We explore the space of trust-minimizing coordination mechanisms for on-chain vote buying and exploitation in the permissionless model.
Blockchains seem like the perfect technology for online voting. They can act as “bulletin boards,” global ledgers that were hypothesized (but never truly realized) in decades of e-voting research. Better still, blockchains enable smart contracts, which can execute on-chain elections autonomously and do away with election authorities.
Unfortunately, smart contracts aren’t just good for running elections. They’re also good for buying them.
In this blog post, we’ll explain how and why. As an example, we’ll present a fully implemented, simple vote buying attack against the popular on-chain CarbonVote system. We’ll also discuss how trusted hardware enables even more powerful vote buying techniques that seem irresolvable even given state-of-the art cryptographic voting protocols.
Finally, we introduce a new form of attack called a Dark DAO, not to be confused with the “Dark DAO” the same way DAOs should not be confused with The DAO. A Dark DAO is a decentralized cartel that buys on-chain votes opaquely (“in the dark”). We present one concrete embodiment based on Intel SGX.
In such an attack, potentially nobody, not even the DAO’s creator, can determine the DAO’s number of participants, the total amount of money pledged to the attack, or the precise logic of the attack: for example, the Dark DAO can attack a currency like Tezos, covertly collecting coins until it reaches some hidden threshold, and then telling its members to short the currency. Such a Dark DAO also has the unique ability to enforce an information asymmetry by sending out, for example, deniable short notifications: members inside the cartel would be able to verify the short signal, but themselves could generate seemingly authentic false signals to send to outsiders.
The existence of trust-minimizing vote buying and Dark DAO primitives imply that users of all on-chain votes are vulnerable to shackling, manipulation, and control by plutocrats and coercive forces. This directly implies that all on-chain voting schemes where users can generate their own keys outside of a trusted environment inherently degrade to plutocracy, a paradigm considered widely inferior to democratic models that such protocols attempt to approximate on-chain.
All of our schemes and attacks work regardless of identity controls, allowing user actions to be freely bought and sold. This means that schemes that rely on user-generated keys bound to user identities, like uPort or Circles, are also inherently and fundamentally vulnerable to arbitrary manipulation by plutocrats. Our schemes can also be repurposed to attack proof of stake or proof of work blockchains profitably, posing severe security implications for all blockchains.
Blockchain Voting Today
Blockchain voting schemes abound today. There’s Votem, an end-to-end verifiable voting scheme that allows voting using mobile devices and leverages the blockchain as a place to securely post and tally the election results. Remix, the popular smart contract IDE, offers an election-administering smart contract as its training example. Yet more examples can be found here (1), here (2), and here (3).
On-chain voting schemes face many challenges, privacy, latency, and scaling among them. None of these is peculiar to voting, and all will eventually be surmountable. Vote buying is a different story.
In political systems, vote buying is a pervasive and corrosive form of election fraud, with a substantial history of undermining election integrity around the world. Sometimes, the price of a vote is a glass of beer. Thankfully, as scholars have observed, normal market mechanisms usually break down in vote buying schemes, for three reasons. First, vote buying is in most instances a crime. In the U.S., it’s punishable under federal law. Second, where secret ballots are used, compliance is hard to enforce. A voter can simply drink your beer, and cast her ballot in secret however she likes. Third, even if a voter does sell their vote, there is no guarantee the counter-party will pay.
No such obstacles arise in blockchain systems. Vote buying marketplaces can be run efficiently and effectively using the same powerful tool for administering elections: smart contracts. Pseudonymity and jurisdictional complications, as always, provide (some) cover against prosecution.
In general, electronic voting schemes are in some ways harder to secure against fraud than in-person voting, and have been the subject of general and academic interest for many years. One of the fundamental building blocks was introduced early by David Chaum, providing anonymous mix networks for messages which could be anonymously sent by participants with receipts of inclusion. Such end-to-end verifiable voting systems, where users can check that their votes are correctly counted without sacrificing privacy, are not just the realm of theoreticians and have actually been used for binding elections.
Later work by Benaloh and Tuinstra took issue with electronic voting schemes, noting that they offered voters a “receipt” that provided cryptographic proof of which way a given vote had been cast. This would allow for extremely efficient vote buying and coercion, clearly undesirable properties. The authors defined a new property, receipt-freedom, to describe voting schemes where no such cryptographic proof was possible. Further work by Juels, Catalano, and Jakobsson modeled even more powerful coercive adversaries, showing that even receipt-free schemes were not sufficient to prevent coercion and vote buying. This work defined a new security definition for voting schemes called “coercion resistance”, providing a protocol where no malicious party could successfully coerce a user in a manner that could alter election results.
In their work, Juels et. al note that “the security of our construction then relies on generation of the key pairs… by a trusted third party, or, alternatively, on an interactive, computationally secure key-generation protocol such as  between the players”. Such “trusted key generation”, “trusted third party”, or “trusted setup” assumptions are standard in the academic literature on coercion resistant voting schemes. Unfortunately, these requirements do not translate to the permissionless model, in which nodes can come and leave at any time without knowing each other a priori. This (somewhat) inherently means users generate their own keys in all such deployed systems, and cannot take advantage of trusted multiparty key generation or any centralized key service arbiter.
The blockchain space today, with predictable results, continues its tradition of ignoring decades of study and instead opts to implement the most naive possible form of voting: directly counting coin-weighted votes in a plutocratic fashion, stored in plain text on-chain. Unfortunately, it is not clear that better than such a plutocracy is achievable on-chain. We show that the permissionless model is fundamentally hostile to voting. Despite any identity or second-layer based mitigation attempts, all permissionless voting systems (or schemes that allow users to generate their own key in an untrusted environment) are vulnerable to the same style of vote buying and coercion attacks. Many vote buying attacks can also be used for coercion, shackling users to particular voting choices by force.
Source/More: On-Chain Vote Buying and the Rise of Dark DAOs