Open JacerMrs opened 5 months ago
@chaos lab, Aren't you going to add these addresses? These are also witch addresses, which are a cluster.
Filtered addresses count: 1365
Remaining addresses count: 60
0x42f22ab5ec2f2d77aa76a2da067d910b3f208097
0xef9cd032a3d1e61a618e7e1c8bab7ea1d1965c69
0x63d61a59d833192b1e8da13fd69bc4428b974724
0x71b36b6a1e756529a27eaa4e25dbf71f2b7ca183
0xad41144974a1e94b4eb57a0c7004c9bea41e498e
0x5b476a49fa831734c3369be8839355b22727b91e
0x1cddf2adef520a9694555836b7d2531db2e4d798
0xa6948fa5e957119d6d4ce20890925c3861c8267e
0x79991e5fa0e91e54eec25bc4908ee1277c164d18
0xe6f19cf6adc9e49b7aee95b2365982c9118c0782
0x3ac97dd4a204b4961c49f96577f84c4778e21834
0x83b7f7773e77483aa2318a459be164f90b3a2006
0x32ba20f072db110e648e03d4319987c223e35ad0
0x2aa7b46ff07238028c74405812c2effd69c22bcb
0x3cd405b46283af690633d08caf8f4378ed10a312
0xddf827a598feb114c54eb8e42af028e5613af3e7
0x93c82360f2e92441f6b1e8c16b30dd436589ec24
0x7f6a4fd43f76794e5364ec83c486ad695d933f04
0xb4840ecfee38411206a5cdc5043e88205250e4af
0x408951c4adc7cc7f4999164dce193a9787f8f52e
0xb952831bc61fa5d59033c707917b42badc7f68d1
0xa36de622f744c33cf77fcc88ad944363171f90cb
0x616095f0c5c4794d282b33acd334605f1fabbbcf
0xe77fe5833b948474b3bc1b0f537c0a8dc3589924
0xb3521856fb854400553774418be85d74b8e2ab00
0xedabff31be0cd5f35c3a5a215f8b4f83fa0413bc
0xf484da281d4ba200c9d0614330ee87d8430a14d2
0x328945cf70e17b3ed5a02efacd04635b4cd2e35c
0x8098ea312c8ff6f76bc3cde2403507b2aac34d41
0x5f7782eeb8e73859992ffdc04cdd4c8996c35b86
0xa4145eb0081e169c87eadd2790fd6b403cc41d39
0xacecb8833b715cf8312c8c5845b84905b5fbc5ca
0x38f307228e7dd78cf5474307cba045bc585b00ed
0x028a4e3d33613a74ed0746d255d4f203e1011fa7
0x04dafc2546c2e889bcf6157e871b1fe9e4e9bbbc
0x96cb2ff89a9d4633cdc4b0a637453c989379d4d5
0x51ef9225a79910f8f8cc9b930f929c775c609298
0xaede3fbff13a91eab74b906f2d61fb259fc78afb
0x9d71d3150e09a3b3d4f27b60fcab5740ea3f7192
0x31a607f264517488842cca3c0e20a26d329f4383
0x67d5ab09fd08b0003f3ee5e8e2e464d5cdfc2044
0x78c91d0d3a2bf8518d4f5ea70f710828adde0bdc
0xa59eb3cfd0785affb0dbc1652dacac286387fbdf
0xa17d29d8470b3beae9e244f52a0fecc6697b384e
0xfbb8def6516fbfd689ee737df0ee34c6e40231a6
0x16bb302f8578a436ff274fe34855cfe3ae220bdc
0xab0efe673dad49fe2deb19f2c41744e67d3ce91a
0x50a64ecc60830b64a3190e5accb675716c1402d0
0xddbdc9309427cdbd31d425c6f42d6a45f011564e
0x63f088821abef7ae14b4fa9d08d5a065c2a9e9dd
0x6f4bf0ebd6f3b880fb4078d1eaed5966660c2ef3
0x3e1e3b7ecd981692c97fecf46f5fbb3f4a6b4a52
0xf1ed3994368965c9342c3676ed94d3b159127c16
0xf34f50a6c3123025eb268990831f755eca8a6a07
0x266a1d50621fe9bf13045f7500bd5709e59c6c66
0x9955283e439df2ab508397ca76eda829d5e13103
0x630ba6d413efc945d0142cd7ef5d73e8cffe97bc
0x46a926d8a652b890f2d8f9c65ba4f53861f771f1
0x76d340fced1ae63b809d58d084e0975c032ef8dd
0x2f3f32ee54db724ec3d73b7d4c4b2babbc48d03f
To produce the above results, just change the following parameters and run it. Change begin_time from 2024-04-16 00:00 to 2024-04-19 00:00 Change end_time from 2024-05-02 00:00 to 2024-05-01 00:00
still 60 addresses that do not appear in provisionalSybilList3.0, They even received the same number of airdrops, both over 60.
