Two years ago, Orange CEO Stephane Richard announced their Ethereum-based voting dapp (Le Vote, now retired), which I hacked that very day; the root cause was a misconception about how to identify a user.
On October 1st, several cities north of Paris opened a ballot to let their 26 000+ citizens decide on the construction of a road. One marketed innovation was the choice of a Tezos-based dapp, developed by a company called Avosvotes.
“In Verneuil-sur-Seine, the decentralized and secure voting evidence on the blockchain — resulting from French researchers at Tezos — will make it possible to guarantee the sincerity of the ballot,”
Florian Ribiere, CEO of Avosvotes.
So I decided to have a look at the dapp developed by these top French researchers at Tezos, and live-tweeted the findings.
Day 1: the Voting Dapp
I started with the front-end app, and it took only a few minutes to discover several critical vulnerabilities, which have been reported to the team (notably SQL injections, an unprotected API, and an interface exposed to DoS).
I then looked into the blockchain part, and was surprised to find that the vote data was exposed almost in the clear. One can get the ongoing status of the vote with exact numbers, when each individual vote happens, at what time of day people vote, which days they vote most, etc. Even worse, there is a privacy issue: the voter's IP and vote are leaked to Google Analytics.
Day 2: The smart contract
The day after, I audited the Tezos smart contract. It looked like unaudited code that merely changed a few lines of a demo contract. It was not a complicated task: I managed to send vote transactions that artificially incremented the vote counter, and to call two unused contract functions.
So much for the “French researchers at Tezos”. It was clearly a marketing stunt with no concern for security. The interesting lesson is that formal verification, as promoted by Tezos, does not protect against a misconceived smart contract: it only helps verify that the code executes correctly, not that the code matches the intended use case.
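To make that distinction concrete, here is an added example (my own toy model, not the Avosvotes contract, whose code is not on this page): a plain-Python sketch of a Tezos-style ballot with a vote entrypoint that identifies the voter by a caller-supplied id, beside one that uses the protocol-provided sender and a fixed electorate. The `sender` argument, the `tz1...` addresses and the scenario are assumptions constructed for the example.

```python
# Added example, not the Avosvotes contract (its code is not on this page): a toy
# model of a Tezos-style ballot in plain Python. Tezos gives each entrypoint the
# caller's address as `sender`; here it is an explicit argument.

class VulnerableBallot:
    """Identifies the voter by a caller-supplied id, never by `sender`."""
    def __init__(self, eligible):
        self.eligible, self.voted, self.yes, self.no = frozenset(eligible), set(), 0, 0

    def vote(self, sender, voter_id, choice):
        if voter_id in self.voted:
            raise ValueError("already voted")
        self.voted.add(voter_id)  # `sender` is never consulted: any fresh id passes
        self.yes, self.no = (self.yes + 1, self.no) if choice else (self.yes, self.no + 1)

class HardenedBallot:
    """Identity is the protocol-provided `sender`, the electorate is fixed at
    origination, one vote per address, and no entrypoints beyond what the ballot needs."""
    def __init__(self, eligible):
        self.eligible, self.voted, self.yes, self.no = frozenset(eligible), set(), 0, 0

    def vote(self, sender, choice):
        if sender not in self.eligible:
            raise ValueError("not an eligible voter")
        if sender in self.voted:
            raise ValueError("already voted")
        self.voted.add(sender)
        self.yes, self.no = (self.yes + 1, self.no) if choice else (self.yes, self.no + 1)

def tally_is_plausible(b):
    """Spec-level invariant that verifying the code alone never gives you."""
    return b.yes + b.no == len(b.voted) <= len(b.eligible)

def run_scenario():
    """Constructed: 3 eligible voters; an outsider sends five 'yes' votes under
    made-up ids, then eligible voter A votes 'no'. Returns both tallies."""
    eligible = ["tz1voterA", "tz1voterB", "tz1voterC"]  # constructed addresses
    weak, strong = VulnerableBallot(eligible), HardenedBallot(eligible)
    for i in range(5):
        weak.vote("tz1outsider", f"fake-id-{i}", True)  # all five accepted
        try:
            strong.vote("tz1outsider", True)
        except ValueError:
            pass  # all five rejected
    weak.vote("tz1voterA", "tz1voterA", False)
    strong.vote("tz1voterA", False)
    return {"weak": (weak.yes, weak.no, tally_is_plausible(weak)),
            "strong": (strong.yes, strong.no, tally_is_plausible(strong))}
```

Both contracts run exactly as written and would pass a proof about their own code; only the invariant check, which encodes what a ballot is supposed to be, exposes the inflated counter.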
It is sad to see this behaviour in the blockchain space, but not surprising. I hope this event has sent a clear signal that people must substantially raise their standards, above all when a ballot of 26 000 citizens is at stake.
At Ark Ecosystem, we take security in the blockchain space very seriously. We have an ongoing security bounty program and are hiring a creative pentester to innovate in the space. We have also launched a sister company, Protokol, to help companies deal with this very subject.