社区声明：关于 DAO V1.1 平台上线

Today, @phroi published a thorough code review of the DAO V1.1 platform. We want to address the community directly.
今天 Phroi 发布了一份针对 DAO V1.1 平台的完整代码审计报告。我们在此正式向社区回应。

We acknowledge the following facts:
我们确认以下事实：

• Phroi raised the voter whitelist concern on January 27. The team is committed to removing it before the mainnet launch. As of today, the commitment was only partially filled, as there are two whitelist mechanisms as specified in David’s post. Also, Phroi’s follow-up on Nervos Talk (post #115, March 7) went unanswered for over a week. This is a failure in our communication and coordination, and we take full responsibility.

• Phroi 于1月27日提出了投票白名单的问题。团队当时承诺在主网上线前移除。截至今天，该承诺只完成了部分兑现, 具体原因见此贴. 而且 Phroi 在 Nervos Talk 上的跟进（#115，3月7日）也超过一周未获回应。这是我们在沟通和协调上的失误，我们对此负全部责任。

• The audit report identified issues beyond the whitelist, including unauthenticated API endpoints, test code left in production, and the absence of an independent verification tool for vote tallies. These findings are legitimate. The dev team has begun addressing them. Here is the current progress.

• 审计报告指出的问题不仅限于白名单，还包括未认证的 API 端点、生产环境中残留的测试代码，以及缺少独立的投票计票验证工具。这些发现属实。开发团队已开始处理，目前处理结果见此贴。

What we are doing:
我们的应对方案：

• The March 16 mainnet launch is postponed. The platform has not yet met the delivery standard for Milestone 2 (Mainnet Launch and Trial Operation) as defined in the approved V1.1 proposal. The public testing period described below is part of the process to bring the deliverables to an acceptable state for community review.

• 3月16日的主网上线暂缓。平台尚未达到 V1.1 提案中 Milestone 2（主网上线与试运行）的交付标准。下述公开测试期是推动交付物达到社区验收标准的过程之一。

• The platform will be available soon for a 4-week public testing period starting this week. We invite all community members to participate as testers.

• 用于为期4周的社区测试平台将在本周发布给社区。我们邀请所有社区成员参与测试。

• The dev team will work with community contributors to build an independent chain-reading audit tool, so that vote results can be verified without trusting the platform operator.

• 开发团队将与社区贡献者合作开发一个独立的链上审计工具，使投票结果可以在不依赖平台运营者的情况下被独立验证。

• At the end of the testing period, the steward team will submit a Milestone 2 verification report. The community will review the platform’s readiness through the existing milestone acceptance process under V1.0 rules.

• 测试期结束后，物业团队将提交 Milestone 2 验收报告。社区将按照 V1.0 规则下现有的里程碑验收流程，审核平台是否达到上线标准。

Regarding AMA:
关于AMA：

• The AMA will proceed as scheduled, but the agenda is adjusted. It will focus on a transparent walkthrough of the audit findings, what has been fixed, what is still in progress, and the testing period plan outlined above. The leadership and dev team will be present to answer technical questions directly.

• AMA 将按原定时间进行，但议程调整。重点将围绕审计报告的发现进行透明说明：哪些已修复、哪些仍在处理中，以及上述测试期计划。领导团队和开发团队将出席，直接回答技术问题。

• Going forward, we will use this thread as a single, dedicated place, the central hub for all feedback, questions, and issue tracking during the public testing period. All findings from Phroi’s audit will be listed here, along with their current resolution status.

• 未来我们将使用本帖作为测试期间所有反馈、问题和进度追踪的集中入口。Phroi 审计报告中的所有发现将逐项列出并标注处理状态。

• We want to thank Phroi for investing significant personal time and effort into this review. This is exactly the kind of community participation that makes the DAO stronger. We are committed to earning the community’s trust through actions, not assurances.

• 我们感谢 Phroi 投入大量个人时间和精力完成这次审查。这正是让 DAO 变得更强的社区参与方式。我们将通过行动而非承诺来赢得社区的信任。

DAO V1.1 Proposal & Steward Team
DAO V1.1 提案和物业团队

Hey CKB community,

We hosted an AMA today regarding the latest DAO v1.1 situation. You can find the detailed transcript discussion here.

在今天举行的AMA中，我们主要讨论了最近的 DAO v1.1 版本的相关情况。详细的讨论记录可以在这里查看。

To summarize:

• We will start a one-month public review phase for the platform today. We strongly encourage the community to participate in the testing so we can eliminate as many bugs as possible. The testnet is: https://ccfdao.dev

• 从今天起，我们将开启为期一个月的平台公测阶段。我们强烈鼓励大家积极参与测试，帮助我们尽可能多地发现并修复漏洞。测试网链接是：https://ccfdao.dev

• For a better testing experience, we encourage each tester to send us their wallet address + DID (not the DID document, just the ID), so you can also test the steward team’s proposal management panel. The voting period for the testnet is set to 50 blocks.

• 为了获得更好的测试体验，我们建议每位测试者将您的钱包地址和 DID（去中心化身份标识，不是 DID 文档，只是 ID 本身）发送给我们。这样您也可以同时测试物业团队（Steward Team）的提案管理面板。测试网的投票周期目前设置为 50 个区块。

• The core dev team will post their design decisions behind the whitelist mechanism so the whole community has a chance to discuss whether it’s a suitable tradeoff or not.

• 核心开发团队后续将会发布关于白名单机制背后的设计思路，让整个社区有机会一起讨论这个方案是否合适。

• The dev team has addressed the bugs listed in Phroi’s post. You can find the codes here:
  – Backend: GitHub - CCF-DAO1-1/app_view · GitHub
  – Frontend: GitHub - CCF-DAO1-1/ckb-fund-dao-ui: CKB Community Fund DAO v1.1 Frontend · GitHub

• 开发团队已经修复了 Phroi 帖子中列出的漏洞。相关代码在这里：
  – 后端：GitHub - CCF-DAO1-1/app_view · GitHub
  – 前端：GitHub - CCF-DAO1-1/ckb-fund-dao-ui: CKB Community Fund DAO v1.1 Frontend · GitHub

• For better communication going forward, we encourage the community:
  – For general discussion: Use this post.
  – For bugs: Submit issues to the above-mentioned GitHub repos.
  – For support: @ for support in your comment for this post. You can find each person’s responsibility below.

