One wallet, one vote.

[Aurum420]

I believe Gridcoin voting should be a fair democratic process. It is currently controlled by just a few with the highest magnitude (Charity Engine) and balances. Each wallet deserves one vote and only one vote.

[jamescowens]

As I explained many times before this cannot be done unless we implement a strong form of KYC style individual identification. There is no way to correlate UTXO’s to an individual wallet, and so there is likewise no way to reliably identify an individual. This would be immediately subject to a Sybil attack, and in fact the very people you are concerned about would be the most likely to chop up their keys into many wallets to further multiply their voting power.

[jamescowens]

I am reopening this because @Aurum420 created a poll referencing this issue.

[jamescowens]

Given that this is the subject of an opinion poll, I think it is warranted for me to give a more comprehensive explanation of why "the one wallet, one vote" is not possible:

Anybody can create a wallet. Let's say that a person has 1000 GRC. If this person has that GRC in one wallet, under the "one wallet, one vote" metric, they would be counted as "1". If they wanted to take maximum advantage of the "one wallet, one vote" metric, they would generate ~2000 new addresses and then send the 1000 GRC via script from the current address that those GRC are on to those addresses @ 0.5001 GRC each. (The minimum required to vote + the fee.) They would then import each of those addresses into separate wallets and then vote with each wallet using a script to automate it. They would then be counted as almost "2000".

You can see how this is not a good idea. This is a classic Sybil attack.

The ONLY metrics that can be used that prevent this sort of attack must satistfy the mathematical property of linearity. Namely a function f is linear iff f(ax + by) = af(x) + bf(y).

If f is a voting weight function, and f(balance, magnitude) = balance + a * magnitude, where a is an equivalence factor, then f is linear.

If someone splits their balance into two wallets and their magnitude into two CPID's, then we have

balance = balance.1 + balance.2

magnitude = magitude.1 + magnitude.2

f(balance, magnitude) = balance + a magnitude = f(balance.1 + balance.2, magnitude.1 + magnitude.2) = (balance.1 + balance.2) + a (magnitude.1 + magnitude.2) = (balance.1 + a magnitude.1) + (balance.2 + a magnitude.2) = f(balance.1, magnitude,1) + f(balance.2, magnitude.2)

Thus a metric which weights votes according to balance + a * magnitude is LINEAR and is immune to this type of Sybil attack. this proves that if they split up their balance and magnitude and then vote with the post splits separately, they get the same voting weight in the aggregrate as if they had voted without splitting.

Note this metric form covers both the available balance and balance + magnitude poll types, because the former is simply where a = 0 and the later where a > 0.

[empirebuilder1]

This is not an appropriate knee-jerk reaction to the Sidock poll failing because you couldn't follow the whitelisting rules and had confusing, conflicting polls operating concurrently.

Jim has very clearly explained the obvious, glaring security holes in a "one wallet, one vote" approach. Voting no.

[sibebleuze]

I think the system as it is now works very good (regardless of feasibility). Those who invested the most in Gridcoin, be it their time, money or computational power, are the people who have the highest balances and magnitudes (=> the highest voting shares). They are also the ones most active in the community, they know what goes on here and may even be familiar with the code base. This means they know what can and cannot be done and what is the best way to do things. I think it's only fair if their vote weighs heavier and I don't mind if my vote is a less important in favor of someone who is a lot more involved. If anything, I think we should do this in more places (based on people's involvement, experience and knowledge, not their money, that is).

[RoboticMind]

To further clarify for those not super familiar with all this, it's not possible to uniquely identify what's a singular wallet and what's not. You can use some heuristics to find some of what's connected, but it's easy for some bad actor to get around that. Even if there were some way to always uniquely identity a singular wallet, you could trivially spin up new wallets.

