Scheme

Mint
Propose
Vote
Exec
AuthMoneyTransfer

Let $PoseidonHash$ be defined as in the section PoseidonHash Function.

Let $F_{p}, P_{p}, DerivePubKey, Lift_{q}, G_{N}, X, Y$ be defined as in the section Pallas and Vesta.

Let $PedersenCommit$ be defined as in the section Homomorphic Pedersen Commitments.

Let $MerklePos, MerklePath, MerkleRoot$ be defined as in the section Incremental Merkle Tree.

Let $Params_{DAO}, Bulla_{DAO}, Params_{Proposal}, Bulla_{Proposal}$ be defined as in DAO Model.

Let $AeadEncNote$ be defined as in In-band Secret Distribution.

Let $ElGamal.Encrypt, ElGamalEncNote_{k}$ be defined as in the section Verifiable In-Band Secret Distribution.

Mint

This function creates a DAO bulla $D$ . It's comparatively simple- we commit to the DAO params and then add the bulla to the set.

Wallet builder: src/contract/dao/src/client/mint.rs
WASM VM code: src/contract/dao/src/entrypoint/mint.rs
ZK proof: src/contract/dao/proof/dao-mint.zk

Function Params

Define the DAO mint function params $D PK \in im (Bulla_{DAO}) \in P_{p}$

/// Parameters for `Dao::Mint`
pub struct DaoMintParams {
    /// The DAO bulla
    pub dao_bulla: DaoBulla,
    /// The DAO public key
    pub dao_pubkey: PublicKey,
}

Contract Statement

DAO bulla uniqueness whether $B$ already exists. If yes then fail.

Let there be a prover auxiliary witness inputs: $L Q A^{%} τ x b_{DAO} \in N_{64} \in N_{64} \in N_{64} \times N_{64} \in F_{p} \in F_{p} \in F_{p}$

Attach a proof $π$ such that the following relations hold:

Proof of public key ownership $PK = DerivePubKey (x)$ .

DAO bulla integrity $B = Bulla_{DAO} ((L, Q, A^{%}, τ, PK), b_{DAO})$

Signatures

There should be a single signature attached, which uses $PK$ as the signature public key.

Propose

This contract function creates a DAO proposal. It takes a merkle root $R_{DAO}$ which contains the DAO bulla created in the Mint phase.

Several inputs are attached containing proof of ownership for the governance token. This is to satisfy the proposer limit value set in the DAO. We construct the nullifier $N$ which can leak anonymity when those same coins are spent. To workaround this, wallet implementers can attach an additional Money::transfer() call to the transaction.

The nullifier $N$ proves the coin isn't already spent in the set determined by $R_{coin}$ . Each value commit $V$ exported by the input is summed and used in the main proof to determine the total value attached in the inputs crosses the proposer limit threshold.

This is merely a proof of ownership of holding a certain amount of value. Coins are not locked and continue to be spendable.

Additionally the encrypted note $note$ is used to send the proposal values to the DAO members using the public key set inside the DAO.

A proposal contains a list of auth calls as specified in Auth Calls. This specifies the contract call executed by the DAO on passing.

Wallet builder: src/contract/dao/src/client/propose.rs
WASM VM code: src/contract/dao/src/entrypoint/propose.rs
ZK proofs:
- src/contract/dao/proof/dao-propose-main.zk
- src/contract/dao/proof/dao-propose-input.zk

Function Params

Define the DAO propose function params $R_{DAO} T P note i \in F_{p} \in F_{p} \in im (Bulla_{Proposal}) \in AeadEncNote \in ProposeInput^{*}$

Define the DAO propose-input function params $ProposeInput . N ProposeInput . V ProposeInput . R_{coin} ProposeInput . PK_{σ} \in F_{p} \in P_{p} \in F_{p} \in P_{p}$

/// Parameters for `Dao::Propose`
pub struct DaoProposeParams {
    /// Merkle root of the DAO in the DAO state
    pub dao_merkle_root: MerkleNode,
    /// Token ID commitment for the proposal
    pub token_commit: pallas::Base,
    /// Bulla of the DAO proposal
    pub proposal_bulla: DaoProposalBulla,
    /// Encrypted note
    pub note: AeadEncryptedNote,
    /// Inputs for the proposal
    pub inputs: Vec<DaoProposeParamsInput>,
}