• 为了方便后续沟通，我们建议社区：
  – 常规讨论：使用本帖。
  – 报告漏洞：向上述 GitHub 仓库提交 Issue。
  – 寻求支持：请在本帖评论中 @ 相关人员。以下为相关人员分工。

• Responsibilities:
  – @_magicsheep : Currently responsible for the DAO v1.1 day-to-day operation. @ him for anything. (目前负责 DAO v1.1 的日常运营。有任何问题都可以 @ 他)
  – @NightLantern : Steward team member. (物业团队成员)
  – @zz_tovarishch : Familiar with Metaforo and the DAO v1.1 rules. (熟悉 Metaforo和 DAO v1.1 的规则)
  – @david-fi5box : Core dev and architecture designer of the DAO v1.1 platform. (DAO v1.1 平台的核心开发者和架构设计师)

Also, based on the previous participation rate, we noticed that live AMAs are not the best way to reach the community. So we will use this post to host weekly text-based AMAs until the public testing period ends (2026.04.16).

另外，根据之前的参与情况，我们发现实时 AMA 可能不是触达社区的最佳方式。因此，在公测期结束前（2026 年 4 月 16 日），我们将每周在本帖中举办文字版 AMA。

Thanks for all the attention from the community.
感谢社区的持续关注

DAO V1.1 Proposal & Steward Team
DAO V1.1 提案和物业团队

感谢团队暂停主网上线并开启公开测试。我认为这是一个负责任的决定，也说明社区提出的担忧已经被认真对待。你们在声明中承认了 whitelist（即以白名单作为准入条件，而非完全开放的无需许可参与）、未认证 API、生产环境残留测试代码，以及缺少独立计票验证工具等问题，并决定先进入 4 周公开测试，这一步我认可。

不过，我还是想继续请教几个我比较关心的问题。
在我理解里，当前争议的核心已经不只是一些具体 bug，而是 DAO 的投票资格边界是否仍然会事实上受到后台流程的影响。如果 whitelist 白名单仍然是实际准入条件，而社区又暂时还不能在不信任平台运营方的前提下独立复算资格集合与计票结果，那么很多人的顾虑其实还没有真正消除。

所以我比较想看到的是更明确的说明：
第一，whitelist 的最终方向是什么，是保留、弱化，还是移除？
第二，独立审计工具预计会在什么阶段给社区可用版本？
第三，在这 4 周公开测试结束前，团队是否会给出一份清晰的整改清单和时间表，让社区知道哪些是已经修复的，哪些还在讨论中？

我只是觉得，对于一个治理系统来说，代码公开本身并不等于治理可信；更关键的是资格规则、计票过程和最终结果，能否被社区独立验证。只要这条闭环还没有完全建立，社区继续保持谨慎，我觉得是合理的。

Thanks for postponing the mainnet launch and opening a public testing period. I think that was the right decision, and I appreciate that the concerns raised by the community are being taken seriously.

That said, I still have a few questions.
For me, the core issue is no longer just a few bugs, but whether the voting eligibility boundary is still effectively influenced by backend-controlled processes. If the whitelist (rather than a truly decentralized and permissionless system) remains an actual access condition, and the community still cannot independently reconstruct eligibility and tally results without trusting the operator, then the main governance concern may not yet be resolved.

So I would really appreciate more clarity on three points:

1. What is the final direction of the whitelist mechanism?
2. When will the independent audit tool be available for community use?
3. Before the 4-week testing period ends, can the team provide a concrete remediation checklist and timeline?

I simply think that for a governance system, open code alone is not enough — eligibility rules, tally flow, and final results should also be independently verifiable by the community. Until that loop is fully in place, I think continued caution is reasonable.

哈咯，感谢支持！

1. 关于whitelist：这个机制目前还是处于保留的状态，开发团队的 @david-fi5box 已经准备好了一份详细的技术说明文档介绍这里面的trade off，预计明天会发布出来，到时候我们十分欢迎社区对设计思路进行讨论。
2. 关于审计工具：技术团队会提供详细的技术解释（文档），但是工具需要由社区主导开发，不然依然无法解决conflict of interest的问题（提案团队自己开发工具验证自己的解决方案）。
3. 关于整改清单：是的，在测试结束前我们会发布一份问题修复清单便于社区验证系统是否经过了详尽的修复。

你说的对，代码公开很重要，但它只是第一步，独立验证的能力才是能让社区放心的解决方案，提案团队也正在为此做积极的准备。

Hey, thank you for your support!

1. Regarding the whitelist : This mechanism is currently still reserved. @david-fi5box from the development team has prepared a detailed technical explanation document outlining the trade-offs involved. It is expected to be released tomorrow, and we warmly welcome the community to discuss the design approach then.
2. Regarding the auditing tools : The technical team will provide a detailed technical explanation (documentation), but the tools themselves need to be developed and led by the community. Otherwise, the conflict-of-interest issue cannot be resolved (i.e., the proposal team developing the tools to verify its own solutions).
3. Regarding the rectification list : Yes, before the testing concludes, we will release a list of issue fixes to facilitate the community in verifying whether the system has undergone thorough remediation.

You’re right that making the code public is important, but it is only the first step. The ability to conduct independent verification will truly reassure the community, and the proposal team is actively preparing to make it possible.

