safe-global / safe-user-allocation-reports

The proposed list of SAFE user allocations has been published on the Safe forum.
Creative Commons Zero v1.0 Universal
34 stars 10 forks source link

Safe Airdrop Farmers by @KARTOD #442

Closed 0xKARTOD closed 2 years ago

0xKARTOD commented 2 years ago

Related Safe Addresses

List of addresses that have yellow 🟡 and green 🟢 score: See all info at Methodology part

green_and_yellow_addresses_reworked.csv https://dune.com/queries/1277996

List of addresses that have red 🔴 score:

red_addresses_reworked.csv https://dune.com/queries/1268823/2173773 ~ 500 addresses

All addresses list:

score_results_reworked.csv https://dune.com/queries/1262047/2162924

Reasoning

In this report we tried to analyze the addresses of airdrop farmers. All the data was obtained using the Dune Analytics database.

A ranking system was built for airdrop addresses based on the following parameters:

Of course, satisfying one of these points is not proof that the address is a farmer. For example I could create a Safe address in 2021, but have only 3-4 transactions during GIP-29. Therefore, a model for evaluating such wallets on a 100-point system was proposed.

Methodology

First of all, let us mention three important references to Dune query:

Using the query [2], let's look at the number of Safe addresses created by one wallet and build the distribution. In a recent tweet I already mentioned wallet 0x5769770f5efe8fb017fb09b6de3b2d096668377d - this address created 5900 Safe addresses in the period from early 2022 to August 18, 2022 (hereinafter - event period).

It turned out that during the period of this event:

Next, using the query [3], let's look at the activity considering all the official master copies (singlet) in the Ethereum main network:

  1. 0x8942595A2dC5181Df0465AF0D7be08c8f23C93af (0.1.0)
  2. 0xb6029EA3B2c51D09a50B53CA8012FeEB05bDa35A (1.0.0)
  3. 0xaE32496491b53841efb51829d6f886387708F99B (1.1.0)
  4. 0x34CfAC646f301356fAa8B21e94227e3583Fe3F5F (1.1.1)
  5. 0x6851d6fdfafd08c0295c392436245e5bc78b0185 (1.2.0)
  6. 0xd9db270c1b5e3bd161e8c8503c55ceabee709552 (1.3.0)
  7. 0x3e5c63644e683549055b9be8653de26e0b4cd36e (1.3.0L2)

Namely, the following parameters - the number of transactions during this period, fees spent on transactions and the relative fees ( Fees / number of transactions ). Gas spend on txs is a good indicator on how valuable a txs was for the executor at the time of the tx .

Thus, the following important data were obtained:

But now how do we determine what is the optimal number of transactions to determine the airdrop farmer? Is the creation of a Safe Address proof that it is a farmer? We need to come up with a system or methodology to measure activity, amount of gas spent, address creation in 2022, etc.

Let's make the following grading system, where the maximum is 100 points:

Why 1450 txs and 1.18 fees?

Let's first look at the number of transactions for each wallet. image We see that the maximum number of transactions is 2256, but further we see a big gap between the first and second address, between the second and third, that is up to values ~900 transactions distribution has dedicated steps, which is best to smooth. So the best we can do is to take the average of the first five addresses and get 1450. Similar steps are done for gas.

Changes:

Lots of feedback has been received directly on the forum, that is why we have changed the criteria and methodology for calculating the score.

Tx fees

First of all, we excluded gas from consideration in this methodology. First, because the price of gas varies depending on the period you want to consider. And secondly, not a few users simply save and wait for the right time when the price of gas is lowest, and only then make a transaction.

Related Safe Addresses

Let's go a little deeper into the Related Safe Addresses system and say that if, for example, the original wallet has two addresses, he gets a penalty of 5 points (30 before).