The only ways you could realistically try to implement this would not be secure:

• If you say "one address = one wallet" it's trivial to create tons of new ones.
• If you try "one cpid = one wallet" it's trivial to create a bunch of BOINC accounts and it would exclude those not running solo.
• If you try to validate who's a unique user through a centralized source, you have multiple problems:
  • What do you validate - if email/text/similar it's easy to create a bunch of those and limits votes from people without access to those.
  • You also have to have a lot of trust in the person/people validating the information. Would have to trust that they're sending out and checking what they say they are.
  • You have risks of denial of service type attacks that stop other people from getting validated
  • And more

TL;DR: One person = one vote is really hard to do here because you can't really easily check who's a singular person on a cryptocurrency

[JeffGoldblum1952]

To further clarify for those not super familiar with all this, it's not possible to uniquely identify what's a singular wallet and what's not. You can use some heuristics to find some of what's connected, but it's easy for some bad actor to get around that. Even if there were some way to always uniquely identity a singular wallet, you could trivially spin up new wallets.

The only ways you could realistically try to implement this would not be secure:

* If you say "one address = one wallet" it's trivial to create tons of new ones.

* If you try "one cpid = one wallet" it's trivial to create a bunch of BOINC accounts and it would exclude those not running solo.

* If you try to validate who's a unique user through a centralized source, you have multiple problems:

  * What do you validate - if email/text/similar it's easy to create a bunch of those and limits votes from people without access to those.
  * You also have to have a lot of trust in the person/people validating the information. Would have to trust that they're sending out and checking what they say they are.
  * You have risks of denial of service type attacks that stop other people from getting validated
  * And more

TL;DR: One person = one vote is really hard to do here because you can't really easily check who's a singular person on a cryptocurrency

Gotta agree with you and Jim on this one, I think it's pretty clear that one person, one vote just doesn't work...

[iFoggz]

1 wallet one vote is a manipulation waiting to happen. Our current poll protocol for whitelist is fair.

[iFoggz]

Ok now home I can comment more on this. Making a 1 wallet = 1 vote would be a failing and exploitable system and also does eliminate magnitude.

Magnitude is important in the vote. The more hardware someone throws at the network for boinc crunching should have more of a say. That is more resources invested into Gridcoin and Gridcoins mission.

All honesty I believe the problem and original opening of this issue was because the first incorrect poll was made. It was made without considering the well planned out protocol for whitelisting. If the first invalid poll wasn't made then it is possible the vote could of passed.

One wallet = one wallet also allows a person to not keep any investment but minimal in the network.

[ygboucherk]

a strong form of KYC

I guess that, even it's technically very hard (impossible ?), it would destroy main principle of cryptocurrencies. Maybe u wanna see satoshi back (for telling u the same thing) ?

[Maciej-Ficek]

One wallet, one vote.

It reminds me of something.

Ein Brieftasche, Ein Abstimmung, Ein Fuhrer.

[nathanielcwm]

There's not a good way to tell that it's just a single person without intense kyc which completely undermines one of the main goals of crypto...

[Maciej-Ficek]

There's not a good way to tell that it's just a single person without intense kyc which completely undermines one of the main goals of crypto...

Yeah I know. But one can create many Gridcoin wallets to vote then so therefore I'm against one wallet = one vote.

[Keith-UCT]

For the hell of it, I dropped 7 votes for each option. Dumb poll imho.

[Aurum420]

Magnitude is important in the vote. The more hardware someone throws at the network for boinc crunching should have more of a say. That is more resources invested into Gridcoin and Gridcoins (sic) mission.

Magnitude alone would be much preferred but there is no option on polls to vote just magnitude, it's balance or balance + magnitude. Balance should have no place in voting.

Gridcoin's mission was flushed when it was decided to grow fake cactus for a kid's game. Dead and buried.

All honesty I believe the problem and original opening of this issue was because the first incorrect poll was made. It was made without considering the well planned out protocol for whitelisting.

Wrong, it's not well planned. It's a disaster. Instead of having the discussion about whitelisting on a BOINC forum where anyone eligible to vote would be able to log in using their BOINC credentials the discussion must be scattered over 4 different irrelevant forums. There is no requirement for a BOINC philanthropist to have an account with github, discord, or those other 2 forums.

The real reason I created this poll is the absurd AVW formula. This formula has no relevance whatsoever to voting. It has fitting factors and can be made to create any answer. This formula should be eliminated for whitelist voting.

[jamescowens]

Your opinion is not shared by the community @Aurum420.

[wilkart]

... and "growing fake cactus" can take us into a future with the same chance like "sensing gravitational waves". I am also voting NO convinced by arguments.

