Research Summary: Fighting Sybils in Airdrops


  • Airdrop is a crucial concept in tokenomics. Startups of decentralized applications (DApps) reward early supporters by airdropping newly issued tokens up to a certain amount as a free giveaway. Most airdrops have prerequisites for qualification, in which utilizing these DApps is unsurprisingly the principal.
  • We argue that these individual transactions could reveal underlying signatures of their sending accounts. Specifically, accounts controlled by the same Sybil may exhibit some common behaviors.
  • A careful analysis of Sybil’s behaviors shows that accounts controlled by the same Sybil may produce similar DApp activities and regular token transfer patterns.
  • We model the transactions as graphs by representing accounts as vertices and transactions as edges. When multiple accounts receive tokens from the same Sybil to conduct interactions with DApps, we inspect the graphs for these activities and patterns to detect suspicious accounts.


Liu, Zheng, and Hongyang Zhu. “Fighting Sybils in Airdrops.” arXiv preprint arXiv:2209.04603 (2022).

Core Research Question

We focus on detecting Sybils in airdrops. Sybils in airdrops expect to receive more airdrop tokens by creating and controlling multiple accounts.


  • Sybils tend to create multiple accounts and manipulate each account’s activities for airdrop qualification, aiming at obtaining more issued tokens. This breaks the original intention of airdrops in tokenomics.

  • When Sybils control multiple accounts and use them to interact with the targeted DApp, the activities of these accounts are not much different from the ones of the ordinary user account. Each account usually triggers a few functions provided by the DApp.

  • In order to control multiple accounts, a Sybil generally employs a specifically designed computer problem, called bot to execute the interactions from these accounts automatically. Of course, there are also diligent Sybils who conduct interactions by hand. In this case, we consider them to be manual bots.


  • Sybil detection is to find the accounts controlled by the same Sybil or bot. We argue that it is possible to infer bot’s accounts from patterns of the transactions generated from the activities within their DApp’s interactions.

  • We focus on two facets of the transaction details.

    1. One is the field of transaction receipt event logs. These event logs reveal what kind of activities the account triggers in the DApp.

    2. The other is the field called transaction fee. For a transaction to be included in a block in a blockchain, the account submitting the transaction must have enough funds to pay miners and states gas fees as compensation.

  • With the above observation, we propose to study Sybil’s behaviors, specifically their account activities, by exploring the above activity and transaction patterns.

    1. DApp activities: If lots of accounts interact with a DApp, is it possible to qualify the patterns of similar activities in the transaction details from accounts potentially controlled by the same bot?

    2. Token transfers: Bot’s accounts need initial funds for paying gas fees and interacting with DApps, meaning these accounts must receive the funds from somewhere. Are there any distinctive patterns of the token transfer transactions to these accounts?


  1. Finding Similar DApp Activities
  • Bots cannot randomly trigger activities because if the activities are in totally random order and involve token transfers, it is complicated to track the trace of the tokens for both computer programs and manual bots.

  • We extract all activity pairs from this sequence and represent it by the set of activity pairs. Each activity pair maintains the temporal order of the two activities on sequences.

  • With the properly defined activity sequence similarity based on Jaccard similairty, it is easy to see that we can apply popular cluster algorithm DBSCAN to find cohesive sequence clusters.

  1. Searching Token Transfer Patterns, given accounts in a cluster with similar activity sequences.
  • Searching Sequential Patterns

  • The key task is to find a path on the transaction graph {\cal G} that can pass through all the vertices corresponding to these accounts. We only consider finding paths on a subgraph G of {\cal G}. Let V(G) and E(G) represent the vertex set and the edge set of G, respectively. V(G) is the vertex set containing all the vertices in the clusters and their 2-hop neighbors on {\cal G}. For u,v \in V(G), if (u, v) \in E({\cal G}), (u, v) \in E(G). Then finding paths that contain the vertices in the clusters is equivalent to finding cliques on the reachability graph of G.

  • Searching Radial Patterns

  • We use the same subgraph G in searching sequential patterns. Then searching radial patterns is done by finding 1-hop and 2-hop common neighbors of vertices in the given cluster on G.


  • Similar DApp Behaviors
  • Token Transfer Patterns

Discussion and Key Takeaways

  • On the large transaction graph, many accounts obtain native tokens from hot wallets of Centralized Exchange (CEX), which form a perfect star token transfer pattern. The hot wallets of some popular CEX may have up to hundreds of neighboring vertices. With a large number of neighbors, there are sometimes similar DApp interactions between these users if the number of interaction types is relatively small. In this case, ordinary users’ accounts might be tagged as Sybil’s account by mistake.

  • We carefully analyzed Sybil’s behaviors based on the details of the transactions on blockchains when Sybils manipulate controlled accounts to interact with DApps.

  • In the proposed detection framework, the cohesive groups of similar DApp activities are found by applying a popular cluster algorithm with a similarity measure defined on the sets of activity pairs. The same Sybil potentially controls accounts in a single cluster.

  • The potentiality is further enhanced by finding the regular token transfer patterns among these accounts.


  • More and more DApps adopt airdrops as a market promotion strategy, which makes it a crucial task to detect Sybil’s accounts from the airdrop qualification list.

Hi @zliu, I find this paper interesting which led me to do more research on the topic.

Some of the prerequisites I found out were :

  • One needs to perform some tasks like on a social media platform to spread the news about the services of the DApps
  • Sometimes to qualify, the user must have interacted with the DApps at a specific time.
  • Sometimes one needs to have some tokens of the airdropping protocol already.

Airdrop is a strong marketing strategy for New and upcoming crypto tokens. In 2021, Vitalik Buterin, co-founder of Ethereum, was airdropped a large amount of Shiba Inu tokens.

This got people talking about the token and increased speculation on the token.


This post was flagged by the community and is temporarily hidden.

1 Like

I wonder if the users of airdrop farming services can be reliably clustered. Would also be interesting to see if such services eventually leak customer addresses to sybil hunting programes for extra income when profitable.
Interesting reseach, though, as always, if it can be gamed, it will be gamed. Airdrops need to be strategic and select their beneficiaries more by sweat equity invested in the wider ecosystem to the detriment of transitive, superficial metrics, that have as sole purpose to appear attractive on paper in a language VCs understand.


Thank @zliu for your time and effort in this paper, I think it is important to pay attention to the fact that Airdrop in tokenomics does not necessarily mean sending gift tokens to more users is good. The token supply on the liquidity market directly influences the token’s value, so this is a subtle trade-off for DApp startups.Hence, crypto airdrops are market promotion strategy for startups and new projects.

It Is interesting to know that When a Sybil creates multiple accounts, a computer
problem called bot is usually employed to manage these accounts and their interactions with DApps. It is Worthy to note that accounts controlled by the same Sybil may exhibit some common behaviors. therefore,
Sybil detection is to find accounts possibly controlled by Sybils. I think the paper explores solutions by qualifying and identifying these common behaviors.

Generally, it will be helpful if one can set up prerequisites based on the in-depth analysis of
existing Sybil’s behaviors in the DApp. I think the
experiment results on a recent airdropped DApp shows that the proposed approach could detect Sybil’s accounts effectively.But assuming that there are no predefined qualified requirements, could we at any point actually recognize Sybil’s records?


The short answer is yes. If we focus on the behaviors of all accounts, Sybils conduct similar behavior sequences. A clustering algorithm like DBSCAN could solve this. However, this method cannot find all potential Sybils.
As I mentioned in the original paper, the similarity of behavior sequences could be adjustable. In this case, the developers could estimate how many Sybils they could bear.

1 Like