Sybils can exploit decentralized communities' reward systems by distributing their influence across multiple identities. This can lead to a single malicious actor accumulating a significant portion of the resources or rewards, skewing the distribution away from genuine participants. In this case study, we review how Gitcoin Passport fortified CyberConnect’s loyalty program, enhancing security and enabling a sharper focus on genuine participants.
CyberConnect is a web3 social network that enables developers to create social applications empowering users to own their digital identity, content, connections, and monetization channels. Developers can build innovative social applications where users own their identities and data while creators can grow their audiences in a fairer and decentralized environment. Messari, Rarible, 1inch, and BNB Chain, along with 2,500 projects and 1.2M users and creators are building long-lasting connections through apps built on CyberConnect.
In March 2023, CyberConnect launched FanClub, a loyalty program to recognize and reward quality engagement by its community members on both on-chain and off-chain channels. The program rewards daily and weekly points to users for their contributions in the following categories: Twitter Engagements, CyberConnect Protocol Engagements, and Referrals. Points can be redeemed for tickets to participate in weekly raffles.
The team consistently encountered Sybil attacks that led to an unfair distribution of the weekly reward pool. In one instance, a single address 0x82…43a4 funded gas fees to over 1,700 addresses in early April, allowing each address to purchase seven raffle tickets every week. Without intervention, this Sybil account could have amassed over 11,000 tickets and won 5,000 mini-shards (a collectible reward) from the raffle every week.
The CyberConnect team initially focused on identifying Sybils using data from Link3, a web3 social network built on the CyberConnect protocol. Many Sybil accounts were identified based on bulk invitations, similarity of handles for user profiles and email addresses, and synchronized actions for activities such as registration, login, minting, and joining FanClub. In addition, the team introduced onchain criteria such as lack of transactions on Mainnet, gas on Binance Smart Chain originating from a single transfer or a contract, and accounts that have received mini-shards (a form of collectible) from multiple addresses.
These results obtained through automated tools were manually reviewed weekly, allowing the team to ban obvious Sybil accounts. However, the manual review process was time-consuming.
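The onchain criterion described above, gas arriving from one common funder in a single transfer, can be checked by clustering program participants on their first funding transfer. This is an added example, not CyberConnect's or Gitcoin's code; the transfer records, addresses, service allowlist and cluster threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed native-token transfers, not real chain data: (block, sender, recipient).
TRANSFERS = [
    (100, "0xfunder", "0xa01"), (101, "0xfunder", "0xa02"),
    (102, "0xfunder", "0xa03"), (103, "0xfunder", "0xa04"),
    (104, "0xexchange", "0xb01"), (105, "0xexchange", "0xb02"),
    (106, "0xexchange", "0xb03"),
    (107, "0xfriend", "0xc01"),
    (108, "0xa01", "0xc01"),    # later transfer; first funder of 0xc01 stays 0xfriend
    (109, "0xother", "0xa04"),  # 0xa04 receives a second inbound transfer
]

# Constructed participant set for the loyalty program.
PARTICIPANTS = {"0xa01", "0xa02", "0xa03", "0xa04",
                "0xb01", "0xb02", "0xb03", "0xc01"}

# Hypothetical allowlist: exchange hot wallets fund many unrelated users,
# so a large fan-out from them is not evidence of a single operator.
KNOWN_SERVICES = {"0xexchange"}


def first_funders(transfers):
    """Map each recipient to (first sender, number of inbound transfers)."""
    first, inbound = {}, defaultdict(int)
    for _block, sender, recipient in sorted(transfers):
        first.setdefault(recipient, sender)  # earliest block wins
        inbound[recipient] += 1
    return {r: (first[r], inbound[r]) for r in first}


def funding_clusters(transfers, participants, min_size=3, allowlist=KNOWN_SERVICES):
    """Group participants by first gas funder; return clusters for manual review."""
    clusters = defaultdict(list)
    for addr, (funder, n_inbound) in first_funders(transfers).items():
        if addr not in participants or funder in allowlist:
            continue
        # Criterion from the text: gas originating from a single transfer.
        if n_inbound == 1:
            clusters[funder].append(addr)
    return {f: sorted(a) for f, a in clusters.items() if len(a) >= min_size}


if __name__ == "__main__":
    for funder, addrs in funding_clusters(TRANSFERS, PARTICIPANTS).items():
        print(f"review: {funder} funded {len(addrs)} participants: {addrs}")
```

The output is a review queue rather than a ban list: a cluster only says that the addresses share a funding source, which is why the allowlist and the weekly manual review still matter.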
After the CyberConnect team noticed many Sybil-like activities, they integrated Gitcoin Passport to ensure that rewards are distributed fairly. As a solution, the project divided the reward pool into a Main Pool and a Side Pool. Additionally, the team introduced a Credit Point system to differentiate human users from bots. Users with 24+ Credit Points can access the Main Pool and share most rewards. The Credit Points combine the Gitcoin Passport score and other qualifying user attributes based on weights as follows:
Gitcoin Passport passing score: Up to 100
Link3 profile completion with an avatar, display name, basic info: 1.67
Paid CyberProfile: Up to 3.34
Link3 event W3ST holding: Up to 6.68
The optional requirement for a paid CyberProfile and W3ST (Web3 Status Tokens) holding elevates the cost of forgery for attackers with a low Gitcoin Passport score. In combination, the Credit Point system keeps costs low for legitimate users. Users with 24 or more Credit Points have their raffle tickets automatically entered into the Main Pool. All other users' raffle tickets enter the Side Pool.
The seamless integration with Gitcoin Passport has led to enhanced efficiencies:
CyberConnect utilized a built-in, battle-tested Sybil detection mechanism in the form of Passport Score while augmenting this mechanism with the Credit Point system to protect the interests of long-time community members. Passport’s streamlined API lets developers integrate easily, saving time and money while gaining access to defenses built on years of institutional experience safeguarding the Gitcoin Grants program.
For more information on Gitcoin Passport, you can access the Passport Documentation or join the Gitcoin Passport Builders Telegram if you’re interested in getting help from the Passport team in integrating Passport into your project or community.