Sybil detection on DeFi protocols
July 14th, 2022

In April, Primitive launched its first product, RMM-01, a decentralized finance (DeFi) protocol that allows users to earn trading fees from automated trading. When the protocol reached nearly 1000 cumulative users, we analyzed the accounts to determine their authenticity.

On the RMM-01 protocol, nearly 80% of users were identified as suspects in Sybil attacks. In response, Primitive developed a straightforward method for detecting and filtering these users. While Primitive uses this tool to remove noise that Sybil attacks impose on user data, other DeFi protocols can expand the open-source code to suit a large array of their own needs.

What is a Sybil attack?

DeFi protocols commonly use airdrops as a method to launch tokens. This method rewards early users of the protocol by "airdropping," or giving, the users free tokens. Sybil attacks can be initiated to exploit airdrops in DeFi protocols.

The term "Sybil attack" originates from the main character in "Sybil" by Flora Rheta Schreiber. The book details a case study of a young girl who is thought to have Dissociative Identity Disorder. It was later revealed that the entire story was a ruse and Shirley Mason, the woman who inspired the character of Sybil, fabricated the different identities. In a Sybil attack, an entity generates a large quantity of pseudo-anonymous identities, akin to Sybil's multiple personalities in the book, to obtain a large influence over a network.

A common example of a Sybil attack is when a user, in anticipation of an airdrop, generates a large number of addresses, then deposits and removes tiny amounts of value from a DeFi protocol. This is referred to as "airdrop farming," and is often facilitated algorithmically. Protocol developers look down upon airdrop farming because their goal is to reward engaged and authentic users, not bots.

Sybil attacks on the RMM-01 protocol

Upon launching the RMM-01 protocol, the Primitive team set up a monitoring infrastructure to notify us when users add and remove liquidity. As the Total Value Locked (TVL) grew, we noticed a large quantity of the notifications were for very small amounts of liquidity that were almost immediately removed after they were added. The large volume of small transactions indicated that Liquidity Providers (LPs) were Sybil-ing the protocol in anticipation of an airdrop.

The noise from the Sybil attacks made it difficult to analyze the authentic user activity on the RMM-01 protocol. We realized the need to filter accounts that orchestrated Sybil attacks so that we could gain a more accurate understanding of the value that users derived from the protocol. After the accounts associated with Sybil attacks were filtered out, our data better reflected the activity of our unique users.

The script that we built in response to Sybil attacks serves as a tool for more accurately quantifying authentic users. At Primitive, we use the information derived from this process to better inform data-driven decisions and improve the RMM-01 protocol experience for our users. The script is fairly agnostic, so it can benefit other DeFi protocols in the same ways that it does RMM-01, or it can be extended to fit a wide array of needs for protocol developers.

Open-source method to filter Sybil attackers

In response to Sybil attacks on the RMM-01 protocol, the Primitive team has identified a straightforward methodology for compiling lists of addresses associated with Sybil attacks. Once this list is generated, the associated addresses can be blacklisted and disregarded.

The methodology and the corresponding detection scripts are open-source and can be found here. This approach is ideal because anyone can use a small script on relevant contracts for their benefit. The script is configured by entering your ETHERSCAN_API key and CONTRACT_TO_LOOK_AT in a .env file.

The script queries a contract's transactions using the Etherscan API and compiles a list of addresses that interacted with the configured contract. Then, the script filters out transactions where no value was exchanged (such as token approvals). After this, the cost of the transaction is checked by multiplying the user's cumulativeGasUsed by gasPrice. If the cost of the transaction is greater than the value of the transaction, the script adds this address to an array of Sybil suspects.

Future work

There are many ways to make this script more robust. One approach is to query all transactions from the Sybil suspects and check if they are a collection of deposits with the same value. This is a clear indication that the Sybil suspect's address is farming airdrops.
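The filter described above and the same-value follow-up check from this section, as an added Python example (not Primitive's script) run over constructed records shaped like Etherscan's transaction list. It assumes "value" means the transaction's value field in wei and reuses the contract's own transaction list for the follow-up check. The gas field is a parameter because Etherscan returns both cumulativeGasUsed (the block's running total) and gasUsed (this transaction only), and the choice changes who gets flagged.

```python
from collections import defaultdict

def _tx(sender, value, gas_used, cumulative, gas_price=30 * 10**9):
    # Build one record with the string-typed fields Etherscan's txlist returns.
    return {"from": sender, "value": str(value), "gasUsed": str(gas_used),
            "cumulativeGasUsed": str(cumulative), "gasPrice": str(gas_price)}

# Constructed sample (addresses and amounts are made up; values are in wei).
SAMPLE_TXS = [
    _tx("0xAAA1", 10**12, 150_000, 3_000_000),        # dust deposit
    _tx("0xaaa1", 10**12, 150_000, 7_500_000),        # same dust amount again
    _tx("0xbbb2", 0, 46_000, 1_200_000),              # approval: no value moved
    _tx("0xccc3", 5 * 10**16, 150_000, 12_000_000),   # 0.05 ETH deposit
    _tx("0xddd4", 2 * 10**12, 150_000, 500_000),      # single dust deposit
]

def tx_cost_wei(tx, gas_field):
    # cumulativeGasUsed is the block's running gas total up to this tx;
    # gasUsed is the gas this tx itself consumed.
    return int(tx[gas_field]) * int(tx["gasPrice"])

def sybil_suspects(txs, gas_field="cumulativeGasUsed"):
    """Addresses with a value-bearing tx whose gas cost exceeds the value."""
    suspects = set()
    for tx in txs:
        value = int(tx["value"])
        if value == 0:          # skip approvals and other zero-value calls
            continue
        if tx_cost_wei(tx, gas_field) > value:
            suspects.add(tx["from"].lower())
    return sorted(suspects)

def uniform_depositors(txs, suspects, min_deposits=2):
    """Suspects whose value-bearing txs all carry the same amount."""
    amounts = defaultdict(list)
    for tx in txs:
        sender, value = tx["from"].lower(), int(tx["value"])
        if sender in suspects and value > 0:
            amounts[sender].append(value)
    return sorted(a for a, v in amounts.items()
                  if len(v) >= min_deposits and len(set(v)) == 1)

if __name__ == "__main__":
    page_rule = sybil_suspects(SAMPLE_TXS)            # field named on this page
    per_tx = sybil_suspects(SAMPLE_TXS, "gasUsed")    # this tx's gas only
    print(page_rule, per_tx, uniform_depositors(SAMPLE_TXS, per_tx))
```

In the sample, the 0.05 ETH depositor is flagged only when cost is computed from cumulativeGasUsed, so review the suspect list before blacklisting addresses from it.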

*Disclaimer: Primitive does not have a token or plans to release a token.

Written by 0xJepsen
