TL;DR
- Airdrop is a crucial concept in tokenomics. Startups of decentralized applications (DApps) reward early supporters by airdropping newly issued tokens up to a certain amount as a free giveaway. Most airdrops have prerequisites for qualification, in which utilizing these DApps is unsurprisingly the principal.
- We argue that these individual transactions could reveal underlying signatures of their sending accounts. Specifically, accounts controlled by the same Sybil may exhibit some common behaviors.
- A careful analysis of Sybil’s behaviors shows that accounts controlled by the same Sybil may produce similar DApp activities and regular token transfer patterns.
- We model the transactions as graphs by representing accounts as vertices and transactions as edges. When multiple accounts receive tokens from the same Sybil to conduct interactions with DApps, we inspect the graphs for these activities and patterns to detect suspicious accounts.
Citation
Liu, Zheng, and Hongyang Zhu. “Fighting Sybils in Airdrops.” arXiv preprint arXiv:2209.04603 (2022). https://arxiv.org/abs/2209.04603
Core Research Question
We focus on detecting Sybils in airdrops. Sybils in airdrops expect to receive more airdrop tokens by creating and controlling multiple accounts.
Background
-
Sybils tend to create multiple accounts and manipulate each account’s activities for airdrop qualification, aiming at obtaining more issued tokens. This breaks the original intention of airdrops in tokenomics.
-
When Sybils control multiple accounts and use them to interact with the targeted DApp, the activities of these accounts are not much different from the ones of the ordinary user account. Each account usually triggers a few functions provided by the DApp.
-
In order to control multiple accounts, a Sybil generally employs a specifically designed computer problem, called bot to execute the interactions from these accounts automatically. Of course, there are also diligent Sybils who conduct interactions by hand. In this case, we consider them to be manual bots.
Summary
-
Sybil detection is to find the accounts controlled by the same Sybil or bot. We argue that it is possible to infer bot’s accounts from patterns of the transactions generated from the activities within their DApp’s interactions.
-
We focus on two facets of the transaction details.
-
One is the field of transaction receipt event logs. These event logs reveal what kind of activities the account triggers in the DApp.
-
The other is the field called transaction fee. For a transaction to be included in a block in a blockchain, the account submitting the transaction must have enough funds to pay miners and states gas fees as compensation.
-
-
With the above observation, we propose to study Sybil’s behaviors, specifically their account activities, by exploring the above activity and transaction patterns.
-
DApp activities: If lots of accounts interact with a DApp, is it possible to qualify the patterns of similar activities in the transaction details from accounts potentially controlled by the same bot?
-
Token transfers: Bot’s accounts need initial funds for paying gas fees and interacting with DApps, meaning these accounts must receive the funds from somewhere. Are there any distinctive patterns of the token transfer transactions to these accounts?
-
Method
- Finding Similar DApp Activities
-
Bots cannot randomly trigger activities because if the activities are in totally random order and involve token transfers, it is complicated to track the trace of the tokens for both computer programs and manual bots.
-
We extract all activity pairs from this sequence and represent it by the set of activity pairs. Each activity pair maintains the temporal order of the two activities on sequences.
-
With the properly defined activity sequence similarity based on Jaccard similairty, it is easy to see that we can apply popular cluster algorithm DBSCAN to find cohesive sequence clusters.
- Searching Token Transfer Patterns, given accounts in a cluster with similar activity sequences.
-
Searching Sequential Patterns
-
The key task is to find a path on the transaction graph {\cal G} that can pass through all the vertices corresponding to these accounts. We only consider finding paths on a subgraph G of {\cal G}. Let V(G) and E(G) represent the vertex set and the edge set of G, respectively. V(G) is the vertex set containing all the vertices in the clusters and their 2-hop neighbors on {\cal G}. For u,v \in V(G), if (u, v) \in E({\cal G}), (u, v) \in E(G). Then finding paths that contain the vertices in the clusters is equivalent to finding cliques on the reachability graph of G.
-
Searching Radial Patterns
-
We use the same subgraph G in searching sequential patterns. Then searching radial patterns is done by finding 1-hop and 2-hop common neighbors of vertices in the given cluster on G.
Results
- Similar DApp Behaviors
- Token Transfer Patterns
Discussion and Key Takeaways
-
On the large transaction graph, many accounts obtain native tokens from hot wallets of Centralized Exchange (CEX), which form a perfect star token transfer pattern. The hot wallets of some popular CEX may have up to hundreds of neighboring vertices. With a large number of neighbors, there are sometimes similar DApp interactions between these users if the number of interaction types is relatively small. In this case, ordinary users’ accounts might be tagged as Sybil’s account by mistake.
-
We carefully analyzed Sybil’s behaviors based on the details of the transactions on blockchains when Sybils manipulate controlled accounts to interact with DApps.
-
In the proposed detection framework, the cohesive groups of similar DApp activities are found by applying a popular cluster algorithm with a similarity measure defined on the sets of activity pairs. The same Sybil potentially controls accounts in a single cluster.
-
The potentiality is further enhanced by finding the regular token transfer patterns among these accounts.
Applicability
- More and more DApps adopt airdrops as a market promotion strategy, which makes it a crucial task to detect Sybil’s accounts from the airdrop qualification list.