privacy, but I believe aggregate results and progress should remain transparent throughout the voting period.

I see an underlying implicit assumption: this immutable vote happens on-chain. Unless we also exclude newly created UTXO, an off-chain system would have no way to actually enforce this requirement.

Side Note: for example, even DAO deposits can be timed appropriately to be withdrawn and then deposited again under a different address/user during the last moments of a vote. This without even considering the emergence of iCKB-alike DApps that take instant ownership of deposits for a fee.

Back to us, Voting lasts pretty long due too to its decentralized nature, so it is only natural for new information to emerge during voting. Such information could change completely voters mind.

I would personally also consider blurring the line between discussion and voting, to let voters signal their approval for a proposal at the very moment changes are discussed and made.

Phroi

Good catch! A possible fix is to allow only deposits older than 3 days (for example) to vote. This change also adds another benefit (I think): the number of eligible votes is determined before voting begins.

I agree that new information can always emerge during the voting period. There are alternative ways to handle this, such as adding a review/cooldown phase after voting ends and allowing counter proposals to be submitted with higher barriers/requirements. Here I prefer explicit mechanisms over implicit “allowing vote changes at any time”, since that adds unnecessary flexibility by letting votes change even when no new information has been revealed.

I agree with most of your reasoning, but I’m concerned that allowing counterproposals could create a bureaucratic bottleneck. The DAO’s goal should be to streamline decision-making and execution. Agility should be one of Nervos’s key advantages over larger networks; if it wants to thrive rather than just survive, it must double down on that strength.

A culture of agility and experimentation lets the DAO adapt fast, learn from outcomes, and keep improving. The quicker we can test and deploy ideas, the stronger and more resilient the ecosystem becomes. Nervos shouldn’t mirror the complexity of larger networks with endless debates, it should outpace them through smarter, faster, leaner execution.

I agree, it could be too much for early stages.

Hi everyone, I wanted to share two reflections I’ve had after this whole v1.1 process:

• This vote had the highest turnout in the DAO’s history, which proves that our community is still absolutely capable of mobilizing for governance. However, as we saw with the voter “Trust” (who only found out about the vote via a WeChat article a few days before the end), this flow of governance action requires a good information flow as a prerequisite.

• The Metaforo exploit, whether or not it ultimately distorted the vote, might prove that even if we don’t change a single v1.0 rule, the community needs a safer governance tool we can trust.

我自己在过去1个多月推进1.1的过程中，其实有两点感触蛮深的:

1. 这次投票的高参与度，说明社区依然能组织起治理的行动流。就像Trust他虽然一开始投了NO，但也坦诚是在通过我们各种渠道的信息沟通，才看到这个投票。所以治理的行动流需要良好的信息流作为前提保障

2. metaforo存在的漏洞无论是否造成了投票被扭曲，都说明即使完全不改1.0的规则，社区也需要一个更安全的治理工具

Thanks

@BuildUnion I’m so glad that you expressed so well this point: it’s one of the core values of next-gen Community DAO explorations. Given this need for agility and experimentation, I’d be shoked if anyone were to push for an onchain-first approach.

I’d also like to address the other point of @janx comment: by restricting voting to old enough cells we are walking the line between Predictability vs Inclusiveness. I’d personally choose Inclusiveness. That said, we need experimentation.

@zz_tovarishch given your personal experience, would you like to make an additional comment relevant to this discussion? Shortly, how voting should be in your opinion?

• Secret vs Observable?
• On-chain vs off-chain?
• Predictable vs Inclusive?
• Bureaucratic vs Agile?

Phroi

Thanks for the questions, Phroi. Let me give my preliminary thinking for each dimension:

1. Secret vs Observable?

Observable.

Visibility creates deliberation value and signaling mechanisms that we actually need. I believe this vote’s 600m+ turnout proves the point somehow: when people see their voice matters and can gauge community reception, engagement increases.

Yes, visibility also enables strategic manipulation and last-moment sniping. But here’s the key judgment: hiding the process only makes power imbalances less transparent, not less real. Large holders can swing votes at the last moment regardless of whether the count is visible. The difference is whether we see it happening or not.

I figure the root issue is power asymmetries, which are intrinsic to token-weighted voting (or PoS). The solution isn’t obscuring this fact through vote secrecy. It’s either accepting what PoS governance fundamentally is, or introducing counterbalancing mechanisms.

For instance, reputation-based weighting could complement token weight. Imagine factoring in contributions like projects built, GitHub commits, ecosystem development. Though I recognize this creates new problems: gamification risks (people farming reputation like tasks), loss of intrinsic motivation for building, and potential for reputation cartels. And @Hanssen actually pushed back hard on this idea when I discussed it with her, arguing it would strip development of its aesthetic value, LoL. But the principle stands: if we want to dilute plutocratic concentration, we need alternative sources of governance legitimacy beyond pure capital.

On the tactical level, the auction-style extension mechanism you mentioned works well: if votes in the final X hours change the outcome, automatically extend the voting period until results stabilize. This preserves visibility’s information value while reducing pure timing strategy payoffs. Additionally, quadratic voting might be another solution.

2. Predictable vs Inclusive?

Inclusive.

DAO legitimacy doesn’t derive from predictable outcomes or known voter pools. It comes from genuine stakeholder participation.

@janx 's 3-day deposit threshold aims for predictability but achieves it through exclusion. But, setting time barriers means using procedural rules to exclude potentially the most informed participants on any given proposal.

