This article is jointly published by X-explore and WuBlockchain.

Overview

The long-awaited Arbitrum has finally released its airdrop news. Along with the airdrop news, they also released their rules for checking Sybil addresses.

According to the rule described, we can infer that the project team:

1. Excluded cross-chain bridges, centralized exchanges, and smart contracts while detecting Sybil

2. A relatively tolerant detection was adopted for small-scale and same-person addresses

3. Only data before the snapshot (Feb 6, 2023) was used for Sybil detection

4. Only data from Arbitrum and Ethereum was used for Sybil detection, while ignoring data from other Ethereum layer 2 chains such as Optimism and Polygon.

We found that the above Sybil detection rules will cause significant loopholes. After many confrontations between Sybils and the project party, Sybils often use exchanges on a large scale for depositing their funds. This will result that these Sybils are not excluded from the Aribtrum's airdrop.

Through our internal same-person/Sybil address recognition model, we successfully identified more than 279,328 same-person addresses and 148,595 Sybil addresses that received the airdrop.

Same-person addresses

The same-person addresses refer to addresses that are controlled by the same entity. We run the Louvain Community Detection Algorithm on the sub-graph consisting of all the 624,136 airdropped EOA addresses (By the way, there are also 1007 contract addresses that received the airdrop and we will disclose it later on). The results show that there are a total of 279,328 addresses form more than 60,000 communities. Since personal addresses in the same community have frequent fund transfers, they are considered same-person addresses. They account for approximately 557 million tokens or 47.96% of the total Arbitrum airdropped token.

Below is the distribution of the same-person address group size and its corresponding address count. From the following figure, we can see that a large number of small-scale same-person communities have received tokens in this Arbitrum airdrop event.

Below is the distribution of the same-person address group size and its corresponding claimable token (Unit: token)

Sybil addresses

We further examined these same-person addresses and established the strictest screening criteria to identify Sybil among them. There are a total of 148,595 Sybil addresses that received the airdrop. They account for approximately 253 million Arbitrum or 21.8% of total airdropped tokens. The composition of Sybil addresses comes from two parts:

1. Communities with a large number of same-person addresses

2. High-confidence Sybil addresses identified by X-explore on Ethereum and multiple Ethereum layer 2 chains (Arbitrum, Optimistism, etc)

To combat Sybil detection, Sybil uses cross-chain bridges, centralized exchanges, and smart contracts to prevent direct connections between large numbers of addresses and make each address as independent as possible to evade Sybil detection. In Arbitrum Sybil hunting, the project party also removed entity addresses such as bridges, exchanges, and smart contracts. According to our analysis, some Sybil successfully countered the detection rules and a large number of addresses received this airdrop.

Case 1: CEX Sybil

Examples of CEX Sybil with more than 250 addresses.

1. Between August 24 and August 28, 2022, a total of 2997 addresses that received the airdrop withdrew funds from Binance Exchange (0xb38e8c17e38363af6ebdcb3dae12e0243582891d). The withdrawal amounts were very consistent, between 0.00114 and 0.00116 ETH (about 2 USD). These addresses received a total of 1.83 million airdrop tokens.

2. Between June 3 and June 4, 2022, a total of 1001 addresses that received the airdrop withdrew funds from FTX Exchange (0xa60113f7d43130919802b0863abdcdb956664fd5). The withdrawal amounts were very consistent, between 0.0022 and 0.0023 ETH (about 4 USD). These addresses received a total of 1.04 million airdrop tokens.

3. Between November 27 and November 30, 2022, a total of 645 addresses that received the airdrop withdrew funds from Binance Exchange (0xb38e8c17e38363af6ebdcb3dae12e0243582891d). The withdrawal amount was very consistent at 0.05 ETH (about 9 USD). These addresses received a total of 700,000 airdrop tokens.

4. Between October 29 and November 01, 2022, a total of 1035 addresses that received the airdrop withdrew funds from Binance Exchange (0xb38e8c17e38363af6ebdcb3dae12e0243582891d). The withdrawal amount was very consistent at 0.003ETH (about 5 USD). These addresses received a total of 980,000 airdrop tokens.

5. On February 6, 2023, 294 addresses that received the airdrop withdrew funds from Binance Exchange (0xb38e8c17e38363af6ebdcb3dae12e0243582891d). The withdrawal amount was very consistent at 0.0008 ETH (about 1.5 USD). These addresses received a total of 291,000 airdrop tokens.

6. On December 12, 2022, 273 addresses that received the airdrop withdrew funds from Binance Exchange (0xb38e8c17e38363af6ebdcb3dae12e0243582891d). The withdrawal amount was very consistent at 0.0095 ETH (about 17 USD). These addresses received a total of 242,000 airdrop tokens.

