Secret Weavers

This project showcases anonymous polling from authorized parties, storing that data with integrity guarantees backed by a blockchain, and using confidential computing to generate aggregated results without breaching individual privacy. Dashboards of real time data can be easily created to analyze members’ voting behaviors without the need to code or compromise data privacy of individual members, and all DAO members and managers can be given equal access.

This anonymity gives the DAO a chance to understand not only HOW its community is voting, but WHY. It also enables closed votes where early results won’t bias later results, as the release of results doesn’t have to happen in real time to benefit from Web3 security properties. Use cases for this tool can be expanded beyond DAO voting. For instance, we could build an ad platform that securely collects and analyzes zero-party data from end users.

Functionally, the first step is determining whether an anonymous party is authorized to interact with the data, which we do by validating that they have a POAP from a specific collection in their wallet. Users login to the browser using metamask, and then Weavechain ascertains POAP ownership. Once the user is authorized, Weavechain also assigns them all of the rights in its configuration associated with holders of the POAP. In this case, all requests executed from this account are validated to execute calls through Weavechain to write new records and perform computation on the data available through the Weave.

Once this is done, the user enters an input flow where they answer a series of questions, with the answers stored in a PostgreSQL database and hashes stored in a Polygon smart contract. To minimize expensive transactions, the answers to individual questions are stored in local storage until the survey is complete, at which point it’s submitted as a bundle.

We ensure that each user can only submit one vote by creating a salted hash of the wallet address and storing it in the database, grouping so that only the most recent vote is used. The salted hash is used to avoid having the wallet address stored in plaintext, however, the hashing happens on the UI in the PoC and it can be subject to bruteforce deanonymization attacks given that the salt can be reversed.

Weavechain nodes know how to establish consensus leadership with the Weave’s trust network, so that the leader node can then execute both the write to the PostgreSQL database, and the write of a one-way salted hash of the new data row to the Polygon Smart Contract https://mumbai.polygonscan.com/address/0x78F97E4417173620a9bd87fe4e33e9815D34333a. All future data access moments can compare the data in PostgreSQL with the hashes on Polygon, and throw an error if the hashes don’t match, implying that somebody has tampered with the database. We refer to this pattern as “Linked Bits”.

Note, for this hackathon we built a trust network using only a single Weavechain node with a single PostgreSQL database behind it - effectively centralized. Our ideal scenario is where each voter holds a local database of its votes, along with a running Weavechain node, so that storage and computation can happen in a trust minimized way. This is probably unrealistic, as users are likely not interested in keeping devices online at all times so that calculations can be done on the fly. Our expectation is that we will see the emergence of data brokers whose job it is to host the data of others and make it available for computation. We do not believe that public decentralized storage solutions like IPFS, Arweave, or even hosting data in a smart contract on a public blockchain are feasible in many scenarios, because data stored in this way is not GDPR compliant (it cannot be deleted to satisfy “erasure obligations” / “the right to be forgotten”) nor HIPAA compliant (having “physical safeguards” like firewalls in addition to “technical safeguards” like encryption).

After voting, the user is sent to a dashboard page, where they are presented with visualization tools driven by data from confidential computing calculations. We’re using multi-party computing in this scenario, where Weavechain acts as a layer on top of the SPDZ protocol. Again, this isn’t quite as interesting given that our data source is centralized for the hackathon, but it would be just as effective if there were multiple nodes in the trust network. We’ve included snippets of Jupyter notebooks in our presentation showing how any authorized party could independently run confidential computing against the Weave. I’ll note as well that Weavechain supports multiple forms of confidential computing, including Homomorphic Encryption and Compute-to-Data today, with Federated and Split Learning on its roadmap.

The majority of this application is built on Node.js and React. Weavechain handled authentication and authorization of Metamask wallets holding the POAP, gating the rest of the application. Weavechain also handled data access to and from a PostgreSQL database for data storage, and you can see notes in the long description re: how we’d prefer to decentralize data storage in the future. It also handled multi-party computing access via simple API calls, and interactions with a Polygon smart contract for hash storage.

Starting Friday night, we minted a set of 250 POAPs on the Gnosis chain on app.poap.xyz. We embedded the POAP claim page into our dApp via iframe. For production, if the dApp is exclusively for existing DAO members, this part could be skipped and end users start their user journey with authenticating DAO token ownership.

Note, our team’s designer was prolific with Figma, which was incredibly useful for all visual elements.