If the purse has three Safe addresses - penalty of 15 points If more than or equal to 5, then a penalty of 30 points And the highest penalty, if more than 100 Safe addresses - 45 points

Also, we took into account the two addresses: '0x9e0bce7ec474b481492610eb9dd5d69eb03718d5' - Tokemak address 0x5769770f5efe8fb017fb09b6de3b2d096668377d' - Staker App address We treat them and the related addresses as separate addresses

Transactions Added regular transactions such as "Transfer", not only official master copies. Instead of calculating something by formula, taking averages, and so on, let's just say the following:

We also add a couple of points for addresses that have more than 50 transactions

Difference in the time of Safe address creation

A new parameter to consider is the time difference in creating addresses (with the exception of Tokemak and Staker App). For example, if the same user creates two addresses 1 hour apart, is that suspicious? I think so. And what if it happens on one day, for example? - That's not so bad. So again we introduce a penalty system and calculate the minimum and average interval between the addresses for each original address. The query below will help us with this.

https://dune.com/queries/1261299

If the minimum difference is less than 1 hour - remove 25 points If 3 hours - 15 points

If the average is less than 5 hours and there is only one Safe address, another penalty of 5 points

Score calculation

Given that the maximum penalty will be 100 (if the address has more than 100 Safe addresses, has less than 1 transaction in the GIP-29 period, if there are additional Safe addresses and they were created less than 1 hour apart) the Score is now calculated as:

Safe Address

0x1B491d59846cb605A24a4690Df631946E52a2D0e

PulsarNetwork commented 2 years ago

"If the original address has more than 1 Safe address, it gets -30 points" rule is a big mistake

It goes against the principles of sybil hunting:

Methodology that has a non-negligible chance of eliminating legitimate users will not be considered. When in doubt, we opt for “this is legit usage”.

https://forum.gnosis-safe.io/t/community-challenge-identify-airdrop-farmers/847

0xKARTOD commented 2 years ago

"If the original address has more than 1 Safe address, it gets -30 points" rule is a big mistake

It goes against the principles of sybil hunting:

Methodology that has a non-negligible chance of eliminating legitimate users will not be considered. When in doubt, we opt for “this is legit usage”.

https://forum.gnosis-safe.io/t/community-challenge-identify-airdrop-farmers/847

No rush sir. I'm working on that

PulsarNetwork commented 2 years ago

Regarding newly added criteria:

For example, if the same user creates two addresses 1 hour apart, is that suspicious? I think so. And what if it happens on one day, for example? - That's not so bad. If the minimum difference is less than 1 hour - remove 20 points If 3 hours - 10 points If the average is less than 5 hours and there is only one Safe address, another penalty of 5 points

This assumption is arbitrary and unnecessary. I think it's against the principles of this airdrop as the reworked airdrop rules by @tschubotz indicates:

Minimum value stored in Safes: No minimum value required now (was 1 ETH before) In the original proposal, Safes that stored 1 ETH over time were included. This restriction was removed since it again sets an arbitrary restriction. Instead, the number of tokens allocated will just consider the value stored over time, relatively.

https://forum.gnosis-safe.io/t/new-proposal-reworked-safe-distribution-for-users/594

It's preferred that no arbitrary restriction is set, otherwise some legit use cases are likely to get excluded or discredited.

0xKARTOD commented 2 years ago

Regarding newly added criteria:

For example, if the same user creates two addresses 1 hour apart, is that suspicious? I think so. And what if it happens on one day, for example? - That's not so bad. If the minimum difference is less than 1 hour - remove 20 points If 3 hours - 10 points If the average is less than 5 hours and there is only one Safe address, another penalty of 5 points

This assumption is arbitrary and unnecessary. I think it's against the principles of this airdrop as the reworked airdrop rules by @tschubotz indicates:

Minimum value stored in Safes: No minimum value required now (was 1 ETH before) In the original proposal, Safes that stored 1 ETH over time were included. This restriction was removed since it again sets an arbitrary restriction. Instead, the number of tokens allocated will just consider the value stored over time, relatively.

https://forum.gnosis-safe.io/t/new-proposal-reworked-safe-distribution-for-users/594

It's preferred that no arbitrary restriction is set, otherwise some legit use cases are likely to get excluded or discredited.

