Sybil Detection - MVHQ

Sybil Detection

Dec 29, 2023

Airdrop farmers, you may want to know how Sybil detection works so you don’t get disqualified from the airdrop that you are investing your time and money into. Sybil detection checks for multiple wallets that were created by an individual for the purpose of earning more airdropped tokens.


Below are findings from Trusta, the company that Gitcoin used for their passport and that has a site to check wallet score (incl. Sybil detection) for zkSync, Linea, Starknet, Base, Scroll, and Manta: 


The following is how Sybil detection works and how we can intelligently use this info.



Trusta’s AI-ML Sybil detection looks at:

I) Asset transfer relationships – token transfers between addresses and the first gas provision to an address.


II) Account behavior – interacting with the same contracts/methods with comparable timing and amounts. Variables considered include first and latest transaction dates, smart contracts interacted with, interaction amount, frequency, and volume.


Guidelines if you are farming

  • Don’t fund your wallets from a single external address. E.g. if you use a CEX, make sure you can generate a different send address for every send.
  • Space out the timing of the first txs among wallets, as well as the timing of new txs.
  • Try to vary: how often you interact with certain wallets, the amount sent per tx among wallets, and the smart contracts used across wallets.


How Sybil Detection Works


Previous airdrops had:

i) No Sybil resistance (e.g. Uniswap, ENS),

ii) Community reporting (Safe, Optimism), or

iii) An AI-ML algorithm (e.g. Arbitrum).


Trusta is advancing the AI-ML approach with a 2-phase framework to identify Sybil communities using clustering algorithms (see bold text for key factors):

Asset transfer graphs

Phase 1 analyzes asset transfer graphs (ATGs) with community detection algorithms like Louvain and K-Core to detect densely connected and suspicious Sybil groups.


  • General transfer graph - edges for any token transfer between addresses
  • Gas provision network - edges show the first gas provision to an address. Initial gas transfer activates new externally owned accounts (EOAs), forming a sparse graph structure ideal for analysis. It also represents a strong relationship as new accounts depend on their gas provider
  • Known attack patterns (see image)
    • The star-like divergence attacks: Addresses funded by the same source
    • The star-like convergence attacks: Addresses sending funds to the same target
    • The tree-structured attacks: Funds distributed in a tree topology
    • The chain-like attacks: Sequential fund transfers from one address to the next in a chain topology.
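The gas provision network and three of the patterns above can be reproduced from a plain transfer list. The following is an added example from an analyst's point of view, not Trusta's code: it groups addresses by funding root (a simpler stand-in for Louvain or K-Core) and labels each group's topology. The function names, the `SERVICES` allowlist, the `min_size` threshold and the sample transfers are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: (timestamp, sender, receiver, amount). Not real addresses.
TRANSFERS = [
    (100, "cex", "a1", 0.5),
    (101, "a1", "b1", 0.01), (102, "a1", "b2", 0.01),
    (103, "a1", "b3", 0.01), (104, "a1", "b4", 0.01),   # one source funds many
    (110, "c1", "c2", 0.04), (111, "c2", "c3", 0.03),
    (112, "c3", "c4", 0.02),                            # funds passed hop by hop
    (120, "t0", "t1", 0.1), (121, "t0", "t2", 0.1),
    (122, "t1", "t3", 0.04), (123, "t1", "t4", 0.04),   # two-level distribution
    (130, "b1", "c4", 0.001),                           # later transfer, not first gas
    (140, "cex", "u1", 0.2), (141, "cex", "u2", 0.3),   # ordinary exchange withdrawals
]
SERVICES = {"cex"}  # assumed allowlist of shared service wallets (exchanges, bridges)

def gas_provision_graph(transfers, services):
    """Map each address to the sender of its first inbound transfer."""
    first = {}
    for _, src, dst, _ in sorted(transfers):
        first.setdefault(dst, src)  # only the earliest inbound transfer counts
    return {dst: src for dst, src in first.items() if src not in services}

def root(addr, funder):
    """Follow first-funder edges back to the address that started the group."""
    seen = set()
    while addr in funder and addr not in seen:  # 'seen' stops on a funding cycle
        seen.add(addr)
        addr = funder[addr]
    return addr

def classify(funder, min_size=4):
    """Group addresses by funding root and label each group's topology."""
    groups, children = defaultdict(set), defaultdict(set)
    for dst, src in funder.items():
        groups[root(dst, funder)].add(dst)
        children[src].add(dst)
    report = {}
    for r, funded in groups.items():
        members = funded | {r}
        if len(members) < min_size:
            continue  # too small to call a community
        if max(len(children.get(m, ())) for m in members) <= 1:
            shape = "chain-like"
        elif children[r] == funded:
            shape = "star-like divergence"
        else:
            shape = "tree-structured"
        report[r] = (shape, sorted(members))
    return report
```

Calling `classify(gas_provision_graph(TRANSFERS, set()))` without the allowlist merges the exchange's unrelated customers into one group rooted at `cex`, which is the kind of false positive that Phase 2 is meant to screen out.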



Account behavior similarities

Phase 2 computes user profiles and activities for each address. K-means refines clusters by screening dissimilar addresses to reduce false positives from Phase 1.

  • Transaction logs reveal address activity patterns. Sybils may exhibit similarities like interacting with the same contracts/methods, with comparable timing and amounts. Two variable types:
    • Transactional variables: These variables are derived directly from on-chain actions and include information such as the first and latest transaction dates and the protocols or smart contracts interacted with.
    • Profile variables: These variables provide aggregated statistics on behaviors such as interaction amount, frequency, and volume.


[Figures: StarLike Asset Transfer Graph, ChainLike Asset Transfer Graph, TreeLike Asset Transfer Graph]



As always, NFA and DYOR. Please share your comments and discussion in the Crypto Airdrop Farming channel in MVHQ!