Implementing Cost of Forgery weaponizes cost for attackers and keeps cost low for legitimate users. Project owners can then utilize forgery costs to cap Sybil-resistant rewards to users. In the next stage of its evolution, the Gitcoin Passport team is exploring the Cost of Forgery as another mechanism to aid projects in designing their Sybil resistance.
Sybil attacks are a significant concern that undermine the trust and integrity of decentralized networks. A multitude of decentralized mechanisms rely on the assumption that each participant has a unique identity on the network and an equal voice; Sybil attacks disrupt this assumption when a single user creates multiple fake identities and manipulates the system.
When Sybil attacks involve creating multiple fake accounts, a person can gain more airdrop rewards than they would otherwise be entitled to receive. This behavior distorts the distribution of rewards and undermines the integrity of the airdrop program, which is designed to incentivize participation and reward legitimate users.
Quadratic funding and voting mechanisms also rely on the expectation of unique humanity. Sybil attacks, if left unmitigated, will disproportionately distribute votes or funds to unintended fake accounts and take away votes and funds from good actors.
The article introduces the concept of Cost of Forgery; it considers the cost, time and effort required to create a fake identity. Implementing Cost of Forgery weaponizes cost for attackers and keeps cost low for legitimate users. Project owners can then utilize forgery costs to cap Sybil-resistant rewards to users.
Adversaries deploying Sybil attacks can have varying levels of sophistication, ranging from script kiddies to organized crime or nation-states — motivated by financial gain, personal amusement or malicious intent. These adversaries may attempt different types of attacks (identity theft, collusion, coercion, IP address manipulation, botnets, social engineering, Sybil malware, etc.) that are vulnerable to different countermeasures, requiring a comprehensive anti-fragile approach to Sybil resistance.
It’s crucial to build systems that are more expensive to attack than to defend. This means that the cost of mounting a successful attack on the system should be higher than the cost of implementing effective defenses against such attacks. By economically disincentivizing adversaries to launch attacks, the system can be more resilient to Sybil attacks and other types of fraud.
Sybil-resistant consensus requires each identity to be unique and singular. Various protocols have achieved Sybil resistance while also maintaining self-sovereignty (creating and controlling an identity without the involvement of a centralized third party) and privacy preservation (acquiring and utilizing an identifier without revealing personal information in the process). These three requirements (Sybil resistance, self-sovereignty and privacy preservation) form the "Decentralized Identity Trilemma."
To address the challenges posed by Sybil attacks and establish a reliable system for human identification, it’s helpful to view Sybil resistance as a spectrum reflecting the trade-offs between security, efficiency and scalability. By doing so, the problem becomes more manageable, and it’s possible to find a balance between the three factors that align with the goals of the system. While strong security measures can enhance Sybil resistance, they can also limit the efficiency and scalability of the system. Conversely, prioritizing efficiency and scalability may lead to weaker Sybil resistance. Therefore, finding the optimal balance between these factors is critical for building effective decentralized identity systems that can resist Sybil attacks. This is one of the strongest reasons there’ll be no single silver bullet but rather a plurality of approaches to tackling this problem.
Gitcoin Passport has developed two mechanisms to assess the unique humanity of users in web3 applications: Gradual Unique Humanity Verification and Boolean Unique Humanity Verification. These mechanisms assign weights to various stamps (verified Twitter and Google accounts, GTC or ETH ownership and previous participation in Gitcoin Grants), to calculate a Passport score (Unique Humanity Score) for the holder. The scores can determine access to partial rights, features and other benefits to Passport holders. To qualify for matching in the Gitcoin Grants Beta Round, for example, a donor must have a score of 15 or more.
Gradual Unique Humanity Verification allows developers to assign partial rights based on the user's score; Boolean Unique Humanity Verification prevents bot/Sybil attacks and safeguards user privacy by verifying a set of stamps and a combined score above a certain threshold. For example, in order to verify a user’s uniqueness on Bankless Academy, a web3 educational platform that offers lessons and tutorials, a user must collect a determined number of stamps. First lessons on Bankless Academy only require two stamps, which a new user can claim by connecting with their favorite web2 platform.
In the next stage of its evolution, the Gitcoin Passport team is exploring the Cost of Forgery as another mechanism to aid projects in designing their Sybil resistance. Cost of Forgery offers design choices that harness an easy-to-understand metric to safely distribute airdrops or enable access to a community by tying the cost to the denominated outcomes.
Cost of Forgery is a way to make it expensive for attackers to create fake identities. This is done by considering the resources, time and effort required to forge an identity compared to the cost of implementing defenses against such attacks. By making forgery more expensive, attackers are less likely to engage in fraudulent behavior, improving the system's security.
If the Cost of Forgery’s eminent goal is maximizing the cost for attackers while keeping the cost low for real users, then we need to create systems that are more expensive to attack than to defend. Here are four main ways to build Sybil-resistant mechanisms today:
In future versions of Gitcoin Passport, we’ll categorize stamps based on these four areas to ensure a plurality of mechanisms are in place, because a) no single solution can fully protect against Sybil attacks; and b) using multiple mechanisms can make the system more resistant to different types of attacks.
Despite the efficacy in the Cost of Forgery approach, if the total cost of forgery in the system is equal to the amount of capital in the system, then only wealthy individuals may have access to identities. This presents a potential challenge of creating plutocratic outcomes without paths to avoid them. Therefore, it’s crucial to prioritize verification mechanisms that include individuals with lesser means. Financial status shouldn’t determine access to identities.
Any anti-Sybil scheme can be cracked at some cost, so the focus should be on determining the acceptable level of fraud; it should be more efficient for individuals to obtain anti-Sybil verifications through proper channels rather than purchasing them on the gray or black market. While the Cost of Forgery should be kept high to deter adversaries, it’s essential to strike a balance to avoid making it difficult for legitimate users to obtain verifications.
Here are some compelling applications that highlight the utility of the Cost of Forgery for project owners:
It’s important to note that Sybil-resistant identity systems are still prone to collusion attacks (bribery). For an ideal system, TCB (Total Cost of Bribery) and TCF (Total Cost of Forgery) must be greater than the amount of rewards that are available to citizens of the system to exploit it. While cost-based metrics are essential in combating forgery, they’re not always the most effective way in preventing it: adversaries may be willing to incur the Cost of Forgery if the potential non-financial benefits outweigh the cost. For instance, an adversary who wants to promote their own project or agenda may be willing to spend the time and resources to create multiple fake identities, even if the Cost of Forgery is high. Additionally, adversaries with significant financial resources may be more willing to incur the high costs in order to gain access to valuable resources or privileges.
Luckily, there are other mechanisms that help us reduce these surface areas (pairwise dampening, MACI, cluster mapping, etc.), and Gitcoin recognizes it’ll take a plurality of solutions to stay ahead of the curve.
Cost of Forgery offers communities more granular and intuitive ways to design Sybil resistance for security, efficiency and scalability. When combined with a self-sovereign and privacy-preserving protocol, Cost of Forgery can provide much-needed plurality to ensure identities are singular and unique.
We’d love to gather feedback from the community on a cost-based metric to combat forgery. If you use Gitcoin Passport for your dApp or intend to integrate it, let us know how the Unique Humanity Score compares to the Cost of Forgery. Lastly, with advancements in technology, certain mechanisms (such as reverse Turing tests) for Proof of Personhood have become susceptible to AI-enabled breaches. This could likely have a non-trivial impact on the approach to the Cost of Forgery.
Join and share your thoughts on the Gitcoin Passport Builders Telegram.