感谢回复，也感谢你们愿意继续解释这部分设计思路。

存在投票白名单，在我看来是一个原则问题。
我期待的是基于公开规则的自由参与，而不是一个需要预先准入的投票体系。只要投票资格边界仍然依赖白名单机制，社区就很难消除对人为控制空间的担忧。

如果白名单真的是核心架构的一部分，那它应该体现在最早的系统设计说明和治理讨论里；如果它直到上线前才被系统化解释，那问题就不只是设计本身，而是设计透明度和治理流程顺序都出了问题。
况且，在我看来，去中心化治理基础设施最核心的投票资格层，本就不应建立在白名单准入逻辑之上。

Metaforo 更符合“自由投票”的直觉，但它的老问题也说明，不能只靠事后人工剔除重复票。
DAO1.1 试图解决这个问题，却把系统进一步推向了“前置准入”。在我看来，相比事后纠偏，一个由白名单控制的前置准入体系，反而会带来更大的治理疑虑。

Thank you for the reply, and also thank you for continuing to explain this part of the design thinking.

The existence of a voting whitelist is, in my view, a matter of principle.
What I expect is free participation based on open rules, rather than a voting system that requires prior admission. As long as the boundary of voting eligibility still depends on a whitelist mechanism, it will be difficult for the community to dispel concerns about human-controlled discretion.

If the whitelist is truly part of the core architecture, then it should have been clearly reflected in the earliest system design documentation and governance discussions; if it is only being systematically explained right before launch, then the problem is no longer just the design itself, but also the transparency of the design and the sequencing of the governance process.
Moreover, in my view, the most fundamental voting eligibility layer of decentralized governance infrastructure should not be built on a whitelist-based admission logic in the first place.

Metaforo aligns more closely with the intuition of free voting, but its past issues also show that repeated voting cannot simply be handled through manual exclusion afterward.
DAO1.1 is trying to solve that problem, but in doing so it pushes the system further toward “pre-admission.” In my view, compared with post-hoc correction, a whitelist-controlled pre-admission system creates even greater governance concerns.

Hey woodbury,

Here is a document prepared by @david-fi5box , maybe this can explain some of the thinkings behind the current voting system design:

感谢补充这篇文档。我认真读了以后，反而觉得我的核心疑问更明确了。

我现在的理解很简单：在 DAO1.1 里，投票不是“谁满足公开规则就能直接投”，而是“先进入一份名单，才能投”。
因为文档已经明确写了，DAO1.1 实际上采用的是 restricted vote：smt_root_hash 在实际使用中是 required，合约会先验证投票地址是否在 voter list 里。也就是说，不在这份名单里，就算你有真实的 CKB 质押，也进不了投票环节。

所以，对我来说，问题已经不只是 “whitelist 这个名字好不好听”，而是：

这份名单，到底只是机械生成的资格快照，还是后台在实现层面仍然保留了手动影响它的能力？

这正是我现在最想确认的点。

因为 @phroi 的代码审查里有一句非常关键的话：

“Anyone with database access can… Directly UPDATE the vote_whitelist table to add or remove addresses”

@phroi 后面还把这个过程解释得很具体：
如果有人能访问数据库，就可以等 nightly whitelist cron job 跑完后，直接改 vote_whitelist 表，增删地址；之后新创建的 vote 会引用修改后的名单，被移除的人去调用 /api/vote/prepare 时，就会收到 “Not in the whitelist”。这当然不等于已经发生了操控，但它说明一个更关键的问题：

当前公开文档解释了名单按什么规则生成，却没有充分证明当前实现已经在技术上排除了后台手动影响名单的可能。

这也是为什么我觉得，把 whitelist 改叫 voter list，并没有改变事情的本质。
只要链上合约验证的仍然是“你是否在这份预先生成的名单里”，那治理逻辑就已经从“符合公开规则即可参与”，变成了“先被纳入资格集合，才可以参与”。
这不是术语问题，而是治理结构问题。

进一步说，如果 whitelist / voter list 真的是核心架构的一部分，那么它就应该在最早的系统设计说明和治理讨论里被明确提出，并接受充分讨论。
如果它直到接近上线时，才被系统化解释为一个 design trade-off，那么问题就不只是设计本身，而是设计透明度和治理流程顺序都出了问题。

另外，我也想补充一点关于你们提到的 independent chain-reading audit tool。

我理解，团队说会和社区贡献者一起开发一个独立的链上审计工具，这当然比完全由提案团队单独开发更好。
但在我看来，“有社区贡献者参与”本身还不自动等于“已经足够独立”。

真正关键的是：

1. 这些社区贡献者具体是谁，是否具有足够的独立性；
2. 工具最终由谁主导，谁定义验证范围，谁掌握解释权；
3. 代码和规则是否会完全开源；
4. 社区是否能够自己运行这个工具，独立重建 voter list、重算 smt_root_hash、重算 tally，并复现相同结果。

如果这个工具只是团队自己开发、自己发布、自己解释，那么它仍然没有从根本上消除同样的信任问题。
所以在我看来，这样的工具至少需要做到：代码开源、规则公开、社区可自行运行、独立贡献者可以复现相同结果。
只有这样，它才更接近真正意义上的 “independent audit tool”，而不只是平台方提供的一个查看工具。

我也想顺便补一句：
如果这仍然是一个 still under testing / public review 的系统，我也希望团队能更明确地说明：

1. 整体测试到底是谁做的？有没有公开的测试用例和测试报告？
2. 测试环境和生产环境现在是否已经完全分离？对应的 URL、API、合约地址分别是什么？
3. 为什么社区测试者还要先承担 450+ CKB 的 DID 成本，才能真正参与完整测试流程？

这些问题虽然是次级问题，但也都会影响社区对系统是否已经准备好正式上线的判断。

所以，我现在最核心的想法其实很简单：

如果投票资格边界仍然依赖一份预先生成的名单，那么团队除了说明这份名单“按什么规则生成”，还应该进一步说明并证明：当前实现是否真的已经排除了后台人工 override、数据库改表、临时替换 root、或者在 proof 准备阶段人为影响名单的可能。

同样，即使审计工具由开发团队与社区贡献者共同完成，团队也仍然需要进一步说明：这个工具是否足够独立、是否可以由社区自行运行、以及是否真的能在不依赖平台运营方的前提下完成验证。

如果这些问题还没有被明确回答和证明，那么在我看来，核心争议就仍然没有真正解决。

Thank you for sharing this document. After reading it carefully, my core concern actually became clearer.