/// Input for a DAO proposal
pub struct DaoProposeParamsInput {
    /// Value commitment for the input
    pub value_commit: pallas::Point,
    /// Merkle root for the input's coin inclusion proof
    pub merkle_coin_root: MerkleNode,
    /// SMT root for the input's nullifier exclusion proof
    pub smt_null_root: pallas::Base,
    /// Public key used for signing
    pub signature_public: PublicKey,
}

Contract Statement

Let $t_{0} = BlockWindow \in F_{p}$ be the current blockwindow as defined in Blockwindow.

Let $Attrs_{Coin}$ be defined as in Coin.

Valid DAO bulla merkle root check that $R_{DAO}$ is a previously seen merkle root in the DAO contract merkle roots DB.

Proposal bulla uniqueness whether $P$ already exists. If yes then fail.

Let there be prover auxiliary witness inputs: $v b_{v} b_{τ} p b_{p} d b_{d} (ψ, Π) \in F_{p} \in F_{v} \in F_{p} \in Params_{Proposal} \in F_{p} \in Params_{DAO} \in F_{p} \in MerklePos \times MerklePath$ Attach a proof $π_{P}$ such that the following relations hold:

Governance token commit export the DAO token ID as an encrypted pedersen commit $T = PedersenCommit (d . τ, b_{τ})$ where $T = \sum_{i \in i} T_{i}$ .

DAO bulla integrity $D = Bulla_{DAO} (d, b_{d})$

DAO existence $R_{DAO} = MerkleRoot (ψ, Π, D)$

Proposal bulla integrity $P = Bulla_{Proposal} (p, b_{p})$ where $p . t_{0} = t_{0}$ .

Proposer limit threshold met check the proposer has supplied enough inputs that the required funds for the proposer limit set in the DAO is met. Let the total funds $v = \sum_{i \in i} i . v$ , then check $d . L \leq v$ .

Total funds value commit $V = PedersenCommit (v, b_{v})$ where $V = \sum_{i \in i} i . V$ . We use this to check that $v = \sum_{i \in i} i . v$ as claimed in the proposer limit threshold met check.

For each input $i \in i$ , perform the following checks:

Unused nullifier check that $N$ does not exist in the money contract nullifiers DB.

Valid input coins merkle root check that $i . R_{coin}$ is a previously seen merkle root in the money contract merkle roots DB.

Let there be a prover auxiliary witness inputs: $x_{c} c b_{v} b_{τ} (ψ_{i}, Π_{i}) x_{σ} \in F_{p} \in Attrs_{Coin} \in F_{v} \in F_{p} \in MerklePos \times MerklePath \in F_{p}$ Attach a proof $π_{i}$ such that the following relations hold:

Nullifier integrity $N = PoseidonHash (x_{c}, C)$

Coin value commit $i . V = PedersenCommit (c . v, b_{v})$ .

Token commit $T = PoseidonHash (c . τ, b_{τ})$ .

Valid coin Check $c . P = DerivePubKey (x_{c})$ . Let $C = Coin (c)$ . Check $i . R_{coin} = MerkleRoot (ψ_{i}, Π_{i}, C)$ .

Proof of signature public key ownership $i . PK_{σ} = DerivePubKey (x_{σ})$ .

Signatures

For each $i \in i$ , attach a signature corresponding to the public key $i . PK_{σ}$ .

Vote

After DAO::propose() is called, DAO members can then call this contract function. Using a similar method as before, they attach inputs proving ownership of a certain value of governance tokens. This is how we achieve token weighted voting. The result of the vote is communicated to other DAO members through the encrypted note $note$ .

Each nullifier $N$ is stored uniquely per proposal. Additionally as before, there is a leakage here connecting the coins when spent. However prodigious usage of Money::transfer() to wash the coins after calling DAO::vote() should mitigate against this attack. In the future this can be fixed using set nonmembership primitives.

