search

hop-protocol / hop-airdrop

Hop Airdrop distribution 🐰
176 stars 218 forks source link

Sybil Attacker Report #579

Closed rchen8 closed 2 years ago

rchen8 commented 2 years ago

Related Addresses

0x067767cc3f620a63f43bf937aaf550e21835bfd3
0x156e6c5a2fac34bb2fcf2ac1bbaa0e75bde3ac4f
0x1af20e3a07319b986cd7f35c60e74d2c74f49fc0
0x1e8cad4a817b6a6ca8a5b63aa0cc39e2b48b78f7
0x25955561740ee18502b1a329a664c2cd77b23e48
0x3c467f871517363a5b32b894d07dadb7de5232f7
0x3e8f7fef4a277a5866956f6fd31a8d53f9d74e69
0x600ff523c83fb5010afaff6ce6f1fce6f35b2bb4
0x67922a9561423548a9ccfd67ad80d6c637c26bfe
0x690aacaba31bd5e2cc7abe83541f2370efb6ec2d
0x72b3ba62ece7f9086ecf0df80bd121bb53b88871
0x795f50722cf5ad82f78dda8dc8f7b235332977c3
0x993b0af94d3e816aaa5e32381ed0ab30ad216bc9
0xc6a5f848ec2a149a230d4a8d2496e111ee492529
0xe989f0bda987e9205355fbd7823c98e6fa0d4694
0xefd718e07b10db1f1400f0db6346b99fbbbf02e5

Reasoning

Screen Shot 2022-05-22 at 8 11 59 AM

All 16 addresses belong to the same connected subgraph component, where the edges are Arbitrum transactions between addresses. 0x679 is the master node that funds the various clusters of addresses that are Sybil farming the airdrop.

Date # Addresses
2021-10-23 4
2021-09-23 4
2021-11-11 4
2022-01-22 2
2022-01-21 2
2022-02-14 2
2021-11-12 2
2022-04-22 2
2021-12-07 2
2022-02-02 2
2022-04-01 2
2022-02-06 2
2021-10-13 2
2021-11-09 2
2021-10-01 2
2021-10-12 2

Consider a few examples of such clusters. On 2021-10-23 four addresses ping pong transfer either ~0.24 ETH between Arbitrum and Optimism or ~147 USDC between Arbitrum, Gnosis, and Polygon.

'0x600', 'Arbitrum', 'Optimism', '0.2491', 'ETH'
'0x600', 'Gnosis', 'Arbitrum', '146.0063', 'USDC'
'0x600', 'Polygon', 'Arbitrum', '147.8743', 'USDC'
'0x067', 'Arbitrum', 'Optimism', '0.2391', 'ETH'
'0x067', 'Gnosis', 'Arbitrum', '135.4549', 'USDC'
'0x067', 'Polygon', 'Arbitrum', '149.5040', 'USDC'
'0x1af', 'Arbitrum', 'Optimism', '0.2391', 'ETH'
'0x1af', 'Gnosis', 'Arbitrum', '149.3963', 'USDC'
'0x1af', 'Polygon', 'Arbitrum', '147.8711', 'USDC'
'0xefd', 'Arbitrum', 'Optimism', '0.2491', 'ETH'
'0xefd', 'Gnosis', 'Arbitrum', '146.3870', 'USDC'
'0xefd', 'Polygon', 'Arbitrum', '145.8731', 'USDC'

On 2021-11-11 four addresses ping pong transfer 1.12-1.17 ETH between Polygon and Arbitrum.

'0xe98', 'Polygon', 'Arbitrum', '1.1263', 'ETH'
'0x72b', 'Arbitrum', 'Polygon', '1.1782', 'ETH'
'0x795', 'Polygon', 'Arbitrum', '1.1761', 'ETH'
'0xc6a', 'Arbitrum', 'Polygon', '1.1782', 'ETH'
Address Total Ethereum Arbitrum Optimism Polygon Gnosis USD
0x156e6c5a2fac34bb2fcf2ac1bbaa0e75bde3ac4f 25 13 16 4 17 0 376716
0x67922a9561423548a9ccfd67ad80d6c637c26bfe 24 12 21 2 13 0 272478
0x3e8f7fef4a277a5866956f6fd31a8d53f9d74e69 11 5 5 4 8 0 152449
0x993b0af94d3e816aaa5e32381ed0ab30ad216bc9 5 3 3 1 3 0 128579
0x795f50722cf5ad82f78dda8dc8f7b235332977c3 11 5 8 2 7 0 118449
0xc6a5f848ec2a149a230d4a8d2496e111ee492529 6 5 4 1 2 0 57853
0x3c467f871517363a5b32b894d07dadb7de5232f7 14 8 9 0 11 0 36943
0x25955561740ee18502b1a329a664c2cd77b23e48 9 8 2 2 6 0 29059
0x690aacaba31bd5e2cc7abe83541f2370efb6ec2d 3 0 2 1 3 0 22539
0x1e8cad4a817b6a6ca8a5b63aa0cc39e2b48b78f7 3 1 3 1 1 0 13423
0x72b3ba62ece7f9086ecf0df80bd121bb53b88871 2 0 2 1 1 0 8794
0xe989f0bda987e9205355fbd7823c98e6fa0d4694 2 1 2 0 1 0 7234
0x600ff523c83fb5010afaff6ce6f1fce6f35b2bb4 7 0 7 2 3 2 4938
0xefd718e07b10db1f1400f0db6346b99fbbbf02e5 7 0 7 2 3 2 3347
0x1af20e3a07319b986cd7f35c60e74d2c74f49fc0 7 0 7 2 3 2 3318
0x067767cc3f620a63f43bf937aaf550e21835bfd3 6 0 6 2 2 2 1736

Methodology

maxresdefault

I implemented the Union-Find algorithm, which is a famous graph algorithm that gets all of the connected subgraph components in O(1) time. The nodes in the graph are from the most up-to-date list of eligible airdrop addresses. The edges in the graph are from using Covalent's API to find transactions that connect between these addresses.

Finding the timestamps of Hop transactions per address is done using the Hop Explorer and reverse engineering their API so I can automate it. :)

Rewards Address

0x9bb82fbf10cF4959909BAB9bE07805bd1d28D04A

shanefontaine commented 2 years ago

Thank you for your report.

Unfortunately, none of these addresses are eligible. All eligible addresses are here.

Would it be possible to provide additional information about these addresses to prove that they are all related. The central node is great, but the behaviors of many addresses are different enough to make it difficult to say with confidence that they are related.