Anyone considering whether to vote in this poll should be aware of the risks associated with moving funds in order to use the shielded voting protocol. These include non-obvious risks that would not be present for normal transfer of funds, because of the need to reveal a seed phrase.
For example, suppose you hold all funds being voted in hardware wallets — which you absolutely should for any amount of funds large enough to matter in the poll. Then there is a software-only attack —valid in the normal threat model for hardware wallet usage— that could potentially mislead you into thinking that the funds have been successfully sent out of the wallet to which you’re going to reveal the seed phrase, when actually they are still in that wallet and could be stolen. This attack is completely undetectable unless you have a reliable independent way of checking whether that transaction that should have moved out the funds is correct and confirmed on the consensus chain (using the viewing key of the account you intended to move the funds back to, and a trusted platform).
To anticipate a likely objection, yes you are “only” explicitly revealing the seed phrase to the voting software, but in the normal threat model for hardware wallet usage, that should be treated as revealing the seed phrase to an adversary, because the voting software runs on an untrusted platform. And so the integrity or good intentions of the provider of the voting software are irrelevant; the malware that steals your funds in general isn’t that software.
As a result, I cannot in good conscience recommend that this protocol be used. I’m aware that saying this is likely to reduce turn-out, and might selectively bias the results against participation by risk-adverse users (or users who trust me on this), but I cannot see any way to avoid that. I would encourage anyone who would otherwise have used the shielded voting protocol, but does not do so because of this advice, to say so here.
Note that this isn’t a necessary problem with shielded coinholder voting. Using a viewing key rather than a seed phrase would help, although it wouldn’t mitigate all risks. I have other issues with putting too much weight on coinholder polls, but that’s not what I’m discussing here.