[Aurum420]

Your opinion is not shared by the community @Aurum420.

How would you know? You've argued compellingly that you don't even know who is in the GRC community. The biggest balance makes the decisions and no else matters. Time for a new poll.

[RoboticMind]

This formula has no relevance whatsoever to voting

It's based directly off of vote weight and then looks at what part of that is active. How does that have no relevance to voting?

How would you know

The rules we use now were passed with pretty overwhelming support - even if were to look at the number of votes (which is not the best metric, but I digress)

Doesn't mean there can't be changes to it, but to suggest that no one supported it overall would be false. I highly suggest refraining from making yet another poll

The biggest balance makes the decisions...

They usually vote really late and either with what was the majority or abstain as to try to not influence it. If we removed the abstain option as you suggested in the past, you'd be making the situation worse and make them have to decide for the community on tight polls.

As well these users all tend to have high magnitude as well. If you switch to mag only, it really wouldn't change the situation.

I'd agree that it's not super great that the whales have such a large potential influence, but the solutions you're suggesting aren't effective

[additude]

I want to leave a comment please. Although I have argued technically in the past with Mr. jamescowens over other issues, I will concede that Mr. jamescowens, and I'll add his team of developers, do know their venue and for that I offer my respects. I am more than confident that him and his team have only the best in mind. Saying that, I'll also express gratitude and thanks for all the work and effort that they admonish to this project. I myself are beholden to them. But saying what I said exemplifying the outstanding job that they do, there is at least one shortcoming that possesses them with impunity because they are, "The Ultimate and Final End and Authority"..... I speak such, with respect to Mr. jamescowens and "our" team of developers. I speak such with hope and reverence of their consideration. I speak such because we can all become stewards of our best practices. Today, this day in todays world, all of us Gridcoiner's are all elegantly trying and attempting to try to survive "Gridcoin" in the Crypto Coin World. A lot of people have spent a lot of time, effort and money in and promoting GridCoin". We all care, there was within recent thought a request drive to collect donated "GridCoins" to update the website and I think improve the marketing to attract new members. I will just say, I was one of the 30,000 GRC Donators to that cause. My point is this: Voting and the ability to have a Vote has always been an issue with new members. It was actually the first concern I experienced with GridCoin.....and to be honest, I felt very alienated from the rest of the GRC group of Gridcoiner's because I couldn't vote and I really wanted to vote......why? Simply because voting meant that I was a real GridCoiner. It was Democratic and that means, so far in the history of "Man", that it's the best that we have found. Not Perfect mind you, just the best so far. So I am requesting that we take the best that GridCoin has to muster, meaning Mr. jamescowens and the exemplary development team to research this thought of Voting and find a way, whether to navigate thru months or thru years, to find a way and an acceptable conclusion with the goal of allowing someone with 1 grc to have 1 vote and someone with a million grc to have a million votes as possibly the answer. But there is an ANSWER here........ I do not believe that this "ANSWER" is lost or is unobtainable within GridCoin Wallet "C+" code..... Guys, I think it's a big deal for beginners...... because right from the gitgo, it makes them outsiders. With all due respect, think about it, don't deny it because you are the Ultimate Authority.

[Aurum420]

I'm trying to understand where the actual final vote values come from and I believe there's a major bug. I cast the first vote and I recall that my magnitude was over 4,000 and my GRC balance was 135,497.7171. On April 10th my GRC wallet broke and has not synced since. I found the instructions on deleting two folders etc and I'm now reindexing my wallet and will see what happens tomorrow. Apparently ones final vote is not calculated until the poll closes. That means as your balance and magnitude change from the time you voted until the time the poll ends your vote changes. Want it to go up then go buy some GRC. Decide to crunch some non-whitelisted projects then your magnitude goes down as well as your vote. Or maybe the data on this webpage is not what is used behind the curtain to tally the votes. https://www.gridcoinstats.eu/poll/879b0c96a100a2850bd079fdc25ce30dd2107d1bd94936e8056da23920d333ce/1/active:1

And the largest number of votes goes to anonymous: https://www.gridcoinstats.eu/pollverify/3f99d273c3aaf8880140678ad3649dcc592a5b05560da1cce22b43d9a63a050b Actually it's me. I was also the first to cast a vote so I appear to have about 7 million votes yet I'm losing. Click on that address and it shows 5,071.82 GRC that I sent from an exchange to my broken unsynced wallet address RzZ9wNZQR8W5bZS6Lsg7GUzAzJUbjsuDeH that I can't see yet. The other half of that transaction shows my 0.998 GRC wallet balance. Yet some how 5,072.818 GRC turned into a vote of 5,882,099.44. Maybe after my wallet syncs up it'll self-correct.