Another leakage is that the proposal bulla $P$ is public. To ensure every vote is discoverable by verifiers (who cannot decrypt values) and protect against 'nothing up my sleeve', we link them all together. This is so the final tally used for executing proposals is accurate.

The total sum of votes is represented by the commit $V_{all} = \sum_{i \in i} i . V$ and the yes votes by $V_{yes}$ .

Wallet builder: src/contract/dao/src/client/vote.rs
WASM VM code: src/contract/dao/src/entrypoint/vote.rs
ZK proofs:
- src/contract/dao/proof/dao-vote-main.zk
- src/contract/dao/proof/dao-vote-input.zk

Function Params

Define the DAO vote function params $τ P V_{yes} enc_vote i \in F_{p} \in im (Bulla_{Proposal}) \in P_{p} \in ElGamalEncNote_{4} \in VoteInput^{*}$

Define the DAO vote-input function params $VoteInput . N VoteInput . V VoteInput . R_{coin} VoteInput . PK_{σ} \in F_{p} \in P_{p} \in F_{p} \in P_{p}$

Note: $VoteInput . V$ is a pedersen commitment, where the blinds are selected such that their sum is a valid field element in $F_{p}$ so the blind for $\sum V$ can be verifiably encrypted. Likewise we do the same for the blind used to calculate $V_{yes}$ .

This allows DAO members to securely receive all secrets for votes on a proposal. This is then used in the Exec phase when we work on the sum of DAO votes.

/// Parameters for `Dao::Vote`
pub struct DaoVoteParams {
    /// Token commitment for the vote inputs
    pub token_commit: pallas::Base,
    /// Proposal bulla being voted on
    pub proposal_bulla: DaoProposalBulla,
    /// Commitment for yes votes
    pub yes_vote_commit: pallas::Point,
    /// Encrypted note
    pub note: ElGamalEncryptedNote<4>,
    /// Inputs for the vote
    pub inputs: Vec<DaoVoteParamsInput>,
}

/// Input for a DAO proposal vote
pub struct DaoVoteParamsInput {
    /// Vote commitment
    pub vote_commit: pallas::Point,
    /// Vote nullifier
    pub vote_nullifier: Nullifier,
    /// Public key used for signing
    pub signature_public: PublicKey,
}

Contract Statement

Let $t_{0} = BlockWindow \in F_{p}$ be the current blockwindow as defined in Blockwindow.

Proposal bulla exists check $P$ exists in the DAO contract proposal bullas DB.

Let there be prover auxiliary witness inputs: $p b_{p} d b_{d} o b_{y} v b_{v} b_{τ} t_{now} esk \in Params_{Proposal} \in F_{p} \in Params_{DAO} \in F_{p} \in F_{p} \in F_{p} \in F_{p} \in F_{p} \in F_{p} \in F_{p} \in F_{p}$ Attach a proof $π_{V}$ such that the following relations hold:

Governance token commit export the DAO token ID as an encrypted pedersen commit $T = PedersenCommit (d . τ, b_{τ})$ where $T = \sum_{i \in i} T_{i}$ .

DAO bulla integrity $D = Bulla_{DAO} (d, b_{d})$

Proposal bulla integrity $P = Bulla_{Proposal} (p, b_{p})$

Yes vote commit $V_{yes} = PedersenCommit (o v, Lift_{q} (b_{y}))$

Total vote value commit $V_{all} = PedersenCommit (v, Lift_{q} (b_{v}))$ where $V_{all} = \sum_{i \in i} i . V$ should also hold.

Vote option boolean enforce $o \in {0, 1}$ .

Proposal not expired let $t_{end} = N_{64} 2 F_{p} (p . t_{0}) + N_{64} 2 F_{p} (p . D)$ , and then check $t_{now} < t_{end}$ .

Verifiable encryption of vote commit secrets let $n = (o, b_{y}, v, b_{v})$ , and verify $enc_vote = ElGamal . Encrypt (n, esk, d . PK)$ .

For each input $i \in i$ , perform the following checks:

Valid input merkle root check that $i . R_{coin}$ is the previously seen merkle root in the proposal snapshot merkle root.

