[Gallery image captions: Event logs of the first working POC; Sharing the dividend relation proof equation; Commit-reveal designs pt.2]
DAOs are super disruptive, and governance is hot. What would happen if all votes in a DAO were anonymous? Would a meritocracy emerge from the inhibition of voter coordination/buying?
What it does
You can attach any existing DAO to a ZKDAO contract, and realise fully-anonymous governance on proposals.
Votes submitted on proposals are anonymous. Like a usual DAO, proposals have a passing threshold of shareholder power.
"don't quote me on this, but it should work" (Paul Berg - AZTEC Engineer, 2019)
How we built it
With our bare hands:
Solidity, Truffle, Remix, JS, reading the AZTEC paper, Mocha unit tests
Challenges we ran into
- we had no idea what we were doing (seriously - zero knowledge of zero-knowledge algorithms)
- documentation out of date / incomplete for AZTEC
- finding and harassing Tom & Paul from AZTEC (thank you very much)
- off-by-one, off-by-zero errors, JS WATs
- no REVERT reasons in general
Accomplishments that we're proud of
- implementing the first-ever ZKDAO
- being the 1st usage of AZTEC Cryptography Engine in the wild, and much to their dismay ;), a repurposing of their proofs for purposefully leaking information
- reverse-engineering AZTEC's dividend proof algorithm, which is currently not deployed. We had to dive into the proof engine, the test cases, and how the dividend relation is proven (za, zb).
- using a commit-reveal scheme to implement the double-voting constraint, as well as a really simple logic to change vote positions
- a simple nullification of submitted votes when shares are transferred (using note.noteHash as an additional commit)
What we learned
There are two constraints you must design for:
- double-voting - ensuring that a shareholder cannot vote twice (since your "shares" are private, they could do something like transfer and vote again)
- multiple proposals - being able to submit votes to multiple proposals
We represent a share in the DAO as an AZTEC ZK-note and represent a "vote" as a ZK proof of a % of that balance.
We can use the totalSupply of the original ERC20 share token to calculate the number of votes required to pass a proposal. We then repurpose the dividend proof to prove that a shareholder "votes" a % of the totalSupply of available votes, without revealing their total number of shares.
We learnt that you can use the AZTEC proof engine without necessarily destroying/creating notes.
What's next for zkdao
- turning this POC into an MVP
- plug-n-play for existing DAOs
- stealth addresses by default