My understanding is now very simple: in DAO1.1, voting is no longer “whoever satisfies the open rules can vote directly,” but rather “you must first be included in a list in order to vote.”
The documentation now makes this explicit: DAO1.1 is using a restricted-vote model in practice. smt_root_hash is required in actual usage, and the contract first checks whether the voting address is included in the voter list. In other words, if you are not in that list, then even real CKB deposits do not get you into the voting process.

So for me, the issue is no longer whether the word “whitelist” sounds too centralized. The real question is:

Is this list merely a mechanically generated eligibility snapshot, or does the backend still retain implementation-level ability to influence it manually?

That is the point I most want clarified.

Because @phroi’s code review contains one especially important line:

“Anyone with database access can… Directly UPDATE the vote_whitelist table to add or remove addresses”

@phroi then explains the flow more concretely:
if someone has database access, they can wait until the nightly whitelist cron job finishes, then directly modify the vote_whitelist table by adding or removing addresses; any subsequent vote creation would then reference the modified list, and a removed user calling /api/vote/prepare would get “Not in the whitelist.” This is of course not proof that manipulation has already happened, but it points to a more important issue:

the current public documentation explains how the list is supposed to be generated, but it does not yet sufficiently prove that the current implementation has technically eliminated backend-side manual influence over that list.

That is also why I do not think renaming “whitelist” to “voter list” changes the substance of the issue.
As long as the on-chain contract still checks whether a voter is included in a pre-generated list, the governance logic has already shifted from “whoever satisfies open rules can participate” to “whoever is first admitted into the eligibility set can participate.”
That is not a terminology issue. It is a governance-structure issue.

Going one step further: if the whitelist / voter list is truly part of the core architecture, then it should have been made explicit in the earliest system design documentation and governance discussions, and subjected to full debate at that stage.
If it is only being systematically explained near launch as a design trade-off, then the problem is no longer just the design itself, but also the transparency of the design and the sequencing of the governance process.

I would also like to add one more point regarding the independent chain-reading audit tool mentioned by the team.

I understand that the team says it will work together with community contributors to build such a tool, and that is certainly better than having the proposal team build it entirely on its own.
However, in my view, the mere fact that “community contributors” are involved does not automatically mean the tool is already sufficiently independent.

What matters more is:

1. who those community contributors actually are, and whether they have sufficient independence;
2. who ultimately leads the tool, defines the verification scope, and holds interpretive authority;
3. whether the code and verification rules will be fully open-source and transparent;
4. whether the community will be able to run the tool independently, reconstruct the voter list, recompute the smt_root_hash, recompute the tally, and reproduce the same results on its own.

If the tool is still developed, released, and interpreted primarily by the team itself, then the same trust problem is not fundamentally removed.
So in my view, such a tool must at minimum be: open-source, rule-transparent, runnable by the community, and reproducible by independent contributors.
Only then would it be closer to a truly independent audit tool, rather than simply another platform-provided viewing tool.

I would also add one more point.
If this is still a system under testing / public review, then I also hope the team can clarify the following more explicitly:

1. Who actually performed the overall testing, and is there any public test plan or test report?
2. Are the test environment and production environment now fully separated, and what are the corresponding URLs, APIs, and contract addresses?
3. Why must community testers first bear the 450+ CKB DID cost in order to meaningfully participate in the full testing workflow?

These may be secondary questions, but they also affect whether the community can reasonably view the system as ready for formal launch.

So my core point is actually very simple:

If voting eligibility still depends on a pre-generated list, then in addition to explaining how that list is “supposed” to be generated, the team should also explain and demonstrate whether the current implementation has truly eliminated manual override, database-level list modification, temporary root replacement, or human intervention during proof preparation.

Likewise, even if the audit tool is developed jointly by the dev team and community contributors, the team should still further clarify whether that tool is truly independent, whether it can be run by the community itself, and whether it can actually verify results without reliance on the platform operator.

If these questions have still not been clearly answered and demonstrated, then in my view the core controversy has not actually been resolved.

附录：DAO1.1第一步发起提案字体反色BUG | Appendix: Font Contrast Bug in Step 1 of DAO1.1 Proposal Submission

image364×334 27.1 KB

哈咯感谢参与测试！

1. 关于白名单设计思路的问题：目前的设计方案所采取的trade-off是开发团队经过讨论确定的，这当然不意味着它就是最好的，所以这次公开测试的主要目的就是希望社区了解这后面的trade-off，如果社区有人可以提出更好的设计方案（比如Phroi在另一个帖子里提到他准备提出一个新的方案）我们可以一起讨论。

2. 关于社区验证工具：此工具将由社区主导开发。

3. 关于核心问题1: 社区独立验证工具存在的意义之一就是社区可以不依赖开发团队的任何承诺自行进行验证。

4. 关于测试成本问题：为了尽可能逼真的模拟最终产品，目前的版本部署在CKB主网上，这样当公开测试结束后开发团队只需要切换域名即可，避免了进一步修改环境产生的社区不信任和其它问题。

Thank you for participating in the testing!

1. Regarding the whitelist design approach : The trade-off in the current design was determined by the development team after discussion. This doesn’t mean it’s the best possible solution, so a key goal of this public test is to help the community understand the trade-offs involved. If anyone in the community can propose a better design (for example, Phroi mentioned in another post that they are planning to suggest a new approach), we can discuss it together.

2. Regarding the community verification tool : This tool will be developed under the leadership of the community.

3. Regarding Core Question 1 : One of the purposes of having an independent community verification tool is to allow the community to conduct verifications on their own without relying on any commitments from the development team.

4. Regarding testing costs : To simulate the final product as realistically as possible, the current version is deployed on the CKB mainnet. This way, once the public testing is complete, the development team only needs to switch the domain, avoiding further environmental changes that could lead to community distrust or other issues.

