Trusta Labs Launches Innocence Self-Proof Program: Fighting Against Witch Poisoning
Recently, the Connext Witch Hunt program (a hunt for "witch", i.e. Sybil, addresses) has caused dissatisfaction and heated discussions in the community. Some community members have threatened to poison addresses associated with Connext, especially those in the top 10% by transaction volume on zkSync. Although most of it is just talk, some users have claimed to have been poisoned. Trusta Labs, a blockchain data analytics and security platform, has discussed two main strategies for witch poisoning attacks: forced clustering and label propagation. They also provided a detailed analysis of a real witch poisoning case that occurred on Polygon using Connext.
Such poisoning behavior may wrongfully label many innocent addresses as witches, causing harm to users and the entire community, and eroding trust between the community and project teams. Therefore, Trusta Labs has launched the "Proof of Innocence Program" (PoIP) to unite the community and project teams in combating witch poisoning and allowing affected addresses to prove their innocence. In the PoIP program, users submit relevant information for Trusta to analyze and validate manually and using AI. Users receive feedback within 1 day. This data is shared with project teams and anti-witch teams to prevent wrongful witch identification and better protect users.
Connext Witch Hunt Plan and Witch Poisoning
Connext is an L2 open protocol that enables developers to build applications that can use any token on any chain. Last week, Connext updated the airdrop rules and announced the Witch Hunter Plan, which has sparked dissatisfaction and heated discussions within the community. Some community members have threatened to poison Connext witch addresses, especially those addresses with the top 10% transaction volume on zkSync. Let's first outline the schedule for the Connext airdrop:
1. On August 18th, Connext announced a cross-chain airdrop for its xERC20 token $NEXT.
2. On August 24th, Connext introduced the Witch Reporting Plan, similar to HOP and SAFE.
3. From August 24th to September 1st, community members identified and reported witch attackers by submitting reports on Github.
4. As of September 1st, the community witch reporting plan had collected about 600 reports covering approximately 20K addresses (35%) out of 62,070 candidate addresses (https://github.com/connext/community-sybil-reports/issues).
Although the intention behind selecting and rewarding valuable real users is good, we have seen a lot of controversy within the community regarding the witch reporting plan. "Witch poisoning" has become a hot topic, with some reported witch address users threatening to poison other wallet addresses. Their goal is to disrupt the entire witch reporting work and airdrop plan. Some KOLs have even demonstrated short videos of using bots to poison, but it was later proven to be just mockery. Although most of these witch poisonings are just empty talk, there are users who claim to have actually been poisoned.
Witch Poisoning Strategy Discussion
Drawing on its on-chain data analysis and security risk management experience, Trusta Labs discusses the two main strategies for witch poisoning attacks, forced clustering and tag propagation, and has discovered real poisoning cases.

Poisoning Method I (Forced Association/Clustering): The poisoner uses batch operation scripts or tools like disperse.app for batch token transfers. They will make numerous small transfers to a group of innocent addresses in a very short period of time. All the forged transfers send the same token with extremely small amounts.
Through the poisoner's large-scale token transfers, otherwise unrelated addresses are forcibly associated with one another and form a cluster. Because the poisoned addresses share a batch-transfer relationship and fall into the same cluster, some witch identification algorithms mark every address in the cluster as a witch address. This forced clustering rests entirely on the batch transfers from the poisoner's address to these addresses, even though the addresses are actually unrelated.

Poisoning Technique II (Witch tag propagation): Tag propagation is a graph mining algorithm based on the rule that closely connected nodes in a graph often have the same tag. In the graph, the addresses in the rectangles have been marked as witch addresses due to their chained fund transfer relationships. Attackers can use these witch addresses as "poisoners" to intentionally transfer funds to innocent addresses, forming an extended chain structure and propagating the witch tags to other innocent addresses.
Witch tag propagation relies on existing witch addresses to propagate their tags to other addresses through fund transfer relationships. This requires the poisoner to already be marked with a witch tag. In contrast, forced association does not require pre-existing witch addresses. Any address can be used as a poisoner to artificially create a false pattern of witch addresses in bulk. This makes execution easier and cheaper.
While analyzing on-chain data, Trusta discovered a poisoning case involving Connext on Polygon. A detailed analysis of this case illustrates the poisoning technique described above.
Real Connext Witch Poisoning Case

As shown in the figure, the poisoning address 0x6ab uses disperse.app to transfer funds to seven innocent addresses in batches. We have analyzed this Connext witch poisoning case in detail based on the following evidence:
Polygon Scan shows the transaction records of the poisoner, who deposited 1 Matic from OKX and then transferred funds to these 7 addresses in batches. (https://polygonscan.com/address/0x6ab8472c4f92ecac445191ea787a0e4128c7af81)
The poisoning transfers occurred during the period from 2023-08-25 05:49:40 to 2023-08-25 05:52:12, which falls within the Connext community witch reporting program.
The poisoner made 7 rounds of transfers, sending 0.0001 MATIC to each of the 7 addresses. As the poisoner can make multiple transfers to the same address in a round, a total of 180 transfers were made across all 7 rounds. The complete list of the 180 poison transfers can be found in the following Google Docs link. (https://docs.google.com/spreadsheets/d/1dR9wVZN1o0_vBixKrxg6JSycHj7ADQlo/edit?usp=sharing&ouid=117000940990722879540&rtpof=true&sd=true)
All 7 addresses are Connext airdrop candidate addresses. Witch report #589 (https://github.com/connext/community-sybil-reports/issues/589) uses these transfers as evidence, accusing these seven addresses of being a witch cluster gang.
No direct transfers were detected between these 7 addresses. Apart from direct transfers from the poisoning address, there were no other transactions between them.
We analyzed the Polygon activity statistics of these addresses. As shown in the table, these 7 addresses are completely different in terms of initial funding sources, first and last transaction dates, number of interacting contracts, transaction fees, and active weeks/months. This extreme difference suggests that they cannot belong to a witch-controlled coven.

Through analysis, we have concluded that this is an actual poisoning case related to the Connext airdrop, which uses a forced correlation/clustering poisoning strategy.
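The following is an added example, not code from Trusta Labs or Connext. It shows how a clustering step can recognize the forced-clustering pattern described above (one sender, tiny identical amounts, many recipients, short time span) and drop those edges before grouping addresses. The thresholds, address names and sample transfers are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds; a real pipeline would tune these per chain and token.
DUST = 0.001        # amounts at or below this count as "extremely small"
WINDOW = 600        # burst window in seconds
MIN_FANOUT = 5      # distinct recipients needed to call it a batch fan-out

# Constructed sample: (sender, receiver, amount, unix_time); names are placeholders.
T0 = 1_692_942_580
SAMPLE = [("poisoner", f"user{i}", 0.0001, T0 + 20 * i) for i in range(7)]
SAMPLE += [("sybil_a", "sybil_b", 5.0, T0 - 9000), ("sybil_b", "sybil_c", 5.0, T0 - 8000)]

def dust_fanout_senders(transfers):
    """Senders whose dust transfers hit >= MIN_FANOUT distinct recipients within WINDOW."""
    by_sender = defaultdict(list)
    for src, dst, amt, ts in transfers:
        if amt <= DUST:
            by_sender[src].append((ts, dst))
    flagged = set()
    for src, rows in by_sender.items():
        rows.sort()
        lo = 0
        for hi in range(len(rows)):
            while rows[hi][0] - rows[lo][0] > WINDOW:
                lo += 1
            if len({d for _, d in rows[lo:hi + 1]}) >= MIN_FANOUT:
                flagged.add(src)
                break
    return flagged

def clusters(transfers, ignore_senders=frozenset()):
    """Connected components over transfer edges, skipping dust edges from ignored senders."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    for src, dst, amt, _ in transfers:
        if src in ignore_senders and amt <= DUST:
            find(dst)                       # recipient stays its own node
            continue
        parent[find(src)] = find(dst)
    groups = defaultdict(set)
    for node in list(parent):
        groups[find(node)].add(node)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))
```

Without the filter, clusters(SAMPLE) merges the seven unrelated recipients with the poisoner into one group; with clusters(SAMPLE, dust_fanout_senders(SAMPLE)) they remain separate while the chained transfers still form their own cluster.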
Trusta Initiates "Proof of Innocence" Plan (PoIP)
Trusta has found through on-chain analysis that many unrelated addresses have been mistakenly marked as witches due to witch poisoning attacks. This not only occurred in the Connext airdrop, but also in various indiscriminate attacks on innocent wallets. Such poisoning attacks have caused harm to users and the entire community, and have also affected the trust between the community and the project teams.
Trusta has been committed to establishing more trust in the Web3 and crypto world. In order to better protect innocent addresses from witch poisoning and unite against such attacks, Trusta has launched the "Proof of Innocence" Plan (PoIP). This plan allows the poisoned innocent addresses to prove their innocence. If your address has been poisoned, you can choose:
1. Visit the PoIP portal (link provided below) and provide details of the poisoning, such as your wallet address, the poisoned address, transaction hash, and the blockchain platform involved. (https://docs.google.com/forms/d/e/1FAIpQLSe_1dl6ocyhnDWUtm9BBvmWDGL_rDjhc9NNpfHXff2XhXL5eg/viewform)


