Research Summary: Fighting Sybils in Airdrops


  • Airdrop is a crucial concept in tokenomics. Startups of decentralized applications (DApps) reward early supporters by airdropping newly issued tokens up to a certain amount as a free giveaway. Most airdrops have prerequisites for qualification, in which utilizing these DApps is unsurprisingly the principal.
  • We argue that these individual transactions could reveal underlying signatures of their sending accounts. Specifically, accounts controlled by the same Sybil may exhibit some common behaviors.
  • A careful analysis of Sybil’s behaviors shows that accounts controlled by the same Sybil may produce similar DApp activities and regular token transfer patterns.
  • We model the transactions as graphs by representing accounts as vertices and transactions as edges. When multiple accounts receive tokens from the same Sybil to conduct interactions with DApps, we inspect the graphs for these activities and patterns to detect suspicious accounts.


Liu, Zheng, and Hongyang Zhu. “Fighting Sybils in Airdrops.” arXiv preprint arXiv:2209.04603 (2022).

Core Research Question

We focus on detecting Sybils in airdrops. Sybils in airdrops expect to receive more airdrop tokens by creating and controlling multiple accounts.


  • Sybils tend to create multiple accounts and manipulate each account’s activities for airdrop qualification, aiming at obtaining more issued tokens. This breaks the original intention of airdrops in tokenomics.

  • When Sybils control multiple accounts and use them to interact with the targeted DApp, the activities of these accounts are not much different from the ones of the ordinary user account. Each account usually triggers a few functions provided by the DApp.

  • In order to control multiple accounts, a Sybil generally employs a specifically designed computer problem, called bot to execute the interactions from these accounts automatically. Of course, there are also diligent Sybils who conduct interactions by hand. In this case, we consider them to be manual bots.


  • Sybil detection is to find the accounts controlled by the same Sybil or bot. We argue that it is possible to infer bot’s accounts from patterns of the transactions generated from the activities within their DApp’s interactions.

  • We focus on two facets of the transaction details.

    1. One is the field of transaction receipt event logs. These event logs reveal what kind of activities the account triggers in the DApp.

    2. The other is the field called transaction fee. For a transaction to be included in a block in a blockchain, the account submitting the transaction must have enough funds to pay miners and states gas fees as compensation.

  • With the above observation, we propose to study Sybil’s behaviors, specifically their account activities, by exploring the above activity and transaction patterns.

    1. DApp activities: If lots of accounts interact with a DApp, is it possible to qualify the patterns of similar activities in the transaction details from accounts potentially controlled by the same bot?

    2. Token transfers: Bot’s accounts need initial funds for paying gas fees and interacting with DApps, meaning these accounts must receive the funds from somewhere. Are there any distinctive patterns of the token transfer transactions to these accounts?


  1. Finding Similar DApp Activities
  • Bots cannot randomly trigger activities because if the activities are in totally random order and involve token transfers, it is complicated to track the trace of the tokens for both computer programs and manual bots.

  • We extract all activity pairs from this sequence and represent it by the set of activity pairs. Each activity pair maintains the temporal order of the two activities on sequences.

  • With the properly defined activity sequence similarity based on Jaccard similairty, it is easy to see that we can apply popular cluster algorithm DBSCAN to find cohesive sequence clusters.

  1. Searching Token Transfer Patterns, given accounts in a cluster with similar activity sequences.
  • Searching Sequential Patterns

  • The key task is to find a path on the transaction graph {\cal G} that can pass through all the vertices corresponding to these accounts. We only consider finding paths on a subgraph G of {\cal G}. Let V(G) and E(G) represent the vertex set and the edge set of G, respectively. V(G) is the vertex set containing all the vertices in the clusters and their 2-hop neighbors on {\cal G}. For u,v \in V(G), if (u, v) \in E({\cal G}), (u, v) \in E(G). Then finding paths that contain the vertices in the clusters is equivalent to finding cliques on the reachability graph of G.

  • Searching Radial Patterns

  • We use the same subgraph G in searching sequential patterns. Then searching radial patterns is done by finding 1-hop and 2-hop common neighbors of vertices in the given cluster on G.


  • Similar DApp Behaviors
  • Token Transfer Patterns

Discussion and Key Takeaways

  • On the large transaction graph, many accounts obtain native tokens from hot wallets of Centralized Exchange (CEX), which form a perfect star token transfer pattern. The hot wallets of some popular CEX may have up to hundreds of neighboring vertices. With a large number of neighbors, there are sometimes similar DApp interactions between these users if the number of interaction types is relatively small. In this case, ordinary users’ accounts might be tagged as Sybil’s account by mistake.