哈哈。
麻烦帮我看看我的理解对不对？

目前 DAO1.1 的问题，好像不是“系统能不能跑起来”，而是社区还没有办法在不依赖平台方的前提下独立验证投票系统的公正性，所以才需要社区主导开发审计工具。
如果按这个逻辑理解，那么在审计工具还没有上线，或者还没有等效的社区独立验证能力之前，DAO1.1 是否就还不具备正式上线所需要的治理可信度？

那这样一来，后面的关联问题就很多了。比如：

1. 如果测试报告和测试用例都还没有公开，系统是怎么验收的？
2. 如果连验收都还说不清，那现在是不是等于直接拿接近生产的系统去试错？

我作为散户，其实最在乎的不是你们用了多少技术词汇，而是：
投票到底公不公平，能不能被社区独立验证。
散户最在乎的，其实就是投票公平性。

PS： 我以前打 Unicorn 的时候，上线时用 Neuron 钱包铸造 Unicorn 的流程完全没有测试过，根本不可用。结果每次尝试都会消耗 CKB，但铸造还是失败，前后烧了不少 CKB。后来 Unicorn 说会退款，但到现在我的钱包里依然没有看到退款。
所以我现在对“先上线再说、后面再修”这类逻辑，会天然比较谨慎。哎。

说到这里，我其实也不想再反复追问同一个问题了。
我只是希望，后面的回应能够更多落在实现层和验证层本身，这样社区也能更容易判断这些问题到底有没有真正被解决。

最后，也向 @phroi 致意！是你的认真和严谨，才能让我思考这些问题。

Haha.
Could you please help me check whether my understanding is correct?

It seems to me that the core issue with DAO1.1 is not whether the system can technically run, but whether the community can independently verify the fairness of the voting system without relying on the platform operator. That seems to be exactly why a community-led audit tool is being proposed.

If that logic is correct, then before the audit tool is actually available — or before there is any equivalent form of community-independent verification — does DAO1.1 really have the level of governance credibility required for formal launch?

Once I think about it this way, many related questions follow.

For example:

1. If the test report and test cases have still not been made public, then how was the system actually accepted?
2. If even the acceptance process is still unclear, then are we effectively using a near-production system to trial and error in real conditions?

As a retail participant, what I care about most is not how many technical terms are used, but this:

Is the voting actually fair, and can that fairness be independently verified by the community?

That is what retail participants care about most: the fairness of the vote.

PS: When Unicorn launched, the Unicorn minting flow through the Neuron wallet did not have any test, was basically unusable. Every attempt consumed CKB, but the mint still failed, and I ended up burning quite a lot of CKB. Later Unicorn said refunds would be issued, but to this day I still have not seen any refund in my wallet.
So I am naturally cautious about this kind of logic: launch first, fix later. Sigh.

At this point, I honestly do not want to keep repeating the same question again and again.
I only hope that future responses can focus more directly on the implementation and verification issues themselves, so that the community can more easily judge whether these concerns have actually been resolved.

Finally, I also want to express my respect to @phroi.
It is your seriousness and rigor that helped me raise these questions more clearly.

DAO v1.1 Bug Fixing Report

Issues and Fixes

Thanks to the community member @phroi for the voluntary work. More bugs of the DAO v1.1 platform have been uncovered and listed here

The table below shows the current progress on bug fixes; the numbers in the first column correspond to those in Phroi’s original post.

Additionally, since community members @woodbury.bit and @phroi both raised concerns about the system design’s centralization risk, the proposal team proposes a possible countermeasure in the last section of this post.

On Issue 5.1 (Browser-only key storage)

Before reaching the current solution, the proposal team also considered the following options:

1. Same as Bluesky: Store sign key in a centralized PDS. Rejected due to high centralization risk.
2. Reuse existing CKB wallet: Two possible ways have been considered.
   • Set a dedicated key derivation path: Use the user’s existing ckb address to derive a sign key. Rejected because wallets do not support customized private key derivation paths for security reasons.
   • Deterministic signature: Use the user’s existing ckb address to sign a pre-determined message, and use the hash of the signature as the sign key. Rejected because ckb does not require the signature algorithm used by wallets to be deterministic.
3. Use one DID document to manage multiple sign keys: Create a new sign key each time a user uses the same DID on a new device. Rejected due to the complex key maintenance procedure, requiring on-chain transactions when adding/deleting keys, and poor compatibility with the AT protocol.
4. Similar to Google: Key backup service. Rejected due to high centralization risk.

After the above discussions, the proposal team had to make a trade-off between user experience and security, which led to the current solution: store the sign key in the user-controlled browser’s local storage.

The Original Context of DAO v1.1 Proposal

It is important for the community to understand the proposal’s scope and its goals - a small step forward to a better governance system. So the proposal team highlighted some crucial information from the original proposal below.

The Problems v1.1 Tried to Solve

Five challenges were identified in the original DAO v1.1 proposal. Three of them are listed here, which are most relevant to the current debates happening around the platform.

• Problem 1: Lack of institutionalized operational processes
• Problem 2: Fragmented governance tools
• Problem 3: Lack of information dissemination channels

The DAO v1.1 was never meant to be the final solution for CKB governance; it is a “small step forward,” as stated in the original proposal. The v1.1 platform is an attempt to provide a unified tool to help the community govern DAO proposals (Problems 2 + 3). The steward team is meant to provide guidance and assist the community during the entire proposal process (Problem 1).

However, the effects of Problem 1, combined with those of Problem 3, have already been shown. The discussion about the DAO v1.1 M2 delivery has been scattered across different Nervos Talk posts and Discord and Telegram channels.

The proposal team acknowledges that bugs are preventing the v1.1 platform from being launched, even as a trial run, and is providing active fixes based on community feedback (as shown in the Issues vs. Fixes table).

But, 1) as a result of lacking a formal procedure for evaluating deliveries (the exact problem the v1.1 platform meant to solve), the proposal team and the community have gradually come to a deadlock; 2) as a result of lacking information dissemination channels, some community members might feel unheard of or abandoned in the discussion, even though the problems have been answered in detail in other places.

The Steward Team

The steward team’s role has been described, debated, and modified in the original proposal. The steward team also prepared a document, “Steward Operation Manual,” to help the community understand the steward teams’ responsibilities.

