hop-protocol / hop-airdrop

Hop Airdrop distribution 🐰

Sybil Attacker Report #308

Closed stabiloswano closed 2 years ago

stabiloswano commented 2 years ago

Related Addresses

0xec561dd73346f761d1c09f46999bc8ea1b1e95a2 0x99d6d24012361620bfa1a3f16d4e745066fc7c69 0xf935861a8b8cc6867eeb463d97b501c69d177092 0x42acf5773af88b0e49f413e10edf9bcef93c3805 0xc5ba2b86292a73830cfe7619f24f4fcab66e398b 0xce9cc2efb00a730009346b173045dba73fd3327c 0x48f73a47f17a374ba42253c665bd8389f2efdd31 0x15446371fe06e86fcd27b1f567491a3eee9c238e 0xdf23d6fd44249716a515bdddc81b82c18b915345 0xe6318ac14dc1235e01af21d354088118e15783ba 0x78e95eabc4f0115e87825e20ef040ad89d973f0d 0x3cbf5a2ad28271f6ec30e0d891905e663b78b865 0x91d87e8ba48a0e40f7913305792541191f92404e 0xf81d02a2797afd51c71225b07076f87b29bca025 0x6dae9dc6ee8a4e28dabb1acb019ae9bd4c7dd928 0xb08e71a3c5472d30a571dc0f04691d13611f7ae0 0x5c600f23e2c4dd1b7f65878f04709b6b06ec1678 0x58f1a54de7db6524be839ebb88cdda120df44274 0x6a82e96360153cd5982e6283e4c6a8af23ec7dce 0x4728c69e5530083656595113c7d9906ba481335b

Reasoning

Summary: Sybil cluster of 20 addresses. All addresses interacted with an NFT contract in a way that can only be interpreted as a sybil attack. In addition, the addresses are connected by direct transactions on Polygon.

Methodology

There is a pretty massive network of connected addresses on Polygon (+1000 addresses all eligible for HOP airdrop), but there are no obvious patterns of sybiling, so I started digging deeper. I chose 1 NFT contract and investigated how the addresses of the big network interacted with the contract.

I started by investigating direct tx connections between addresses in the +1000 address network that interacted with the GENBAG NFT contract on Polygon (https://polygonscan.com/token/0x48d43e82831a5667658176c5c818ad539119e4e4). 122 addresses from the +1000 network have interacted with GENBAG.

[image]

A network of 28 addresses that are directly connected to each other by tx's was found. A closer look at it below:

[image]

Next I inspected how the clustered addresses interacted with the NFT (EDIT: interaction as in ERC721 tx) and found the following (first_datetime is datetime of first interaction with the NFT, last_datetime is the last interaction datetime and time_first_to_last is the duration between in hours):

[image]

The GENBAG contract was created on Jan-25-2022 08:03:54 PM +UTC and the first minting event was on Jan-26-2022 12:00:52 AM +UTC (https://polygonscan.com/tx/0x6e38020129e2bd9eed3c4774a79a1d1032eae9ab4c68c4c1cfb2461e27a85cb7), so it makes sense that most of the first interactions have happened pretty close to the start of minting. However, the time between first and last interaction is a clear indication of sybiling here. 20 addresses interacted with GENBAG between 2022-01-26 00:00:58-00:04:58 and all of them had their last interaction between 2022-03-01 05:00:35-06:31:49, so about 820 hours between first and last interaction. Here's the distribution of GENBAG interaction duration for all addresses in the +1000 cluster (not all addresses in it interacted with GENBAG):

[image]

The major spike at 820 hours is an anomaly in the distribution and the reason for the spike is one person operating 20 addresses.

Rewards Address

0xBCCD7DF161C0d155D3E56D8C57Cc31C185217546
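
The two steps of the methodology in the report above (grouping addresses by direct transactions, then comparing each address's time_first_to_last) can be sketched as follows. This is an added example, not the reporter's analysis code; the wallet names, timestamps, the 10-hour bin width and the minimum group size of 3 are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

def components(edges):
    """Connected components of the undirected direct-transfer graph (union-find)."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for a, b in edges:
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for node in list(parent):
        groups[find(node)].add(node)
    return list(groups.values())

def span_hours(events):
    """(address, ISO time) per ERC-721 transfer -> {address: time_first_to_last in hours}."""
    seen = defaultdict(list)
    for addr, ts in events:
        seen[addr].append(datetime.fromisoformat(ts))
    return {a: (max(t) - min(t)).total_seconds() / 3600 for a, t in seen.items()}

def duration_clusters(edges, events, bin_hours=10, min_size=3):
    """Per connected component, group addresses whose first-to-last duration shares a bin.
    The first timestamp alone is not used: every minter shares the same mint window."""
    hours = span_hours(events)
    found = []
    for comp in components(edges):
        bins = defaultdict(list)
        for addr in comp:
            if hours.get(addr, 0) > 0:  # skip addresses with no or a single event
                bins[int(hours[addr] // bin_hours) * bin_hours].append(addr)
        found += [(b, sorted(a)) for b, a in bins.items() if len(a) >= min_size]
    return sorted(found)

# Constructed sample data; wallet names and timestamps are illustrative only.
EDGES = [("w1", "w2"), ("w2", "w3"), ("w3", "w4"), ("w5", "w6")]
EVENTS = [
    ("w1", "2022-01-26T00:01:00"), ("w1", "2022-03-01T05:10:00"),
    ("w2", "2022-01-26T00:02:30"), ("w2", "2022-03-01T06:00:00"),
    ("w3", "2022-01-26T00:04:00"), ("w3", "2022-03-01T06:30:00"),
    ("w4", "2022-01-26T00:03:00"), ("w4", "2022-01-28T12:00:00"),
    ("w5", "2022-01-26T00:02:00"), ("w5", "2022-03-01T05:30:00"),
]
print(duration_clusters(EDGES, EVENTS))
```

Fixed-width bins can split a group that straddles a bin boundary, so a flagged bin is a lead for manual review rather than a verdict.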

shanefontaine commented 2 years ago

Thank you for your report, @stabiloswano. We have verified that the addresses in this report are Sybil attackers.

The report included 20 eligible addresses as Sybil attackers which means you are eligible for 6315.559681513708732175 HOP! When Hop DAO is live, we will make a proposal for this reward — subject to a 1 year lockup, as mentioned in the original Mirror post.

The qualified addresses are as follows:

shanefontaine commented 2 years ago

In addition to the data you provided, we also see further evidence:

  1. Almost all of the addresses performed an Orbiter Finance transaction with approximately the same amount on approximately the same day (May 7) on Arbitrum.
  2. Every address has nearly identical behavior on the Optimism testnet (as well as other testnets)
  3. Their behavior on Hop protocol is pretty similar:

| address | ensName | total | mainnet | arbitrum | optimism | polygon | xdai | totalVolume |
|---|---|---|---|---|---|---|---|---|
| 0x99d6d24012361620bfa1a3f16d4e745066fc7c69 | | 17 | 2 | 0 | 0 | 7 | 8 | $29,392.63 |
| 0xf81d02a2797afd51c71225b07076f87b29bca025 | | 22 | 1 | 0 | 3 | 6 | 12 | $27,563.76 |
| 0x91d87e8ba48a0e40f7913305792541191f92404e | | 17 | 0 | 0 | 0 | 13 | 4 | $25,455.87 |
| 0x42acf5773af88b0e49f413e10edf9bcef93c3805 | | 19 | 0 | 0 | 1 | 11 | 7 | $21,246.90 |
| 0xf935861a8b8cc6867eeb463d97b501c69d177092 | | 20 | 0 | 0 | 0 | 9 | 11 | $20,946.36 |
| 0x3cbf5a2ad28271f6ec30e0d891905e663b78b865 | | 16 | 0 | 0 | 0 | 6 | 10 | $13,041.64 |
| 0xb08e71a3c5472d30a571dc0f04691d13611f7ae0 | | 18 | 0 | 0 | 0 | 16 | 2 | $12,570.48 |
| 0x6dae9dc6ee8a4e28dabb1acb019ae9bd4c7dd928 | | 17 | 0 | 0 | 0 | 14 | 3 | $12,553.91 |
| 0xec561dd73346f761d1c09f46999bc8ea1b1e95a2 | | 21 | 1 | 0 | 2 | 11 | 7 | $12,483.27 |
| 0xc5ba2b86292a73830cfe7619f24f4fcab66e398b | | 21 | 0 | 0 | 0 | 5 | 16 | $12,261.28 |
| 0xce9cc2efb00a730009346b173045dba73fd3327c | | 19 | 0 | 0 | 0 | 5 | 14 | $11,657.23 |
| 0x15446371fe06e86fcd27b1f567491a3eee9c238e | | 21 | 0 | 0 | 0 | 10 | 11 | $11,081.57 |
| 0x48f73a47f17a374ba42253c665bd8389f2efdd31 | | 18 | 0 | 0 | 0 | 9 | 9 | $10,619.86 |
| 0x6a82e96360153cd5982e6283e4c6a8af23ec7dce | | 13 | 0 | 0 | 0 | 12 | 1 | $9,565.39 |
| 0xe6318ac14dc1235e01af21d354088118e15783ba | | 14 | 0 | 0 | 0 | 7 | 7 | $9,484.25 |
| 0x78e95eabc4f0115e87825e20ef040ad89d973f0d | | 14 | 0 | 0 | 0 | 7 | 7 | $9,410.33 |
| 0x58f1a54de7db6524be839ebb88cdda120df44274 | | 11 | 0 | 0 | 0 | 10 | 1 | $7,664.77 |
| 0x4728c69e5530083656595113c7d9906ba481335b | | 13 | 0 | 0 | 0 | 12 | 1 | $6,818.33 |
| 0x5c600f23e2c4dd1b7f65878f04709b6b06ec1678 | | 10 | 0 | 0 | 0 | 10 | 0 | $6,717.96 |
| 0xdf23d6fd44249716a515bdddc81b82c18b915345 | | 14 | 0 | 0 | 0 | 6 | 8 | $5,014.94 |

gaona20 commented 2 years ago

Dear sir: This is a wrong report. 4 of the addresses belong to me and I am not associated with the others. GENBAG only gave 5 minutes to mint, so the interaction time is the same and normal. The pre-sale of GENBAG is in the form of a blind box. The time for everyone to open the blind box for the first time must be the same. And the last interaction time is not the same, and the time span is quite large. And add: 0xec561DD73346f761d1C09f46999bc8Ea1b1E95a2, it is my real friend. We have occasional transfers. I checked this address, and I have not interacted with op, prep, gal and other items, and the interaction methods are also different. Arbitrum is a well-known project. Everyone knows about airdrops, and it is unreasonable to judge based on transactions. There are many communication communities, and it is normal for everyone to have similar transactions and interactions. It is unreasonable to simply judge my account as a Sybil attacker. I am a user who has really used hop products and spent a lot of time and money on this product. If this reporting behavior does not stop, it will hurt a large number of loyal users. I hope the project side will check it again and stop this erroneous reporting behavior immediately. Thank you. My address: 0x5c600f23e2c4dd1b7f65878F04709B6B06EC1678 0x58F1a54de7DB6524bE839Ebb88cddA120Df44274 0x6a82E96360153CD5982E6283e4C6A8Af23Ec7dCE 0x4728C69e5530083656595113c7d9906BA481335b

shanefontaine commented 2 years ago

@gaona20 It looks like there are many other similarities between the addresses you posted and the other addresses in that group.

For example:

Because of this, and many other data points, your addresses meet the definition of a Sybil attacker.

gaona20 commented 2 years ago

Dear sir: Add: 0xec561DD73346f761d1C09f46999bc8Ea1b1E95a2, it is my real friend. We often exchange projects together. Because I was new to web3 last year, I followed him on many projects, so we will have similar behavior. But we also have different behaviors, for example, ENS/BICONOMY/GALAXY and some other projects. If it's a one person operation, why don't I do these more famous projects? The FTM testnet is based on the strategy, and the behavior of the people who have done it is consistent. So I implore you to think about it again, check again, not just seeing the same behavior, but not seeing a different behavior. Thank you

zsandwf commented 2 years ago

Hello, sir: I am the 0xec561DD73346f761d1C09f46999bc8Ea1b1E95a2 address holder. 0xF81D02a2797AfD51C71225B07076f87b29bCa025 0x99d6d24012361620Bfa1a3f16d4e745066fC7c69 0xf935861a8b8cc6867Eeb463D97b501c69D177092 0x42acf5773Af88b0e49f413E10edF9bcEf93C3805 0xC5Ba2B86292a73830CfE7619f24f4FcaB66E398b 0xCe9cc2efb00a730009346B173045DbA73fd3327c these addresses are mine too. But I am not a sybil attacker, pls recheck those addresses. First, those addresses are real users. I crosschain over five chains (ETH, OPT, AVAX, MATIC, BSC, XDAI, FTM). WHY? Because I am a real user, I cross my usdc or xdai to another chain for defi and test. If I were an attacker, I would choose a cheaper chain and swap many times; this way would save more time and more gas. Second, these addresses have staked LP for a long time, which is different from other sybil attackers, who will used IP to attacker? Third, I used over 10K usdc to transfer and test more chains, and these crosschain transfers are not at the same time, pls recheck it. I use the product more attentively than most users. In the end I was defined as a sybil attacker. It is unfair for early contributors.

Check it again. Don't let your customers leave your product, thank you!