The Arbitrum airdrop highlighted a ton of Sybil Attacks. Many people have created multiple accounts to get as many tokens as possible, exceeding the hard cap of 10,000 ARB. If you don't know what we're talking about, you should know that when interacting on a blockchain project that should release its token, the chain/dapp rewards early users (all those users who have used the protocol in the early stages). "Sybil" seizures are named after a 1973 book featuring a woman who suffered from dissociative identity disorder. Essentially this technique uses a single node to simultaneously manage many fake identities (Sybil identities), within a peer-to-peer network. A successful Sybil attack gives attackers the ability to perform unauthorized actions on the system. For example, it allows a single entity, such as a computer, to create and manage multiple identities based on the same IP address. All these false identities deceive systems and users into perceiving them as real. A strong Sybil attack could allow an attacker to control over half (51% or more) of a network's total hash rate or computing power. This attack damages the integrity of a blockchain system and can potentially cause network outages. A 51% attack can change the order of transactions, reverse transactions to allow double spending, and prevent confirmation of transactions. The attacker creates and controls several aliases. Blockchain researchers have tracked addresses that pool more than $1 million of Arbitrum ARB tokens from various other wallets, suggesting they belong to the same person.
Some multi-account users have accrued more modest token totals. However, at least 198 addresses raised funds from other addresses after the snapshot was announced. All accounts accused of Sybil were banned (but the mechanism was ineffective).
WHY ARE AIRDROP PERFORMED?
The first reason is to reward the community, therefore active users who have produced profits (fees) when the native token did not yet exist (early adopoters). Another reason is marketing.
The teams are fine with a user coming to use the chain organically by grinding transactions and fees, what is not fine are the Sybil attacks (which produce minimal profit and accumulate tokens and then dump them). Before the airdrops, ICOs (Initial Coin Offerings) were all the rage, i.e. the project team sold tokens to investors in a process similar to the IPO (Initial Public Offering). This mechanism has attracted the attention of US securities regulators who have argued that ICOs constitute the unregistered sale of securities (see Ripple, Algorand, Dash and similar considered Securities).
While projects may not publicly admit it, airdrops were initially seen as a way to avoid some of the regulatory red flags associated with ICO.
Howey's test, a legal precedent that US regulators use to determine whether an asset qualifies as a security, defines securities as "the investment of money in a joint venture with a reasonable expectation of returns from the efforts others" (promotion and marketing).
Nowadays, most of the big projects that launch tokens tend to avoid promising returns on investments, so there is no "profit expectation" from owning a token. Furthermore, by distributing your token to a community and using "governance rights" to "decentralize" an ecosystem, it is easier to prove that the project is not controlled by an entity. If the project associated with a token is decentralized, it is more difficult to argue that the appreciation of the token's value has been "derived from the efforts of others." The ground rules for what constitutes "decentralization," however, aren't objective: Offchain Labs, for example, reiterated that nearly half of ARB's circulating offering ended up with investors and team members.
HOW TO SPOT AIRDROP HUNTERS?
Hunters often fund their wallets by withdrawing/depositing money from a centralized exchange. Since all of these withdrawals are processed by an exchange's hot wallet, which aggregates the tokens of many users into a single address, it's impossible to tell if they're the same person. This makes it more difficult to identify portfolios that have received funding from the same portfolio and therefore appear to belong to the same owner. Different speech for outgoing funds, where it could be deduced based on the receiving address that they are addresses belonging to the same person (interacting with the same exchange). However, some exchanges have the "memo" on some cryptocurrencies (therefore many user reception addresses are the same) and this makes it more difficult to control.
POSSIBLE SOLUTIONS
Sybil attacks in the blockchain are difficult to counter because an identity verification (KYC) cannot be performed in DeFi and on non-custodial wallets. Identity validation can help prevent Sybil attacks by revealing the true identity of hostile entities. Validation relies on a central authority that verifies the identity of entities in the network and can perform reverse lookups. Identities can be validated directly or indirectly (via old verifications performed by others).
Identity techniques can use different methods such as phone number verification, credit card verification and IP verification. These methods are not perfect and can still be evaded by attackers. Identity-based validation provides greater confidence that an address is real but sacrifices anonymity which is important for most types of peer-to-peer networks. When analyzing connectivity data there are several useful techniques, including SybilGuard, SybilLimit and Advogato Trust Metric to identify attackers and bots.
Another way is to use social graphs by calculating a scarcity-based metric, this allows you to identify suspicious Sybil clusters in distributed systems. There are a few ways to exclude airdrop hunters who use multiple accounts from distribution. For example, projects can cut all wallets that do not exceed a certain threshold (by number and type of transactions, volumes, activity over time, balance on the address), addresses with similar activity at the same time (i.e. deposits and claims at the same time on multiple addresses), correlation between transactions and interactions between wallets (for example sending funds from address 1 to address 2 and continuous interactions between 2 or more wallets with movements of non-organic funds). There are also databases (black lists) where some of these addresses are entered, if labeled as "Sybil Address" by other protocols (for example: Sybil Attacker Report ). As mentioned, centralized checks would lead to the identification of users through social networks or even IP or KYC.
CHARACTERISTICS THAT I WOULD ADOPT
-Number of transactions over time (activity)
-Amounts (consider "valid" only trades over $20 for example)
-Check the type of trade. If it is all trades Usdc/Usdt or Eth/wEth it is clear that it is an airdrop hunter
-Check the gas on each wallet
-Check LP (for example, if they contain $10-20 it is clear that it is an airdrop hunter)
-For testnets, verify identity via social networks (Twitter and above all Discord)
WHAT I WON'T DO
-No KYC (Discord and Twitter are only good for testnet)
-Interactions between wallets. This point is highly controversial. You consider lending some funds to a friend. Or you think if a friend of yours gives you a crypto or asks you to swap a token because he is unable to do so. They might look like wallets belonging to the same person but that's not the case. Interactions between wallets can detect a Sybil attack but a large number of interactions must be considered, otherwise "legit" addresses could be filtered out. Definitely it could be adopted if one wallet interacts with another, many times.
Are you interested in ways to earn crypto bonus? Check it out here: Some Sites To Earn Crypto Bonus (Old & New)