Why does this matter? Because DAO networks differ fundamentally from hierarchical organizations. Traditional structures are pyramidal. Information ideally flows upward to leaders or long-tenured decision-makers. But DAOs are flat, porous, multi-nodal networks. Someone who just joined might hold vastly more relevant information on a specific issue than a long-time holder (who hasn’t engaged with this particular topic).

If we start erecting technical barriers to participation, that might fundamentally weaken DAO governance legitimacy.

3. On-chain vs Off-chain?

I figure this actually includes two separate questions:

3.1. Should votes be changeable?
Yes.

Information transmission and comprehension take time. When new information emerges during voting (which is inevitable given the duration and DAO’s structure features), people should be able to update their positions. The vote should be a confirmation of deliberation, not a snapshot frozen in ignorance.

3.2. Should it be on-chain?

This is where Metaforo failed us. The platform couldn’t provide sufficient audit trail to verify whether vote weight was double-spent.

So I prefer a pragmatic path: off-chain execution for agility, but on-chain proofs for accountability. Like, every vote action (including changes) gets its hash or proof posted on-chain in real-time. This creates a permanent, verifiable record without sacrificing operational speed. Full on-chain migration can wait until the system matures and we’ve experimented enough to know what we actually need.

4. Bureaucratic vs Agile?

Agile, but agility requires two prerequisites:

1. Robust information flow: Let information circulate fully, let arguments develop completely, let community discourse surface the real stakes and tradeoffs.
2. Reliable action flow: The mechanisms we discussed above, verifiable on-chain proofs, preventing vote weight manipulation, auction-style extensions, and even, to a broader part, the milestone check mechanism, all serve one purpose: ensuring the integrity and accountability of the voting/governance process itself.

These are just my initial thoughts, curious to hear what others think.

感谢Phroi的提问。我对每个维度的初步思考如下：

1. 秘密还是可见？

可见。

可见性创造了我们真正需要的审议价值和信号机制。这次投票600m+的参与度某种程度上证明了这一点：当人们看到自己的声音有分量，能感知社区的接收度时，参与度会提升。

可见性确实也会带来策略性操纵和最后时刻狙击。但关键判断在于：隐藏进程只是让权力失衡变得不透明，而不是让它消失。大户无论投票进程是否可见，都能在最后时刻改变结果。区别只在于我们能否看见这件事发生。

我认为根本问题是权力不对称，这是代币加权投票（或PoS）的内在特征。解决方案不是通过投票保密来掩盖这个事实，而是要么接受PoS治理的本质，要么引入制衡机制。

比如，声誉加权可以作为代币权重的补充。想象一下把项目贡献、GitHub提交、生态建设等因素纳入考量。虽然我知道这会带来新问题：游戏化风险（刷声誉任务化）、内在建设动力的丧失、声誉卡特尔的可能。@Hanssen 当时和我讨论这个想法时就强烈反对，她认为这会剥夺开发的美感，哈哈。但原则仍然成立：如果我们想稀释财阀集中，就需要纯资本之外的其他治理合法性来源。

战术层面，你提到的拍卖式延时机制很有效：如果最后X小时内的投票改变了结果，自动延长投票期直到结果稳定。这既保留了可见性的信息价值，又降低了纯时机策略的收益。此外，二次方投票也可能是另一个解决方案。

2. 可预测还是包容？

包容。

DAO的合法性不来自可预测的结果或已知的投票者池，而来自真实的利益相关方参与。

@janx 提议的3天存款门槛追求可预测性，但通过排除来实现。设置时间门槛意味着用程序性规则来排除可能是某个提案上信息最充分的参与者。

为什么这很重要？因为DAO在根本上不同于科层组织。传统的公司、国家等结构是金字塔式的，信息理想情况下向上流动到领导者或资深决策者那里。但DAO是扁平、多孔、多节点的网络。刚加入的人可能在某个具体议题上掌握的相关信息，远多于一个没有关注这个议题的老持有者。

如果我们开始设置技术性参与门槛，这可能会从根本上削弱DAO治理的合法性。

3. 链上还是链下？

我认为这实际上包含两个独立的问题：

3.1. 投票应该可改吗？
应该。

信息传递和理解需要时间。当投票期间出现新信息时（考虑到投票时长和DAO的结构特征，这不可避免），人们应该能更新自己的立场。投票应该是审议的确认，而不是在无知中冻结的快照。

3.2. 应该在链上吗？

这正是Metaforo让我们失望的地方。平台无法提供足够的审计追踪来验证投票权重是否被双花。

所以我倾向于务实路径：链下执行保持敏捷，链上证明保证问责。比如，每个投票行为（包括改票）的哈希或证明实时上链。这创造了永久可验证的记录，同时不牺牲操作速度。完全链上化可以等系统成熟、我们充分实验知道真正需要什么之后再考虑。

4. 官僚还是敏捷？

敏捷，但敏捷需要两个前提：

1. 充分的信息流：让信息充分流通，让论证充分展开，让社区讨论浮现真正的利害关系和权衡。
2. 可靠的行动流：我们前面讨论的这些机制，可验证的链上证明、防止投票权重操纵、拍卖式延时，甚至更广义的里程碑检查机制，都服务于同一个目的：确保投票/治理过程本身的完整性和问责性。

抛砖引玉，期待大家的看法。