[jamescowens]

Did you actually vote with your wallet out of sync?

[cyrossignol]

@Aurum420 A vote transaction contains the signed, unspent outputs in a wallet at the time of the vote and a beacon signature for magnitude weight claims. This means that:

• Coins received after the vote was created don't count unless the wallet casts a new vote
• Coins spent from outputs claimed in the vote are decremented from the vote weight
• Voting weight for staked coins remains eligible unless side-staked to a different address
• Block and research rewards received from staking increase the weight of the outputs cast in a vote
• Final magnitude weight is determined by the superblock when the poll closes

Since balance weight is measured by UTXO amounts, and a wallet must sign those outputs to prove ownership and prevent someone else from changing the voter's choices, the voting system cannot measure balance added in transactions that confirm after the previous vote transaction, and it must remove weight for outputs spent after the previous vote transaction to prevent duplicate votes with the same GRC.

Staked coins are the exception. Wallets can verify with certainty that staked coins belong to the voter, so the system automatically grants vote weight for subsidies earned when staking a block.

Magnitude weight must be calculated from a single point of reference (one superblock). Otherwise, counting magnitude will over- or under-value the network's magnitude portion of the weight because individual magnitudes change every day. The voting system uses the last superblock in the poll window because new CPIDs can join the network before the poll finishes.

It's not a perfect system, but these trade-offs are probably the only way to securely measure votes on the blockchain within the limitations of our current technology. I hear your concerns and your frustration. There are planned and in-progress changes to improve the voting experience in the wallet and so that people can track their own votes. The old UI we have now is not sufficient.

[cyrossignol]

In some ways, this topic is similar to the discussions that propose to allocate all of the staking rewards for BOINC work only. I wrote a bit about that recently:

...a decentralized ledger is a closed system secured by cryptographic proofs. All the information needed to verify payments already exists in the blockchain.

As we know, the blockchain runs on math and cryptography. It doesn't need to be that way, but this implementation lets us participate in a trust-less, decentralized system. Any external information increases the need for trust and centralization. This is why BOINC computations cannot be used for consensus in a reasonably secure way.

As an application built on the blockchain, Gridcoin's voting system follows the same rules. Poll results are calculated from data in the blockchain and verified with math and cryptography to re-use the decentralized capabilities of the ledger. However, as others have pointed out, a one-vote-per-individual approach requires external data, trust, and centralization to establish the concept of an individual. It's not impossible to do, but it contradicts the point of using blockchain technology in the first place.

[Aurum420]

Did you actually vote with your wallet out of sync? Let me see, wallet just synced up. I created the poll 4/10/2021 14:52. I voted 4/10/2021 14:58. I made a withdrawal 4/10/2021 15:15. Will an out-of-sync wallet allow poll creation, voting and withdrawals??? I didn't think so. BTW, I'm pretty sure my ancient computer that randomly reboots corrupted one of the GRC files. Reindexing seems to have worked great so far. It'll take some time before the scraper updates my magnitude and distributes my pending reward. Side note: I suggest removing REQUIRE_TEAM_WHITELIST_MEMBERSHIP = 0 and TEAM_WHITELIST = from the scraper and inserting explainmagnitude CPID. Also, it'd be nice to have a better way to know when to upgrade the wallet than running Diagnostics. And add a link to latest wallet release. It's impressive how much this generation of the wallet has improved.

[Aurum420]

And the largest number of votes goes to anonymous: https://www.gridcoinstats.eu/pollverify/3f99d273c3aaf8880140678ad3649dcc592a5b05560da1cce22b43d9a63a050b Actually it's me. I was also the first to cast a vote so I appear to have about 7 million votes yet I'm losing. Click on that address and it shows 5,071.82 GRC that I sent from an exchange to my broken unsynced wallet address RzZ9wNZQR8W5bZS6Lsg7GUzAzJUbjsuDeH that I can't see yet. The other half of that transaction shows my 0.998 GRC wallet balance. Yet some how 5,072.818 GRC turned into a vote of 5,882,099.44. Maybe after my wallet syncs up it'll self-correct.