  • We carefully analyzed Sybil’s behaviors based on the details of the transactions on blockchains when Sybils manipulate controlled accounts to interact with DApps.

  • In the proposed detection framework, the cohesive groups of similar DApp activities are found by applying a popular cluster algorithm with a similarity measure defined on the sets of activity pairs. The same Sybil potentially controls accounts in a single cluster.

  • The potentiality is further enhanced by finding the regular token transfer patterns among these accounts.


  • More and more DApps adopt airdrops as a market promotion strategy, which makes it a crucial task to detect Sybil’s accounts from the airdrop qualification list.

Hi @zliu, I find this paper interesting which led me to do more research on the topic.

Some of the prerequisites I found out were :

  • One needs to perform some tasks like on a social media platform to spread the news about the services of the DApps
  • Sometimes to qualify, the user must have interacted with the DApps at a specific time.
  • Sometimes one needs to have some tokens of the airdropping protocol already.

Airdrop is a strong marketing strategy for New and upcoming crypto tokens. In 2021, Vitalik Buterin, co-founder of Ethereum, was airdropped a large amount of Shiba Inu tokens.

This got people talking about the token and increased speculation on the token.


I wonder if the users of airdrop farming services can be reliably clustered. Would also be interesting to see if such services eventually leak customer addresses to sybil hunting programes for extra income when profitable.
Interesting reseach, though, as always, if it can be gamed, it will be gamed. Airdrops need to be strategic and select their beneficiaries more by sweat equity invested in the wider ecosystem to the detriment of transitive, superficial metrics, that have as sole purpose to appear attractive on paper in a language VCs understand.


Thank @zliu for your time and effort in this paper, I think it is important to pay attention to the fact that Airdrop in tokenomics does not necessarily mean sending gift tokens to more users is good. The token supply on the liquidity market directly influences the token’s value, so this is a subtle trade-off for DApp startups.Hence, crypto airdrops are market promotion strategy for startups and new projects.

It Is interesting to know that When a Sybil creates multiple accounts, a computer
problem called bot is usually employed to manage these accounts and their interactions with DApps. It is Worthy to note that accounts controlled by the same Sybil may exhibit some common behaviors. therefore,
Sybil detection is to find accounts possibly controlled by Sybils. I think the paper explores solutions by qualifying and identifying these common behaviors.

Generally, it will be helpful if one can set up prerequisites based on the in-depth analysis of
existing Sybil’s behaviors in the DApp. I think the
experiment results on a recent airdropped DApp shows that the proposed approach could detect Sybil’s accounts effectively.But assuming that there are no predefined qualified requirements, could we at any point actually recognize Sybil’s records?


The short answer is yes. If we focus on the behaviors of all accounts, Sybils conduct similar behavior sequences. A clustering algorithm like DBSCAN could solve this. However, this method cannot find all potential Sybils.
As I mentioned in the original paper, the similarity of behavior sequences could be adjustable. In this case, the developers could estimate how many Sybils they could bear.


@zliu, thanks for sharing your work with us. I remember advocating for this paper to be summarized after the launch of Aptos blockchain when a rumor came that there was a sybil attack with its airdrop programme.

I think that airdrop, as a marketing strategy, has lost its flavor. The goal with airdrop is to reward users of a Dapp and possibly to entice them to invest in the protocol or project through purchasing more tokens, interacting more with the Dapp, and talking to other people about it.

But here is what I have observed with time. I know a couple of people who hunt airdrops. So they basically scout for possible airdrops and start interacting with the appropriate Dapps. Once they get the airdropped token, they sell them off immediately, and run off to the next one for more hunts.

But someone can argue that airdrops help the Dapps generate activities, like trading volume and all that. But that’s not real. It will probably deceive people to get involved with the project. However, I believe it will never be a sustainable way to keep people interested in the project.


Thank you very much @zliu

Discovering Airdrop Hunters

This is graphical representation of the addresses identified as part of a Sybil attack.

Sybil attack visualization.

Here’s how to read the sybil attack visualization:

Each address is a node in the graph, and all shown addresses are connected by on-chain transfers between each address denoted by each edge.

The sybil attacker exhibits two distinct patterns with the blue-colored edges denoting pattern one and the green-colored edges denoting pattern two.

Orange-colored nodes denote addresses that serve as on-chain connections between all sybil accounts where transfers occurred, and are included in the submission set due to deviations from the two main patterns outlined in this report.

Pattern #1

All addresses connected by blue edges used Hop Exchange to ping-pong back-and-forth between Gnosis Chain (formerly xDai) and Polygon.

