Sybil Attacker Report
rchen8 opened this issue · 5 comments
Related Addresses
0x037be2500fae074adbf7bc267c89d8974e633d65
0x05feb7cc73b0e522a360d0d0bc0e0360e8b630d6
0x26a3e60905d8d9785a51df7fbc49b5749bc6fd85
0x3fe69e61d697dcf399def32c97eafd7470fa8eec
0x4639b83faed52e978e0b5d9a4b0f3f7d1b17d33f
0x69a5c0450d723be700081205bf613e98dfac02a8
0x73f61e66345b8f78951508e8f1cd0ab51e1d9b6b
0x7961cea5f1066f1f87ef71b080f3caa929db848b
0x79cbecca332a422f7914d8dce23f5f859b782897
0x8b212488ed7bcb40446fdf9ac1595a7a25871017
0x93ba368cfa7c4f672ca68292f695132ed30c4f1a
0x9891be2e4e8ffa295d9cbd146c6973e8e7b6cc58
0xa8766f06270d0ce616f115e4eb585dad0d6e830c
0xc17b32ec5b1e02231a41abdb38d476f20fa00d41
0xc63690afba73ebc8c7b93e0fa5dcf5799f0142b9
0xe4642d8fb8df4b39f35f6b403fe40932e9513a6b
Reasoning
Edges are Optimism transactions between addresses. It's clear that both clusters are Sybil farms but the question is are both groups related. I'll prove that on 2021-12-07, similar Hop transaction behaviors implicate addresses in both groups.
| Date | # Addresses |
|---|---|
| 2021-12-07 | 9 |
| 2021-12-10 | 4 |
| 2021-11-25 | 4 |
| 2022-04-10 | 4 |
| 2022-04-11 | 2 |
| 2021-12-08 | 2 |
| 2021-12-12 | 2 |
| 2022-02-15 | 2 |
| 2021-12-30 | 2 |
| 2022-05-21 | 2 |
| 2021-12-09 | 2 |
Below are the transaction details for 2021-12-07. The first 7 transactions belong to addresses in the top group of the graph, and the last 5 transactions belong to the addresses in the bottom group of the graph. Also 0x26a is part of this transaction behavior so it's clearly linked to the rest of the Sybil farm and not just a stray leaf node.
'0x796', 'Polygon', 'Gnosis', '588.3966', 'USDT'
'0x79c', 'Polygon', 'Gnosis', '1015.7944', 'USDT'
'0x79c', 'Gnosis', 'Polygon', '528.2263', 'USDT'
'0x93b', 'Polygon', 'Gnosis', '533.8358', 'USDT'
'0x93b', 'Gnosis', 'Polygon', '548.2187', 'USDT'
'0xc63', 'Polygon', 'Gnosis', '1203.1643', 'USDC'
'0xc63', 'Gnosis', 'Polygon', '1168.1349', 'USDC'
'0x037', 'Gnosis', 'Polygon', '1199.2015', 'USDC'
'0x26a', 'Polygon', 'Gnosis', '1170.7853', 'USDT'
'0x463', 'Gnosis', 'Polygon', '1179.6980', 'USDT'
'0x73f', 'Polygon', 'Gnosis', '1184.1924', 'USDT'
'0x989', 'Polygon', 'Gnosis', '1191.2847', 'USDT'
The last thing to prove is whether the chain of addresses from 0x05f to 0xe46 are related to the rest of the Sybil farm. First, on 2022-04-10 these addresses made the following similar Hop transactions. Of those, 0x79c and 0x05f are part of the top cluster of addresses.
'0x05f', 'Polygon', 'Gnosis', '777.5014', 'USDC'
'0x69a', 'Polygon', 'Gnosis', '790.5095', 'USDC'
'0x79c', 'Polygon', 'Gnosis', '792.9943', 'USDC'
'0x8b2', 'Polygon', 'Gnosis', '801.4984', 'USDC'
And then on 2021-12-09 both 0xe46 and 0x8b2 made the following similar Hop transactions so they are clearly linked together:
'0x8b2', 'Polygon', 'Gnosis', '888.5103', 'USDT'
'0x8b2', 'Gnosis', 'Polygon', '929.1099', 'USDT'
'0xe46', 'Polygon', 'Gnosis', '847.0242', 'USDC'
'0xe46', 'Gnosis', 'Polygon', '885.3479', 'USDT'
| Address | Total | Ethereum | Arbitrum | Optimism | Polygon | Gnosis | USD |
|---|---|---|---|---|---|---|---|
| 0x79cbecca332a422f7914d8dce23f5f859b782897 | 7 | 0 | 2 | 0 | 7 | 5 | 10380 |
| 0x8b212488ed7bcb40446fdf9ac1595a7a25871017 | 4 | 0 | 1 | 0 | 4 | 3 | 5893 |
| 0x69a5c0450d723be700081205bf613e98dfac02a8 | 4 | 0 | 1 | 1 | 4 | 2 | 5360 |
| 0x93ba368cfa7c4f672ca68292f695132ed30c4f1a | 3 | 0 | 1 | 0 | 3 | 2 | 4702 |
| 0x05feb7cc73b0e522a360d0d0bc0e0360e8b630d6 | 4 | 0 | 0 | 0 | 4 | 4 | 3767 |
| 0x3fe69e61d697dcf399def32c97eafd7470fa8eec | 4 | 1 | 1 | 1 | 3 | 2 | 3509 |
| 0x7961cea5f1066f1f87ef71b080f3caa929db848b | 5 | 0 | 0 | 1 | 5 | 4 | 3259 |