• Description in proposal: Section 3.A
• Steward Operation Manual: Steward Operation Manual (Draft) - Google ドキュメント

The first three-person steward team serves only a transitional role for the first year, handling complex situations like the one we are currently in. After that, the steward team would be selected and voted on by the community. This was also described in detail in the proposal, which has passed the meta-rule change voting.

Core Design Philosophy

The three core philosophies are:

• Unified experience: to solve the fragmented tooling issue.
• Transparency: coordinated by the steward team to let the community know what happens in the full lifecycle of a proposal.
• Data ownership: web5-based identity solution.

Deliverable Checklist

The core deliverables of M2 described in the proposal are listed here, so the community can have a focused discussion to push this project forward:

• (Implemented) Enhancement of homepage functionality, including a data overview dashboard, proposal search, and status filtering.
• (Implemented) Launch of the milestone-based proposal governance feature.
• (Implemented) Completion of the Stewards Team and Governance Rules information pages.
• (In progress) The first round of bug fixes and UI/UX optimizations based on community feedback.
• (In progress) A feature-complete platform stably deployed in the mainnet production environment.

Milestone Evaluation

Since the CKB governance is transitioning from v1.0 to v1.1, with the new rule not yet in effect, the milestone evaluation will follow the v1.0 procedure. Since there is no specific process for milestone evaluation under the v1.0 rule, the proposal team will publish the M2 report (after Apr.17) to the community for evaluation. In case of a dispute, the final arbitration power lies with the Committee, not with the steward team or any members of the proposal team.

Regarding Centralization

The platform has already entered the third week of a 4-week public testing, and the proposal team is working to fix bugs; however, there is another issue they’d like the whole community to discuss.

Deployment and Maintenance

The proposal team is willing to cover deployment and maintenance themselves. However, since the community has raised concerns about potential manipulation, the proposal team is also open to funding a third party to manage deployment and maintenance.

Proper Maintenance Process

Even if the community feels comfortable letting the proposal team handle maintenance, it’s still important to establish a clear process for community members who want to contribute to the codebase. The proposal team would like to hear the community’s suggestions on this matter.

Sincerely,
Haoyang - The Steward Team

DAO v1.1 修复报告

问题与修复

感谢社区成员 @phroi 的志愿工作。更多关于 DAO v1.1 平台的错误已被发现并列出 在此。

下表展示了当前的修复进度；第一列中的编号与 Phroi 原始帖子中的编号相对应。

此外，由于社区成员 @woodbury.bit 和 @phroi 都对系统设计的中心化风险提出了担忧，提案团队在本帖的最后一部分提出了一个可能的应对措施。

关于问题 5.1（仅限浏览器的密钥存储）

在达成当前解决方案之前，提案团队也考虑了以下选项：

1. 与 Bluesky 相同：将签名密钥存储在中心化的 PDS 中。因中心化风险过高而被拒绝。
2. 复用现有的 CKB 钱包：考虑了两种可能的方式。
   • 设置专用的密钥派生路径：使用用户现有的 ckb 地址派生签名密钥。因钱包出于安全考虑不支持自定义私钥派生路径而被拒绝。
   • 确定性签名：使用用户现有的 ckb 地址对预先确定的消息进行签名，并将签名的哈希值作为签名密钥。因 ckb 不要求钱包使用的签名算法具有确定性而被拒绝。
3. 使用一个 DID 文档管理多个签名密钥：每次用户在新设备上使用同一个 DID 时创建一个新的签名密钥。因密钥维护流程复杂、添加/删除密钥需要链上交易、以及与 AT 协议兼容性差而被拒绝。
4. 类似谷歌的方案：密钥备份服务。因中心化风险过高而被拒绝。

经过上述讨论，提案团队不得不在用户体验和安全性之间做出权衡，从而得出了当前的解决方案：将签名密钥存储在用户可控的浏览器本地存储中。

DAO v1.1 提案的原始背景

让社区了解该提案的范围及其目标——朝着更好的治理系统迈出的一小步——非常重要。因此，提案团队在下方强调了原始提案中的一些关键信息。

v1.1 试图解决的问题

原始 DAO v1.1 提案中确定了五个挑战。此处列出其中三个，它们与当前围绕该平台发生的讨论最为相关。

• 问题 1：缺乏制度化的运营流程
• 问题 2：治理工具碎片化
• 问题 3：缺乏信息传播渠道

DAO v1.1 从来都不是 CKB 治理的最终解决方案；正如原始提案所述，它只是“迈出的一小步”。v1.1 平台试图提供一个统一的工具来帮助社区治理 DAO 提案（问题 2 + 3）。物业团队则旨在在整个提案过程中提供指导并协助社区（问题 1）。

然而，问题 1 和问题 3 的影响已经显现。关于 DAO v1.1 M2 交付的讨论分散在不同的 Nervos Talk 帖子以及 Discord 和 Telegram 频道中。

提案团队承认，代码bug阻碍了 v1.1 平台的启动（即使是试运行），并且正在根据社区的反馈积极提供修复（如“问题与修复”表格所示）。

但是，1) 由于缺乏评估交付成果的正式程序（这正是 v1.1 平台试图解决的问题），提案团队与社区逐渐陷入僵局；2) 由于缺乏信息传播渠道，一些社区成员可能会感到自己的声音未被听取或在讨论中被忽视，即使相关问题已在其他地方得到详细解答。

物业团队

物业团队的角色在原始提案中已被描述、辩论和修改。物业团队还准备了一份文件《物业团队操作手册》，以帮助社区理解物业团队的职责。

• 提案中的描述：第 3.A 节
• 物业团队操作手册：Steward Operation Manual (Draft) - Google ドキュメント

首届三人物业团队仅在头一年担任过渡角色，处理像当前我们所处的这类复杂情况。此后，物业团队将由社区选拔和投票产生。这一点在已通过元规则变更投票的提案中也有详细描述。