Each address prominently featured Hop transactions denominated in ~1000 $USDC (1 transaction in USDT) with a variable range of ± 250 dollars across the transactions, criss-crossing from one chain to another and back sequentially.

Furthermore, each batch of transactions within each address took place over a very small timespan (on the order 1-3 hrs).

Pattern 1 transactions

Here is an example of this behavior:

Hop Explorer

How was pattern #1 discovered?

Pattern #1 was found by tracing on-chain Ethereum transfers using the Alchemy Transfers API. Upon investigation, a connected set of addresses, namely Pattern #2, was connected to Pattern #1 by tracing transfers between the hub address (0xb23691043293de4deeae3b565bd33bc059f264eb) and its associated spokes on the Avalanche mainnet.

Pattern #2

For addresses connected by green edges, the attacking addresses used Hop Exchange multiple times over a period of several hours, conducting repeated exchanges primarily from Gnosis Chain (formerly xDai) to Polygon.

All transactions typically utilized $200-$300 dollars in $DAI, $USDC, or $USDT.

In aggregate, Pattern 2 occurred over the span of a week from Jan 15th, 2022 - Jan, 24th 2022.

Pattern 2 transactions.

Here is an example of this behavior:

Hop Explorer

Connecting Pattern #1 and Pattern #2

Pattern #1 and #2 were found to be connected because the sybil attacker overlapped transactions on the Ethereum mainnet and the Avalanche mainnet.

Specifically, transfers between these addresses occurred on both networks denoting the connection in the two patterns.

  • 0x1100cc….d34e76a8e ←→ 0xb2369….59f264eb
  • 0xb23691….f264eb ←→ 0x80d….19b9

With over 30,000 addresses to comb through, it was challenging to find a connected subset, but the Transfers API was able to effectively trace transactions on Ethereum.

It is generally possible to set up prerequisites for detecting Sybil accounts (i.e., accounts that are controlled by the same entity but appear to be distinct and separate) based on an analysis of the behavior of these accounts within a decentralized application (DApp). For example, Sybil accounts may exhibit certain patterns of behavior that are different from those of genuine accounts, such as attempting to game the system or manipulate voting outcomes. By analyzing these behaviors, it may be possible to identify Sybil accounts and put measures in place to prevent them from affecting the operation of the DApp.

However, it is also important to note that detecting Sybil accounts can be a complex and challenging task, particularly if there are no predefined qualified requirements in place. Without predefined requirements, it may be more difficult to differentiate between genuine and Sybil accounts, as the behavior of these accounts may be more similar. In this case, it may still be possible to recognize Sybil accounts, but it may require more extensive analysis and investigation to do so.

1 Like

I think that airdrops are a marketing tactic in which a cryptocurrency project distributes free tokens to a certain group of users, often as a way of promoting the project and increasing its user base.

However, Sybil accounts, which are accounts controlled by the same entity but appear to be distinct and separate, can sometimes be used to game the system and obtain a larger share of airdropped tokens than they would otherwise be entitled to. This can be a problem for airdrop campaigns, as it can result in a more concentrated distribution of tokens, with some individuals or entities receiving a disproportionate share.

To combat this problem, airdrop campaigns can implement various measures to detect and prevent Sybil accounts from obtaining airdropped tokens. For example, they can require users to complete certain tasks or provide certain information in order to be eligible for the airdrop, such as verifying their identity or completing a survey. They can also use algorithms or other automated systems to analyze user behavior and identify suspicious or anomalous activity that may indicate the presence of Sybil accounts.

On the whole, fighting Sybils in airdrops requires a combination of proactive measures to prevent Sybil accounts from being created in the first place, as well as reactive measures to detect and prevent these accounts from obtaining airdropped tokens.

It is certainly possible that users of airdrop farming services could be reliably clustered, as these services typically attract users who are interested in obtaining airdropped tokens and are willing to pay for the services of the farming service to help them do so. However, it would likely depend on the specific characteristics of the users of the service and the methods used to cluster them.

It is also possible that airdrop farming services could leak customer addresses to Sybil hunting programs for extra income if it is profitable to do so. This would be a concern for users of these services, as it could compromise their privacy and potentially expose them to risks such as phishing attacks or other forms of online fraud.

it is important for airdrop campaigns to be strategic in their approach to selecting beneficiaries and to consider factors such as sweat equity invested in the wider ecosystem, rather than just relying on transitive, superficial metrics that may be attractive on paper but do not necessarily reflect the true value or contributions of the recipients. As you noted, if a system can be gamed, it will be gamed, so it is important to put measures in place to prevent this from happening.