"Arbitrum Airdrop Sybil Loophole": Proposed Measures to Address the Issue for the StarkNet Project

In response to the Sybil vulnerability in the Arbitrum airdrop, the StarkNet project can take the following measures:

  1. Review Sybil detection rules: StarkNet needs to review its existing Sybil detection rules, especially those that exclude cross-chain bridges, centralized exchanges, and smart contracts. It could consider introducing more data sources and algorithms to improve detection accuracy, including data from other Ethereum layer-2 solutions.

  2. Strengthen community supervision: StarkNet needs to strengthen community supervision to monitor and identify potential Sybil addresses and communities. It could consider establishing a community reward mechanism to encourage active participation in monitoring and identification, as well as enhancing community communication and interaction.

  3. Improve user education: StarkNet needs to improve user education to help users better understand Sybil attacks and how to prevent them. It could use mediums like publishing articles, organizing online events, etc., to promote and educate.

  4. Enhance network security: StarkNet needs to strengthen the security of the entire network, including preventing DDoS attacks, improving firewall and cryptographic security, etc. It could consider introducing more security mechanisms and technologies to protect network security.

In conclusion, StarkNet needs to take a series of measures to address the Sybil vulnerability and protect network security and community interests. This requires the joint efforts of community members and enhanced cooperation and coordination.


Thank you for bringing this up. I wonder how you think Starknet should be detecting Sybil attacks for the possible airdrop. Do you have any proposals?

I believe the network shouldn’t be invasive when it comes to offering identity solutions (KYC), as it is a bad precedent for inclusion. There are many human beings who don’t have government-issued identification, and that doesn’t make them less human.


If there is any proposal of a token airdrop to users, it should be discussed extensively. Obviously, 95% of the accounts are not normal users.


I agree, here are some examples of what is done elsewhere:


Sybil detection is a good method, and let’s be a little cautious, as we do not want the real users to be killed by friendly fire.


Including CEXs and cross-chain bridges can be a bit messy because there are inter-transactions between users from different parts of the world. So it is obvious that a user may send funds to a different wallet for a thousand reasons.


That is a good topic. In regards to Sybil, my suggestion is that we can refer to the method of AP or ARB, and try to keep everything transparent.


I think KYC should be used as a means of eliminating fraud.


Honestly speaking, it’s very difficult to resolve these issues; anyway, we can do something for sure.
In terms of detecting Sybil attacks for the possible airdrop, Starknet could use various techniques such as IP address analysis, user behavior analysis, machine learning algorithms, among others. Additionally, community members could report any suspicious activity to help Starknet detect Sybil attacks more effectively.


Sybil detection is a must. The first link you provided is great. Is anyone in the Starknet ecosystem working on a similar solution? Who can we contact to make it happen?

Sybil protection and Sybil sinks (check Airdrop farmers) could push us in the right direction.


We started something during the Tel-Aviv hackathon (sybil-shield), but we ran out of money until May. The main pain point is collecting all the data we need (and time to work on this topic).


While community involvement and supervision can be helpful, it may not be the most reliable solution. Relying on the community to identify potential Sybil addresses and communities could be problematic as it can be difficult to differentiate between actual users and fake ones, leading to false positives and negatives. Additionally, it may be challenging to incentivize community members to participate in monitoring and identification activities.


It will be impossible to weed out Sybil attackers completely, there will always be edge cases, but the main goal should be to incentivise a ‘strong on-chain’ profile over one or a small number of addresses, vs a ‘weak on-chain’ profile over many.

This is implicit incentivisation and can only be achieved by projects going this route; unfortunately I think ARB has emboldened sybiloors.

I have a friend who claimed DYDX on 50 addresses and sold it all for 500k or so; the same friend just claimed ARB on 100. Currently farming the hell out of Argent wallet, but liquidity there can’t be more than $100 on average on each of these farming wallets.

I was mistaken in my assumption that the optimal strategy would be a ‘strong on-chain’ profile on one or few addresses; it turned out my friend was right to sybil (from a pure profit standpoint).
Optimism did this best, with the scaling factor; this made the optimal strategy to have a strong on-chain profile.

Projects should consider:

Volume: unfortunately, the more liquidity/volume per address, the more likely it belongs to an individual; there are limits to spreading capital.
e.g. my friend with <$100 on separate Argent wallets.
Large players with large pools of capital can do this, but then things such as patterns can possibly be used to identify them.

KYC: this is a touchy subject, but it’s probably the best way to curb sybils.

e.g. Anima: proof of personhood, or KYC without the need for projects or counterparts to hold any identifying information themselves.

Not an expert on Anima, just saying it’s worth exploring similar ideas.

Sybil bounties: this is great, as you outsource the Sybil-hunting task to the community with an incentive at basically zero cost.

e.g. Hop Protocol: some have complained about HOP’s method, but there was a review process and it can be viewed on their repo; many reports were invalidated, while reports with clear identification were accepted.

Other meaningful activity: such as governance voting, which requires some attention, and public goods funding (Gitcoin donations);
even if ‘gamed’ for inclusion in airdrops, it has created an environment where more public goods are funded.

These activities make it more likely that a person is behind them than just regular transactions do.

I also think a criterion that is useful to add is ‘beacon chain depositors’.

After filtering out the obvious centralized entities, anyone in this list has meaningfully contributed to Ethereum’s security and is ecosystem aligned in a way that is hard to sybil.

NOTE: this isn’t to neglect users, it’s to ‘include’ a set of specific actors likely to support node operations; it’s a targeted distribution, one that especially makes sense for zk-based L2s.
I go into more detail in my forum post here: [DRAFT] [Airdrop: Proposal] Ethereum Validators
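A worked illustration of the point made above about ‘strong on-chain’ profiles (added here; not code from the original thread or from any project). It compares two constructed allocation rules, a cap-style one and a floor-plus-tiers one whose payout per dollar rises with profile strength, and computes how many wallets someone with a fixed pot of capital would optimally split it across under each. The rules, tiers and dollar amounts are all assumptions.

```python
# Added illustration: how the shape of an airdrop allocation rule decides
# whether splitting capital across many wallets pays. All numbers are
# constructed assumptions, not any project's real formula.

def capped_alloc(volume: float) -> float:
    """Hypothetical cap-style rule: a flat grant plus a pro-rata part that
    is capped, so payout per dollar falls as the wallet gets stronger."""
    if volume < 100.0:          # eligibility floor
        return 0.0
    return 5.0 + min(volume, 1000.0) / 100.0


def tiered_alloc(volume: float) -> float:
    """Hypothetical scaling-factor rule: an eligibility floor, then tiers
    in which payout per dollar grows with the strength of the profile."""
    if volume < 500.0:          # below the floor: nothing
        return 0.0
    if volume >= 10_000.0:      # 5.0 cents per dollar
        return 500.0
    if volume >= 1_000.0:       # 4.0 cents per dollar
        return 40.0
    return 10.0                 # 2.0 cents per dollar


def total_payout(rule, capital: float, n_wallets: int) -> float:
    """Total tokens received when `capital` is spread evenly over n wallets."""
    per_wallet = capital / n_wallets
    return n_wallets * rule(per_wallet)


def best_split(rule, capital: float, max_wallets: int):
    """Return (n, payout) for the wallet count that maximises the payout;
    n == 1 means the rule rewards consolidating into one strong profile."""
    best_n, best_pay = 1, total_payout(rule, capital, 1)
    for n in range(2, max_wallets + 1):
        pay = total_payout(rule, capital, n)
        if pay > best_pay:
            best_n, best_pay = n, pay
    return best_n, best_pay


def rewards_consolidation(rule, capital: float, max_wallets: int) -> bool:
    """True when no split beats keeping all capital in a single wallet."""
    return best_split(rule, capital, max_wallets)[0] == 1


if __name__ == "__main__":
    for name, rule in (("capped", capped_alloc), ("tiered", tiered_alloc)):
        print(name, best_split(rule, 10_000.0, 200))
```

With a $10k pot the capped rule pays most at 100 wallets of $100 each, while the tiered rule pays most with everything in one wallet; the deciding property is whether payout per dollar rises or falls as a wallet gets stronger.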


This is a must-read for how ARB was Sybil attacked, with some methodology for identification:


In my humble opinion as a Venezuelan who doesn’t believe in nation states, KYC should be a no-go. KYC discriminates against those who come from authoritarian governments.


Totally agree on 1. and 3. For item 1, the best way is to prohibit or constrain IPs, which will increase those hunters’ cost. Imagine that those hunters will leave this ecosystem immediately once they get their token, unlike the real users. On the other hand, it also dilutes the rewards for those real users, which may potentially damage the community.

For item 3, education of users will bring positive thinking, not just an airdrop. It could effectively improve the consensus on Starknet.

Please do discuss and consider it!

Added the article regarding Sybil attack analysis on $ARB:

Incentivisation of on-chain profile is a very good idea, as any form of KYC would go against the tenets of decentralisation and anonymity. I know "starknet id" already incorporated this on-chain verification of social identities (Twitter, Discord, and GitHub) for their users.
In addition, genuine users could get punished if other extreme measures are used. I have on one or two occasions sent funds to friends on Starknet; I shouldn’t get punished for that.
The Gitcoin Passport should be the ultimate point with regard to identity validity.
In summary, some form of weeding out is welcome; however, attestation of identity on chain should take precedence and be incentivised. :smiling_face:

An immature idea.
Phase 1: set a criterion for the minimum amount of funds in the wallet. This will screen out most of the airdrop farmers’ accounts.
Phase 2: set a second screening process for those that got screened out during Phase 1. If they have legit on-chain activities, they should still be worthy of the airdrop.
PS: I wouldn’t vote for KYC. You can easily fake that these days. It has become an industry in some countries.

But if KYC is implemented, it will no longer be decentralized. I think there should be more conditions to verify that it’s a loyal user.

One question on this: should we publish the rule beforehand or after airdrop? Any preferred options? My suggestion is to publish it beforehand.