$ZK Cluster Analysis
MarcoV
0x2832
June 21st, 2024

$ZK Cluster Analysis

This analysis looks into possible clusters that have claimed the $ZK airdrop. Before we get into it, I just wanted to point out:

  • It is impossible to filter out all sybils when doing an airdrop

  • It is obviously easier to do this post-airdrop analysis than beforehand

  • Not all clusters found can be 100% considered as clusters or sybils, there might be other reasons these tokens are gathered to a similar address (e.g. phishing)

  • This write up is not a judgement of the distribution of the $ZK airdrop, merely an observation

Let’s get into it!

Tracking $ZK Claims/Transfers

Finding these clusters can be done in a similar way I did before with the $ARB airdrop; by following the first $ZK transfers out for addresses that claimed the $ZK airdrop. In other words, looking at where the received airdrop is ‘collected‘. By summarizing these results we can find addresses that received $ZK from many other addresses (a cluster). To get this result we set the following parameters:

  • Exclude contract addresses; we rule these out by looking at the ‘zksync.traces’ table where type = ‘create’, indicating the creation of a contract.

  • Only look at direct $ZK transfers to other wallets; we can do this by looking at the transfer method: ‘0xa9059cbb‘

  • Include the $ZK transfers that happen within a short period after the claim; 2 days.

  • Making sure the send amount is equal to or smaller than the airdrop amount received

Using these parameters we get the visualization below, showing many clusters and hence addresses that have been send the $ZK airdrop from many addresses. This visualization is limited to addresses receiving the airdrop from more than 150 addresses, resulting in 57 unique clusters. But when setting the minimum to more than 20 transactions received, the total number of clusters increases to 660.

$ZK token clusters
$ZK token clusters

Cluster totals

In total these 660 clusters received 94.5M $ZK from a total of 46.386 addresses. This is a total of 2.57% of the total $ZK airdrop (3.675B) and 6.67% of total users (695K) that were eligible for the airdrop. Below the top 5 cluster addresses by number of $ZK transfers received. The top cluster receiving 2.4M $ZK from 1516 addresses.

Top 5 Clusters by number of transfers in
Top 5 Clusters by number of transfers in

If we order the clusters by amount of $ZK received we can see that there are also clusters which received a high amount with much less transactions then the top clusters by transactions.

Top 6 Clusters by amount $ZK reveived
Top 6 Clusters by amount $ZK reveived

Many of these clusters have deposited the funds to a unique deposit address for an exchange, which then sends the funds to a general exchange wallet, like the top cluster that send the funds to: 0xdfd8e719e1c29b44d9ff5b7d37234bc50a60bac5. To be more specific, 185 clusters send the funds to Binance, 5 to Bybit and 3 to Gate.io (using the cex.addresses dataset on Dune). As these addresses are user specific, this makes it highly likely these users are connected, as you probably will not send your funds to a deposit addresses of someone else.

Now that we have identified these potential clusters, let’s see if we can find any other similarities within some of these clusters. As it is impossible to go through all the 660 clusters, I will highlight a few.

Wallet Funding

In hindsight it is easier to look for similarities between these addresses, as we have the “linking pin”, which is the address the funds were collected. But could the link between some of these clusters be noticed beforehand? Let’s lets dig a little deeper and look at how some of these cluster addresses were initially funded. We can do this by looking at the very first transfer to these addresses. Let’s walk through a set of examples:

Example #1 Cluster: 0xdfd8e719e1c29b44d9ff5b7d37234bc50a60bac5 (1.5K addresses, 2.4M $ZK)

Looking at this cluster’s funding transactions, ordered by date we can see some clear patterns emerging. All funding happened through Oribiter Bridge and had very similar funding amounts (also notice the decimal number) like you can see in table below with a few examples. Also the timing of these transactions was very close to each other and happened in timeframes. These funding transactions continued in these patterns until October ‘23!

Examples of the funding pattern through Orbiter Bridge
Examples of the funding pattern through Orbiter Bridge

Example #2 Cluster: 0x706bc550fd4ba2fd38a663410cb8c0abdb62de69 (829 addresses, 1.8M $ZK)

The second example took a different approach and went through the ZK Bridge on Ethereum. First the wallets were funded on Ethereum via OKX (example 1, example 2), by very similar but again slightly different amounts. Then the majority of these funds were sent to the ZkSync network. In the table below you can see some examples, in this case the timing of the transfers is even closer than the previous example. Also interesting detail that the funding pattern changed on the 28th of July for this cluster to smaller amounts with many more decimals.

Examples of the funding pattern through ZK Bridge Ethereum
Examples of the funding pattern through ZK Bridge Ethereum

Example #3 Cluster: 0x430a5cc9e68fe2b61898e39fcd64338439bd3406 (99 addresses, 1.9M $ZK)

For the third example we will look at the cluster that received a high amount of $ZK with 99 addresses. In this case, there is a clear direct connection made between these addresses. As the funds have initially been send around on the ZkSync network itself from address to address. After funding, an action was performed, after which it was send to the next one. You can see the funding pattern below, creating a chain.

Examples of the funding pattern from address to address
Examples of the funding pattern from address to address

Example #4 Cluster: 0x78b05c5d952f2a0574ef500f976d2d0527e78358 (216 addresses, 488K $ZK)

The fourth and final cluster example shows a lot of effort as this cluster uses many different ways of funding the wallets.

  1. First off, this cluster shows a direct way of funding the addresses on ZkSync through exchanges, like you can see below. Again similar values following each other in a short period of time. Most addresses were funded via Binance, but also via Bidget.

  2. The second method this cluster uses is via Orbiter Bridge, like we seen before. Values around 0.01 - 0.02 ETH have been bridged multiple times.

  3. The third method is funding the addresses through the ZkSync Bridge from Ethereum, which as we seen before, have been funded through Binance on Ethereum with similar amounts around the same time (example 1, example 2).

Examples of the funding pattern directly from exchanges
Examples of the funding pattern directly from exchanges

Conclusion

By looking at where the $ZK airdrop is collected we could identify 660 potential clusters claiming 94.5M $ZK, which in the end is “only“ 2.57% of the total airdrop supply, although not all clusters can be identified using this method of course. Many clusters send the $ZK token to a CEX address, indicating a link between these addresses. We also looked at different initial funding methods these clusters used and saw that various methods were used and could be found relatively easy. When researching these clusters I found many similar funding patterns in terms of timing and amounts, so I am not ruling out some of these clusters are also connected to each other in some way.

That’s it for now, I hope you found this analysis useful, if you have any questions or remarks please reach out to me: Twitter

Sources: dune.com, era.zksync.network, etherscan.io
Dune: dune.com/Marcov

Subscribe to MarcoV
Receive the latest updates directly to your inbox.
Mint this entry as an NFT to add it to your collection.
Verification
This entry has been permanently stored onchain and signed by its creator.
Arweave Transaction
3NAAyVCQS11nIAu…dnLQHJmB4HFgHy4
Author Address
0x283266045Ab2aB0…21D55f685636Ae0
Content Digest
veMoja9XjhW-JtA…f-DVMuGlyi__HA0