On March 23rd, 2023, Arbitrum launched an airdrop of $ARB. As the governance token on Arbitrum One, owning $ARB makes you a member of the Arbitrum DAO and allows you to participate in Arbitrum’s on-chain governance.
From the airdrop distribution criteria announced by Arbitrum officials [1], we can see that Offchain Labs and Arbitrum Foundation have made good preparations for this airdrop. Compared to other airdrops, Arbitrum has made several improvements, especially in the innovative use of graph-based clustering algorithms for sybil detection. Highlights of this airdrop include:
- A significant amount of tokens were airdropped to Dapps with community-controlled treasuries, to incentivize the communities built on Arbitrum.
- The airdrop point system was designed based on comprehensive on-chain behaviors. Time span, transaction volume, and number of transactions were taken into consideration.
- Undesirable on-chain behaviors were defined, and a deduction rule was deployed to avoid bots and sybils.
- Using the Louvain community detection algorithm, large and medium-sized sybil groups were identified and removed from the airdrop list.
We are especially impressed that Arbitrum’s data scientists excluded hot addresses such as CEX and cross-chain bridges and avoided small groups of addresses (<20 EOAs) when runnig the sybil detection algorithm. These steps greatly reduced false positives, which had also been validated in Trusta Labs’ Gitcoin Hackathon work [2].
Trusta Labs, a professional solution team for on-chain airdrops and the champion of the first Gitcoin Sybil Slayer Hackathon, released the first standardized sybil score product TrustScan in January this year. Since the end of last year, Trusta Labs has been focusing on airdrop opportunities for various L2 solutions and has conducted forward-looking sybil analysis based on TrustScan for EVM-compatible EOA addresses.
Can Arbitrum do better?
Arbitrum made an effort to balance avoiding false positives and detecting sybils in its airdrop. Trusta Labs analyzed and tracked user transfer behavior within three days after the airdrop, including claiming tokens, aggregating tokens, dumping them for profit. A number of suspicious addresses were identified and potential improvements could be made by Arbitrum’s sybil detection.
As shown in this figure, right before the Airdrop Claim opened on March 23, 2023, suspicious addresses promptly claimed $ARB and quickly cashed out. Their actions are as follows:
- Claim $ARB from Arbitrum Foundation: ARB Token Contract 0x912ce59144191c1204e64559fe8253a0e49e6548 as soon as possible.
- Quickly aggregate $ARB obtained from dozens to hundreds of addresses to a target address.
- Transfer the $ARB of the target address to the exchange address (Binance Hot Wallet).
- (Speculated) Profit from trading within CEX.
Through standard definition of sybil behaviors, Trusta Labs discovered 96,755 sybil addresses in Arbitrum’s eligible airdrop list, gaining a total profit of an astonishing 164,153,951 $ARB.
TrustScan, making airdrops more accurate
This figure shows how TrustScan can provide systematic and proactive weapons before you make an airdrop plan, including:
- Chainlike network attack (in-depth mining of funding networks);
- Starlike network attack (in-depth mining of funding networks);
- Bulk operation attack (single behavior analysis);
- Similar behavior sequence attack (behavior sequence analysis).
In the subsequent analysis, we will show typical cases to illustrate the effectiveness of the above models in defending against 96,755 sybil addresses that have already profited from airdrops.
No.1: chainlike network
TrustScan has analyzed the funding network of the target address 0x15e42a3448609f4dd684af8fe94563ac7c3a7502 based on Ethereum mainnet data from October 13th, 2021.
- (Figure 1) The address has been found to be part of a typical chainlike sybil group.
(https://www.trustalabs.ai/trustscan/reports/0x15e42a3448609f4dd684af8fe94563ac7c3a7502?chainId=1)
2. (Figure 2) In the Arbitrum airdrop, the target address transferred the claimed $ARB to an aggregation address 0x023 — .
3. (Figure 3) 0x023 — received a total of 437,500 $ARB from 425 airdropped addresses, and eventually transferred all the $ARB to other addresses in multiple transactions.
No.2: starlike network
TrustScan has analyzed the funding network of the target address 0x0d917a622ed9a5773e52ccb1fac82a75a8a6d9d9 based on Ethereum mainnet data from July 17th, 2022 and June 26th, 2022.
- (Figure 1) The address has been found to be part of a typical starlike sybil group.
(https://www.trustalabs.ai/trustscan/reports/0x0d917a622ed9a5773e52ccb1fac82a75a8a6d9d9?chainId=1)
2. (Figure 2) In the Arbitrum airdrop, the target address transferred the claimed $ARB to an aggregation address 0xe1a —
3. (Figure 3) 0xe1a — received a total of 401,000 $ARB from 222 airdropped addresses, and eventually transferred all the $ARB to other addresses in multiple transactions.
No.3: bulk operation
TrustScan has analyzed the funding network of the target address 0xab95b349b94afc3c3ba8511b23001c8cd46d9301 based on Ethereum mainnet data from October 18th, 2022 and October 19th, 2022.
- (Figure 1) The address has been found to be part of a typical bulk operation sybil group.
(https://www.trustalabs.ai/trustscan/reports/0xab95b349b94afc3c3ba8511b23001c8cd46d9301?chainId=1)
2. (Figure 2) In the Arbitrum airdrop, the target address transferred the claimed $ARB to an aggregation address 0x950 — .
3. (Figure 3) 0x950 — received a total of 293,501 $ARB from 202 airdropped addresses, and eventually transferred all the $ARB to other addresses in multiple transactions.
No.4 : similar behavior sequence
TrustScan has analyzed the funding network of the target address 0x00dfa97a2c05b7afc55e40651351a5e40b181352 based on Ethereum mainnet data from August 17th, 2022 and August 21st, 2022.
- (Figure 1) The address has been found to be part of a sybil group with typical similar behavior sequence.
(https://www.trustalabs.ai/trustscan/reports/0x00dfa97a2c05b7afc55e40651351a5e40b181352?chainId=1)
2. (Figure 2) In the Arbitrum airdrop, the target address transferred the claimed $ARB to an aggregation address 0x584—
3. (Figure 3) 0x584— received a total of 530,250 $ARB from 393 airdropped addresses, and eventually transferred all the $ARB to other addresses in multiple transactions to Binance Hot Wallet.
Summary
The above analysis based on Post Airdrop yielded over 200 groups of sybil addresses and the profit for each group exceeded 200,000 $ARB. Their disbehaviors were so disguised that Offchain Labs’ algorithm failed to detect them.
For these 96,755 fugitive sybil addresses, TrustScan’s AI model can effectively identify 24,496 of them, a recognition rate by 25.3%.
Currently, TrustScan has launched a commercial version of its product, and the above addresses can be checked in [3]. Interested readers can refer to [4] to understand the principles of TrustScan’s algorithm. The project team welcomes cooperation with projects that focus on real users and long-term community value. Especially those who do not have the luxury to maintain an in house sybil analysts, TrustScan can help to build a healthy and sustainable community, and to enable real users to receive airdrops more equally.
For detailed sybil address list, please contact Trust Labs.
References
[1] https://docs.arbitrum.foundation/airdrop-eligibility-distribution
[2] https://github.com/0x9simon/slaysybil/blob/main/antisybil-V6.pdf
[3] https://www.trustalabs.ai/trustscan/app?tab=single
[4] https://trustalabs.gitbook.io/trustscan