This article is from: Gitcoin
Translator: Odaily Azuma
Translator: Odaily Azuma
Sybil attacks (commonly known in the airdrop industry as hair-pulling) are a very serious problem, which destroys the trust and integrity of the decentralized network.
The decentralized mechanism operates on a unique identity assumption - each participant has an independent identity on the network and has an equal voice between different identities - however, when a single user is created through a Sybil attack This assumption no longer holds when multiple false identities are assumed and the system is manipulated.
Through sybil attacks, a user can create multiple fake addresses, and then get airdrop rewards far exceeding that of a single address. This behavior distorts the distribution of rewards and undermines the original airdrop program, which is supposed to incentivize real users.
Gitcoins secondary matching mechanism and voting mechanism also rely on the above unique identity assumption to operate. If Sybil attacks are not resisted, votes and funds may be distributed disproportionately to those unexpected false identities, thus The votes and funding that quality participants would have received were cut.
secondary title
Where is the key to breaking the game?
The types of sybil attacks are very complex. The initiators may be scientists, criminal organizations or even a nation-state, and the motives may be profit, entertainment or pure malice. These adversaries may try vastly different attack tactics, such as identity theft, IP manipulation, botnets, social engineering attacks, coercion and collusion, etc. Tactics to deter these attacks vary. What we need is a comprehensive, anti-fragile method of defense.
secondary title
Balance between Security, Efficiency, and Scalability
Sybil-resistant consensus requires each identity to be independent and unique. Currently, there are some protocols that achieve self-sovereignty (creating and controlling identities without the involvement of a centralized third party) and privacy (acquiring and utilizing identities without revealing personal information) The resistance to Sybil attacks, these three dimensions (resisting Sybil attacks, protecting self-sovereignty, and protecting privacy) are exactly the trilemma faced by decentralized identities.
secondary title
Initiatives of Gitcoin Passport
In Gitcoin Passport, an on-chain identity credential system developed by Gitcoin, the team uses two mechanisms to assess a users independent identity: Gradual Unique Humanity Verification and Boolean Unique Humanity Verification. These mechanisms assign weights to various behavioral achievements of users (such as whether they have verified Twitter or Google accounts, whether they hold GTC or ETH, whether they have participated in Gitcoin Grants), and then Passport calculates the holders composite score. Scores can determine whether Passport holders can unlock certain rights, features or other benefits. For example, in order to activate secondary matching qualifications in the last round of Gitcoin Grants Beta Round, donors must have a composite score of at least 15 or higher.
secondary title
How to implement the concept of counterfeit cost
The cost of forgery concept is essentially a strategy to make it more expensive for an attacker to forge identities. The key point is to compare the resources, time and effort required to forge identities with the cost of implementing defenses. By increasing the cost of counterfeiting, attackers are less likely to engage in fraudulent behavior, increasing the security of the system.
If the main strategy of counterfeiting costs is to drive up the cost of attackers while keeping the cost of ordinary users low, then what we need to do is to create a system that is more expensive to attack than to defend. Here are the four main approaches to building Sybil resistance today:
1. Verification based on government-issued identification (drivers license, passport, ID card, etc.);
2. Verification based on biometric information (face scan, fingerprint or retinal scan, etc.);
3. In-person (conference, party, etc.) verification;
4. Authentication based on social/trust network (Web2 account, Web3 account, NFT, ENS, etc.).
secondary title
potential disadvantage
secondary title
Advice to project parties
Any plan to resist sybil attacks can be cracked at a certain cost, so the project party needs to focus on determining the acceptable degree of fraud; individuals should be able to obtain anti-sybil certification more effectively through appropriate channels, rather than in the gray or Purchase on the black market; although the cost of counterfeiting needs to be designed at a higher level, attention should also be paid to maintaining a balance so as not to cause real users to complete verification.
It’s worth noting that Sybil-resistant identity systems are still vulnerable to collusion attacks (such as bribery). For an ideal system, TCB (Total Cost of Bribery) and TCF (Total Cost of Fraud) must be greater than the number of rewards available to citizens within the system. While cost-based metrics are essential in combating counterfeiting, they are not always the most effective way to prevent counterfeiting, and attackers may still be willing to incur some cost if the potential non-financial benefits outweigh the costs . For example, a counterparty who wants to promote its own project may be willing to spend time and resources creating multiple fake identities, even if the cost of counterfeiting is quite high. In addition, an opponent with a huge financial resource advantage may also be willing to bear high costs in order to obtain valuable benefits or privileges.
Luckily, there are other mechanisms that can help us mitigate these attacks, and Gitcoin has realized that multiple solutions are the only way to maintain an advantage in the battle against attackers.
Collusion
The cost of counterfeiting concept provides the community with a more granular and intuitive approach to designing the security, efficiency, and scalability of Sybil resistance systems.
Wed love to gather more relevant feedback from the community. If you are using Gitcoin Passport in your Dapps or planning to integrate it, please let us know how the overall score compares to the cost of counterfeiting. Finally, I would like to add that as technology advances, the mechanism of some peoples identification (such as the reverse Turing test) has become more vulnerable to artificial intelligence, which may also have a negative impact on the method and design of cost of counterfeiting. Tremendous influence.