Who is Owner:Non-Cruncher with no magnitude and why does it get to cast 5,882,099.44 votes for No??? https://www.gridcoinstats.eu/address/SKzjWmvu2MZUBXrNtz2zgxhMtSQuHgNVxE/transaction#subTab

[startailcoon]

Who is Owner:Non-Cruncher with no magnitude and why does it get to cast 5,882,099.44 votes for No???

Non-cruncher is one that has no BOINC CPID, someone that only keep a balance. They can cast a vote with 5,882,099.44 as this was their balance at the time.

[WGrav01]

As I explained many times before this cannot be done unless we implement a strong form of KYC style individual identification. There is no way to correlate UTXO’s to an individual wallet, and so there is likewise no way to reliably identify an individual. This would be immediately subject to a Sybil attack, and in fact the very people you are concerned about would be the most likely to chop up their keys into many wallets to further multiply their voting power.

Sorry that I'm late to this. I personally don't want KYC verification. That would make Gridcoin more centralized limited. However, if it can be done without KYC, I might agree. However, I don't think that it would be possible to associate two addresses with one wallet. I think it would be possible to count the votes per address, so you can't vote twice with one address. That should be there. For now I'm voting no. There's my opinion.

[frank0051]

Gridcoin's mission was flushed when it was decided to grow fake cactus for a kid's game. Dead and buried.

@Aurum420 I'm someone that's been around on GRC for over 5 years but isn't the most active beyond BOINCing and securing the blockchain, but it would be helpful to know what you mean by this. As a fun aside, I actually remember when James joined the community and I was one of the individuals that actually pointed him towards the slack when he asked how to get involved - I think we were still using IRC a lot back then.

That said:

• I share @jamescowens concern. There are just too many ways to abuse a one wallet, one vote system.
• I also share @additude 's frustration with how little my vote matters with my lowly 105K or whatever share it is that I have. While one wallet, one vote isn't the solution to that, it would be interesting to think about potentially other solutions. Two I just put out there:
• • I remember at one point new joiners got like a double impact on their magnitude to help kick-start them, perhaps that could still a function
• • Perhaps there could be some sort of ceiling on how much. While I realize many of the whales aren't as active anymore in terms of voting, maybe the ceiling could be developed using some sort of log function from the median or average holding, or perhaps just a arbitrary cap of no one should have more than 5M votes or maybe like 5% of the votes. I realize that's not scientifically eloquent but we have lots of rules in society that are fairly arbitrary (for instance the Maastricht Treaty 3% rule on fiscal deficit isn't really based on any studies and was just added in by some young staff members last minute to close a debate).

[RoboticMind]

They are giving a poor description of one of the new projects added to the whitelist called Minecraft@Home.

---

Perhaps there could be some sort of ceiling on how much [...] or a log function [...]

The reason this wouldn't work is what Jim was talking about earlier. If you remove linearity (i.e 1 mag gets x vote-weight and 1 GRC gets y vote-weight), you immediately have a system that's very vulnerable. A whale could split up into multiple pretend new users and gain an even larger outsized vote weight.

Cap it at 5 Million, and they can make multiple wallets and move 5 million into them. Put a log function, they can split it across many small wallets and get way more vote weight, etc.

It's the same issue with not being able to identify what's a single wallet

I remember at one point new joiners got like a double impact on their magnitude to help kick-start them, perhaps that could still a function

It was removed because this is very insecure. Same problem as above

[frank0051]

The reason this wouldn't work is what Jim was talking about earlier. If you remove linearity (i.e 1 mag gets x vote-weight and 1 GRC gets y vote-weight), you immediately have a system that's very vulnerable. A whale could split up into multiple pretend new users and gain an even larger outsized vote weight.

Ah, yes, I see. I wonder if you could do something similar to what we have now on the block-chain explorer and say these are related addresses? How is it that the blockchain explorer can do something and we cannot for voting?