| 0xc63690afba73ebc8c7b93e0fa5dcf5799f0142b9 | 4 | 0 | 1 | 0 | 3 | 4 | 2824 |
| 0xc17b32ec5b1e02231a41abdb38d476f20fa00d41 | 7 | 0 | 0 | 1 | 6 | 7 | 2782 |
| 0x037be2500fae074adbf7bc267c89d8974e633d65 | 7 | 0 | 0 | 0 | 7 | 7 | 2543 |
| 0xe4642d8fb8df4b39f35f6b403fe40932e9513a6b | 3 | 0 | 0 | 0 | 3 | 3 | 2511 |
| 0xa8766f06270d0ce616f115e4eb585dad0d6e830c | 3 | 0 | 0 | 0 | 3 | 3 | 2028 |
| 0x73f61e66345b8f78951508e8f1cd0ab51e1d9b6b | 6 | 0 | 0 | 3 | 6 | 3 | 1690 |
| 0x4639b83faed52e978e0b5d9a4b0f3f7d1b17d33f | 2 | 0 | 0 | 1 | 2 | 1 | 1610 |
| 0x9891be2e4e8ffa295d9cbd146c6973e8e7b6cc58 | 4 | 0 | 0 | 2 | 4 | 2 | 1289 |
| 0x26a3e60905d8d9785a51df7fbc49b5749bc6fd85 | 3 | 0 | 1 | 0 | 3 | 2 | 1232 |
Methodology
I implemented the Union-Find algorithm, which is a famous graph algorithm that gets all of the connected subgraph components in O(1) time. The nodes in the graph are from the most up-to-date list of eligible airdrop addresses. The edges in the graph are from using Covalent's API to find transactions that connect between these addresses.
Finding the timestamps of Hop transactions per address is done using the Hop Explorer and reverse engineering their API so I can automate it. :)
Rewards Address
0x9bb82fbf10cF4959909BAB9bE07805bd1d28D04A
Thank you for your report @rchen8. We have verified that the addresses in this report are Sybil attackers.
The report included 15 eligible addresses as Sybil attackers which means you are eligible for 2802.014351555928343429 HOP! When Hop DAO is live, we will make a proposal for this reward — subject to a 1 year lockup, as mentioned in the original Mirror post.
Interestingly, all the qualified addresses have an ENS name on L1. Most of these ENS names are some variation of coin, token, ens, or name.
Please note that 0x26a3e60905d8d9785a51df7fbc49b5749bc6fd85 was not included as a qualified address. While they look extremely suspicious, there are some key differences that make it hard to be 100% confident in the relationship with the rest of the group. These differences are:
- That is the only address that sent Hop transactions from a single chain
- That is the only address that does not have an ENS name
- That address does not send any transactions
tothe rest of the group in the subgraph provided.
The qualified addresses are as follows:
0x037be2500fae074adbf7bc267c89d8974e633d65
0x05feb7cc73b0e522a360d0d0bc0e0360e8b630d6
0x3fe69e61d697dcf399def32c97eafd7470fa8eec
0x4639b83faed52e978e0b5d9a4b0f3f7d1b17d33f
0x69a5c0450d723be700081205bf613e98dfac02a8
0x73f61e66345b8f78951508e8f1cd0ab51e1d9b6b
0x7961cea5f1066f1f87ef71b080f3caa929db848b
0x79cbecca332a422f7914d8dce23f5f859b782897
0x8b212488ed7bcb40446fdf9ac1595a7a25871017
0x93ba368cfa7c4f672ca68292f695132ed30c4f1a
0x9891be2e4e8ffa295d9cbd146c6973e8e7b6cc58
0xa8766f06270d0ce616f115e4eb585dad0d6e830c
0xc17b32ec5b1e02231a41abdb38d476f20fa00d41
0xc63690afba73ebc8c7b93e0fa5dcf5799f0142b9
0xe4642d8fb8df4b39f35f6b403fe40932e9513a6b
Hi, Sir
I’m not Sybil, i’m a loyal user about hop。
Obviously, that's the account of two people, the under five address belong to me( i think That's not illegal have 5 address on hop’s rule)。
but once transfer money , two people were associated.
This is the transfer record of my friend with me chat message。
——->> the content : I borrowed two celoc coin from him, then I repay him two matic coin。
i hope you can think about the report , We didn't break the rules
Thanks
Whatever the outcome ,i will use hop, It's really excellent product。
太特么的离谱了
@ttname Thank you for the additional details. Unfortunately, both groups exhibited very similar behaviors on Hop and otherwise. Because of this, the submission will remain as-is. Thank you for your understanding.