Auditing dPolls

in #dpoll, 7 years ago (edited)

A couple of hours ago, I was informed that there are discrepancies in voting results between the dPoll interface and the blockchain.

Before going into details, I want to thank @abh12345 for asking me about the situation privately before posting the issue publicly.

The problem

dPoll uses main posts as polls, and comments as votes. Whenever you post a poll, secret JSON metadata is written to the blockchain. The same goes for votes.

  • People may delete the comment from Steemit. This operation doesn't actually delete the comment but sends a signal that it's deleted. The comment operations still stay in the history of the blockchain. However, get_content_replies doesn't return the deleted comments.

  • People may edit the comments with alternative Steem apps. These apps may hijack the json_metadata and therefore remove the voting_data when they're used for editing.

So, if we want to verify the dPoll interface results against the blockchain, we need to have lots of checks.

The solution

I have coded a verification script in Python. Its workflow is simple:

  • Get the dPoll results from the dPoll API.

  • Call get_content_replies. (Asking the blockchain for the data directly.)

  • Check each comment's json_metadata to see if the dPoll vote is there. If it's not, add the missing votes into a missing_votes list.

  • For each missing vote, check if the author deleted a dPoll vote comment. If that's the case, mark the vote as correct.

  • If the author didn't delete the comment, then check the author's account history to see whether any other dApp overwrote the json_metadata. If that's the case, mark the vote as correct.

After all these processes, if there are still missing votes on the blockchain, then we can say we have a problem on the dPoll side.

Output of the audit script

Source code of the audit script

TL;DR

Regarding @theycallmedan's 10k SP delegation poll:

  • There are 2 votes registered on dPoll that don't have a blockchain reference. (@steemitwitchery, @harmonyval to SteemitBloggers). This looks like a bug on our end. It might be related to this; I need to check the logs and update the code to behave more defensively/transactionally. This will be addressed soon.

  • Lots of accounts deleted their comment (mostly clustered around the TEAM-CN choice). This makes verifying hard. So, if you need to verify, you should also loop through the account history of missing voters.

  • Some users edited their comment from alternative interfaces like Partiko. Some interfaces hijack the json_metadata and overwrite its values, so they actually remove the votes. That's why an account history loop is required here, too.
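The reconciliation workflow described under "The solution", as an added example that is not the author's audit script. It runs offline on constructed data; the json_metadata schema (`content_type`, `votes`), the API result shape (voter to choice) and the account names are assumptions, and history entries are simplified to (operation name, payload) pairs.

```python
import json

def vote_in(meta_str):
    """Return the choice stored in a comment's json_metadata, or None."""
    try:
        meta = json.loads(meta_str or "{}")
    except ValueError:
        return None
    # Assumed schema: {"content_type": "poll_vote", "votes": ["<choice>"]}
    if isinstance(meta, dict) and meta.get("content_type") == "poll_vote":
        return (meta.get("votes") or [None])[0]
    return None

def classify(voter, choice, history, poll):
    """Replay one voter's operations, oldest first, to explain a missing vote."""
    permlink, status = None, "missing"
    for name, op in history:
        if op.get("author") != voter:
            continue
        if name == "comment":
            is_reply = (op["parent_author"], op["parent_permlink"]) == poll
            if is_reply and vote_in(op["json_metadata"]) == choice:
                permlink, status = op["permlink"], "history_only"
            elif op["permlink"] == permlink:
                status = "overwritten"  # a later edit replaced the vote metadata
        elif name == "delete_comment" and op["permlink"] == permlink:
            status = "deleted"  # the vote comment was deleted afterwards
    return status

def audit(api_votes, replies, histories, poll):
    """Map every vote reported by the API to a verification status."""
    on_chain = {(r["author"], vote_in(r["json_metadata"])) for r in replies}
    return {v: "verified" if (v, c) in on_chain
            else classify(v, c, histories.get(v, []), poll)
            for v, c in api_votes.items()}

# Constructed sample data (hypothetical accounts, not taken from the real poll).
POLL = ("pollauthor", "sample-poll")
def _c(author, meta):
    return ("comment", {"author": author, "permlink": "re-" + author,
                        "parent_author": POLL[0], "parent_permlink": POLL[1],
                        "json_metadata": json.dumps(meta)})
VOTE = {"content_type": "poll_vote", "votes": ["A"]}
API_VOTES = {"alice": "A", "bob": "A", "carol": "A", "dave": "A"}
REPLIES = [_c("alice", VOTE)[1], _c("carol", {"app": "otherapp"})[1]]
HISTORIES = {"bob": [_c("bob", VOTE), ("delete_comment", {"author": "bob", "permlink": "re-bob"})],
             "carol": [_c("carol", VOTE), _c("carol", {"app": "otherapp"})]}
REPORT = audit(API_VOTES, REPLIES, HISTORIES, POLL)
```

Only votes that end as `missing` have no trace on chain; `deleted` and `overwritten` votes are still recoverable from the voter's account history.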


Thank you for looking into this... I am clueless about coding and all the behind the scenes of computers and technology... and as a steemitbloggers (powerhousecreatives) member... I wanted to thank you personally for all this hard work and research you did!

Thanks for the audit work, hopefully this will be of help in future Polls.

I guess the questions will come, so I'll just come right out with it.

Do you think the vote count / votes with deleted comments should stand? Or is this something for the Poll owner, @theycallmedan to decide?

Cheers!

Hmmm...seems to me that if you delete a comment that is saying "wait, no I don't want to make that vote". Other than trying to hide shady activity there is no reason to delete your comment.

That would be my take also.

Yes. It's totally up to @theycallmedan at that point. There is a group of accounts that voted for the same choice and deleted their comments. These are valid votes in the app's context.

Account based voting has some downfalls as we can see at that poll. :)

Yeah. Fair enough, let's see what happens :)

If all those accounts with deleted comments are related in other ways, would that make it quite suspicious activity?

I don't want to speculate on that topic; for me what really matters is they are valid votes in dPoll's context and verifiable from the blockchain.

I don't understand all this technical stuff, but I'm glad you do! lol. Thanks for checking on this and breaking it all down for us!

Good evening Emre, your audit is appreciated. Thank you for the time and effort and the explanation!
We will see what @theycallmedan, Dan, decides.
Gr.
Britt

I wonder if that's because I've only made a couple of comments through this account, and still haven't done my intro post yet... oopsies... LOL!

If I can help with the bug in any way, please feel free to shout out! 😊

Looks like you have used some witchery! :)

Maybe... 😉 😊



And so much for maintaining an air of mystery, when I reply from the wrong account... 😂



Hahaha, I've done the same thing before with my pen name!

I have done the same thing @steemwitchery and @byn on Instagram when I've posted a cat or food photo on my work/Destination McGregor account! Lol

Yeah, @byn and @fionasfavourites, I'd like to say this was the first time I've done this, but... 😂

Back in the early days of blogging (2004), I wrote a blog for a local newspaper's website called, "Confessions of an Internet G33k." To add to the mystique, I had (with the editor's approval) an "InternetG33k" account for commenting, as well as my "Traci York" account.

Let's just say it didn't last long before I gave up, and just blogged as myself... 😜

OMG.... hahahahah
It's you!!
I knew there was something unique about that hairstyle

Yeppers, @kaerpediem! 😊

And, unique? Why does everyone keep using that word with me?

Oh, wait.... 😂

Nice work!

Posted using Partiko Android

Thank you for taking the time and energy to look into discrepancies and share your findings. Deeply appreciated BeautyFull!

Much love from the #powerhousecreatives tribe
💯🙏💕✨🙌

Posted using Partiko Android

The diligence and dedication is admirable! Thanks for doing it in this case and for the platform in general.

I don't understand the technical side of things, but it seems like you are on top of it! Nice work!

Thank you for your diligence to this! 🙌