核心设计理念

三个核心理念是：

• 统一体验：解决工具碎片化问题。
• 透明度：由物业团队协调，让社区了解提案完整生命周期中发生的事情。
• 数据所有权：基于 Web5 的身份解决方案。

可交付成果清单

以下列出提案中描述的 M2 核心可交付成果，以便社区进行有针对性的讨论，推动该项目向前发展：

• （已交付） 增强首页功能，包括数据概览仪表板、提案搜索和状态筛选。
• （已交付） 推出基于里程碑的提案治理功能。
• （已交付） 完成物业团队和治理规则信息页面。
• （进行中） 根据社区反馈进行第一轮错误修复和 UI/UX 优化。
• （进行中） 一个功能完备的平台，稳定部署在主网生产环境中。

里程碑评估

由于 CKB 治理正在从 v1.0 过渡到 v1.1，新规则尚未生效，里程碑评估将遵循 v1.0 的流程。由于 v1.0 规则下没有具体的里程碑评估流程，提案团队将在 4 月 17 日之后将 M2 报告发布给社区进行评估。如果发生争议，最终仲裁权属于委员会，而不是物业团队或提案团队的任何成员。

关于中心化

该平台已进入为期 4 周公开测试的第三周，提案团队正在努力修复错误；然而，还有另一个问题他们需要整个社区共同讨论。

部署与维护

提案团队愿意自行承担部署和维护工作。但是，由于社区对潜在的操作风险提出了担忧，提案团队也对资助第三方来管理部署和维护持开放态度。

规范的维护流程

即使社区对由提案团队处理维护工作感到满意，为希望为代码库做出贡献的社区成员建立一个清晰的流程仍然很重要。提案团队希望听取社区对此事的建议。

Sincerely,
Haoyang - 物业团队

我认为chen yukang的从 DAO 存款中铸造（mint）一种不可转让的 sUDT 作为投票凭证 ，这个方案比目前的白名单机制更佳，原因如下：

Pre-RFC sUDT 方案（如果未来实现）：
你把 CKB 存入 DAO 后，一次性 mint 出不可转让的 voting sUDT，之后链上就能实时看到你的投票权重，投票更透明、去中心化程度高，还能委托给别人。适合长期、追求纯链上治理的用户。

当前 v1.1 机制：
你存入 DAO + 注册绑定 Web5 DID 后，系统通过数据库快照给你权重。操作简单，但权重和最终结果统计依赖后端，不是完全实时链上读取。

one additional thing to add here, there were 2 benchmarks done to check the feasibility of utilizing large sparse merkle trees on-chain (simulated up to 131,072 records), under this design 1 record would be needed per DAO deposit. The benchmarks turned out to be surprisingly reasonable.

note these are the cycles values at the max– at smaller sizes, the cycle count would be much lower

first pass: 7 million cycles https://github.com/nervosnetwork/sparse-merkle-tree/pull/58 h/t @xjd
second pass: 1.7 million cycles sparse-merkle-tree/bench-optimize-context.md at bench-optimize/mar27 · nervosnetwork/sparse-merkle-tree · GitHub h/t @quake

for your reference the cycle limit of a CKB block is 3.5 billion cycles.

Cell contention of writing to the sparse merkle tree cell becomes more of an issue but that is a very different problem to solve (which can be approached with different strategies). And because DAO operations are relatively slow, should be no problem to address.

1. Why does the testnet connect to the mainnet wallet?
   

2. Submit proposal and returnPage Not Found

image850×554 9.02 KB

3. How to switch accounts？
   

4. Clicking the heart and share doesn't respond
   

image2074×974 79.3 KB

5. Refresh the page, and the previous comments will disappear
   

没用的，ckb这类链就是这样的，一个地址持有的ckb数量都是要链外钱包和浏览器算的。

你从链上只能查到一堆live cell，要自己加起来才能知道自己有多少ckb。

dao的质押和赎回的操作的特征非常明显，很容易就能过滤出来，跟UDT没啥区别。

但是问题是让每个客户端都去计算吗？那就相当于每个人都跑个indexer了

另外，说到新方案，我们也讨论过很多，我甚至提过直接做个polymarket的方案。

但是dao 1.1的前提就是元规则不能变，必须跟dao 1.0保持一致。

dao一开始决定用用户在nervosdao中的质押量作为投票权重，是因为在nvervosdao中质押的用户被认为是ckb长期主义的用户，这些才会关心ckb长远发展相关的议题。

事实上大部分在nervosdao中质押的用户是为了抵御ckb增发带来的通胀。

你可以到浏览器看质押总量是多少？再到metaforo看看参与投票的量有多少？

did是单独的一层过滤，跟前面说的dao的质押量没有关系。

因为dao 1.1使用web5技术，用户必须创建did才能登录dao 1.1进而进行投票等操作。

说白了跟metaforo的登录是一样的。

如果用户连投票系统都懒得登录，那他肯定不会参与投票啊。

另外dao1.1创建did没有任何门槛，有钱包就可以。跟metaforo的中心化服务登录比更加开放。

我给你举个例子你就清楚了。

dao 1.0就类似于地下六合彩。

dao1.1就类似于赌博类的链游，规则一点没变，只是把六合彩搬到链上了。

你说能不能不依赖平台方的前提下独立验证？那肯定可以啊，再烂的链游都可以做到这一点。

你说能不能保证公平性？我只能说这个跟技术没关系。

系统是怎么验收的？

链游肯定是按链游的功能去测试验收的。

审计工具不包含在链游的功能里。

你想，如果一个用户信任链游的运营方，那他直接用链游的网站就可以了，为什么还要用社区审计工具？如果用户不信任链游的运营方，链游运营方开发的审计工具肯定也不信任啊。

所以审计工具必定是社区独立开发的，不可能是跟链游一起开发的啊

it is pretty straightforward functionality for a wallet to know a UDT balance (or a CKB balance).

If a user signs a vote for their total of vUDT tokens and publishes it to the chain, it would be straightforward to audit the results of a vote. There is also likely a way to conduct the actual vote on-chain using these tokens.