7. On August 19, 2022, 261 addresses that received airdrops withdrew funds from the FTX exchange (0xa60113f7d43130919802b0863abdcdb956664fd5). And the amount of funds withdrawn is very consistent, at 0.003 ETH (about 5 USD). These addresses received a total of 189,000 tokens.

We further took out these Sybil addresses that withdrew from exchanges (FTX). In addition to the consistent amount of funds, they also have very consistent smart contract calls.

Note: The nodes in the figure represent addresses, while the edges represent interactions between addresses.

Case 2: Bridge Sybil

Examples of Bridge Sybil

1. Between November 02 and November 07, 2022, a total of 1114 addresses that received the airdrop crossed over to Arbitrum via HOP Bridge(0x33ceb27b39d2bb7d2e61f7564d3df29344020417). The deposit amounts were very consistent, between 0.0025 and 0.0025 ETH (about 4 USD). These addresses received a total of 1.08 million tokens.

Case 3: Smart contract Sybil

Examples of Smart contract Sybil

1. Address 0x922008a118feff7fb017ee67eb3b02371e559999 deposited funds into 1,274 airdrop addresses via the Disperse contract (0x692b5a7ecccad243a07535e8c24b0e7433238c6a). The deposit amount was very consistent at 0.0005 ETH (about 8 USD). These addresses received a total of 1.059 million Tokens.

Similarly, the number of Sybil addresses that prevent their direct connection via the Disperse contract (defined as a single address depositing funds into 50 different airdrop addresses) was 9,483. These addresses received a total of 10.98 million tokens.

Case 4: Sybil collects funds after snapshot

We have chosen a representative example from this type of Sybil. The example Sybil has a total of 198 addresses and earned 174,375 Tokens. Although these addresses have obvious collection behavior, they were not excluded from the airdrop addresses because the collection behavior occurred after the snapshot. Therefore, we call on the Arbitrum team to conduct a final Sybil screening before the airdrop.
(Sybil addresses in this figure have been sampled)

Case 5: Sybil on another chain (Optimism)

We have selected an example that is representative of this kind of Sybil. The example Sybil contains a total of 202 addresses and earned 204,250 tokens. These addresses also have very similar transaction records on the Arbitrum chain, but the transaction amounts and times are slightly different, so they were not identified as Sybil. However, they also have identical transaction records on the OP (Optimism) chain. It is worth mentioning that X-explore can not only identify Sybil addresses on Arbitrum, but also supports Ethereum, Optimism, and other Ethereum layer 2 chains.

Further looking at these Sybil results, we will find that some projects (Synapse, Balancer, etc.) are being attacked by these Sybils. If the project party does not filter out Sybils when airdropping tokens in the future, these Sybils will once again become big winners.

(Sybil addresses in this figure have been sampled)

We can infer that the rules established by the Arbitrum were not effective in preventing the following four types of Sybils:

1. Sybils with fewer than 20 addresses

2. Sybils that deposit and withdraw through exchanges, cross-chain bridges, smart contracts

3. Sybils with obvious collection behavior of NFTs or funds after the snapshot

4. Sybils with obvious batch operation behavior on other chains such as Optimism, Ethereum

Smart Contracts receive airdrop:

When we were investigating Sybil, we also found some interesting examples. The winners of this Arbitrum airdrop were not only EOA, but some contract addresses also received airdrops. A total of 1,007 contract addresses received airdrops, and the total number of Arbi tokens received was about 1 million.

Examples:

2. 0x8c44c0ab9a15bacad7a4b663a89593c406c6b4ea

3. 0x44e4c3668552033419520be229cd9df0c35c4417

4. 0x6e87672e547d40285c8fdce1139de4bc7cbf2127

5. 0x8585a10f59fd4dd6e7d5e19254d5a791dc25f3f4

Summary:

Sybil hunting has always been a hot potato for project parties. Project parties need Sybil to support the popularity of the project, but on the other hand, they have to bear the risk of Sybil's profits and the risk of market dumping after Sybil cashed out. According to X-explore's estimates, there are around 150k Sybil addresses and at least 4000 Sybil communities included in the airdrop and the total profit of Sybil addresses accounts for more than 253 million tokens.
After multiple rounds of verification, we have obtained a very reliable list of Sybil addresses. Arbitrum is welcome to contact us for it.

For more, please follow x-explore.
Mirror: https://mirror.xyz/x-explore.eth
Twitter: https://twitter.com/x_explore_eth