Sybil Attacker Report [200+] #192

Closed
Bal7hazar opened this issue May 7, 2022 · 33 comments

@Bal7hazar

Bal7hazar commented May 7, 2022

Related Addresses

Note: The addresses with a score of 100% and belonging to a network of 20+ nodes with a network score of 90+% (see below for details).


Reasoning

Description

The list above contains all the addresses that interacted exclusively with at least one other address of the airdrop list through a direct transfer. That means all transfers done by these addresses are exclusively done with other eligible addresses (from or to).

For each of these suspects, a suspiciousness score is computed based on the txs done with other eligible addresses over the total txs done on all scanned blockchains.

Scan has been performed through:

  • Ethereum
  • Polygon
  • BSC
  • Arbitrum
  • Optimism

EDIT 2022/05/09

In order to avoid legit wallets as much as possible, I computed a network score (in addition to the individual score) based on the average of all individual scores of nodes belonging to the network (wallets that were not evaluated don't contribute to the average calculation), then I set the filter as follows:

  • Only wallets involved in a group with an average score over 90%
  • Only wallets with an individual score of 100%

EDIT 2022/05/12

I removed the "from" condition since it could trigger on a faucet address of some kind and consider the group as a network.

Methodology

Description

Improved methodology of #3.

EDIT 2022/05/12

I used explorers of each blockchain to find all "contacts" (to information of the txs) of each considered address, defined in the finalDistribution.json file. I assume these addresses are all the initially eligible addresses; it was necessary to consider those already removed to catch networks entirely.

For each contact address I checked if it was also a considered address, then I scored the original address (based on how exclusive its txs are to the network).

Then for each network I scored the network with the average score of all its addresses.

Finally, I considered only networks with an average score over 90%, which means a 90% consanguineous network.

Then I added a filter to take into account only addresses of these networks with a score of 100%; this means that the address did txs exclusively (at 100%) with its own network.
This filter is quite severe but it will greatly reduce the false positive results; therefore, if an address did a txn with at least one other address which is not in the network, its score will go down and the address will be filtered out.

Finally I filtered these addresses with the eligible addresses from the eligibleAddresses.txt file.

Note: On demand, I can share a 3M+ lines file with all txs of all 5 blockchains per considered addresses (148,000 addresses).

Evidence

Find here the evidence for this proposition.

evidence.zip

The zip contains a json file with the following structure:

Group_1:
    address_1:
        - from, to and txn url which links address_1 to other addresses in the same group
        - from, to and txn url which links address_1 to other addresses in the same group
        ...
    ...
    address_i:
        - from, to and txn url which links address_i to other addresses in the same group
        ...
    ...
...
Group_i:
    ...

And a html file to interact with the network (address is displayed as a tooltip on nodes).

image

If you prefer a file per group or anything easier for you, let me know.

Note: the html file could take a few minutes to load depending on your network speed.

EDIT 2022/05/14:

I pasted the evidences from the json file to the following sheet as discussed.

Example 01

It is not possible to plot the whole 148.000+ addresses in a single view so I did an example with the following criteria:

  • Networks with a size between 20 and 30
  • Only addresses belonging to a network with a group score over 90%
  • All not eligible addresses (according to the eligibleAddresses.txt file) are grey colored
  • Node color of each address is based on the individual score, it basically means that only red colored nodes have been reported here

image

As you can see, some addresses belong to a network that was ever partially excluded (that's why it was important to consider all the 148K+ addresses instead of just the eligible ones).

Example 02

Here is the largest network I found, with 2117 addresses involved; all of them have already been excluded.

image

Example 03

This filter has not been considered but could be on demand: I added a filter to Example 01 requiring the median of the connections of a network to match exactly 2, in order to find as much as possible what I call "DNA" networks.

image

Once again, only red addresses (with a 100% score) are taken into account in the final report.

Note: I can generate more examples or adapt filters on demand.

Rewards Address

0x987ffC303bEa07c4aD724f2BA9800b1FDC6a7dB0

For any question, you can contact me on:

  • Twitter @Blthazar2
  • Discord Balthazar#6199
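
The scoring and filtering steps described in this report, as an added Python sketch (not Bal7hazar's code, which was not shared in the thread). The function names, the `min_size` and `ignored` parameters, and the choice to drop every transfer that touches an ignored address are assumptions; the short labels and transfers are constructed sample data, with `HUB` standing in for a gas-faucet style sender.

```python
from collections import defaultdict

def kept_transfers(txs, ignored):
    """Drop self-transfers and transfers touching an ignored address (assumed handling)."""
    return [(s, d) for s, d in txs if s != d and s not in ignored and d not in ignored]

def score_addresses(txs, considered, ignored=frozenset()):
    """Individual score: share of an address's transfers whose counterparty is considered."""
    total, internal = defaultdict(int), defaultdict(int)
    for src, dst in kept_transfers(txs, ignored):
        for me, other in ((src, dst), (dst, src)):
            if me in considered:
                total[me] += 1
                internal[me] += other in considered
    return {a: internal[a] / total[a] for a in total}

def networks(txs, considered, ignored=frozenset()):
    """Connected components of the graph whose edges join two considered addresses."""
    adj = defaultdict(set)
    for src, dst in kept_transfers(txs, ignored):
        if src in considered and dst in considered:
            adj[src].add(dst)
            adj[dst].add(src)
    seen, groups = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(adj[node] - comp)
        seen |= comp
        groups.append(comp)
    return groups

def report(txs, considered, eligible, min_size=20, min_network_score=0.90,
           ignored=frozenset()):
    """Addresses that pass every filter: network size, network score, 100% individual
    score, and presence in the currently eligible list."""
    scores = score_addresses(txs, considered, ignored)
    flagged = set()
    for group in networks(txs, considered, ignored):
        if len(group) < min_size:
            continue
        evaluated = [scores[a] for a in group if a in scores]
        if sum(evaluated) / len(evaluated) <= min_network_score:
            continue
        flagged |= {a for a in group if scores.get(a) == 1.0 and a in eligible}
    return flagged

# Constructed sample data (labels, not real addresses).
TXS = [
    # A ring of five wallets that only pay each other, except S5 which also pays EX.
    ("S1", "S2"), ("S2", "S3"), ("S3", "S4"), ("S4", "S5"), ("S5", "S1"), ("S5", "EX"),
    # A hub that sends starter gas to three unrelated users.
    ("HUB", "U1"), ("HUB", "U2"), ("HUB", "U3"),
]
# Every initially eligible address, including S4 which was already removed earlier.
CONSIDERED = {"S1", "S2", "S3", "S4", "S5", "HUB", "U1", "U2", "U3"}
ELIGIBLE = {"S1", "S2", "S3", "S5", "U1", "U2", "U3"}

if __name__ == "__main__":
    # min_size is lowered to 3 so the toy networks qualify; the report uses 20.
    print(sorted(report(TXS, CONSIDERED, ELIGIBLE, min_size=3)))
    print(sorted(report(TXS, CONSIDERED, ELIGIBLE, min_size=3, ignored={"HUB"})))
```

With the hub left in, U1 to U3 are reported alongside the ring; ignoring it leaves only S1 to S3, while S4 still links the ring together even though it is no longer eligible.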
@Bal7hazar Bal7hazar changed the title Sybil Attacker Report Sybil Attacker Report [1500+] May 8, 2022
@Markfxx

Markfxx commented May 8, 2022

Are there address have 20+ correlation between one of them?

@Bal7hazar
Author

Bal7hazar commented May 8, 2022

Are there address have 20+ correlation between one of them?

Yes, look at the picture there are chains of nodes with more than 20+ wallets involved
Do you want me to filter only chains with 20+ wallets involved?

EDIT:

Here we go 🧐
image

@Bal7hazar
Author

To go deeper in this investigation with the following requirements:

  • start and final block numbers taken into account for the airdrop
  • a first wash of the initial eligible addresses (to improve data processing execution time)

I could recompute the links and the scores based on txs included in the specified block interval and probably decrease the probability of false negative.

@Bal7hazar Bal7hazar changed the title Sybil Attacker Report [1500+] Sybil Attacker Report [2000+] May 8, 2022
@ghost

ghost commented May 8, 2022

COOOL!!!!

@Bal7hazar
Author

Processed @ 20%, here are the wallets included in a chain with more than 10 addresses connected.

image

I don't know what is going on at the center, but there is like a blockchain cartel 😨

@yokem55

yokem55 commented May 8, 2022

You might want to reconsider folks that received funds from 0x05158d7a59fa8ac5007b3c8babaa216568fd32b3

This is the polygon 'initial gas' airdrop sender for folks that bridged via the polygon bridge. They received .1 matic as starter gas. Obviously if there is other evidence, they should still be removed, but that address will hit a wide swath of legitimate users on its own.

@Bal7hazar
Author

Bal7hazar commented May 8, 2022

Thank you for this element, I didn't know that. But actually why is this address eligible for the airdrop? That must explain this cartel actually!

EDIT : with this whitelisted address, it removes the gargantua chain at the middle, I'll update addresses on the main thread accordingly.

image

@Bal7hazar
Author

Thank you for your help, I already know this address.

the first 1000 addresses with a score of 100%

As I mentioned in the main thread, this is only the first 1000 addresses.

@rotate-eth

Really cool network plots!

@shanefontaine
Member

shanefontaine commented May 12, 2022

@Bal7hazar Thank you for the submission! This is really impressive work.

It looks like the following 84 addresses are the only ones eligible. Can you please try to add more data around these addresses specifically? I am not able to easily verify the data with the information you provided. For example, many of the addresses below do not exist in the spreadsheet, as far as I am aware.

As an example, can you provide information about the types of similar behaviors? Simple transfers between accounts are not enough to prove Sybil attack behavior. Addresses can be linked by this if they are friends, performing OTC trades, selling NFTs to each other, etc.

I'll be happy to revisit this report when additional, explicit information has been added about the following addresses. Thank you!


@Bal7hazar
Author

@shanefontaine I'll update the report in the day according to your feedback.

@Bal7hazar Bal7hazar changed the title Sybil Attacker Report [2000+] Sybil Attacker Report [200+] May 12, 2022
@Bal7hazar
Author

Bal7hazar commented May 12, 2022

@shanefontaine, I updated the main thread with the good addresses and I added some examples to improve your confidence in the results; I can provide more if needed.

Simple transfers between accounts are not enough to prove Sybil attack behavior.

That's why I worked with the score I detailed in the main thread. The filters are quite severe in my opinion, to avoid including legit users, but if you want to adjust them feel free to tell me.

Moreover, I'd like to draw your attention to issue #3, where all addresses with at least 1 txn to a network have been considered. I'm pretty sure many legit users have been taken into account because of this. There is also no filter on networks with 20+ addresses, so it could catch networks with only 2 addresses (basically if someone sends a txn to a friend and then the friend gives him back a txn, if both are eligible then both will be excluded).

Note: I didn't plan to share the whole code since it is a bit nasty in its current format, but if you need me to, I can share it.

EDIT: I feel confident to reduce the network size criteria from 20 to 10 if you would like to catch more non legit wallets to distribute to the legit part of the community. It is an additional 50 wallets found.

@shanefontaine
Member

Hey @Bal7hazar can you please provide a spreadsheet of the connections with those 84 addresses like you did before? Maybe turn the .zip into a Google sheets. Thanks!

@jixiang90

@Bal7hazar Thank you for the submission! This is really impressive work.

It looks like the following 84 addresses are the only ones eligible. Can you please try to add more data around these addresses specifically? I am not able to easily verify the data with the information you provided. For example, many of the addresses below do not exist in the spreadsheet, as far as I am aware.

As an example, can you provide information about the types of similar behaviors? Simple transfers between accounts are not enough to prove Sybil attack behavior. Addresses can be linked by this if they are friends, performing OTC trades, selling NFTs to each other, etc.

I'll be happy to revisit this report when additional, explicit information has been added about the following addresses. Thank you!


Why is my address among these 84 addresses, this is my only address, I don't know what other addresses have to do with me

@Bal7hazar
Author

Hey @shanefontaine, I updated the addresses in the first thread. At your first review I had 2000+ addresses that triggered the criteria, but as you mentioned I didn't understand that eligibleAddresses.txt was the right file. As I said in the thread before your review, I wanted to wait for your attention to update the initial list to ensure no one is stealing my work.

Also, I added a condition to ignore "from" sources of txs to ensure not to catch any kind of faucet address, so the 84 addresses could be involved in it.

Could you please ignore the first 84 addresses that you caught at the first review and consider the 232 addresses listed at the beginning of the thread? (If you did not read the main thread again after the first review, please consider reading it once again; I updated the methodology.)

Maybe turn the .zip into a Google sheets

As mentioned, the zip contains a json and an html file; I don't think I can save the html into the sheet 😉
A structured file is easier for storing the evidence since I have a list of tx information for each address of a network that has at least 1 address reported.

If you have a sheet content format in mind for providing you with this evidence, could you please share it?

@Bal7hazar
Author

Why is my address among these 84 addresses, this is my only address, I don't know what other addresses have to do with me

As I mentioned in the previous comment, these 84 addresses are no longer to be considered.
In these 84 addresses only 31 are reported in the final list (over 232).

If your address is still in the list, let me know which one it is and I'll plot the network to which your address belongs and we can see why it has been reported.

@jixiang90

Why is my address among these 84 addresses, this is my only address, I don't know what other addresses have to do with me

As I mentioned in the previous comment, these 84 addresses are no longer to be considered. In these 84 addresses only 31 are reported in the final list (over 232).

If your address is still in the list, let me know which one it is and I'll plot the network to which your address belongs and we can see why it has been reported.

My address is not in the previous 232 addresses

@Bal7hazar
Author

@shanefontaine I just moved the evidences to this sheet, I hope filters could help you to navigate into this.

@shanefontaine
Member

shanefontaine commented May 15, 2022

Thank you for your report @Bal7hazar. We have verified that the addresses in this report are Sybil attackers.

The report included 137 eligible addresses as Sybil attackers which means you are eligible for 24519.629111650724208966 HOP! When Hop DAO is live, we will make a proposal for this reward — subject to a 1 year lockup, as mentioned in the original Mirror post.

Please note, we recognize that there are many other addresses submitted here along with some incredible work. We reviewed all addresses and excluded some from the list below for a few reasons:

  1. The size of the group was too small
  2. There was not a non-negligible probability of eliminating legitimate users (though it was very, very close)

We look forward to reviewing #239 as well! Thank you again for the detailed report!

The qualified addresses are as follows:


@zlgitol

zlgitol commented May 15, 2022

Still do not get the idea. If you do not consider the similar behavior of these addresses, how could you be sure that they are Sybil attackers? Just because they have transactions with each other? I randomly checked these transactions, they are quite random also.
Personally, I do not think there is enough evidence.

@Bal7hazar
Author

@zlgitol, to understand it you can also ask: what is the probability that an address did all its transactions with only eligible addresses, while the network it belongs to is 90% composed of this kind of address? In my opinion, the chances of being legit are low, whatever the amount of tokens traded.

Furthermore, if I was a Sybil attacker, I could say how easy it could be to add some randomness to these txs.
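The scoring discussed in this report, sketched as an added example that is not the reporter's code or part of the thread. It assumes an address's score is the share of its transfers whose counterparty is airdrop-eligible and that networks are connected components of the eligible-to-eligible transfer graph; the thresholds (100% score, 20+ nodes, 90%+ network average) are the ones stated in the report, and all labels and transfers are constructed.

```python
from collections import defaultdict

def address_scores(transfers, eligible):
    """Share of each eligible address's transfers whose counterparty is eligible."""
    total, inside = defaultdict(int), defaultdict(int)
    for src, dst in transfers:
        for me, other in ((src, dst), (dst, src)):
            if me in eligible:
                total[me] += 1
                inside[me] += other in eligible
    return {a: inside[a] / total[a] for a in total}

def networks(transfers, eligible):
    """Connected components of the eligible-to-eligible transfer graph (assumed)."""
    adj = defaultdict(set)
    for src, dst in transfers:
        if src in eligible and dst in eligible:
            adj[src].add(dst)
            adj[dst].add(src)
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, stack = {start}, [start]
        while stack:
            for nxt in adj[stack.pop()] - comp:
                comp.add(nxt)
                stack.append(nxt)
        seen |= comp
        comps.append(comp)
    return comps

def report(transfers, eligible, min_size=20, min_net_score=0.9):
    """Addresses scoring 100% inside a network of min_size+ nodes averaging min_net_score+."""
    scores = address_scores(transfers, eligible)
    flagged = []
    for comp in networks(transfers, eligible):
        net_score = sum(scores[a] for a in comp) / len(comp)
        if len(comp) >= min_size and net_score >= min_net_score:
            flagged += [a for a in comp if scores[a] == 1.0]
    return sorted(flagged)

# Constructed sample: labels are placeholders, not real addresses.
farm = [f"farm{i:02d}" for i in range(22)]
ELIGIBLE = set(farm) | {"user", "a", "b", "c"}
TRANSFERS = list(zip(farm, farm[1:]))                   # 22-node funding chain
TRANSFERS += [("farm21", "cex"), ("farm05", "user")]    # chain touches an exchange and a user
TRANSFERS += [("user", "cex"), ("cex", "user"), ("user", "dex")]
TRANSFERS += [("a", "b"), ("b", "c")]                   # 100% scores, but only 3 nodes
```

Calling `report(TRANSFERS, ELIGIBLE)` flags `farm00` to `farm20` and spares `user`, whose score is 25%; with `min_size=3` the three-address group is flagged as well, which is the small-group risk the size threshold is there to limit.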

@Parkcora

@shanefontaine Could you provide more details to prove that these addresses belong to a group with similar operations, such as in #147 (comment)? I don't think the current report can prove that real users have been excluded, and unless the project side sets it as a rule, self-defined scores have no value.

@zlgitol

zlgitol commented May 15, 2022

> Then for each network I scored the network with the average score of all belonging addresses.

There could be an issue.
For a large

> @zlgitol, to understand it you can also ask: what is the probability that an address did all its transactions with only eligible addresses, while the network it belongs to is 90% composed of this kind of address? In my opinion, the chances of being legit are low, whatever the amount of tokens traded.
>
> Furthermore, if I was a Sybil attacker, I could say how easy it could be to add some randomness to these txs.

Still think if there are no similar behaviors of token/hop interactions, it is hard to say they are Sybil attackers, even if they only transfer with eligible addresses. Could a small group of an interesting group. So why don't they add randomness, when it is easy to add randomness? One answer could be they are not Sybil attackers.

And one question: why are there so many connected components? I think all should belong to the largest group. If these connected components are generated by intentionally removing edges, the scores do not make sense anymore.

@Parkcora

> Furthermore, if I was a Sybil attacker, I could say how easy it could be to add some randomness to these txs.

If your purpose is to find attackers, you can indeed assume they added some randomness to txs. But if your purpose is to protect real users, I don't think this assumption is acceptable, because it will harm innocent people.

@Bal7hazar
Author

> Furthermore, if I was a Sybil attacker, I could say how easy it could be to add some randomness to these txs.
>
> If your purpose is to find attackers, you can indeed assume they added some randomness to txs. But if your purpose is to protect real users, I don't think this assumption is acceptable, because it will harm innocent people.

Every method defined across all the reports is a matter of probability; I made choices and I exposed them as they are. I admit that for some groups it is easier to prove relationships, as you did in #147. Trying to find more groups with less obvious behavior will indeed increase the risk of false negatives.

In my opinion my risks are measured and still safe enough to protect legit users. You obviously disagree with that statement, but as I said at the start, this is a matter of probability, so we probably won't ever agree, and it's OK since we don't take the responsibility and the final decision here; only the Team does.

@Bal7hazar
Author

> Still think if there are no similar behaviors of token/hop interactions, it is hard to say they are Sybil attackers, even if they only transfer with eligible addresses. Could a small group of an interesting group. So why don't they add randomness, when it is easy to add randomness? One answer could be they are not Sybil attackers.
>
> And one question: why are there so many connected components? I think all should belong to the largest group.

@zlgitol, since you've obviously been trying to discredit other people's work and reports for the past few days, just saying you disagree. I won't have time to chat with you.

@zlgitol

zlgitol commented May 15, 2022

> Still think if there are no similar behaviors of token/hop interactions, it is hard to say they are Sybil attackers, even if they only transfer with eligible addresses. Could a small group of an interesting group. So why don't they add randomness, when it is easy to add randomness? One answer could be they are not Sybil attackers.
> And one question: why are there so many connected components? I think all should belong to the largest group.
>
> @zlgitol, since you've obviously been trying to discredit other people's work and reports for the past few days, just saying you disagree. I won't have time to chat with you.

I believe this is just a discussion about finding Sybil attackers. I didn't mean to discredit others' work. If such discussion offends you, I owe you an apology.

By the way, an interesting group comes out in #207.

@loiisyi007

0x09a2ff8bca533a3096e05fc11b846bc1b3487a82

Why is my normal address flagged? Could you please clarify why I have flagged this address?

@loiisyi007

#168

Please delete the flag on my address

@loiisyi007

@GreyPK @shanefontaine
It has my address in it, and you've cleared me and my associated address.

@shanefontaine
Member

shanefontaine commented May 15, 2022

@Bal7hazar @zlgitol @Parkcora

Each address that was chosen has many additional data points, such as similar transactions on similar days, similar Hop behavior, similar account length, etc. Many sub groups were formed out of the original 239.

As an example, here is the behavior of one of the subgroups on Hop protocol. In this case, you can see nearly identical transactions on Arbitrum (among other things).

All addresses that have been approved have this associated data and level of confidence that they are Sybil attackers. They would not be considered if they did not have a non-negligible probability of being a legitimate user.

| address | ensName | total | mainnet | arbitrum | optimism | polygon | xdai | totalVolume |
|---|---|---|---|---|---|---|---|---|
| 0xbd18baa36b0ff64c003d2d164d91b28a86541491 | | 2 | 0 | 1 | 1 | 0 | 0 | $2,655.76 |
| 0x6fa82bfde2c7fadae99208e89b73d126ede957e1 | | 2 | 0 | 1 | 1 | 0 | 0 | $2,655.70 |
| 0xa3d611d5fb0e2e73c8eaa31044813c960f81cdec | | 2 | 0 | 1 | 1 | 0 | 0 | $2,655.70 |
| 0x5cd5545beb2fa1db63bf04d9bb637174688eb3f1 | | 2 | 0 | 1 | 1 | 0 | 0 | $2,655.67 |
| 0xa7338cc4929d7a0a812d9f3ccebcb71aa9aa9ddf | | 2 | 0 | 1 | 1 | 0 | 0 | $2,655.52 |
| 0xd0b1ff1b5add888d57afde6d8115e5c70d375276 | | 2 | 0 | 1 | 1 | 0 | 0 | $2,655.52 |
| 0xaddfe8842641267962f5e7923a21328c435800b6 | | 2 | 0 | 1 | 1 | 0 | 0 | $2,655.02 |
| 0xa92c61a6ebda1c9ef7ece9b6826d6c310514ee28 | | 2 | 0 | 1 | 1 | 0 | 0 | $2,510.72 |
| 0x35032b75f22d0f8aa0a267baaa43b1b7042cbe3d | | 2 | 0 | 1 | 1 | 0 | 0 | $2,510.72 |
| 0x183933cfdf198a637b8a640092aa14976a3cdb54 | | 2 | 0 | 1 | 1 | 0 | 0 | $2,510.68 |
| 0xf9193113c688acb23e4b99ecd3319974201b8d61 | | 2 | 0 | 1 | 1 | 0 | 0 | $2,510.66 |
| 0x552c14c665f43b0950c3a0e8430c227235593f18 | | 2 | 0 | 1 | 1 | 0 | 0 | $2,510.65 |
| 0x3a93f721ff5e775773df5ec183a279d14efb5355 | | 2 | 0 | 1 | 1 | 0 | 0 | $2,510.64 |
| 0x2f3699fc7a64626d14bfb8c1932457aac66bf637 | | 2 | 0 | 1 | 1 | 0 | 0 | $2,510.63 |
| 0x912bb0ef698481087b421cea894ec99cba802d01 | | 2 | 0 | 1 | 1 | 0 | 0 | $2,510.60 |
| 0x0ba7d33a9e6ef0a9695789d689098bee77c70c7b | | 2 | 0 | 1 | 1 | 0 | 0 | $2,510.58 |
| 0x6f94fe9cc8c4b3e3260b7558cb636d3ee3dc6843 | | 2 | 0 | 1 | 1 | 0 | 0 | $2,510.57 |
| 0x4fe5b1df9fee0d1b567a5ddf919ef92043383670 | | 2 | 0 | 1 | 1 | 0 | 0 | $2,510.56 |
| 0xc6fd2db282fc100b04b44033286539cbe4008c8f | | 2 | 0 | 1 | 1 | 0 | 0 | $2,510.49 |
| 0x9016c25a2267144a1b62aaea020eea343de2ca22 | | 2 | 0 | 1 | 1 | 0 | 0 | $2,510.46 |
| 0x7d902a0b0161e2f48798b68ce6576bc25c055fef | | 2 | 0 | 1 | 1 | 0 | 0 | $2,510.45 |
| 0x329eba9c8ef05ccef45a1411e4c1d5af352056ef | | 2 | 0 | 1 | 1 | 0 | 0 | $2,510.44 |
| 0x3e73ced6d17478355b7a0df8d4bb9d304f902ee6 | | 2 | 0 | 1 | 1 | 0 | 0 | $2,510.44 |
| 0xd6ce03d8786ee0c646d97c61eb24a7040bc5c429 | | 2 | 0 | 1 | 1 | 0 | 0 | $2,510.40 |
| 0xb150fc153893a90036d302fe4d8131ea5926168b | | 2 | 0 | 1 | 1 | 0 | 0 | $2,510.33 |
| 0x48660d24b5124c75871e853c275285a1d3916d60 | | 2 | 0 | 1 | 1 | 0 | 0 | $2,510.32 |

@peter9998

return my hops 0xc75839b60f61be10ebeeb8c5a9c0008d30862905