Aggregation of vUDT balance

We also can mint the vUDT’s into a single cell (since it is likely that the user will want to use a different key than the one used to manage their DAO deposits). This would ease the indexing burden, just put all the vUDTs in 1 cell. As new deposits are added to on-chain SMT (for uniqueness verification), the type script of the vUDT cell will only allow for increasing the balance if the SMT update is present in the same transaction.

one additional topic for consideration here. Publishing any signature to the chain for a DAO deposit would open those deposits to long range attacks from a quantum computer, this should be considered in any design.

哈哈，我的理解正相反。
投票系统的设计初衷之一，本来就应该是尽可能保障投票的公正性，并让这种公正性能够被独立验证。
从你的例子角度上，如果只考虑开奖公平性，地下六合彩要远高于中心化数据库控制的电子开奖系统。
如果公平性与可验证性都不在设计目标里，那我会很难理解，社区为什么还要投入资源去推动 DAO V1.1。

也正因为如此，我个人目前还是不认可 DAO1.1 这条路线。

第一，短期内我宁愿继续沿用老的 DAO V1.0 流程。
既然当前这套 DAO1.1 在关键环节上依然离不开中心化维护、中心化验证，那我个人反而觉得，还不如继续沿用之前 Metaforo.io 的投票系统，并继续由 Hannsen 个人负责审计和计票。
既然本质上都还是中心化路径，那么与其引入一套新的、责任边界并不清晰的体系，我个人反而更倾向于继续使用社区已经熟悉、也相对信任的人来承担这项工作。
至少这样做，责任边界是清楚的，真出了问题，也更容易追责和复盘。

第二，长期看，我更倾向于等待未来 Treasury 的映射模型。
对于当前资金规模仍然有限的 Community DAO，我个人觉得，没有必要先为它搭建一整套复杂、臃肿、效率又不高的治理模型。
如果未来 CKB 财库的设计真能往更底层、更公开规则的方向推进，比如 Chen Yukang 现在讨论的 Treasury 映射逻辑，那无论是效率、验证路径，还是整体治理可信度，我觉得都可能明显好于当前这套 DAO1.1 模型。

另外，我也想补一句很现实的话：
一个治理系统如果把权力集中起来，却不能把责任边界同时做清楚，那我很难放心。
我真正担心的，不只是“有没有中心化”，而是：
权力中心化了，但责任却去中心化了。
一旦未来真的出现名单、计票或验证层面的争议，到底由谁负责，社区是否能清楚追责？
如果这一点说不清，我就很难对这套系统建立足够信任。

还有一点，在我看来，DAO V1.1 理应成为未来物业团队的标杆项目。
如果连这个项目本身，在测试、验收、可验证性和责任边界这些最基础的问题上，都仍然存在这么多争议和疑问，那社区自然也会进一步担心：
以后又该如何用这样一套体系去管理、评审和监督其他提案项目？
如果作为“示范项目”的治理基础都还没有建立足够的信任，那它未来承担更广泛的监管和管理角色时，就会更难让人放心。

这只是我个人目前的意见。
我也愿意继续听听其他社区伙伴的看法。

Haha, my understanding is quite the opposite.

One of the core purposes of designing a voting system should be to safeguard the fairness of the vote as much as possible, and to make that fairness independently verifiable.
Using your own example, if we focus only on the fairness of the draw, then an underground lottery would actually be far more trustworthy than an electronic draw system controlled by a centralized database.
If fairness and verifiability are not part of the design goal, then I find it difficult to understand why the community should spend resources pushing DAO V1.1 forward in the first place.

That is also why, at least for now, I still do not support the DAO1.1 route.

First, in the short term, I would rather continue using the old DAO V1.0 process.
If the current DAO1.1 still ultimately depends on centralized maintenance and centralized verification at key points, then I personally feel it would be better to continue using the previous Metaforo.io voting process, with Hannsen continuing to audit and tally the votes.
If the path is still centralized in substance, then rather than introducing a new system with unclear responsibility boundaries, I would personally prefer to keep relying on someone the community already knows and relatively trusts to do that work.
At least in that case, the responsibility boundary is clearer, and if something really goes wrong, accountability and post-mortem review are also much easier.

Second, in the longer term, I would rather wait for a future Treasury mapping model.
For a Community DAO whose current fund size is still quite limited, I do not think it makes sense to first build an entire governance model that is so complex, bloated, and low in efficiency.
If the future CKB Treasury design can really move toward a more foundational and more openly rule-based direction — for example, the Treasury mapping logic currently being discussed by Chen Yukang — then in terms of efficiency, verification path, and overall governance credibility, I think it could be significantly better than the current DAO1.1 model.

I would also like to add one practical concern:
if a governance system centralizes power, but does not make responsibility boundaries equally clear, then I find it very difficult to trust it.
What worries me is not merely whether there is centralization, but that:
power becomes centralized, while responsibility becomes decentralized.
If future disputes arise around voter lists, tallying, or verification, who will actually be responsible, and will the community be able to hold anyone clearly accountable?
If that cannot be clearly answered, then I cannot build enough trust in this system.

There is one more point I want to add: in my view, DAO V1.1 should have been a benchmark project for the future steward/operations team.
If even this project itself still has so many disputes and open questions around the most basic issues — testing, acceptance, verifiability, and responsibility boundaries — then the community will naturally worry even more about a further question:
how can such a system later be relied on to manage, review, and supervise other proposal projects?
If the governance foundation of the “demonstration project” itself has not yet established sufficient trust, then it will be even harder for people to feel confident when it is later expected to take on a broader management or oversight role.

This is only my personal view at the moment.
I am also very willing to continue hearing the opinions of other community members.

Is there any draft regarding vUDT? I don’t see the possibility of implementation under the existing UDT RFC. Theoretically, it can definitely be achieved, but it would be a new asset standard with immeasurable complexity.

你理解错了吧

我说的是：

dao1.0 <–> 地下六合彩

dao1.1 <–> Fomo3D

Fomo3D当然比地下六合彩要更开放，更透明，可验证。

但是你说Fomo3D公平吗？

如果你觉得开放，透明，可验证就是公平性，那是我之前想多了

那回到主题，dao1.1比dao1.0更开放，更透明，而且可验证，那就已经实现了你说的公平性了。