Fix anonymous voting flow of the project. #27

Closed
adityabhattad2021 opened this issue Mar 21, 2024 · 0 comments
There are several problems in the anonymous voting flow that need to be addressed.

a. In ./server/contracts/OneVote.sol, there are several issues:

  1. There are unused imports that should be removed for cleaner code.
  2. The vote function does not check for any conditions before registering the vote from the user, which could lead to potential issues.
  3. The function name addProposal is incorrect/irrelevant and should be renamed to addCandidate for clarity.
  4. The use of an old semaphore contract is noted. It is recommended to replace this with @semaphore-protocol/contracts/ to ensure the use of the latest and audited contracts.

b. In server/contracts/VotingProcess.sol:

  1. All function names containing proposal are incorrect/irrelevant and need to be updated for consistency and clarity.

c. On the client side, we can implement zk (zero-knowledge) voting using the packages provided by semaphore-protocol. It offers functions for generating proofs and adding user identity to the Merkle tree (ensuring they are eligible to vote). The package handles the heavy lifting, eliminating the need to manually store user identity commitments. Another important reason for using semaphore-protocol is its proven track record, having been tested and used by a community of developers in the zk space.

d. For the voting flow to be truly anonymous, it is not recommended to directly call the vote function from the client using the user's address. This is because, even though the vote call is not directly linked to the user's wallet address, when the vote function is executed and the number of votes for a certain candidate is incremented, it can be traced back to the caller's wallet and, hence, to the user. To address this, a middle layer like relayers or a backend can be used to call the vote function on the smart contract. The user's wallet should only be used while generating the proof, which will go from the backend to the smart contract to be verified. This approach ensures the user remains truly anonymous.
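
The sender linkage described in point (d), together with pre-vote checks of the kind point (a.2) asks for, as an added example that is not part of the original issue or the project's code. It is a simplified JavaScript model: `proofOk` stands in for on-chain Semaphore proof verification, the three checks shown are an assumption about what `vote` should enforce, and `VotingModel`, `linkSendersToVotes` and all addresses are hypothetical, constructed names.

```javascript
// Simplified model (added example): no real Semaphore proof is verified here.
// `proofOk` stands in for on-chain zk-proof verification; all names are hypothetical.
class VotingModel {
  constructor(candidates) {
    this.tally = new Map(candidates.map((c) => [c, 0]));
    this.usedNullifiers = new Set(); // one nullifier per identity per poll
    this.txLog = []; // what any chain observer can read
  }

  // `from` models msg.sender, which is public on chain.
  vote(from, { candidate, nullifier, proofOk }) {
    if (!this.tally.has(candidate)) throw new Error("unknown candidate");
    if (!proofOk) throw new Error("invalid membership proof");
    if (this.usedNullifiers.has(nullifier)) throw new Error("already voted");
    this.usedNullifiers.add(nullifier);
    this.tally.set(candidate, this.tally.get(candidate) + 1);
    this.txLog.push({ from, candidate });
  }
}

// What an observer learns from the log: sender address -> candidates voted for.
function linkSendersToVotes(txLog) {
  const seen = {};
  for (const { from, candidate } of txLog) {
    (seen[from] = seen[from] || []).push(candidate);
  }
  return seen;
}

// Constructed sample data.
const RELAYER = "0xRelayer";
const votes = [
  { wallet: "0xAlice", ballot: { candidate: "A", nullifier: "n1", proofOk: true } },
  { wallet: "0xBob", ballot: { candidate: "B", nullifier: "n2", proofOk: true } },
];

// Direct call: each wallet is the sender, so each vote maps to a wallet.
function runDirect() {
  const c = new VotingModel(["A", "B"]);
  for (const v of votes) c.vote(v.wallet, v.ballot);
  return linkSendersToVotes(c.txLog);
}

// Relayed call: the relayer is the only sender; wallets never touch the contract.
function runRelayed() {
  const c = new VotingModel(["A", "B"]);
  for (const v of votes) c.vote(RELAYER, v.ballot);
  return { links: linkSendersToVotes(c.txLog), contract: c };
}
```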