Unused nullifier (money) check that $N$ does not exist in the money contract nullifiers DB.

Unused nullifier (proposal) check that $N$ does not exist in the DAO contract nullifiers DB for this specific proposal.

Let there be prover auxiliary witness inputs: $x_{c} c b_{v} b_{τ} (ψ_{i}, Π_{i}) x_{σ} \in F_{p} \in Attrs_{Coin} \in F_{v} \in F_{p} \in MerklePos \times MerklePath \in F_{p}$ Attach a proof $π_{i}$ such that the following relations hold:

Nullifier integrity $N = PoseidonHash (x_{c}, C)$

Coin value commit $i . V = PedersenCommit (c . v, b_{v})$ .

Token commit $T = PoseidonHash (c . τ, b_{τ})$ .

Valid coin Check $c . P = DerivePubKey (x_{c})$ . Let $C = Coin (c)$ . Check $i . R_{coin} = MerkleRoot (ψ_{i}, Π_{i}, C)$ .

Proof of signature public key ownership $i . PK_{σ} = DerivePubKey (x_{σ})$ .

Signatures

For each $i \in i$ , attach a signature corresponding to the public key $i . PK_{σ}$ .

Exec

Exec is the final stage after voting is Accepted.

It checks the correct voting conditions have been met in accordance with the DAO params such as quorum and approval ratio. $V_{yes}$ and $V_{all}$ are pedersen commits to $v_{yes}$ and $v_{all}$ respectively.

It also checks that child calls have been attached in accordance with the auth calls set inside the proposal. One of these will usually be an auth module function. Currently the DAO provides a single preset for executing Money::transfer() calls so DAOs can manage anonymous treasuries.

Wallet builder: src/contract/dao/src/client/exec.rs
WASM VM code: src/contract/dao/src/entrypoint/exec.rs
ZK proof: src/contract/dao/proof/dao-exec.zk

Function Params

Let $AuthCall, Commit_{Auth^{*}}$ be defined as in the section Auth Calls.

Define the DAO exec function params $P A V_{yes} V_{all} \in im (Bulla_{Proposal}) \in AuthCall^{*} \in P_{p} \in P_{p}$

/// Parameters for `Dao::Exec`
pub struct DaoExecParams {
    /// The proposal bulla
    pub proposal_bulla: DaoProposalBulla,
    pub proposal_auth_calls: Vec<DaoAuthCall>,
    /// Aggregated blinds for the vote commitments
    pub blind_total_vote: DaoBlindAggregateVote,
    /// Public key for the signature.
    /// The signature ensures this DAO::exec call cannot be modified with other calls.
    pub signature_public: PublicKey,
}

/// Represents a single or multiple blinded votes.
/// These can be summed together.
pub struct DaoBlindAggregateVote {
    /// Weighted vote commit
    pub yes_vote_commit: pallas::Point,
    /// All value staked in the vote
    pub all_vote_commit: pallas::Point,
}

Contract Statement

There are two phases to Exec. In the first we check the calling format of this transaction matches what is specified in the proposal. Then in the second phase, we verify the correct voting rules.

Auth call spec match denote the child calls of Exec by $C$ . If $# C \neq = # A$ then exit. Otherwise, for each $c \in C$ and $a \in A$ , check the function ID of $c$ is $a$ .

Aggregate votes lookup using the proposal bulla, fetch the aggregated votes from the DB and verify $V_{yes}$ and $V_{all}$ are set correctly.

Let there be prover auxiliary witness inputs: $p b_{p} d b_{d} v_{y} v_{a} b_{y} b_{a} \in Params_{Proposal} \in F_{p} \in Params_{DAO} \in F_{p} \in F_{p} \in F_{p} \in F_{v} \in F_{v}$ Attach a proof $π$ such that the following relations hold:

DAO bulla integrity $D = Bulla_{DAO} (d, b_{d})$

Proposal bulla integrity $P = Bulla_{Proposal} (p, b_{p})$ where $p . A = A$ .