Hello, I am the author of this report(https://commonwealth.im/layerzero/discussion/18002-sybil-attacker-report) and it has been reviewed and appears in the final list just released(Line 584543: https://commonwealth.im/layerzero/discussion/0x9e042a2129f73E45A5aD975d9669029a954dBC31,Cluster_1,0x010da8535d0b75d95de9194e9d56526a62e470b6)
I now have strong evidence that the following addresses are Sybil addresses (not in the final report) and are a cluster of more than 1,000 accounts. These addresses were originally in the initial list, but some were removed from the final list just released, so I think it is necessary to report these addresses. The reason I didn't report it earlier is because I found them all on the initial list.
Sybil Addresses
1140 addresses In the same cluster
900 Reported address
240 Unreported address
Reasoning
Methodology
I created multiple SQL statements and generated multiple query results charts on https://dune.com/huntingforyou/lz-sybil. After continuously adjusting the model parameters, the input parameter settings for hunting one of the sybil attacker clusters are as follows:
All the data displayed in the charts is filtered by the above conditions,
lz-sybil-min_amount_original
shows a list of addresses arranged in ascending order according to the value ofmin_amount_original
. The value ofmin_amount_original
means the minimum amount in all cross-chain transactions using ETH.input_days_interval
represents the number of days of the input parameter difference,active_days_count
represents the number of active days among these difference days. According to the SQL codedate_diff('day',CAST('{{begin_time}}' AS timestamp), CAST('{{end_time}}' AS timestamp)) = active_days_count
here, their values are equal. As shown in the chart, the min value ofmin_amount_original
in all wallets is 0.01165197ETH when cross-chain ETH. So far, we have 1177 Sybil addresses.lz-sybil-max_amount_original
shows a list of addresses sorted in descending order by the value of max_amount_original, which is the maximum amount in all cross-chain transactions using ETH. As shown in the chart, the max value ofmax_amount_original
in all wallets is 0.0199864ETH when cross-chain ETH.lz-sybil-warmup
, we can draw the following conclusions a. The value of warmup_txs_count is in [3, 8]. b. Most of the warmup_days are less than 1 day, and others are also within 2 days.Running the SQL statements gets the query results of
lzsb-age-source-des-txs
andlzsb-user_stat-on-age-source-des-txs
, and we get the number of Sybil addresses so far is 1140.a. Fetch all 1140 addresses from code below, store results to file
addresses.txt
api_key = 'Your-Dune-API-KEY' query_id = 3834373 url = f'https://api.dune.com/api/v1/query/{query_id}/results'
headers = {'X-Dune-API-Key': api_key} params = {"limit": 2000}
response = requests.get(url, headers=headers, params=params)
if response.status_code == 200: with open('addresses.txt', 'w') as fout: for row in response.json()['result']['rows']: fout.write(row['user_address'] + '\n') print('Success to fetch data') else: print(f'Failed to fetch data: {response.status_code} - {response.text}')
Output Csv File: filtered_results_dask.zip, From the PROJECT column of this file, we can see that all addresses use those and only those protocols listed in the 5. Section of Reasoning Part.
c. Analyze the time when each address first used a certain protocol. Note: Aptos Bridge records all times and uses the latest timestamp for comparison. The main purpose is to form a group with l2telegraph, which requires the latest timestamp.
Output Csv File: wallets_project_first_occurrences.csv
For each address, its Is_Sequential field value is TRUE, we can conclude the order of using protocols is ['Angle', 'Harmony Bridge', 'CoreDAO', 'L2Marathon'] -> ['l2telegraph', 'Aptos Bridge'] -> 'Gas.zip'. Of course, there are a lot of Stargate protocol throughout the cycle.
Reward Address
0x9e042a2129f73E45A5aD975d9669029a954dBC31
Additional Notes
I was originally going to report over 1500 Sybil addresses, but since I saw PrimordialAA@twitter said that high trust was required, I made the criteria quite strict.
In addition, these addresses are also suspected of farming on ZKSync.