Sybil Attacks on Airdrops

Jul 15, 2022

Sybil attacks occur when a small number of actors game a networked system by creating multiple identities.

Proof-of-stake and proof-of-work mechanisms give blockchains Sybil resistance: they impose an economic cost that prevents a single user from spinning up a large number of nodes to influence the network.

There's a different flavor of Sybil attack that occurs on blockchains now. Many chains or web3 applications have used airdrops as a growth mechanism (whether or not it works, that's TBD). Airdrops of new tokens or rewards might be allocated to users who used the application during a certain period. Some airdrops were even scaled with activity: i.e., the more you used the service, the higher the reward you were given.

Of course, creating new identities in web3 is as simple as generating a private key (in a simple test, I can generate about 120,000 keys/second on my MacBook). Moving large amounts from wallet to wallet only costs a relatively small amount in transaction fees but creates the illusion of activity that can be rewarded by an airdrop.

  • An investor, Divergence Ventures, Sybil attacked one of their portfolio companies, Ribbon Finance, for about $2 million in ETH rewards. They later returned the funds after being exposed.
  • The Ukrainian government announced an airdrop to those who donated crypto to their cause. This caused an influx of microdonations from donors (maybe Sybil attackers) who wanted to be eligible for the airdrop. Most were between 0.001 and 0.01 ETH.
  • An Ethereum Layer 2 removed 17,000 addresses from their airdrop that were suspected Sybil attackers. They did so by running some proprietary network analysis on the eligible addresses. It's unknown how many of these were false positives (or how many false negatives were missed).
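
To make the false-positive problem concrete, here is an added example (not from the original post, and not the Layer 2's proprietary method) of one simple network-analysis heuristic: cluster eligible addresses that transferred to each other or share a funder. All addresses, amounts, and the `shared_services` parameter are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample transfers (sender, receiver, amount in ETH); not real chain data.
TRANSFERS = [
    ("funder", "s1", 0.05), ("funder", "s2", 0.05), ("funder", "s3", 0.05),
    ("s1", "s2", 10.0), ("s2", "s3", 10.0),  # same funds hopping wallet to wallet
    ("exchange", "alice", 1.2), ("exchange", "bob", 0.4), ("exchange", "carol", 3.0),
    ("dave_src", "dave", 2.0),
]
ELIGIBLE = {"s1", "s2", "s3", "alice", "bob", "carol", "dave"}


def find(parent, x):
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def sybil_clusters(transfers, eligible, min_size=3, shared_services=frozenset()):
    """Group eligible addresses linked by a direct transfer or a common funder.

    shared_services (hypothetical allowlist) names funders such as exchange
    hot wallets whose fan-out should not link otherwise unrelated users.
    """
    parent = {addr: addr for addr in eligible}
    first_funded = {}  # funder -> first eligible address it funded
    for sender, receiver, _amount in transfers:
        if sender in eligible and receiver in eligible:
            # Two airdrop candidates moving funds between themselves.
            parent[find(parent, sender)] = find(parent, receiver)
        elif receiver in eligible and sender not in shared_services:
            # Outside funder: link every eligible address it paid.
            anchor = first_funded.setdefault(sender, receiver)
            parent[find(parent, anchor)] = find(parent, receiver)
    groups = defaultdict(set)
    for addr in eligible:
        groups[find(parent, addr)].add(addr)
    return sorted(sorted(g) for g in groups.values() if len(g) >= min_size)


if __name__ == "__main__":
    print(sybil_clusters(TRANSFERS, ELIGIBLE))
    print(sybil_clusters(TRANSFERS, ELIGIBLE, shared_services={"exchange"}))
```

Without the allowlist, three unrelated customers of the same exchange are flagged alongside the real cluster; passing `shared_services={"exchange"}` leaves only `s1`–`s3`.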

Some closing thoughts:

Sybil attacks increase as transaction fees become lower.

Identity validation provides Sybil resistance but goes against many of the maxims of web3. For example, verifying telephone numbers, credit cards, bank accounts, or government identification would eliminate most of these attacks.

Sybil attack identification is a game of cat and mouse. I predict that Sybil attacks will become increasingly sophisticated until they are nearly indistinguishable from real user activity. The cost of identifying bad actors will quickly outweigh the benefits of the airdrop.

Do airdrops even work? There's little evidence that users who receive the rewards interact with the application more. So far, many users seem to cash out as soon as they receive the reward. (Are airdrops a taxable event that's out of your control?)