The Battle Against Airdrop Sybil Attacks: Insights From LayerZero and ether.fi Strategies

Strategies and Technologies to Safeguard Airdrop Token Distributions

Adrià Parcerisas

Index

  1. Introduction
    1. What Are Crypto Airdrops and Why Are They Attractive?
    2. The Phenomenon of Airdrop Farming and Sybil Attacks
    3. Case Studies and Real-World Examples
    4. Detecting Sybil Airdrop Hunters
  2. Goals
  3. Methodology
    1. LayerZero Airdrop Analysis
    2. ether.fi Airdrop Analysis
    3. Combined Analysis for Both Airdrops
  4. Results
    1. LayerZero Airdrop Analysis
    2. ether.fi Airdrop Analysis
    3. Combined Analysis for Both Airdrops
  5. Discussion
    1. Mitigation Strategies
      1. Best Practices for Projects to Prevent Sybil Attacks
      2. Community and Technical Measures
      3. Future Trends in Airdrop Security
      4. Addressing False Positives in Sybil Detection
      5. Clarification on Sybil Percentages
  6. Conclusion
    1. Recap of Key Points
    2. Final Thoughts
    3. Future Directions for Research and Development
  7. References

1. Introduction

In the dynamic landscape of cryptocurrency, airdrops have become a popular method for blockchain projects to distribute tokens, raise awareness, reward early adopters, and promote decentralization [1-3]. These airdrops serve multiple purposes, including bootstrapping network effects, incentivizing user engagement, and promoting wider adoption of the project. However, the rise of Sybil airdrop hunters—users who create multiple fake wallets to disproportionately accumulate tokens—poses a significant challenge to the integrity and effectiveness of these initiatives. By exploiting the system with numerous wallets, these hunters maximize their token gains, thereby undermining the goals of the airdrop.

This report delves into the phenomenon of Sybil airdrop hunting, explores its implications, and outlines strategies for detection and mitigation. By analyzing recent airdrops from LayerZero and ether.fi, we aim to identify clusters of suspicious wallets and evaluate the effectiveness of implemented countermeasures. LayerZero and ether.fi were chosen for their recent high-profile airdrops, substantial community engagement, and the innovative measures they implemented to combat Sybil attacks. These projects have garnered significant attention in the crypto community, making them ideal candidates for a detailed analysis of Sybil airdrop hunting tactics. Further discussion on Sybil airdrop hunters and their tactics will be provided in subsequent sections [3-5].

1.1 What Are Crypto Airdrops and Why Are They Attractive?

A cryptocurrency airdrop is a strategic method used by blockchain projects to distribute free tokens or coins to a wide range of wallet addresses. This approach is designed not just to raise awareness but also to reward early adopters, incentivize participation, and promote decentralization within the project [1,2,6]. Airdrops aim to spread the ownership of tokens, thereby fostering a decentralized community, kickstarting new projects, and encouraging broader adoption within the cryptocurrency ecosystem [1,2].

There are various types of crypto airdrops, each with its unique mechanism for distributing tokens:

  • Standard Airdrops: Distribute tokens to users who provide their wallet addresses.
  • Bounty Airdrops: Require participants to complete specific tasks, such as social media promotions or referrals.
  • Holder Airdrops: Allocate tokens based on the amount of a particular cryptocurrency held by users at a snapshot time.
  • Exclusive Airdrops: Target specific individuals based on predefined criteria.
  • Raffle Airdrops: Use a lottery system to distribute tokens [1-3].

Crypto airdrops are attractive to both users and projects for several reasons. For recipients, airdrops offer the possibility of obtaining free tokens that may appreciate in value, providing an opportunity to gain assets without significant financial investment. The main cost for recipients is typically their time or minimal transaction fees [1,3]. For projects, airdrops help build a community, increase token distribution, and enhance network effects. They serve as a powerful marketing tool, generating buzz and engagement around the project, thereby accelerating its growth and adoption [1,3,4].

For a detailed exploration of these concepts, refer to our previous comprehensive guide, "Airdropping: Some Truths" [5].

1.2 The Phenomenon of Airdrop Farming and Sybil Attacks

While airdrops can be highly beneficial to both projects and participants, they also attract individuals who seek to maximize their token gains through multiple wallets, a practice known as airdrop farming. For participants, airdrops provide an opportunity to receive valuable tokens, potentially leading to financial gains. For projects, they serve as an effective tool to increase visibility, incentivize participation, and foster community growth. However, these benefits come with risks, primarily due to the phenomenon of airdrop farming, which often results in Sybil attacks. In a Sybil attack, one entity creates numerous pseudonymous wallets to exploit the airdrop system, manipulating the distribution process to collect more tokens than intended, thereby undermining the effectiveness of the airdrop [1,3,5].

Sybil attacks pose significant risks:

  1. Dilution of Value: Excessive token distribution to a few entities can lead to significant sell pressure or price manipulation. When a large portion of tokens is concentrated in the hands of a few actors, these entities can exert undue influence over the token's market dynamics. This concentration can lead to rapid sell-offs, driving down the token's price and causing genuine holders to lose confidence and abandon the project.
  2. Reduced Engagement and Community Trust: If tokens are farmed and sold quickly, the intended community engagement and loyalty are diminished. When participants realize that airdrops are being exploited, it can lead to a loss of trust and interest in the project [1,3,5,6].
  3. Inaccurate Distribution Metrics: Sybil attacks can distort the metrics projects rely on to gauge the success and reach of their airdrop campaigns. This distortion can lead to misguided strategic decisions based on flawed data [6].
  4. Inefficiency in Reward Distribution: When a significant portion of the airdropped tokens goes to Sybil attackers, the primary goal of rewarding genuine supporters and early adopters is compromised. This inefficiency undermines the project's ability to build a dedicated community [5,6].

1.3 Case Studies and Real-World Examples

Each year, numerous airdrops are conducted, reflecting the growing trend and strategic importance of this distribution method in the cryptocurrency space. Cryptokoryo, through a detailed report and Dune dashboard, has compiled a comprehensive list of airdrops since 2021 (See Figure 1), providing valuable insights into various campaigns, including their dates, total amounts airdropped, and number of recipients [7].

Figure 1: Cryptokoryo's comprehensive list of airdrops since 2021, compiled through a detailed report and Dune dashboard, provides valuable insights into various campaigns, including their dates, total amounts airdropped, and number of recipients. Source: Dune Analytics. "History of Airdrops." Dune Analytics.

To understand the extent and impact of Sybil attacks on cryptocurrency airdrops, we will analyze several well-documented and recent cases. These examples illustrate the methods employed by attackers and the vulnerabilities exploited in different airdrop campaigns. By examining these cases, we can better understand the challenges and develop more effective countermeasures to mitigate Sybil attacks [8,9].

Case Study 1: Uniswap (UNI) Airdrop Exploitation

In September 2020, Uniswap conducted a highly publicized airdrop, distributing 400 UNI tokens to every wallet that had interacted with the platform before a specific cutoff date [2]. Some users farmed this by creating numerous wallets and performing minimal interactions to qualify for multiple airdrop rewards. This led to significant concentration of tokens among a few individuals, contrary to the intended widespread distribution [10-12]. Even though some bots and multi-accounts faced exclusion to ensure a more effective distribution, others impacted the distribution process. Genuine users received fewer tokens than anticipated, and the community trust was undermined [11,12]. Uniswap used transaction analysis to identify suspicious activity patterns. However, since the airdrop had already occurred, preventive measures were limited to enhancing future airdrop criteria. The need for robust eligibility criteria was highlighted, along with the importance of monitoring transaction patterns to preemptively detect Sybil activity [2,3].

Figure 2: Uniswap Retroactive Airdrop. Source: Coin98.

Case Study 2: 1inch (1INCH) Airdrop Farming Incident

1inch, a decentralized exchange aggregator, conducted an airdrop in December 2020 to reward its early users and liquidity providers [4]. Similar to the Uniswap case, attackers created multiple wallets and conducted minimal trades to qualify for the airdrop. The low interaction threshold made it easy for Sybil attackers to exploit the system.

Figure 3: 1inch claim example. Source: Cryptonews.

The skewed distribution resulted in a large portion of the tokens being claimed by a small number of users controlling numerous wallets. This reduced the intended benefits for legitimate users, as a significant amount of the airdropped tokens ended up concentrated among a few entities.

To address this issue, the project team tightened the eligibility criteria for subsequent airdrops and began exploring more sophisticated detection mechanisms to prevent similar exploits in the future. This incident highlighted the importance of setting higher interaction thresholds and using advanced algorithms to detect and prevent Sybil attacks. It also emphasized the necessity of continuous monitoring and adaptation to evolving attack strategies to maintain the integrity of airdrop distributions [4,12,13].

Case Study 3: LayerZero (LZO) Airdrop Sybil Report

LayerZero, an omnichain interoperability protocol enabling seamless data transfer across blockchains, conducted an airdrop in May 2024. This technology supports censorship-resistant messages and permissionless development through immutable smart contracts, aiming to enhance decentralized applications by facilitating cross-chain communication [14]. Similar to previous cases, users created multiple wallets and engaged in behaviors such as minimal trades or several low-volume transactions to qualify for the airdrop [15]. This allowed them to exploit the system and receive more tokens than intended, highlighting the need for robust Sybil detection mechanisms.

Figure 4: LayerZero claim example. Source: Twitter/X.

The project team implemented a comprehensive Sybil analysis using tools like Nansen and Chaos Labs and carried out a Sybil bounty hunting competition to further tighten eligibility criteria. This included developing more sophisticated detection mechanisms such as enhanced transaction pattern analysis, cross-chain activity correlation, and community reporting mechanisms. These efforts helped in identifying clusters of related wallets and suspicious activities more effectively [15].

The LayerZero case highlighted the effectiveness of incorporating advanced analytical tools and community-driven detection efforts. However, it also underscored the need for continuous improvement and innovation in detection methodologies, as sophisticated attackers can still evade existing filters. Continuous adaptation and enhancement of detection mechanisms are essential to keep up with the evolving tactics of Sybil attackers.

Case Study 4: ether.fi (ETHFI) Airdrop Sybil Report

Figure 5: ether.fi claim page. Source: claim.ether.fi.

ether.fi is the leading protocol in the rapidly growing field of liquid restaking (LRT), significantly outpacing its competitors by holding more than 50% of the market share (see Figure 6). Liquid restaking protocols are designed to maximize the utility of staked Ethereum by allowing it to secure other networks and protocols simultaneously. ether.fi stands out for its innovative use of non-fungible tokens (NFTs) for validators and its integration with EigenLayer to enhance yields [16]. For a deeper dive into the advantages and mechanisms of liquid restaking, refer to our recent research: Abstracadabra: The Liquid Restaking Over.

Figure 6: LRT Market Share - A chart illustrating the market share of various liquid restaking protocols. Each color represents a different platform. Source: Dune Analytics. "LRT Staking." Dune Analytics.

As the #1 liquid restaking protocol, ether.fi has successfully captured a substantial market share, demonstrating the effectiveness of its platform in managing Ethereum staking and restaking. This leadership is highlighted by the high volume of assets locked in its protocol and its popularity among users seeking efficient and profitable staking solutions.

ether.fi's recent airdrop aimed to reward its active participants, leveraging its robust staking framework to ensure a fair and secure distribution of tokens. The reward points were calculated based on a formula that considered the amount of ETH staked and the duration it was staked. This approach aimed to balance rewards between large and small participants. The protocol's comprehensive strategies for detecting and mitigating Sybil attacks, including the use of advanced analytics and community engagement, further reinforce its position as a leader in the LRT space.

The primary concern was the potential for users to create multiple wallets to maximize their airdrop rewards. To mitigate this, ether.fi encouraged genuine engagement and participation. Users could earn tokens by actively farming through liquidity provision or staking, which required more involvement than simply holding tokens [17].

ether.fi implemented a proof of participation mechanism to deter multiple wallet creation, tracking user engagement to ensure eligibility based on genuine activity. Advanced analytical tools monitored transaction patterns to flag suspicious behaviors, while community involvement was incentivized to report anomalies. For the Season 2 airdrop, ether.fi promised significant rewards, including up to 150 ETHFI tokens for small stakers. In collaboration with Chaos Labs, ether.fi implemented measures to detect Sybil activity and suspicious behaviors. Users were required to validate their wallets to confirm they were not part of Sybil clusters to maintain eligibility for additional rewards, which had to be verified within 5 days [5,17,18].

The ether.fi case demonstrated the partial success of proof of participation mechanisms and the effectiveness of combining advanced analytics with community-driven efforts. However, it also underscored the need for continuous improvement in detection methodologies to adapt to sophisticated attackers. This case emphasizes the importance of regular updates and collective vigilance in securing airdrop campaigns. As early investors in ether.fi, we recognize the importance of maintaining integrity and transparency in these initiatives.

Lessons Learned from Past Incidents

Despite significant advancements in detection techniques, many airdrop farmers continue to exploit the system. Analyzing past incidents of Sybil attacks and airdrop farming reveals several critical insights for enhancing detection and prevention strategies [6]:

  1. Community Involvement: Engaging the community in monitoring and reporting suspicious activities has proven effective. For example, LayerZero's Sybil bounty hunt encouraged community members to report suspicious wallets, leading to the identification of many Sybil attackers [12]. Incentivizing community participation through rewards or recognition can enhance the effectiveness of this approach.
  2. Advanced Analytical Tools: Leveraging advanced data analytics and machine learning models can significantly improve the detection of abnormal patterns and behaviors indicative of Sybil attacks. Tools that analyze transaction patterns, account activities, and network relationships, such as those used by ether.fi in collaboration with Chaos Labs, can identify clusters of suspicious wallets more accurately [18].
  3. Enhanced Eligibility Criteria: Setting stringent and dynamic eligibility criteria for airdrop participation can deter fraudulent behavior. Criteria based on proof of participation, activity levels, and historical engagement with the project can ensure that only genuine users receive rewards. For example, ether.fi's requirement for users to validate their wallets and prove genuine activity helped filter out non-genuine participants [17].
  4. Continuous Monitoring and Iteration: Continuous monitoring and iterative improvements in detection methodologies are crucial. For example, Uniswap's post-airdrop analysis and adjustment of eligibility criteria for future airdrops highlight the importance of learning from past incidents to refine detection processes [2,3]. Regular audits, feedback loops, and adaptive algorithms that learn from previous attacks can help maintain robust defenses against emerging threats.
  5. Adaptive Attack Strategies: Attackers constantly evolve their strategies to bypass detection mechanisms. They may distribute their activities across numerous wallets or use sophisticated algorithms to mimic genuine user behavior. For instance, during the LayerZero airdrop, attackers used multiple wallets with varying transaction patterns to evade detection [15]. This requires detection systems to be continuously updated and improved to stay ahead of these tactics. Employing adaptive algorithms that learn from past incidents can help in refining the detection process to stay ahead of evolving tactics.

By incorporating these lessons, blockchain projects can better safeguard their airdrop campaigns, ensuring effective and equitable distribution of tokens while minimizing the impact of fraudulent activities. This multi-faceted approach, combining technological, procedural, and community-driven efforts, is essential for maintaining the integrity and success of airdrop initiatives.

1.4 Detecting Sybil Airdrop Hunters

Detecting Sybil airdrop hunters involves analyzing on-chain data to identify patterns indicative of farming behavior. Effective detection methods combine various techniques to provide a comprehensive defense against Sybil attacks. Common techniques include:

  1. Transaction Analysis: Identifying clusters of wallets with similar transaction patterns or simultaneous activity. For example, Wormhole uses sophisticated transaction analysis to detect wallets engaging in repetitive or coordinated behaviors, which are indicative of Sybil attacks [17]. This method involves examining the frequency, volume, and timing of transactions to spot anomalies. Tools like Nansen and Chainalysis have been instrumental in providing the analytical capabilities required for such in-depth analysis [5,6]. By mapping the transaction flows, analysts can pinpoint wallets that are likely working in concert to farm airdrops. Additionally, while wallets created before the project existed are generally less likely to be Sybil wallets targeting that specific airdrop, it's important to consider that some farming operations reuse Sybil wallets across multiple projects. Sybil wallets often perform multiple transactions within a very short time frame. By setting thresholds for transaction volumes and frequencies, unusual spikes can be flagged for further investigation.
  2. Behavioral Patterns: Monitoring for behaviors such as frequent wallet creation, repetitive actions, or coordinated token transfers. Trusta AI is implementing advanced behavioral analysis to track these activities [18]. This approach focuses on identifying abnormal wallet creation rates, unusual transaction sequences, and synchronized activities across multiple wallets, which are tell-tale signs of Sybil behavior. Trusta AI uses algorithms to track activities like the rapid creation of wallets and their transaction histories. By setting alerts for behaviors that deviate from the norm, they can quickly identify potential Sybil attacks. Furthermore, clustering similar behaviors across wallets can indicate coordinated attacks, especially if multiple wallets exhibit identical transaction patterns or simultaneous activity within the same timeframe [18].
  3. Machine Learning: Using advanced algorithms to detect anomalies and predict potential Sybil attacks based on historical data. Trusta AI is also developing machine learning models that analyze past transaction data to identify patterns that signify Sybil activity [6,18]. These models can adapt to new attack strategies by continuously learning from new data, making them more effective over time. The use of machine learning allows for continuous improvement in detection capabilities as more data is collected and analyzed [6,18].

By identifying these patterns, projects can implement safeguards to ensure a more equitable distribution of tokens, thereby preserving the integrity and intended benefits of their airdrop campaigns [1,6,17]. For instance, setting dynamic thresholds for transaction volumes and frequencies can help detect and mitigate Sybil attacks before they affect the airdrop.

Crypto airdrops are a powerful tool for community building and project promotion. However, they also present challenges that need careful management to prevent exploitation by Sybil airdrop hunters. Proper detection and mitigation strategies are essential to maintaining the effectiveness and integrity of airdrops in the crypto ecosystem [1,3,6]. As attackers evolve their tactics, the need for sophisticated and adaptive detection mechanisms becomes increasingly critical. By leveraging advanced analytics, community engagement, and continuous monitoring, projects can protect their airdrop campaigns from being undermined by Sybil attackers.

2. Goals

The primary objective of this report is to provide a comprehensive analysis of Sybil airdrop hunters within the cryptocurrency ecosystem. Sybil airdrop hunting involves creating multiple fake identities (wallet addresses) to accumulate a disproportionately large share of airdropped tokens. This report aims to understand the phenomenon, its implications, and how it can be detected and mitigated. Additionally, the report focuses on identifying clusters of wallets participating in multiple airdrops, indicative of coordinated Sybil attacks.

A key focus of the report is to compare two recent airdrops—LayerZero and ether.fi—that have implemented their own strategies to prevent Sybil attacks. By examining these airdrops, the report aims to assess the effectiveness of these strategies in mitigating fraudulent activities and identify any remaining vulnerabilities. This analysis will provide insights into whether these strategies successfully deter airdrop farmers or if there are still significant gaps that need addressing.

LayerZero and ether.fi were chosen for this analysis because they represent some of the most recent and high-profile attempts to innovate in airdrop security. LayerZero implemented a Sybil bounty hunting program and collaborated with advanced analytics platforms, while ether.fi introduced proof of participation mechanisms and community-driven reporting systems. These approaches offer valuable case studies for understanding how different methods can be applied and their relative success in preventing Sybil attacks.

This report will delve into specific detection methods such as transaction analysis, behavioral pattern recognition, and machine learning algorithms. By providing detailed insights into these methodologies, the report aims to equip other blockchain projects with the knowledge needed to safeguard their airdrop campaigns against Sybil attackers.

3. Methodology

This analysis aims to identify wallets that have potentially farmed airdrops from both LayerZero and ether.fi, two of the most recent and anticipated airdrops. The criteria for participating in these airdrops are as follows:

  • LayerZero: Utilization of its bridge with basic criteria plus passing the last Sybil filtration [19].
  • ether.fi: Holding eETH/weETH, holding Ether Fan NFT, or being an early adopter participant (staking ETH on its platform) [20].

To achieve this, the process involves a detailed, multi-step approach to analyze each airdrop separately and then identify common wallets that exhibit farming behavior in both airdrops using FlipsideCrypto and Python (see Figure 7).

Figure 7: Flowchart of Sybil Detection and Analysis Methodology for Detecting Potential Farmers of LayerZero and ether.fi Airdrops.

Step 1: Data Aggregation 

The initial step involves aggregating transaction data from LayerZero and ether.fi. For LayerZero, data is collected on bridge usage, transaction counts, and volumes. For ether.fi, data includes holdings of eETH/weETH, ownership of Ether Fan NFTs, and staking activities. This data is sourced from FlipsideCrypto's comprehensive database, ensuring accuracy and up-to-date information.

Step 2: Initial Criteria Filtering 

For each airdrop, wallets are filtered based on preliminary criteria to identify potential Sybil attackers:

  • LayerZero: Wallets with transaction counts between 1 and 5, total transaction volumes not exceeding $1,000, and transactions occurring within a 24-hour period. Additionally, wallets using fewer than three distinct source contracts are flagged for further analysis.
  • ether.fi: Wallets with deposits and withdrawals of eETH/weETH around the snapshot date and those with similar transaction patterns are identified.

Step 3: Refinement with Temporal Correlation and Contract Patterns 

Further refinement of suspect addresses includes:

  • Transactions occurring within a single hour.
  • Limited distinct destination transaction hashes.
  • For ether.fi, patterns of staking and withdrawals are closely examined to identify coordinated behaviors.

Step 4: Detailing Interlinked Addresses 

Addresses are cross-referenced to find similar transactional patterns across different chains and addresses, indicating possible Sybil behavior. Source of funds is analyzed to identify common sources funding multiple suspect addresses, establishing a network of interconnected addresses.

Step 5: Clustering and Final Selection 

Addresses are clustered based on their source of funds and transactional behavior. Only clusters with a significant number of addresses (e.g., 5 or more) are considered. Machine learning algorithms and advanced analytics are employed to identify clusters of related wallets and suspicious activities more accurately.

Step 6: Cross-Airdrop Analysis 

The final step involves matching wallets that participated in both airdrops. These wallets are subjected to the same rigorous analysis and filtering to detect Sybil wallets and identify clusters of wallets with similar behavior across both airdrops. This comprehensive cross-analysis helps in understanding if recurrent airdrop farmers are exploiting multiple airdrops.

Step 7: False Positives Mitigation 

The dataset is split into 70% training and 30% testing sets to evaluate clustering performance. K-means clustering is applied to the training set to identify distinct groups based on transactional behaviors. The model predicts cluster labels for the testing set, with performance evaluated using the silhouette score.

By systematically applying these steps, the analysis aims to provide a comprehensive identification of Sybil airdrop farmers and understand their behavior across different airdrops. The on-chain data comes from FlipsideCrypto, where a dashboard has been created to detect Sybil wallets and provide a list for each case. The Sankey diagram, PCA analysis, and time-series representations were produced with Python.
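
Step 7's evaluation loop (70/30 split, K-means fitted on the training set, labels predicted for the test set, silhouette score), as an added Python example that is not the report's own code. The wallet features, the log scaling, k=2, the deterministic split and the farthest-point initialisation are assumptions chosen so the run is reproducible without third-party libraries.

```python
import math

def features(tx_count, total_usd, window_hours):
    # Log scaling is an assumption of this example; the report does not list its features.
    return [math.log10(tx_count), math.log10(total_usd), math.log10(window_hours)]

def build_sample():
    """Constructed wallets: 20 short-burst, low-volume ones and 20 long-lived active ones."""
    rows = {}
    for i in range(20):
        rows[f"burst{i:02d}"] = features(2 + i % 3, 40 + 2.5 * i, 0.2 + 0.04 * i)
        rows[f"steady{i:02d}"] = features(20 + i, 3000 + 300 * i, 200 + 90 * i)
    return rows

def split_70_30(ids):
    """Deterministic 70/30 split: of every 10 sorted ids, 3 go to the test set."""
    ids = sorted(ids)
    test = [w for n, w in enumerate(ids) if n % 10 in (2, 5, 8)]
    train = [w for n, w in enumerate(ids) if n % 10 not in (2, 5, 8)]
    return train, test

def fit_scaler(X):
    """Column means and standard deviations, computed on the training set only."""
    cols = list(zip(*X))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return means, stds

def scale(x, means, stds):
    return [(v - m) / s for v, m, s in zip(x, means, stds)]

def predict(p, centroids):
    """Index of the nearest centroid."""
    return min(range(len(centroids)), key=lambda j: math.dist(p, centroids[j]))

def kmeans(X, k, max_iter=100):
    # Farthest-point initialisation keeps the result independent of a random seed.
    centroids = [X[0]]
    while len(centroids) < k:
        centroids.append(max(X, key=lambda p: min(math.dist(p, c) for c in centroids)))
    for _ in range(max_iter):
        labels = [predict(p, centroids) for p in X]
        updated = []
        for j in range(k):
            members = [p for p, l in zip(X, labels) if l == j]
            updated.append([sum(c) / len(members) for c in zip(*members)]
                           if members else centroids[j])
        if updated == centroids:
            break
        centroids = updated
    return centroids

def silhouette(X, labels):
    """Mean silhouette coefficient; 0.0 when fewer than two clusters are present."""
    if len(set(labels)) < 2:
        return 0.0
    total = 0.0
    for i, p in enumerate(X):
        by_cluster = {}
        for j, q in enumerate(X):
            if j != i:
                by_cluster.setdefault(labels[j], []).append(math.dist(p, q))
        own = by_cluster.pop(labels[i], None)
        if not own:
            continue  # a singleton cluster contributes 0 by convention
        a = sum(own) / len(own)                                # cohesion
        b = min(sum(d) / len(d) for d in by_cluster.values())  # separation
        total += (b - a) / max(a, b)
    return total / len(X)

def evaluate(k=2):
    rows = build_sample()
    train_ids, test_ids = split_70_30(rows)
    means, stds = fit_scaler([rows[w] for w in train_ids])
    x_train = [scale(rows[w], means, stds) for w in train_ids]
    x_test = [scale(rows[w], means, stds) for w in test_ids]
    centroids = kmeans(x_train, k)
    labels = [predict(p, centroids) for p in x_test]
    return dict(zip(test_ids, labels)), silhouette(x_test, labels), len(train_ids)

if __name__ == "__main__":
    test_labels, score, n_train = evaluate()
    print(f"train={n_train} test={len(test_labels)} silhouette={score:.3f}")
```

A high silhouette score only says the held-out wallets fall into well-separated groups; it does not say which group is Sybil, so a flagged cluster still needs the funding-source and label checks before wallets are excluded.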

3.1 LayerZero Airdrop Analysis

The analysis of the LayerZero airdrop leverages a multi-step approach to identify and refine suspect addresses that may be involved in Sybil attacks. The following steps outline the methodology used:

  1. Data Aggregation: The first step involves aggregating LayerZero transaction data to compute metrics such as transaction count, total volume in USD, and distinct contracts involved. This provides a comprehensive overview of all activities related to the airdrop.
  2. Initial Criteria Filtering: To identify potential Sybil addresses, we apply specific filters:
    • Transaction Count: Wallets with transaction counts between 1 and 5 are flagged. This range is chosen based on the assumption that Sybil attackers perform multiple transactions quickly to qualify for the airdrop without attracting much attention. Research indicates that limited transaction counts often correspond to Sybil behaviors [21, 22].
    • Total Transaction Volume: Wallets with a total transaction volume not exceeding $1,000 are considered. This threshold is based on observations that typical Sybil wallets don't spend large amounts to minimize risk. Studies have shown that lower transaction volumes are a common characteristic of Sybil wallets [23, 24].
    • Activity Window: Transactions occurring within a 24-hour period are identified, as quick, concentrated activity is indicative of Sybil behavior. Activity outside this window is less suspicious due to the dispersed nature of genuine transactions [21].
  3. Refinement with Temporal Correlation and Contract Patterns: Further narrowing down suspect addresses involves:
    • Temporal Correlation: Transactions occurring within a single hour are highlighted to identify highly concentrated activities.
    • Destination Hashes: Limited distinct destination transaction hashes are analyzed to find patterns typical of Sybil behavior [22].
  4. Detailing Interlinked Addresses: Addresses are cross-referenced to find similar transactional patterns across different chains and addresses, indicating possible Sybil behavior. This involves tracking the origin of funds to identify common sources funding multiple suspect addresses, establishing a network of interconnected addresses [21].
  5. Source of Funds Analysis: In this step, the origin of funds is analyzed. Sources of funds that appear in the labels table or the contracts table in Flipside's database have been excluded. Labeled wallets are often related to institutional entities, centralized exchange (CEX) hot wallets, etc., which could lead to false positives. For example, multiple wallets might have the same source of funds labeled as Binance, but this does not indicate coordinated Sybil activity since Binance is simply a CEX. Additionally, hot wallets of large CEXes function similarly to mixers, further complicating the detection of genuine Sybil behavior [22-24].
  6. Clustering and Final Selection: Addresses are clustered based on their source of funds and transactional behavior. For this analysis, the K-means algorithm was utilized to identify patterns among the addresses. Various cluster sizes were tested, and the final analysis focused on clusters containing 5 or more addresses to ensure statistical significance. This clustering helps in identifying coordinated groups rather than isolated incidents [23]. By grouping addresses with similar transaction patterns and sources of funds, we can better detect potential Sybil behavior and differentiate it from normal user activity. 
  7. Excluding Possible False Positives: After conducting a comprehensive analysis using the described methodology, a final list of wallets is identified as being involved in Sybil attacks. These wallets are meticulously analyzed and filtered through multiple stages to ensure accuracy and minimize the risk of false positives. This involves rechecking against known legitimate activity patterns and removing any that might have been wrongly flagged due to normal large-scale activities like those from institutional wallets [22].
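The aggregation, initial filter and source-of-funds steps above can be sketched as follows. This is an added example, not the report's own script: it groups flagged wallets by shared funder instead of running K-means, and the wallet names, the `LABELED_SOURCES` set and the sample transfers are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds stated in the methodology above.
MAX_TX_COUNT = 5
MAX_VOLUME_USD = 1_000
ACTIVITY_WINDOW = timedelta(hours=24)
MIN_CLUSTER_SIZE = 5

# Constructed stand-in for a labels/contracts table (CEX hot wallets, contracts).
LABELED_SOURCES = {"0xcex_hot_wallet"}


def aggregate(transfers):
    """Step 1: per-wallet transaction count, USD volume, first and last activity."""
    stats = {}
    for wallet, ts, usd in transfers:
        s = stats.setdefault(wallet, {"count": 0, "volume": 0.0, "first": ts, "last": ts})
        s["count"] += 1
        s["volume"] += usd
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return stats


def passes_initial_filter(s):
    """Step 2: 1-5 transactions, at most $1,000 in total, all within 24 hours."""
    return (
        1 <= s["count"] <= MAX_TX_COUNT
        and s["volume"] <= MAX_VOLUME_USD
        and s["last"] - s["first"] <= ACTIVITY_WINDOW
    )


def cluster_by_funder(transfers, first_funder):
    """Steps 5-6, simplified: group flagged wallets by their unlabeled funder."""
    groups = defaultdict(set)
    for wallet, s in aggregate(transfers).items():
        if not passes_initial_filter(s):
            continue
        funder = first_funder.get(wallet)
        if funder is None or funder in LABELED_SOURCES:
            continue  # a shared exchange hot wallet is not evidence of coordination
        groups[funder].add(wallet)
    return {f: sorted(w) for f, w in groups.items() if len(w) >= MIN_CLUSTER_SIZE}


def sample_data():
    """Constructed data: (wallet, timestamp, usd) transfers and wallet -> first funder."""
    t0 = datetime(2024, 4, 1, 12, 0)
    transfers, first_funder = [], {}

    def add(prefix, n, funder, tx_per_wallet, usd, spacing):
        for i in range(n):
            wallet = f"{prefix}{i}"
            first_funder[wallet] = funder
            for j in range(tx_per_wallet):
                transfers.append((wallet, t0 + spacing * j, usd))

    add("0xfarm_a_", 6, "0xfunder_a", 2, 50.0, timedelta(minutes=20))  # coordinated
    add("0xcex_user_", 6, "0xcex_hot_wallet", 2, 50.0, timedelta(minutes=20))  # labeled funder
    add("0xsmall_", 4, "0xfunder_b", 2, 50.0, timedelta(minutes=20))  # below cluster size
    add("0xorganic_", 1, "0xfunder_a", 40, 300.0, timedelta(days=3))  # fails step 2
    return transfers, first_funder


if __name__ == "__main__":
    for funder, wallets in cluster_by_funder(*sample_data()).items():
        print(funder, len(wallets), wallets)
```

The six exchange-funded wallets behave exactly like the farmed ones and are still dropped, which is the false-positive case step 5 is designed to avoid.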

3.2 ether.fi Airdrop Analysis

The analysis for the ether.fi airdrop is simpler but similarly rigorous, involving several key steps to identify potential Sybil attackers:

  1. Data Aggregation: The first step involves aggregating ether.fi deposit and withdrawal data to compute metrics such as transaction count, total volume in USD, and the number of wallets involved. This provides a comprehensive overview of all activities related to the airdrop.
  2. Filtering with Temporal Correlation and Contract Patterns: To identify potential Sybil clusters, the following criteria are applied:
    • Temporal Correlation: Identify clusters where DEPOSIT_TIME and WITHDRAWAL_TIME are closely aligned within a specific range (e.g., within a few minutes or hours). This range-based approach accounts for slight variations in transaction timing, which is more realistic than expecting exact matches.
    • Volume Similarity: Instead of requiring identical AMOUNT_DEPOSITED and AMOUNT_WITHDRAWN, transactions are grouped if their volumes fall within a certain confidence interval or percentage range. For example, deposits and withdrawals within 5% of each other are considered similar. This approach recognizes natural variations in transaction amounts while still identifying coordinated behaviors.
    • Cluster Formation: Create clusters with five or more wallets exhibiting similar behaviors as defined above. This threshold helps in identifying coordinated groups rather than isolated incidents.
  3. Detailing Interlinked Addresses: Addresses are cross-referenced to find similar transactional patterns across different chains and addresses, indicating possible Sybil behavior. This step involves:
    • Tracking the origin and destination of funds to identify common sources and sinks, establishing a network of interconnected addresses.
    • Analyzing patterns in transaction timings, amounts, and counterparties to detect coordinated behaviors indicative of Sybil attacks.
  4. False Positive Filtration: To ensure the accuracy and reliability of the detection process, wallets that did not match any of these clusters are filtered out. This involves:
    • Excluding wallets that show no significant pattern or similarity to identified clusters.
    • Rechecking the data against known legitimate activities and institutional wallets to remove any potential false positives. For example, wallets linked to centralized exchanges (CEX) or institutional entities are filtered out as they do not represent Sybil behavior.
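One way to implement the range-based temporal and volume matching described in step 2, as an added example that is not the report's own code. The 30-minute window, the `WALLET` key, the union-find grouping and the sample rows are assumptions; the 5% tolerance and the five-wallet minimum come from the text.

```python
from datetime import datetime, timedelta

TIME_WINDOW = timedelta(minutes=30)  # assumed value; the text only says "minutes or hours"
VOLUME_TOLERANCE = 0.05              # "within 5% of each other"
MIN_CLUSTER_SIZE = 5                 # "five or more wallets"


def within_pct(a, b, tol=VOLUME_TOLERANCE):
    """True when the two amounts differ by at most tol of the larger one."""
    return abs(a - b) <= tol * max(a, b)


def similar(r1, r2):
    """Range-based match on both timestamps and both amounts."""
    return (
        abs(r1["DEPOSIT_TIME"] - r2["DEPOSIT_TIME"]) <= TIME_WINDOW
        and abs(r1["WITHDRAWAL_TIME"] - r2["WITHDRAWAL_TIME"]) <= TIME_WINDOW
        and within_pct(r1["AMOUNT_DEPOSITED"], r2["AMOUNT_DEPOSITED"])
        and within_pct(r1["AMOUNT_WITHDRAWN"], r2["AMOUNT_WITHDRAWN"])
    )


def find_clusters(records):
    """Link similar wallets and return connected groups of MIN_CLUSTER_SIZE or more.

    Linking is transitive (single linkage), so a long chain of near-matches can
    merge into one group; review large clusters before acting on them.
    """
    rows = sorted(records, key=lambda r: r["DEPOSIT_TIME"])
    parent = list(range(len(rows)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i, a in enumerate(rows):
        for j in range(i + 1, len(rows)):
            b = rows[j]
            if b["DEPOSIT_TIME"] - a["DEPOSIT_TIME"] > TIME_WINDOW:
                break  # rows are sorted, so every later row is further away
            if similar(a, b):
                parent[find(i)] = find(j)

    groups = {}
    for i, r in enumerate(rows):
        groups.setdefault(find(i), []).append(r["WALLET"])
    return sorted(sorted(g) for g in groups.values() if len(g) >= MIN_CLUSTER_SIZE)


def sample_records():
    """Constructed deposit/withdrawal rows, one per wallet."""
    dep, wd = datetime(2024, 2, 10, 9, 0), datetime(2024, 3, 20, 18, 0)

    def row(wallet, d, w, amount):
        return {"WALLET": wallet, "DEPOSIT_TIME": d, "WITHDRAWAL_TIME": w,
                "AMOUNT_DEPOSITED": amount, "AMOUNT_WITHDRAWN": amount}

    rows = [row(f"0xring_{i}", dep + timedelta(minutes=3 * i),
                wd + timedelta(minutes=4 * i), 1.0 + 0.005 * i) for i in range(6)]
    rows += [row(f"0xsmall_{i}", dep + timedelta(days=5, minutes=i),
                 wd + timedelta(days=5, minutes=i), 2.0) for i in range(4)]
    rows.append(row("0xwhale", dep, wd, 30.0))  # timing matches, volume does not
    rows.append(row("0xholder", dep, wd + timedelta(days=40), 1.0))  # withdrew weeks later
    return rows


if __name__ == "__main__":
    for cluster in find_clusters(sample_records()):
        print(len(cluster), cluster)
```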

3.3 Combined Analysis for Both Airdrops

The final step is to identify wallets that participated in both LayerZero and ether.fi airdrops and might be recurrent airdrop farmers. This involves the following detailed steps:

  1. Find intersection of LayerZero and ether.fi airdrop participants: Combine the data obtained after applying the filters in sections 3.1 and 3.2 to detect Sybil wallets in the combined dataset.
  2. Cluster Analysis and False Positives Mitigation: Identify clusters of wallets exhibiting similar behaviors in both airdrops. This analysis focuses on wallets with the same transaction patterns and activities in both LayerZero and ether.fi, helping to identify systematic farming across multiple airdrops. Clustering is based on transactional behaviors, source of funds, and activity patterns, providing a somewhat comprehensive picture of coordinated efforts.

The dataset is split into training (70%) and testing (30%) sets to evaluate the robustness of the clustering algorithm. This split allows for assessing the model's performance on unseen data, providing a measure of its generalizability. K-means clustering is applied to the training set to identify distinct groups of wallets based on their transactional behaviors. The number of clusters is predetermined (e.g., five clusters) and can be adjusted based on specific insights from exploratory data analysis.

The trained model is then used to predict the cluster labels for the testing set. The performance of the clustering is evaluated using the silhouette score, which measures the similarity of an object to its own cluster compared to other clusters. A higher silhouette score indicates better-defined clusters.
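The split, fit, predict and silhouette steps above, as an added example that is not the report's own script. It is a standard-library K-means with farthest-point initialisation (chosen here for determinism) run on constructed wallet features; the profiles, the `spread` parameter and all function names are assumptions.

```python
import math
import random


def fit_scaler(rows):
    """Column means and standard deviations, learned from the training set only."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return means, stds


def scale(rows, scaler):
    means, stds = scaler
    return [tuple((x - m) / s for x, m, s in zip(r, means, stds)) for r in rows]


def nearest(point, centroids):
    """Index of the closest centroid: the K-means 'predict' step."""
    return min(range(len(centroids)), key=lambda k: math.dist(point, centroids[k]))


def kmeans(points, k, iterations=50):
    """Lloyd's algorithm with farthest-point initialisation (deterministic)."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(math.dist(p, c) for c in centroids)))
    for _ in range(iterations):
        labels = [nearest(p, centroids) for p in points]
        updated = []
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            updated.append(tuple(sum(c) / len(members) for c in zip(*members))
                           if members else centroids[j])
        if updated == centroids:
            break
        centroids = updated
    return centroids


def silhouette(points, labels):
    """Mean of (b - a) / max(a, b): a = mean distance to own cluster, b = to nearest other."""
    scores = []
    for i, p in enumerate(points):
        dists = {}
        for j, q in enumerate(points):
            if i != j:
                dists.setdefault(labels[j], []).append(math.dist(p, q))
        own = dists.pop(labels[i], None)
        if not own or not dists:
            scores.append(0.0)  # singleton cluster, or only one cluster present
            continue
        a = sum(own) / len(own)
        b = min(sum(d) / len(d) for d in dists.values())
        scores.append((b - a) / (max(a, b) or 1.0))
    return sum(scores) / len(scores)


# Constructed behaviour profiles: (transaction count, volume bridged in USD, ETH deposited).
PROFILES = [(3, 200.0, 0.5), (20, 5000.0, 2.0), (60, 800.0, 10.0)]


def make_split(spread, per_profile=20, train_share=0.7, seed=7):
    """Constructed wallets around each profile, split 70/30 within every profile."""
    rng = random.Random(seed)
    cut = round(per_profile * train_share)
    train, test = [], []
    for profile in PROFILES:
        rows = [tuple(v * rng.uniform(1 - spread, 1 + spread) for v in profile)
                for _ in range(per_profile)]
        train += rows[:cut]
        test += rows[cut:]
    return train, test


def evaluate(spread, k=3):
    """Fit on the training set, label the held-out set, score the held-out clustering."""
    train, test = make_split(spread)
    scaler = fit_scaler(train)
    centroids = kmeans(scale(train, scaler), k)
    test_scaled = scale(test, scaler)
    labels = [nearest(p, centroids) for p in test_scaled]
    return silhouette(test_scaled, labels), labels


if __name__ == "__main__":
    for spread in (0.1, 0.6):
        score, _ = evaluate(spread)
        print(f"spread={spread}: held-out silhouette {score:.3f}")
```

Scaling is fitted on the training set only, so the held-out score is not influenced by the test wallets; widening `spread` makes the profiles overlap and lowers the score.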

Principal Component Analysis (PCA) is used to reduce the dimensionality of the data to two components, PCA1 and PCA2, facilitating visualization. Scatter plots are created to visualize the clusters for both the training and testing sets, with each dot representing a wallet and colors indicating different clusters identified by K-means. The size of the dots is proportional to the number of wallets, highlighting the concentration within each cluster.

By systematically applying these steps, the analysis aims to provide a comprehensive identification of Sybil airdrop farmers and understand their behavior across different airdrops. The on-chain data is provided by FlipsideCrypto, where a dedicated dashboard has been created to detect Sybil wallets and provide a list for each case. Additionally, visual representations such as Sankey Diagrams, PCA analysis, and Time-Series charts have been created using Python, enabling a clear and detailed examination of Sybil activities.

Using various visual representations in this analysis provides several advantages. Sankey Diagrams effectively illustrate the flow of funds and the movement of tokens between wallets, highlighting the connections and pathways used by suspected Sybil wallets. This type of visualization helps in understanding the magnitude and direction of transactions, making it easier to spot unusual patterns. Principal Component Analysis (PCA) is employed to simplify the complexity of high-dimensional data while retaining significant trends and patterns, which allows for the visualization of clusters of wallets with similar behaviors. PCA is particularly useful in reducing dimensionality and highlighting relationships between variables that may not be immediately apparent. Time-Series charts are essential for visualizing the activity of wallets over time, showing patterns in deposits, withdrawals, and transaction timings. This helps in identifying synchronized activities that are indicative of Sybil attacks. These visual tools are selected for their ability to provide intuitive and comprehensive insights into complex data sets, offering clarity and precision that other methods may lack.

All these visual representations have been created using Python, which provides robust tools for data analysis and visualization. We at Node Capital have developed an open-source tool for the crypto community, designed to assist in detecting and analyzing Sybil activity in airdrops. This tool is a practical solution aimed at improving airdrop strategies. By sharing this tool, we aim to empower the broader crypto community to enhance their airdrop analyses and strategies, fostering more robust and equitable token distributions.

4. Results

The results section presents detailed findings from the analysis of LayerZero and ether.fi airdrop participants, highlighting the extent of Sybil activity and the effectiveness of detection mechanisms. It is important to note that while this methodology provides a comprehensive approach to identifying Sybil wallets, it is not exhaustive. Other methodologies could be applied to detect more Sybils, and having more on-chain data would also help in identifying additional Sybil wallets.

4.1 LayerZero Airdrop Analysis

Based on a combination of transaction counts, volume, and temporal correlations, the analysis of LayerZero participants revealed a significant number of Sybil wallets, accounting for 5.9% of the total participants. The term "significant number" is based on the context of typical Sybil detection rates observed in the industry, where Sybil attack rates can range from a few percent to over 10%, depending on the robustness of the detection mechanisms and the attractiveness of the airdrop [25]. In the case of LayerZero, identifying 5.9% of participants as Sybil wallets is substantial given the large number of total participants, indicating a meaningful portion of the user base engaged in fraudulent behavior.

Research indicates that even a small percentage of Sybil wallets can greatly impact token distribution and network integrity. For instance, studies have shown that Sybil attack rates in certain blockchain networks can be as high as 10-15%, significantly affecting the fairness and security of these systems [25,26]. Therefore, the detection of nearly 6% Sybil wallets in LayerZero's airdrop underscores the importance of robust detection methods and reflects a considerable effort in mitigating fraudulent activities.

In total, over 5.8 million participants were involved in the LayerZero airdrop. Among these, 341,000 wallets were detected as Sybil wallets, making up 5.9% of the total participants. This identification was achieved through meticulous analysis and multiple stages of filtering to ensure accuracy and minimize false positives.

Cluster analysis revealed a total of 28,679 clusters of Sybil wallets, with the largest cluster containing 2,051 wallets. This indicates a high level of coordination among Sybil attackers, highlighting the sophisticated nature of these attempts.

A Sankey diagram (see Figure 8) was used to illustrate the flow of funds between different chains. The diagram shows that the BNB Chain was prominently used for farming activities. The lines in the diagram represent the direction of fund transfers, with the thickness of each line corresponding to the number of wallets involved. This visual representation underscores the scale and complexity of the Sybil attack efforts, with almost 200 clusters containing more than 100 wallets each.

However, the data available to us covers only activity prior to the snapshot date. After the snapshot, LayerZero implemented a Sybil Bounty Hunt, which incentivized community members to identify and report Sybil wallets. This initiative led to the detection and filtering of a significant number of Sybil wallets, demonstrating the effectiveness of community-driven security measures.

Figure 8: LayerZero Sybil Activity Flow - A Sankey Diagram illustrating the flow of funds. The lines represent the direction of fund transfers, and the thickness of each line corresponds to the number of wallets involved in these transfers. Source: Python script.

The presence of many Sybil accounts doesn't necessarily indicate whether a protocol is good or bad. What matters is how the protocol addresses and filters out these Sybil accounts. The results show the number of users attempting to farm an airdrop, but this doesn't equate to the number of users who actually receive the airdrop. Even though LayerZero had a higher number of Sybil accounts, the protocol team applied stringent filter criteria afterward. This filtering process excluded a significant portion of these Sybil accounts from receiving the airdrop. Therefore, while initial numbers may seem inflated due to Sybil activity, the effective measures taken by the team ensured that only legitimate users benefited from the airdrop. This highlights the importance of robust filtering mechanisms in maintaining the integrity and fairness of airdrop distributions.

4.2 ether.fi Airdrop Analysis

The ether.fi airdrop showed a lower percentage of Sybil wallets, with less than 1% of the total participants detected as Sybil wallets. The analysis involved approximately 84,064 total participants, out of which fewer than 1,000 wallets were identified as Sybil attackers. This translates to a Sybil wallet percentage of less than 1%.

Cluster analysis revealed a total of 73 clusters of Sybil wallets, with the largest cluster containing 39 wallets. This indicates that while the prevalence of Sybil attacks was relatively low, there were still coordinated efforts among some attackers. However, it is worth noting that ether.fi and Chaos Labs identified a significantly larger cluster of Sybil wallets, with one cluster containing 1,008 wallets, as highlighted in this tweet by Mike Silagadze, ether.fi’s CEO. This discrepancy underscores the effectiveness of their more advanced detection methods.

The multi-line time series chart (see Figure 9) highlights the similar behaviors among detected clusters, with many wallets depositing and withdrawing within similar periods. This suggests that Sybil attackers often operate in coordinated patterns to maximize their rewards. ether.fi's strategy of focusing on eETH holdings and staking activities helped reduce the prevalence of Sybil attacks. However, the patterns observed suggest that some sophisticated attackers were still able to exploit the system.

Figure 9: Multi-line Time Series of Deposits and Withdrawals by ether.fi Sybil Wallet Clusters. The start of each line represents the deposit time, and the end indicates the withdrawal time, illustrating the coordinated activities of Sybil attackers. Source: Python script.

In response to these challenges, the ether.fi team partnered with Chaos Labs to implement additional Sybil filtering measures. This collaboration aimed to refine the detection process and ensure that genuine users were accurately distinguished from Sybil attackers. The advanced detection techniques and comprehensive data analysis from this partnership have led to the identification of larger Sybil clusters, providing a deeper understanding of the extent of Sybil activity in the airdrop.

4.3 Combined Analysis of LayerZero and ether.fi

The combined analysis of LayerZero and ether.fi airdrops provides a comprehensive view of user behavior and Sybil activity across both platforms.

User activity spiked significantly during the launch of the platforms and again around the time the airdrop was announced or suspected (see Figure 10 and 11). This trend is evident from the increased number of daily active wallets and the volume of transactions. These spikes in activity indicate heightened interest and participation driven by the potential for airdrop rewards. However, it also underscores the need for robust detection mechanisms to filter out non-genuine participants during these high-activity periods.

Figure 10: Daily LayerZero User Activity and Average Transactions and Volume Bridged. This chart displays user activity from the inception of LayerZero until the airdrop snapshot. Source: FlipsideCrypto. "Airdrop Farmers: LayerZero and ether.fi cases." FlipsideCrypto.

Figure 11: Daily ether.fi User Activity and Average Transactions and Volume Bridged. This chart illustrates user activity from the inception of ether.fi until the airdrop snapshot. Source: FlipsideCrypto. "Airdrop Farmers: LayerZero and ether.fi cases." FlipsideCrypto.

Approximately 46,500 wallets participated in both airdrops, with 454 of these identified as Sybil wallets, representing about 0.9% of the total participants. Notably, 29% of the ether.fi Sybil wallets are also present in the list of participants for both airdrops. This significant overlap indicates that Sybil attackers frequently target multiple airdrops to maximize their gains. The recurring nature of these attacks underscores the need for continuous monitoring and robust detection mechanisms to mitigate the impact of such fraudulent activities.

After conducting a comprehensive analysis to determine the robustness of the clusters and filter out false positives, a Silhouette Score of 0.462 was obtained. This score indicates that the clusters are relatively well-defined, meaning that most points are closer to their own clusters compared to other clusters. However, there is still some degree of overlap or ambiguity between clusters. This suggests that while the clustering results are fairly robust, there is room for improvement in distinguishing between clusters. More data and refined techniques could enhance the clarity and separation of these clusters, leading to a more precise analysis.

The behavioral analysis, illustrated by the PCA analysis chart (see Figure 12), provides insights into the activity patterns of clusters that participated in both airdrops. Each dot in the chart represents a cluster, with its position indicating relative differences based on transaction count, volume bridged, ETH deposited, and the number of wallets. Larger dots signify clusters with more wallets. Most clusters exhibit similar farming behaviors, with only a few clusters well-separated, indicating distinct behavioral patterns. This indicates that while there is a common behavior among most Sybil attackers, some exhibit unique patterns that distinguish them from the majority.

Figure 12: PCA Analysis of Sybil Wallet Clusters Participating in Both LayerZero and ether.fi Airdrops. The behavioral analysis, illustrated by the PCA analysis chart, provides insights into the activity patterns of clusters that participated in both airdrops. Each dot in the chart represents a cluster, with its position indicating relative differences based on transaction count, volume bridged, ETH deposited, and the number of wallets. This visualization helps to identify similarities and distinctions in the behavior of Sybil attackers across both airdrop campaigns. Source: Python script.

The analysis reveals that despite the lower overall number of Sybil wallets in ether.fi, a significant portion of these wallets also farmed LayerZero. Specifically, 29% of the identified Sybil wallets in ether.fi were also active in LayerZero, highlighting the recurring nature of these farming activities and the necessity for continuous monitoring and improvement of detection strategies to mitigate Sybil attacks effectively.

The study also found that 0.9% of the total users participating in both airdrops were identified as Sybil wallets. This statistic underscores the importance of recognizing that Sybil attackers often target multiple airdrops to maximize their gains, emphasizing the need for comprehensive and interconnected monitoring systems across different projects.

By analyzing user behavior and identifying recurring Sybil activity, this study provides valuable insights for future airdrop campaigns. The significant overlap of Sybil wallets between ether.fi and LayerZero underscores the importance of robust and adaptive detection mechanisms to maintain the integrity of token distributions. This cross-platform Sybil activity indicates that attackers often target multiple airdrops to maximize their gains, emphasizing the need for comprehensive and interconnected monitoring systems across different projects.

All information and analysis can be found on this FlipsideCrypto dashboard, which includes the list of all Sybil wallets for LayerZero, ether.fi, and both airdrops, as well as the clusters detected in each case.

5. Discussion

The analysis of LayerZero and ether.fi airdrops reveals distinct patterns of Sybil activities:

- LayerZero experienced a higher rate of Sybil wallet participation, with significant clustering indicating coordinated efforts.

- ether.fi had a lower incidence of Sybil wallets, but still showed notable clustering of similar behaviors.

- Combined Analysis highlighted recurring patterns among wallets participating in both airdrops, suggesting systematic farming strategies.

By visualizing these behaviors through Sankey diagrams, multi-line time series charts, and PCA analysis, we can better understand and detect Sybil activities, helping to improve future airdrop designs and detection methodologies.

5.1 Mitigation Strategies

5.1.1 Best Practices for Projects to Prevent Sybil Attacks

Airdrop projects should adopt robust strategies to prevent Sybil attacks and ensure effective token distribution. One key approach is to set effective eligibility criteria. These criteria are not just about filtering participants but about aligning incentives to attract the right users and foster meaningful engagement. Effective eligibility criteria help build a thriving community, ensuring each token distributed contributes to the project’s growth and ecosystem health [6-7, 26-28].

Additionally, integrating airdrops into the overall tokenomics strategy with clear, actionable goals can create a strong foundation for growth. For a detailed exploration of how to effectively incorporate airdrops into tokenomics, you can refer to our comprehensive three-part series on tokenomics. Tools like our Airdrop Assist can empower teams to analyze data-driven insights and optimize their campaigns. Continuous iteration based on empirical data is essential for improving airdrop strategies [6].

Airdrops face several challenges that can undermine their effectiveness:

  1. Farming: Users creating multiple wallets or engaging in other manipulative behaviors to maximize their airdrop rewards pose a significant challenge. This practice makes it difficult for projects to execute an equitable distribution that rewards genuine users, partners, VCs, and the team for their contributions simultaneously. Excessive farming leads to a skewed token distribution and undermines the project’s goals [7].
  2. Participant Quality: Attracting genuine participants who will add value to the project rather than just selling the tokens immediately can be difficult. This issue can dilute the intended community and reduce long-term engagement [27].
  3. Effective Distribution: Ensuring a lower Fully Diluted Valuation (FDV) instead of a high FDV can help avoid high sell pressure post-airdrop. This approach ensures that the token distribution remains stable and encourages long-term holding rather than immediate sell-offs [28-32].
  4. Dilution of Value: Excessive token distribution to a few entities can dilute the token's value, negatively impacting genuine participants. This dilution occurs because a disproportionate share of tokens ends up with a few actors, reducing the overall scarcity and perceived value of the token [1].
  5. Reduced Engagement and Community Trust: If tokens are farmed and sold quickly, the intended community engagement and loyalty are diminished. When participants realize that airdrops are being exploited, it can lead to a loss of trust and interest in the project [22,24].
  6. Inaccurate Distribution Metrics: Sybil attacks can distort the metrics projects rely on to gauge the success and reach of their airdrop campaigns. This distortion can lead to misguided strategic decisions based on flawed data [3].
  7. Inefficiency in Reward Distribution: When a significant portion of the airdropped tokens goes to Sybil attackers, the primary goal of rewarding genuine supporters and early adopters is compromised. This inefficiency undermines the project’s ability to build a dedicated community [2].

By addressing these challenges and adopting best practices, projects can better safeguard their airdrop campaigns, ensuring an equitable and effective token distribution. This multi-faceted approach, combining technological, procedural, and community-driven efforts, is essential for maintaining the integrity and success of airdrop initiatives.

5.1.2 Community and Technical Measures

Community involvement plays a crucial role in preventing Sybil attacks. Projects can leverage the community to monitor and report suspicious activities, providing an additional layer of defense. Incentivizing community members through rewards for reporting potential Sybil behaviors can enhance vigilance and participation. This decentralized approach aligns with the ethos of the cryptocurrency space, promoting collective responsibility and engagement in maintaining the integrity of airdrop processes [26].

The primary challenge of Sybil attacks is fundamentally a technical problem that requires robust technical solutions. Several existing legal frameworks already cover most aspects of Sybil attacks and airdrop farming, such as fraud, market manipulation, identity fraud, securities fraud, and unfair competition. Therefore, the focus should be on developing and implementing effective technical measures rather than creating additional regulations [33].

Technical solutions include:

  1. Advanced Algorithms and Machine Learning: Utilizing machine learning models to analyze transaction patterns, detect anomalies, and predict potential Sybil attacks. These models can adapt and improve over time, becoming more effective at identifying fraudulent behaviors.
  2. Proof of Participation Mechanisms: Implementing systems that require participants to prove active and genuine engagement with the project. This can include holding tokens for a certain period, participating in governance, or contributing to the community in meaningful ways [34].
  3. Network Analysis: Conducting detailed network analysis to identify clusters of suspicious activities and interlinked addresses. This helps in pinpointing coordinated efforts to manipulate airdrops and enables the exclusion of these entities from the distribution process [25].
  4. Behavioral Analysis: Monitoring for specific behaviors indicative of Sybil attacks, such as frequent wallet creation, repetitive actions, or coordinated token transfers. By recognizing these patterns, projects can filter out non-genuine participants more effectively [35].

By combining these technical measures with active community involvement, projects can create a robust defense against Sybil attacks, ensuring a fair and equitable token distribution process. This integrated approach leverages both technological advancements and the collective vigilance of the community to maintain the integrity of airdrop campaigns. For crypto to be truly decentralized, it needs decentralized solutions that can be integrated across various platforms. Decentralized Identity (DiD) systems and anti-Sybil specific projects are pivotal in this regard. For instance, solutions like BrightID and Idena focus on creating unique digital identities to prevent Sybil attacks. These projects utilize decentralized and community-driven verification processes to ensure that each participant is unique, thereby enhancing the security and fairness of token distributions in a decentralized ecosystem.

5.1.3 Future Trends in Airdrop Security

The future of airdrop security lies in the continuous improvement of detection methodologies and the adoption of advanced technologies. Machine learning and AI are pivotal in this evolution, as they can analyze patterns and detect anomalies indicative of Sybil attacks. These technologies can help identify and mitigate fraudulent behaviors more effectively, enhancing the integrity of airdrop distributions [6,36].

Moreover, the design space for airdrops is ripe for innovation. Crypto developers have immense opportunities to create new, secure ways to distribute tokens. By balancing ambition with practicality and iterating based on empirical data, projects can improve their chances of making a lasting impact [6]. Innovations in smart contract design, dynamic eligibility criteria, and real-time monitoring can significantly enhance security measures and reduce the incidence of Sybil attacks.

In conclusion, addressing Sybil attacks in airdrops requires a comprehensive approach. While it is challenging to completely prevent Sybil attacks, projects can significantly reduce their occurrence through effective eligibility criteria, community engagement, and continuous innovation in detection technologies. This multifaceted strategy ensures more secure and equitable token distributions, fostering a healthier and more trustworthy cryptocurrency ecosystem.

5.1.4 Addressing False Positives in Sybil Detection

False positives in Sybil detection can undermine the credibility of airdrop distributions and adversely affect genuine participants. False positives occur when legitimate users are incorrectly identified as Sybil attackers. This misidentification can have several negative consequences:

  1. Erosion of Trust: When real, engaged users are wrongly flagged as Sybil attackers and excluded from airdrops, it erodes trust in the project. Users may feel unfairly treated and lose confidence in the project's integrity and fairness.
  2. Loss of Engagement: Genuine participants who are mistakenly identified as Sybil attackers may become disillusioned and disengage from the project. This loss of engagement can lead to a decline in community support and participation, which are crucial for the project's growth and success.
  3. Negative Publicity: False positives can generate negative publicity and damage the project's reputation. This negative perception can be difficult to reverse and can deter new users from joining the community.
  4. Regulatory Implications: Incorrectly confiscating or excluding funds from legitimate users can have serious legal ramifications. Projects must operate under the principle of "innocent until proven guilty," ensuring that funds are not unjustly withheld without sufficient evidence. Regulatory frameworks in many jurisdictions protect individuals from having their assets unfairly seized or withheld, making it imperative for projects to adopt rigorous and fair detection methodologies to avoid potential legal issues.

To minimize false positives and ensure accurate detection, several strategies can be employed:

  1. Refinement of Detection Algorithms: Continuously improving and refining detection algorithms can help reduce the occurrence of false positives. This involves regularly updating the algorithms based on new data and evolving attack strategies.
  2. Multiple Verification Methods: Validating suspicious activities through multiple verification methods can enhance the accuracy of detection. Cross-referencing different data points and using diverse analytical approaches can help confirm whether an activity is genuinely suspicious.
  3. Collaboration with Security Experts: Engaging with security experts and leveraging their expertise can provide additional insights and techniques for accurate detection. These experts can help identify potential weaknesses in the detection system and suggest improvements.
  4. Leveraging Diverse Data Sources: Utilizing various data sources for cross-verification can help ensure that decisions are based on comprehensive information. This approach reduces the likelihood of false positives by providing a more complete picture of user behavior.

By implementing these strategies, projects can significantly reduce the incidence of false positives, ensuring that legitimate users are not unfairly excluded from airdrops. This approach not only maintains the integrity of the airdrop process but also fosters trust and engagement within the community.

5.1.5 Clarification on Sybil Percentages

The Sybil percentages presented in this report may seem low compared to industry expectations. This discrepancy highlights the need to clarify the distinction between users and wallets. Our analysis focuses on wallets, not individual users, which may account for the lower percentages. Each wallet is treated as a separate entity, and it is possible for a single user to control multiple wallets, thereby influencing the overall count.

It is also important to note that our analysis focuses on detecting a specific subset of Sybil behaviors characterized by patterns such as similar transaction volumes and timing. This means that other Sybil strategies, such as using the same platforms or different behavioral patterns, might not have been fully captured in this study. Future research incorporating these additional dimensions could potentially reveal higher percentages of Sybil activity.
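The sketch below is an added example, not the report's own methodology or code. It links two wallets only when two independent signals agree (overlapping activity hours and near-identical total volume), then reports flagged wallets separately from the number of clusters, which approximates the number of operators behind them. The wallet data, thresholds and function names are constructed assumptions.

```python
from itertools import combinations

# Constructed sample data: wallet -> (active hour buckets, total volume in USD)
WALLETS = {
    "0xA1": ({100, 101, 130, 131}, 250.00),
    "0xA2": ({100, 101, 130, 131}, 251.10),
    "0xA3": ({100, 101, 130, 131, 132}, 249.40),
    "0xB1": ({400, 455, 456}, 1200.00),
    "0xB2": ({400, 455, 456}, 1195.00),
    "0xC1": ({100, 101, 130, 131}, 4810.00),  # same busy hours, very different volume
    "0xD1": ({220, 300, 512}, 250.50),        # similar volume, unrelated timing
}

def timing_similar(a, b, min_jaccard=0.6):
    """Signal 1: Jaccard overlap of the hours in which both wallets were active."""
    return len(a & b) / len(a | b) >= min_jaccard

def volume_similar(x, y, max_rel_diff=0.02):
    """Signal 2: total volumes within max_rel_diff (assumed 2%) of each other."""
    return abs(x - y) / max(x, y) <= max_rel_diff

def find_clusters(wallets, required_signals=2, min_size=2):
    """Link wallets when enough signals agree; return connected components."""
    parent = {w: w for w in wallets}
    def root(w):
        while parent[w] != w:
            parent[w] = parent[parent[w]]  # path halving
            w = parent[w]
        return w
    for u, v in combinations(sorted(wallets), 2):
        (tu, vu), (tv, vv) = wallets[u], wallets[v]
        if timing_similar(tu, tv) + volume_similar(vu, vv) >= required_signals:
            parent[root(u)] = root(v)
    groups = {}
    for w in wallets:
        groups.setdefault(root(w), []).append(w)
    return sorted(sorted(g) for g in groups.values() if len(g) >= min_size)

def summarize(wallets, required_signals):
    """Report per-wallet and per-cluster counts for one linking policy."""
    clusters = find_clusters(wallets, required_signals)
    flagged = sum(len(c) for c in clusters)
    return {"clusters": clusters, "flagged_wallets": flagged,
            "likely_operators": len(clusters),
            "wallet_pct": round(100 * flagged / len(wallets), 1)}

if __name__ == "__main__":
    print(summarize(WALLETS, required_signals=1))  # either signal alone: over-flags
    print(summarize(WALLETS, required_signals=2))  # both signals must agree
```

With a single signal, 0xC1 and 0xD1 are pulled into the first cluster; requiring both signals leaves them unflagged while the two coordinated groups remain.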

6. Conclusion

6.1 Recap of Key Points

This report has comprehensively analyzed Sybil airdrop hunters in the context of LayerZero and ether.fi airdrops, highlighting their impact and the mechanisms used to detect and mitigate their activities.

LayerZero Airdrop: LayerZero had a higher initial number of Sybil wallets. However, stringent post-detection filtering ensured a more equitable distribution. The presence of many Sybil accounts doesn't necessarily indicate whether a protocol is good or bad. What matters is how the protocol addresses and filters out these Sybil accounts. Effective measures taken by the LayerZero team ensured that legitimate users primarily benefited from the airdrop, highlighting the importance of robust filtering mechanisms in maintaining the integrity and fairness of airdrop distributions.

ether.fi Airdrop: ether.fi demonstrated lower Sybil activity, with effective strategies to deter Sybil attacks. ether.fi's focus on eETH holdings and staking activities reduced the prevalence of Sybil attacks. However, the presence of sophisticated attackers indicates a need for continuous improvement in detection mechanisms. Additionally, ether.fi implemented a points system to further mitigate Sybil activity, rewarding genuine user engagement and staking behavior.

Combined Analysis: The combined analysis highlighted recurring Sybil patterns across both airdrops, emphasizing the need for robust detection mechanisms. Despite the lower overall number of Sybil wallets in ether.fi, a significant portion of these wallets also farmed LayerZero, suggesting that Sybil attackers often target multiple airdrops to maximize their gains.

6.2 Final Thoughts

To effectively mitigate Sybil attacks in airdrop campaigns, projects should adopt a multi-faceted approach that includes robust eligibility criteria, advanced detection tools, community engagement, and continuous improvement. While these strategies have potential downsides and must be balanced against user friction, they offer valuable guidelines for enhancing security. Here are specific, actionable recommendations:

  1. Strengthen Eligibility Criteria:
    1. Transaction Limits: Identify and analyze transaction limits to filter out suspicious activity. Employing statistical models to find outliers with a low P-value can help ensure that transactions fall within a typical user activity range, thereby identifying and excluding potential Sybil behaviors [28].
    2. Minimum Holding Periods: Require participants to hold tokens for a minimum period before becoming eligible for airdrops, discouraging quick buy-sell actions typical of Sybil behavior [29].
    3. Engagement Requirements: Mandate active participation in community activities, such as voting in governance proposals or contributing to forums, to qualify for airdrops. This ensures participants are genuinely invested in the project’s success.
  2. Utilize Advanced Detection Tools:
    1. Machine Learning Algorithms: Use machine learning models to analyze transaction data and identify anomalies. These models can improve over time, becoming more effective at spotting fraudulent behaviors [31].
    2. Network Analysis Tools: Tools like Nansen and Chainalysis can map and analyze relationships between wallets, identifying clusters of suspicious activity that indicate coordinated Sybil attacks.
    3. Real-time Monitoring: Implement real-time monitoring systems to continuously scan for and flag suspicious activity, allowing for prompt action.
  3. Engage the Community:
    1. Incentive Programs: Offer rewards for community members who report suspicious activities or help identify potential Sybil attackers. This can include additional tokens or exclusive access to project events [30].
    2. Community Watch Programs: Establish programs where trusted community members are given tools and training to monitor and report unusual activity effectively.
  4. Continuous Improvement and Innovation:
    1. Feedback Loops: Collect and analyze feedback from the community and participants to identify weaknesses in the airdrop process and areas for improvement.
    2. Innovative Airdrop Designs: Explore new methods of token distribution that incorporate dynamic criteria and adaptive algorithms. For example, structuring airdrops to reward long-term participation and engagement rather than one-time actions [28,29].
    3. Pilot Programs: Test new airdrop strategies in smaller pilot programs before full-scale deployment to gather data and refine the approach based on real-world results.

By carefully balancing these recommendations, projects can reduce the risk of Sybil attacks while maintaining a positive user experience. Each strategy should be adapted to the specific context and needs of the project, ensuring that security measures do not overly hinder genuine user engagement. This comprehensive approach ensures that tokens are distributed to genuine, engaged users while minimizing the risk of Sybil attacks. Combining technological advancements with active community involvement, this strategy maintains the integrity and effectiveness of airdrop campaigns.

6.3 Future Directions for Research and Development

  1. Enhanced Machine Learning Techniques: Future research into machine learning and AI can provide more sophisticated methods for detecting Sybil attacks. Developing adaptive models that can learn and adapt to new attack patterns will be crucial. These models should integrate real-time data analysis, allowing for continuous updates and improvements. Complementary problems include ensuring data quality and addressing biases in training data, which can impact the accuracy and reliability of these models [31].
  2. Blockchain Interoperability: Investigating ways to enhance interoperability between different blockchains will be vital in tracking and analyzing cross-chain Sybil activities more effectively. This involves creating standardized protocols for data sharing and transaction tracking across various blockchain networks. Improved interoperability can help in identifying patterns of fraudulent behavior that span multiple platforms, providing a more comprehensive defense against Sybil attacks [6].
  3. Improved Community Tools: Developing tools that empower the community to participate more actively in monitoring and reporting suspicious activities is essential. User-friendly interfaces and robust reward systems can significantly boost community engagement. For example, platforms can implement decentralized reporting mechanisms where users can flag suspicious activities and receive tokens or other incentives for accurate reports [30]. Enhancing the accessibility and functionality of these tools will encourage broader participation and strengthen the overall security of the ecosystem.
  4. Continuous Innovation and Iteration: Regularly iterating and improving airdrop strategies based on empirical data and community feedback is crucial. Innovation in designing and implementing airdrops can help mitigate risks and ensure more equitable token distribution. Pilot programs and testing phases can be valuable for gathering data and refining approaches before full-scale deployment. This iterative process ensures that airdrop mechanisms evolve in response to emerging threats and user behaviors [28,29].

By adopting these recommendations and focusing on continuous improvement, projects can better protect their airdrop campaigns from Sybil attacks, ensuring fairer and more effective token distributions. Emphasizing trustless solutions and leveraging the strengths of decentralized technologies will align with the core principles of the cryptocurrency space while addressing its evolving challenges.

To further bolster these efforts, ongoing research and development in detection methodologies, community engagement, and adaptive strategies are crucial. As the landscape of blockchain technology and airdrops continues to evolve, maintaining a proactive stance against Sybil attacks will be essential. Collaboration across projects and shared learning can foster a more resilient ecosystem, safeguarding the integrity and intended benefits of airdrop campaigns. Together, these measures will help build a more secure, transparent, and equitable environment for all participants in the cryptocurrency space.

7. References

  1. Investopedia. "What Is a Cryptocurrency Airdrop?" Investopedia.
  2. Cointelegraph. "What Is a Crypto Airdrop and How Does It Work?" Cointelegraph.
  3. Crypto.com. "What Is a Crypto Airdrop?" Crypto.com.
  4. Coindesk. "What Is a Crypto Airdrop?" Coindesk.
  5. Node Capital. "Airdropping Some Truths." Node Capital Research.
  6. Delphi Digital. "Do Airdrops Hurt More Than They Help?" Delphi Digital.
  7. Dune Analytics. "History of Airdrops." Dune Analytics.
  8. Coincu. "ether.fi Season 2 Airdrop Claim." Coincu.
  9. Layerdrop. "LayerDrop Official Site." Layerdrop.
  10. Cryptonomist. "The Airdrops of zkSync and LayerZero Are Behind Us: Which Other Crypto Projects to Farm?" Cryptonomist.
  11. X (formerly Twitter). "ether.fi Status Update." ether.fi on X.
  12. Flipside Crypto. "Airdropped Tokens Analysis." Flipside Crypto.
  13. LinkedIn. "Harness the Power of Uniswap (UNI) Airdrops: Your Comprehensive Guide." Luis Malave.
  14. The Defiant. "LayerZero Labs Identifies 800,000 Potential Sybil Addresses in Public List." The Defiant.
  15. Cointelegraph. "LayerZero Concludes Sybil Self-Reporting Phase." Cointelegraph.
  16. Kucoin. "Top Liquid Restaking Protocols of 2024." Kucoin.
  17. Cryptoneva. "2024 ether.fi Airdrop Guide: Insights Before You Claim Season 2 Airdrop." Medium.
  18. ETHResearch. "Trusta's AI and Machine Learning Framework for Robust Sybil Resistance in Airdrops." ETHResearch.
  19. LayerZero. "LayerZero Airdrop: All You Need to Know." Medium.
  20. Airdrops Verse. "LayerZero Airdrop Details." Airdrops Verse on X.
  21. The Cryptonomist. "Crypto airdrops: what are anti-sybil rules?" The Cryptonomist.
  22. Zheng Liu and Hongyang Zhu. "Fighting Sybils in Airdrops." 2022. doi:10.48550/arXiv.2209.04603. eprint: 2209.04603.
  23. CoinDesk. "Crypto Traders Exploit Airdrops with Sybil Attacks for Massive Profits." CoinDesk.
  24. CoinMarketCap. "Crypto Airdrop: What are Anti-sybil Rules?" CoinMarketCap.
  25. "Cryptocurrency fraud detection through classification techniques," International Journal of Electrical and Computer Engineering (IJECE), Vol. 14, No. 3, June 2024, pp. 2918-2926, DOI: 10.11591/ijece.v14i3.pp2918-2926.
  26. Nathaniel Popper. "How Decentralized Applications Can Battle Sybil Attacks." Medium.
  27. Andreas M. Antonopoulos. "Mastering Bitcoin: Unlocking Digital Cryptocurrencies." O'Reilly Media, 2014.
  28. Cryptobriefing. "Airdrop Best Practices: Ensuring Fair Distribution." CryptoBriefing.
  29. Xie, J. et al. "Sybil Attacks and Their Defenses in the Internet of Things." IEEE Internet of Things Journal, 2017.
  30. Coinbase. "Understanding Fully Diluted Valuation (FDV) in Crypto and Its Impact on Token Price." Coinbase.
  31. Medium. "Why FDV Matters in Crypto Investments." Medium.
  32. Gate.io. "What is the Fully Diluted Market Cap (FDV)?" Gate.io.
  33. Medium. "Community-Driven Approaches to Combat Sybil Attacks in Cryptocurrencies." Medium.
  34. Faster Capital. "Incentivizing Community Participation in Blockchain Security." Faster Capital.
  35. Cointelegraph. "How Blockchain is Tackling the Problem of Sybil Attacks." Cointelegraph.
  36. IEEE. "AI in Cybersecurity: Machine Learning for Security Improvements." IEEE.

We value your insights. Share them with us on @node_or and @Node_Cap.

Disclaimer

This content is for informational purposes only and should not be considered financial, legal, or any other type of professional advice. Consult with a qualified professional before making any financial decisions based on the information provided.

Disclosure of Potential Investments: Node Capital may have, directly or indirectly, through its affiliates, subsidiaries, partners, or related entities, taken positions or executed transactions in certain projects, tokens, or technologies mentioned in this content. These positions or transactions may include, but are not limited to, investments, strategic partnerships, or other forms of financial involvement.

The mention of any specific project, token, or technology should not be construed as an endorsement, recommendation, or guarantee of future performance. Readers are advised to conduct their own due diligence and research before making any investment decisions.

Node Capital's potential investments or involvements do not influence the objectivity of the information presented. However, readers should be aware of this potential conflict of interest when evaluating the content.

Past performance is not indicative of future results. Cryptocurrency and blockchain investments are subject to high market risk. Please be cautious and invest responsibly.