Perhaps you could even have two calculations that run in parallels and then require a majority of votes on both: one that is based on [mag + balance] and the other that is based on this refined tracking system? Or perhaps you could have two calculations: one based on [mag + balance] and the other based on one vote per CPID (tying it back to the original purpose: BOINC) and it would have to pass on both. Basically, it creates counter-vailing measures similar to a lower/upper house dynamic but all within the same casted vote.

[RoboticMind]

Gridcoinstats.eu does not find every address that's related. Even for a normal user, it often will miss some of your own change addresses. It cannot find every related address.

As well it's trivial for a bad actor to get around it. The most straightforward way is someone just spinning up another wallet and send coins to it.

This is what I was saying earlier in the thread about how it's only possible to find some of what's related, but not all not all

one vote per CPID

CPIDs are trivial to create. It's just an email and a password to create a new one. See the earlier linked post

[frank0051]

@RoboticMind : I hate to tell you this, but you're coming across as a negative Nancy to people that are just trying to express what they perceive as reasonable concerns.

In any case, @Aurum420 and @additude : I've put forward a couple ideas. I do think there is potentially something here with a dual voting systems where you perhaps have a) [Mag+balance] = to your lower house and b) CPID or the like type of one vote system = to your upper house and then a poll would have to pass both ways of counting votes in order to be committed. In any case, just spitballing ideas. It does seem fairly obvious that there are some turn-offs for [Mag+Balance] but there are also some vulnerabilities with doing one-wallet/one-CPID one-vote type of system. Beyond fusing the two together, what other proactive suggestions might you propose?

I think the poll gives us an opportunity to at least try to engage in a white-board type of exercise and see what we can come up with. Maybe we cannot come up with anything, but it doesn't hurt to at least thought-process it out.

[RoboticMind]

My comments were not about dismissing concerns with the current system. I have my fair share of concerns with it too. I mean for one my vote hardly counts too. The issue is that these other plans bring up more concerns.

For the split vote part specially, If you have a system that requires something to pass two types of votes, and one is very vulnerable, the result can still be manipulated. For instance, a bad actor that doesn't want some poll to pass can create thousands of CPIDs and flood a poll with false no votes to make it fail every time it's brought up. There's not really a way to use a vote that can be manipulated in a meaningful way.

The best alternative idea I have is one I'm not very sure would work. It revolves around biometrics and Neural Networks. In short, you would preform some task and then that would be used to try to identify (through a NN) if you were human and if you were different from someone else that's voted. I'm not confident that the NN would be resistant to a dedicated attacker or that it would even tend to work with high enough accuracy for normal votes. I wrote up about it a while ago in #216 if you want to read about it.

[RoboticMind]

This opinion poll has ended. Since this is an opinion poll, the result are not binding but are merely informative.

It ended May 1st at around 22:00 UTC with the following results:

Choice	% of total voteweight	voteweight for that choice	# of votes
No	~89.36%	45401612.52691548	230
Yes	~10.64%	5405652.09601355	72

Other Metrics	Value
% of AVW	~21.3%
total voteweight	50807264.62292903

For more information, click the dropdown below

More information from the result of the getpollresults command (in JSON format)

```json { "poll_id": "879b0c96a100a2850bd079fdc25ce30dd2107d1bd94936e8056da23920d333ce", "votes": 579, "invalid_votes": 277, "total_weight": 50807264.62292903, "top_choice_id": 1, "top_choice": "No", "responses": [ { "choice": "Yes", "id": 0, "weight": 5405652.09601355, "votes": 72 }, { "choice": "No", "id": 1, "weight": 45401612.52691548, "votes": 230 } ] } ```

[RoboticMind]

@jamescowens now that this poll is over, I think we can close this

[WGrav01]

Yes, close it.

On Mon, May 3, 2021 at 3:44 PM RoboticMind @.***> wrote:

@jamescowens https://github.com/jamescowens now that this poll is over, I think we can close this

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/gridcoin-community/Gridcoin-Tasks/issues/246#issuecomment-831489059, or unsubscribe https://github.com/notifications/unsubscribe-auth/APFLSOR3JQB7WUFP2RUYGMTTL34JVANCNFSM42W5WBVQ .