tomasbrod
commented
7 years ago No, the brackets worked just fine. But I deleted the poll as I don't want to see gridcoin community affected by results of manipulated poll. I already privately contacted developers as well as mentioned that no important polls should be created until a security release. But nothing changed so here it is:
- The poll/voting mechanism is insecure:
- Anyone can create polls
- I can delete polls
- I can vote on any poll, multiple times, with whatever share weight I want
- And maybe delete legit votes too
Please, do not create or interpret any polls for now.
iFoggz
denravonska
gridcoin
Reload polls and Load history do not work at all on voting dialog. Nothing happens when either of these buttons are pushed and when loading up the voting dialog it hasn't updated with the latest poll at all but does "loading data" and gets 3 polls. I didnt know if that was a voting dialog issue so I went further.
GetJSONPollsReport is run to get the poll information much like in rpc calls
I went further and checked "execute listpolls" uses GetJSONPollsReport as well and it hasn't updated that either even after a wallet restart and just shows 3 polls not the current one
I can see the poll information in mininginfo but thats is about it but that uses sMessageKey
From this I've determined that the [ and ] in the enigma poll breaks JSON output. Example: [whitelist Poll] Should Enigma Be Rewhitelisted?
normally we would have it listed as Type : Poll Question or Just Poll Question Example: Technical Poll : What Should We Do Regarding The Mandatory Team Requirement? Whitelist Poll : Should We Remove Enigmaathome From The Whitelist Due To No Available Work Units
I believe this is the cause.
You can vote on it through execute vote just fine but I can't pull up poll details, etc. Seems like this is the cause but maybe its something in new version.
--
If this is the case lets avoid [ and ] usage in future polls if we want full functionality of voting dialog and execute listpolls, etc
--
addpoll makes a contract in xml ofcourse and its read in xml but exported in json. If that will remain the same we could add if statements for Question if it contains [ or ] or { or } then make it invalid for containing an illegal character in poll name. or just make it common knowledge and practice to not use those characters.