Yes vote commit $V_{yes} = PedersenCommit (v_{y}, b_{y})$

All vote commit $V_{all} = PedersenCommit (v_{a}, b_{a})$

All votes pass quorum $Q \leq v_{a}$

Approval ratio satisfied we wish to check that $\frac{A _{q}^{%}}{A _{b}^{%}} \leq \frac{v _{y}}{v _{a}}$ . Instead we perform the equivalent check that $v_{a} A_{q}^{%} \leq v_{y} A_{b}^{%}$ .

Signatures

No signatures are attached.

AuthMoneyTransfer

This is a child call for Exec which can be used for DAO treasuries. It checks the next sibling call is Money::transfer() and accordingly verifies the first $n - 1$ output coins match the data set in this call's auth data.

Additionally we provide a note with the coin params that are verifiably encrypted to mitigate the attack where Exec is called, but the supplied Money::transfer() call contains an invalid note which cannot be decrypted by the receiver. In this case, the money would still leave the DAO treasury but be unspendable.

Wallet builder: src/contract/dao/src/client/auth_xfer.rs
WASM VM code: src/contract/dao/src/entrypoint/auth_xfer.rs
ZK proofs:
- src/contract/dao/proof/dao-auth-money-transfer.zk
- src/contract/dao/proof/dao-auth-money-transfer-enc-coin.zk

Function Params

Define the DAO AuthMoneyTransfer function params $C_{enc} D_{enc} \in ElGamalEncNote_{5}^{*} \in ElGamalEncNote_{3}$

This provides verifiable note encryption for all output coins in the sibling Money::transfer() call as well as the DAO change coin.

/// Parameters for `Dao::AuthMoneyTransfer`
pub struct DaoAuthMoneyTransferParams {
    pub enc_attrs: Vec<ElGamalEncryptedNote<5>>,
    pub dao_change_attrs: ElGamalEncryptedNote<3>,
}

Contract Statement

Denote the DAO contract ID by $CID_{DAO} \in F_{p}$ .

Sibling call is Money::transfer() load the sibling call and check the contract ID and function code match Money::transfer().

Money originates from the same DAO check all the input's user_data for the sibling Money::transfer() encode the same DAO. We do this by using the same blind for all user_data. Denote this value by $UD_{enc}$ .

Output coins match proposal check there are $n + 1$ output coins, with the first $n$ coins exactly matching those set in the auth data in the parent DAO::exec() call. Denote these proposal auth calls by $A$ .

Let there be a prover auxiliary witness inputs: $p b_{p} d b_{d} b_{UD} v_{DAO} τ_{DAO} b_{DAO} esk \in Params_{Proposal} \in F_{p} \in Params_{DAO} \in F_{p} \in F_{p} \in F_{p} \in F_{p} \in F_{p} \in F_{p}$

Attach a proof $π_{auth}$ such that the following relations hold:

DAO bulla integrity $D = Bulla_{DAO} (d, b_{d})$

Proposal bulla integrity $P = Bulla_{Proposal} (p, b_{p})$ where $P$ matches the value in DAO::exec(), and $p . A = A$ .

Input user data commits to DAO bulla $UD_{enc} = PoseidonHash (D, b_{UD})$

DAO change coin integrity denote the last coin in the Money::transfer() outputs by $C_{DAO}$ . Then check $C_{DAO} = Coin (d . PK, v_{DAO}, τ_{DAO}, CID_{DAO}, D, b_{DAO})$

Verifiable DAO change coin note encryption let $n = (v_{DAO}, τ_{DAO}, b_{DAO})$ , and verify $D_{enc} = ElGamal . Encrypt (n, esk, d . PK)$ .

Then we do the same for each output coin of Money::transfer(). For $k \in [n]$ , let $a = (C_{enc})_{k}$ and $C$ be the $k$ th output coin from Money::transfer(). Let there be prover auxiliary witness inputs: $c e \in Attrs_{Coin} \in F_{p}$ Attach a proof $π_{k}$ such that the following relations hold:

Coin integrity $C = Coin (c)$

Verifiable output coin note encryption let $n = (c . v, c . τ, c . SH, c . UD, c . n)$ , and verify $a = ElGamal . Encrypt (n, esk, d . PK)$ .

Signatures

No signatures are attached.

The DarkFi Book