This short essay takes a brief look into the one of the problems decentralised protocols and applications face, Sybil attacks. It will cover the problems, why they exist, and a look at some of the current attempts to solve it.
For the sake of wanting this article to be enjoyed and understood by a wide audience, the writing shall use simple examples and simplifications. Sybil resistance is a complicated topic, and for those who wish to research this further and gain a deeper understanding the link below will provide a good starting point.
In essence, Sybil attacks stem from the ability of one user to create ‘multiple identities’ (identities being synonymous with wallet addresses for the duration of this essay) to exploit systems and protocols that are vulnerable to this sort of attack.
All of these examples could be taken advantage of by assuming multiple identities. Some of the main features of blockchain infrastructure; trustlessness, decentralisation and anonymity have many merits, but unfortunately come coupled with this vulnerability.
Lets work through an theoretical example: you are a DeFi protocol and you want to airdrop users of the protocol X number of governance tokens to help it become a community steered project. You are a great believer in decentralisation but you don’t want single individuals having disproportionately large influence over the direction. At present you have two measures you can employ:
In scenario 1, you open up the opportunity to exploit this airdrop by creating multiple wallets, receiving much more than those who only use one wallet. This has happened already in multiple instances, Uniswap and 1INCH just to name a few. Notoriously, the Ribbon airdrop was farmed by a VC firm that knew the conditions a wallet needed to be eligible, receiving $2.5 million worth of the airdrop as a result. These funds were returned following an outcry by the community, but someone else may not have acted the same. Read a full run down of events here. Whilst option 1 may reward cunning individuals, it is not a great recipe for even and fair distribution.
So that moves you on to option 2, airdrop tokens based on protocol usage. This may on the surface seem more ‘fair’, which in many ways it is. However this inevitably leads to whales dominating airdrops, as those with the largest TVLs acquire larger percentages. Your community voting power is now distributed proportionally to usage, but it doesn’t make for an even community, everyone’s voice is not evenly represented.
You’ve run out of conventional options that allow for complete anonymity on the blockchain, without KYC’ing your community you find yourself stuck. This is the current state of identity on the blockchain which certain features very difficult. If we wish to onboard more dimensions of social and economic activity, we must create solutions that allow participants to remain anonymous whilst provably ‘unique’ (not multiple personas under the control of one human).
Some have tried clever tricks like ‘quadratic voting’ in governance, helping curb large wallets voting power. But again, users wanting to maximise voting power can simply spread that voting power across many wallets and this measure if effectively nullified.
This ends the introduction and hopefully you now better understand the problems I have outlined thus far. From this point onwards, solutions and protocols shall be discussed in a more theoretical and speculative manner. As I am interested in solving these issues, naturally I am invested in some of the projects I will discuss. I will try to remain as unbiased as possible for the desire for this article to be informative and educational, so people can form their own conclusions. With that being said, lets dive into some projects trying to make solutions.
Firstly of all we have a current method of Sybil defence that is not a specific project, but a method used by some. KYC or ‘ know your customer’ is a way of proving you are an a unique individual by providing identity documents such as a Driving licence, passport, etc. This method relies on governments identifying people and then protocols trusting this information. This is the widely used form of identification on centralised exchanges or on-chain events that require tax compliance, such as certain types of fundraising.
Whilst robust (how the world off-chain verifies identity) you must trust 3rd parties with this sensitive information and ‘dox’ (reveal your identify) yourself. It does also have workarounds if people are willing to go far enough. Fake identities and stolen information may be used in place of true verification.
Knowing someone’s identity and also country of residence opens up the ability for protocols and people to discriminate based off of laws, tax rules, preference, etc. This is not in line with lots of the principles the open and non-discriminatory ‘web3’.
This attempt at on chain identity is called the proof of humanity project. It works by sending in a video of yourself and your Ethereum address and being verified by someone in the already verified as ‘human’ who knows you in real life. You pay a deposit that is refunded if your verification is approved.
If users feel like verified accounts are suspicious, they can dispute the request and it gets taken to Kleros (a decentralised court system).
Once users are verified, they start accumulating ‘universal basic income’ - UBI an inflationary token that does not have any function other than to accumulate at this point, but this may change in the future. One proposed use is to represent votes in the ‘UBI-dao’, but the value of this proposition is yet to be seen.
The project gained some buzz when Vitalik Buterin, cofounder of Ethereum (who is verified as a human on the platform), bought and burnt 50ETH worth of UBI. This caused the token’s prices to rapidly increase in price. The token price, has since declined, presumably due to market conditions and the inflationary nature of the token, but this article is not here to discuss token price but rather the technology. He presumably did this, to show support for the project.
The barriers to entry and lack of technical know-how needed is definitely a positive. The nature in which it works will also allow for scaling without a centralised entity. One problem that is already apparent however is the need to be publicly known. To verify you must ‘dox’ yourself, which may not sit well with many who prefer to remain anonymous whilst participating in crypto and on the internet in general. Another issue to raise is that what stops someone from being verified twice under two names should that person lead a double life in-real life? Two different people could vouch for that person thinking they were verifying someone’s true identity, when in fact they are being deceived themselves.
Governor DAO has an interesting history. One much too long to delve into here, but if you are interested it is definitely worth reading up on. They initially aimed to regroup the victims of the infamous ‘BREE rugpull’ and set out to build a community out of the wreckage. Their main goal was to offer the same service that was promised to them in CBDAO/BREE, ‘governance-as-a-service’ - helping daos set up and help run proper governance. They still offer their main focus has shifted, to an arguably more ambitious goal.
They have partnered with biometrics firm Finnovant to offer a product called ‘Proof of Existence’. The software takes face and voice data and mashes them together to form a ‘hash’ - in essence a long string of letters and numbers. This hash is stored instead of the voice and face data, meaning your data is never shared with anyone, not even governor dao/finnovant. Once registered the user’s wallet is sent a non-transferable ERC20 token (similar to a non-transferrable NFT) that marks that wallet as owned by a unique human. If the same person were to try and register with a different wallet, the software would produce the same hash, and therefore would not send them another token. This means that any two different wallets that own this ‘proof of existence token’ are provably owned by two different people. The hash can’t be reverse engineered into face and voice data, making it very favourable for those who wish to be anonymous.
This is first method I have seen that allows people to remain complete anonymous, so in that regard it is very interesting. At the moment they onboard people for free, whilst they build up reputation and numbers. Governor DAO’s plan is to monetise this service, where users must pay to be authenticated. It remains to be seen whether people will be willing to pay for it, or some other way of generating revenue will be implemented. If the adoption is large enough the incentives may be strong enough to pay to register e.g. to get onto desirable NFT mints or use certain protocols (maybe credit rating protocols or something that requires uniqueness and trust). Will protocols pay for the service in this case, or its users? This remains to be seen.
Most other protocols I considered writing about used a form of KYC/centralised identity to prove uniqueness, and thus I decided to omit them. The fact that there are only really two attempts at a solution shows a) how early we are in solving this problem B) how hard it is to solve. This was a very brief look into Sybil attacks and some of the projects trying to defend against, I don’t know which solution (if any) will prevail, but I’m willing to place my bets. I am sure many new interesting ideas; DeFi protocols, NFTs and methods of governance will spring from these sorts of innovations. If blockchain technology is to fuel the new era of economic and social activity, I have no doubt a solution to this problem will be required.
I hope you have enjoyed the read. This is my first piece of writing on Mirror, and hopefully not my last.