Anti-Sybil mechanisms, seen through the Arbitrum airdrop craze
Original source: Beosin
Recently, the airdrop of Arbitrum, an Ethereum Layer 2 scaling protocol, has become a hot topic in the cryptocurrency community.
On-chain data shows that the number of transactions on Arbitrum exceeded 1.21 million on March 22, a record high, surpassing the 1.08 million transactions of the Ethereum mainnet and the 260,000 transactions of Optimism. That alone shows how much attention the airdrop drew.
Arbitrum is a Layer 2 scaling protocol offering high performance, low cost and decentralization. After the airdrop on the evening of March 16, a large number of airdrop farmers ("Lu Mao" users) found themselves restricted by a series of anti-Sybil rules. Today we look at what those anti-Sybil rules are.
Many readers will already be familiar with Sybil attacks. In a blockchain context, a Sybil attack is an attack in which the attacker gains influence over the network by forging multiple identities or nodes.
An airdrop Sybil attack is a Sybil attack aimed at cryptocurrency airdrop campaigns: the attacker uses forged identities and fake addresses to collect more airdropped tokens than a single participant is entitled to.
To explain the anti-Sybil rules, let's start with the rules of this airdrop.
Arbitrum airdrop rules and detection model
For the Arbitrum token airdrop, a set of airdrop strategies and distribution models were formulated to quantify whether each wallet or entity address on the chain meets the eligibility criteria:
1. If all of the airdrop recipient's wallet transactions occur within a 48-hour window, 1 point is deducted.
2. If the airdrop recipient's wallet balance is less than 0.005 ETH, and the wallet has not interacted with more than one smart contract, 1 point is deducted.
3. If the airdrop recipient's wallet address was identified as a Sybil address during the Hop Protocol bounty program, the recipient is disqualified.
4. There is also a criterion that the project team has not confirmed: users who connect multiple wallets from the same IP to check eligibility on http://arbitrum.foundation are removed from the list outright.
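The three published rules above are simple enough to express as a scoring function. The following is an added example written for this article, not code from Arbitrum or Offchain Labs: the wallet records and the Hop Sybil list are constructed placeholders, and because the article does not state the baseline score or the passing threshold, the function returns only the deductions and the disqualification flag.

```python
from dataclasses import dataclass, field

WINDOW_48H = 48 * 3600          # rule 1: all activity inside a 48-hour window
MIN_BALANCE_WEI = 5 * 10**15    # rule 2: 0.005 ETH expressed in wei


@dataclass
class Wallet:
    address: str
    balance_wei: int
    tx_timestamps: list          # unix timestamps of every transaction the wallet sent
    contracts_called: set        # distinct smart-contract addresses the wallet interacted with


@dataclass
class Verdict:
    deductions: int = 0
    reasons: list = field(default_factory=list)
    disqualified: bool = False


def score_wallet(w: Wallet, hop_sybil_list: set) -> Verdict:
    """Apply the three published Arbitrum rules to one wallet.
    The baseline score and pass threshold are not given in the article, so this
    returns only the deductions and the disqualification flag."""
    v = Verdict()

    # Rule 1: every transaction falls inside a 48-hour window.
    # A wallet with no transactions is treated as 'all within 48 hours' (assumption).
    if not w.tx_timestamps or max(w.tx_timestamps) - min(w.tx_timestamps) <= WINDOW_48H:
        v.deductions += 1
        v.reasons.append("all activity within 48h")

    # Rule 2: balance below 0.005 ETH AND no more than one distinct contract touched.
    if w.balance_wei < MIN_BALANCE_WEI and len(w.contracts_called) <= 1:
        v.deductions += 1
        v.reasons.append("low balance and <=1 contract")

    # Rule 3: previously flagged as Sybil in the Hop Protocol bounty program.
    if w.address.lower() in hop_sybil_list:
        v.disqualified = True
        v.reasons.append("on Hop sybil list")

    return v


# Constructed sample wallets (placeholder addresses, not real on-chain data).
HOP_SYBIL = {"0xc0ffee"}
WALLETS = [
    # one-day burst of activity, tiny balance, one contract: both deductions
    Wallet("0xaaa1", balance_wei=10**15, tx_timestamps=[1_000, 5_000, 90_000],
           contracts_called={"0xdex"}),
    # months of activity, healthy balance, several contracts: no deductions
    Wallet("0xbbb2", balance_wei=3 * 10**17, tx_timestamps=[1_000, 3_000_000, 9_000_000],
           contracts_called={"0xdex", "0xbridge", "0xnft"}),
    # listed by Hop: disqualified regardless of score
    Wallet("0xc0ffee", balance_wei=10**18, tx_timestamps=[1_000, 9_000_000],
           contracts_called={"0xdex", "0xbridge"}),
]


def run_sample():
    """Score every constructed wallet; returns {address: Verdict}."""
    return {w.address: score_wallet(w, HOP_SYBIL) for w in WALLETS}


if __name__ == "__main__":
    for addr, verdict in run_sample().items():
        print(addr, verdict)
```

Note that rule 2 is a conjunction: a low balance alone does not cost a point, and neither does a single contract interaction alone. Rule 3 is evaluated independently of the score, so a well-funded, long-lived wallet is still dropped if it appears on the Hop list.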

Meanwhile, Arbitrum used on-chain data to identify related addresses owned by the same user, and used data from Nansen, Hop, and Offchain Labs to remove entity addresses such as bridges, exchanges, and smart contracts. Some further addresses, such as donation addresses, were removed through manual inspection.
The following data sets were used for data cleaning:
1. Original eligibility list addresses (from Nansen)
2. Excluded entity addresses (from Nansen)
3. CEX deposit addresses (from Nansen)
4. CEX recharge addresses (traceable from the CEX's hot wallet)
5. Unique transaction routes (from, to) on the Arbitrum chain
6. Unique transaction routes (from, to) on the Ethereum chain
7. Offchain Labs internal address list
8. Blacklist from the Hop airdrop
9. Addresses remaining after Sybil removal in the Hop airdrop
10. Nansen address labels
11. Other manually labelled active addresses
After data cleaning is complete, two types of graph are generated:
The first type of graph has each transaction carrying msg.value as an edge (from_address, to_address).
The second type of graph has each backer/sweep transaction as an edge (from_address, to_address), where the backer transaction is the first ETH credited to the account and the sweep transaction is the last ETH transfer out of the account.
Clusters are generated by partitioning these graphs into strongly connected and weakly connected subgraphs. Large subgraphs are further decomposed with the Louvain community detection algorithm, which gives finer results and more accurate identification of Sybil addresses.
Sybil clusters are then identified from known patterns, such as:
Clusters of more than 20 addresses migrating together
Addresses funded by the same source
Addresses with similar activity
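To make the second graph type and the clustering step concrete, here is an added example (written for this article, not the Arbitrum Foundation's sybil-detection code): it builds backer/sweep edges from a constructed set of ETH transfers, drops edges that touch labelled entity addresses, and partitions the result into weakly connected components. The transfers, addresses and entity labels are placeholders; the Louvain refinement step is not reproduced, and the 20-address threshold from the article is the default cluster size.

```python
from collections import defaultdict

# Constructed sample ETH transfers: (from, to, value_wei, timestamp). Not real chain data.
TXS = [
    ("0xfunder", "0xa1", 10**17, 100),
    ("0xfunder", "0xa2", 10**17, 101),
    ("0xfunder", "0xa3", 10**17, 102),
    ("0xa1", "0xcex_deposit", 9 * 10**16, 500),
    ("0xa2", "0xcex_deposit", 9 * 10**16, 501),
    ("0xa3", "0xcex_deposit", 9 * 10**16, 502),
    ("0xcex_hot", "0xb1", 10**18, 200),   # two unrelated users withdrawing from the same CEX
    ("0xcex_hot", "0xc1", 10**18, 200),
    ("0xb1", "0xdapp", 10**16, 300),
]
# Entity labels (exchanges, bridges, contracts) that must be excluded before clustering.
ENTITY_ADDRESSES = {"0xcex_deposit", "0xcex_hot", "0xdapp"}


def backer_sweep_edges(txs, entities):
    """Second graph type from the article: for every account, an edge from its
    first ETH funder (backer) and an edge to the recipient of its last ETH
    transfer (sweep). Edges touching labelled entities are dropped."""
    incoming = defaultdict(list)
    outgoing = defaultdict(list)
    for frm, to, value, ts in txs:
        if value <= 0:
            continue
        incoming[to].append((ts, frm))
        outgoing[frm].append((ts, to))
    edges = set()
    for acct in set(incoming) | set(outgoing):
        if acct in entities:
            continue
        if incoming[acct]:
            _, backer = min(incoming[acct])      # earliest credit
            if backer not in entities:
                edges.add((backer, acct))
        if outgoing[acct]:
            _, sweep = max(outgoing[acct])       # latest transfer out
            if sweep not in entities:
                edges.add((acct, sweep))
    return edges


def weakly_connected_components(edges):
    """Union-find over the undirected version of the edge set."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]       # path halving
            x = parent[x]
        return x

    for a, b in edges:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb
    groups = defaultdict(set)
    for node in list(parent):
        groups[find(node)].add(node)
    return [frozenset(g) for g in groups.values()]


def sybil_clusters(txs, entities, min_size=20):
    """Components of the backer/sweep graph at or above min_size."""
    comps = weakly_connected_components(backer_sweep_edges(txs, entities))
    return [c for c in comps if len(c) >= min_size]


if __name__ == "__main__":
    for c in sybil_clusters(TXS, ENTITY_ADDRESSES, min_size=3):
        print(sorted(c))
```

The entity filter is the part that matters in practice: if the CEX hot wallet and deposit address were left in the graph, every user who ever withdrew from that exchange would collapse into one giant component, which is exactly the false positive the article's data-cleaning step (excluded entity addresses, CEX deposit addresses, Nansen labels) is designed to avoid.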
From this, Sybil clusters were generated, for example:

Cluster 319, containing 110 addresses matching the Sybil criteria
https://github.com/ArbitrumFoundation/sybil-detection

Cluster 1544, containing 56 addresses matching the Sybil criteria
https://github.com/ArbitrumFoundation/sybil-detection
How Do Researchers Identify Sybil Addresses?
Offchain Labs researchers identified possible Sybil wallets by running a clustering algorithm over from_address / to_address transaction data from Nansen Query, combined with tracking of internal calls and token transfers on Arbitrum and Ethereum, and then manually reviewed the data for possible false positives.
The image below is an example of suspected Sybil addresses:
In a group of roughly 400 addresses, two addresses had very similar activity (sending funds to the same centralized exchange deposit address).

Source: Nansen
It can be seen that the two addresses performed similar operations at very close times.
Source: Nansen
Of course, some people still complain about flaws in Arbitrum's airdrop strategy: in their view, Sybil wallet addresses were treated as normal while the wallets of real users were restricted instead.

Besides the recent Arbitrum case, last year's Hop Protocol airdrop also identified a large number of Sybil attackers through its anti-Sybil rules.
Sybil attackers during the Hop Protocol airdrop
On May 6, 2022, when the cross-chain bridge Hop Protocol officially announced its airdrop rules, it stated that of the 43,058 addresses initially eligible for the airdrop, 10,253 had been identified as Sybil attackers.
The following are some of the criteria the Hop Protocol team used to judge Sybil attacks:
1. Multiple addresses share a single address that distributes or collects their funds, which proves they were set up by a Sybil attacker, for example:

Source: Sybil Attacker Report #275
2. Multiple addresses show obvious correlations in their transfer records, for example:

Source: Sybil Attacker Report #367
3. Sybil attacks leave traces of batch operations in many places, including but not limited to: batches of transfers within a short period, identical gas values, and similar interaction amounts.
4. The interaction history of Sybil addresses shows records of attacks on other projects in the past.
Of course, there are also inexperienced project teams that set no anti-Sybil rules at all when launching an airdrop, such as Aptos.
Looking back at Aptos' unconventional airdrop: did the airdrop farmers ("wool party") win big?
In October last year, during the Aptos airdrop, many airdrop farmers ("wool party scientists") received a large number of airdrops because the project team did not prevent Sybil attacks on nodes.
Someone shared screenshots of their Aptos testnet application on Twitter and in the community, showing the application interface for multiple alt accounts running on a VPS host. According to feedback from community users who claimed tokens, Aptos's airdrop rule was that each testnet application account received 300 tokens, and users who minted NFTs received 150 tokens. So with 100 accounts you could get 30,000 tokens, and with 1,000 accounts you could get 300,000 tokens.

Screenshots of airdrop claims posted by community users
After Aptos listed on Binance, the price spiked instantly and then crashed heavily. According to the researchers' analysis, Sybil attack addresses accounted for 40% of the Aptos addresses deposited into Binance at the time.
It can be seen that airdrop Sybil attacks have real consequences for the airdrop project and its participants: an impact on the token price, damage to the reputation of the airdrop plan, and harm to community builders and genuine participants.
How are anti-Sybil rules formulated?
When running an airdrop, the project team uses anti-Sybil mechanisms to prevent malicious users from obtaining too many tokens through multiple wallet addresses or other means, so that tokens go to real users.
From past airdrop events, we can see the characteristic signs of Sybil attacks:
1. Sub-addresses are funded by, or collected into, the same parent address
2. Exactly the same interaction flow, timing and targets
3. The same gas value, transaction amount and timing
4. Frequent transfers, including exchanges of funds, between the addresses
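Sign 3 (identical gas value, amount and timing) is easy to turn into a detection query. The following is an added example written for this article, not code from any of the projects mentioned: it groups transactions by their "shape" (recipient, value, gas price) and reports runs of such transactions that land within a short window of each other from several distinct senders. The transactions are constructed placeholders, and the window and sender thresholds are assumptions chosen for the demo.

```python
from collections import defaultdict

# Constructed sample transactions (placeholder addresses, not real chain data).
# Fields: sender, recipient, value in wei, gas price in gwei, unix timestamp.
TXS = [
    {"from": "0xs1", "to": "0xbridge", "value": 5 * 10**16, "gas_price": 21, "ts": 1000},
    {"from": "0xs2", "to": "0xbridge", "value": 5 * 10**16, "gas_price": 21, "ts": 1012},
    {"from": "0xs3", "to": "0xbridge", "value": 5 * 10**16, "gas_price": 21, "ts": 1025},
    {"from": "0xs4", "to": "0xbridge", "value": 5 * 10**16, "gas_price": 21, "ts": 9000},  # same shape, hours later
    {"from": "0xu1", "to": "0xbridge", "value": 7 * 10**16, "gas_price": 30, "ts": 1005},
    {"from": "0xu2", "to": "0xbridge", "value": 2 * 10**17, "gas_price": 25, "ts": 1030},
]


def batch_groups(txs, window_s=60, min_senders=3):
    """Group transactions that share the same (recipient, value, gas price) shape
    and land within window_s seconds of the previous one in the run; report runs
    with at least min_senders distinct senders. Thresholds are demo assumptions."""
    by_shape = defaultdict(list)
    for tx in txs:
        by_shape[(tx["to"], tx["value"], tx["gas_price"])].append((tx["ts"], tx["from"]))

    groups = []

    def flush(shape, run):
        senders = sorted({frm for _, frm in run})
        if len(senders) >= min_senders:
            groups.append({"shape": shape, "senders": senders,
                           "start": run[0][0], "end": run[-1][0]})

    for shape, events in by_shape.items():
        events.sort()                              # chronological within one shape
        run = [events[0]]
        for ev in events[1:]:
            if ev[0] - run[-1][0] <= window_s:     # gap to the previous event, not to run start
                run.append(ev)
            else:
                flush(shape, run)
                run = [ev]
        flush(shape, run)
    return groups


if __name__ == "__main__":
    for g in batch_groups(TXS):
        print(g)
```

A run like this is supporting evidence rather than proof: many wallets submit the default gas price their wallet software suggests, and popular round amounts recur naturally, so a project would combine this signal with the funding-source and interaction-history checks listed above before restricting an address.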
The following are some anti-Sybil mechanisms that airdrop project teams may use:
Snapshot time: The project team can take a snapshot of all addresses at a specific point in time and airdrop tokens only to addresses that held tokens before that point. This prevents malicious users from creating new addresses to acquire tokens after the snapshot.
Interaction route: Take the addresses that interacted with the project within a period of time, and check, ordered by interaction time, how consistent their interaction paths are before and after participating in the project.
Fund flow: Mainly check the direction of fund flows, looking for one-to-many or many-to-one transfers between wallets.
Interaction amount: Look at the size of the amounts used to interact with the project and the reuse rate of the same funds.
Interaction frequency: Export the details of addresses that interacted with the project within a certain period, and use an Excel pivot table or the project's own dashboard to pull out the data from abnormal peak periods for a second look. You can then check whether the activity of this batch of addresses is similar.
Interaction depth: Take the details of the addresses that interacted with the project within a certain period, and check whether their number of past interactions, and their number of interactions after participating in this project, are sufficient.
Proof of Stake: Proof of Stake (PoS) is a consensus mechanism used by some blockchains to validate transactions. In PoS, users need to hold a certain amount of tokens to participate in the network. Airdrop project parties can require participants to hold a certain amount of tokens to be eligible for airdrops, raising the threshold for airdrops.
KYC/AML verification: The airdrop project party can require participants to pass the KYC (Know Your Customer) or AML (Anti-Money Laundering) verification process. This process can help verify the identity of participants, which helps prevent Sybil attacks.
For example, the Beosin KYT virtual asset anti-money laundering compliance and analysis platform can help customers avoid interacting with potentially risky addresses (perpetrator addresses), identify abnormal behaviour, and, through Path Tracing, intelligently expand the set of suspicious addresses so that risk verification becomes easier. Further reading: Beosin KYT, an "on-chain expert" for all your AML needs
Social media verification: The airdrop project party can require participants to follow, like or repost social media posts to qualify for airdrops. This helps ensure that participants are real people and not automated scripts.
Whitelist: The whitelist is a list of addresses eligible for airdrop. Airdrop project parties can limit airdrops to a pre-approved list of participants, which helps prevent Sybil attacks.
Limit on the number of transactions: The project team can limit the number of transactions each address may make. This prevents malicious users from acquiring too many tokens by making large numbers of transactions.
Holding time limit: The project team can require that an address hold its tokens for a certain period of time before it can receive airdropped tokens. This prevents malicious users from rapidly buying and selling tokens to acquire too many tokens.
Other supporting signals:
Social media activity: registration time, posting frequency, post quality (likes and retweets), fans, followers, avatar, profile, etc.
IP address / device identifier: the number of addresses registered from the same IP or device, how often the same address changes IP, etc.

What should we pay attention to when participating in the airdrop?
Finally, Beosin has noticed everyone's enthusiasm for airdrops. As a security company, we would like to remind everyone of the following.
1. Know the project's official information sources: Before participating in an airdrop, check the project's official website and social media pages for the relevant information, including the specific details and rules of the airdrop plan and the contract address of the airdropped token.
2. Do not casually disclose personal information and wallet addresses: Some airdrop projects may ask participants to provide personal information and wallet addresses, but take care to protect your privacy and security, and do not disclose sensitive information to unknown websites and projects.