I think this might hint to us that this original address created a) multiple addresses and b) over a short period of time. But again - this does not directly indicate that the address is a farmer. If, for example, this address is active or has only 2 Related Safe Addresses

PulsarNetwork commented 2 years ago

我是创建了两个安全地址,第一个我觉得它尾数不好我又创建了一个,到目前为止我只用一个进行多签安全存款,难道这也有错?

someone said:

"I did create 2 Safe addresses. I don't like the ending digits of the first one so I created another. Up till now I only used one of these Safes for transactions. How is it bad?"

and I have some hypothesized use cases for creating multiple Safes within a short time frame.

(1) a fund manager creates Safes for multiple clients

(2) a DAO sets up multiple wallets. One for community funds, another for receiving investor payments, another for salaries, etc.

Please consider these valid use cases.

0xKARTOD commented 2 years ago

我是创建了两个安全地址,第一个我觉得它尾数不好我又创建了一个,到目前为止我只用一个进行多签安全存款,难道这也有错?

someone said:

"I did create 2 Safe addresses. I don't like the ending digits of the first one so I created another. Up till now I only used one of these Safes for transactions. How is it bad?"

and I have some hypothesized use cases for creating multiple Safes within a short time frame.

(1) a fund manager creates Safes for multiple clients

(2) a DAO sets up multiple wallets. One for community funds, another for receiving investor payments, another for salaries, etc.

Please consider these valid use cases.

Yeh, I see what u mean. Just because you have two addresses does not automatically include you as a farmer. All you get is a 5-point penalty, which is no big deal. As for DAO or manager - if these addresses were later active and made more than 3 transactions, there is also nothing wrong.

But with time, yes, I agree, there are several addresses that have 100 or more Safe addresses. Two of them we found are Tokemak and Staker. But as for the others, we have to do it manually and look for who owns these addresses.

PulsarNetwork commented 2 years ago

Thank you for your consideration. The point system can actually act as effective pre-filtering rules that help us identify suspicious wallets.

0xKARTOD commented 2 years ago

Thank you for your consideration. The point system can actually act as effective pre-filtering rules that help us identify suspicious wallets.

Yep, that make sense. Thanks for the feedback

Sean20216 commented 2 years ago

@0xKARTOD I am aslo feel weird about Gnosis team did, even though they knew that it would result in a lot of invalid addresses and farmers get airdrop, they also decided to change the minimum number of txs made count from 3 to 1 and no minimum value required. What happened after this new proposal passed? farmers make money, hunters make money, real users get taxed. I feel ironic about the team decided to lower the airdrop threshold without being able to exculde ineligible addresses.The minimum number of airdrop tokens that were dropped from 400 to 100, and the remaining 300 were given to farmers and hunters. The team did not benefit anyone by lowering the airdrop threshold, they just approved report so you may be labeled as a sybil attacker even if you only use third-party dapps and not use it send transaction yet.

Sean20216 commented 2 years ago

Is it possible to compensate for lowering the airdrop threshold by labeling ineligible addresses as sybil attackers?

0xKARTOD commented 2 years ago

Is it possible to compensate for lowering the airdrop threshold by labeling ineligible addresses as sybil attackers?

Do u mean addresses that have less that 5 or 3 or 2 transactions?

Sean20216 commented 2 years ago

@0xKARTOD yep, you will see a large amount Sybil attackers which just the addresses have less 3 transactions finally.These addresses Gnosis team should filter and exclude them by themselves, they are not Sybil attackers, but these addresses will be seen as attackers on other projects after this challenge done.

0xKARTOD commented 2 years ago

@0xKARTOD yep, you will see a large amount Sybil attackers which just the addresses have less 3 transactions finally. And these addresses Gnosis team should filter them by themselves, they are not Sybil attackers, but these addresses will be seen as attackers on other projects after this challenge done.

Of course, right now I'm trying to load all the Dune requests. This time I'm trying to focus on user activity - the biggest penalty is the lack of transactions - 50 points

skyonedot commented 2 years ago

Listen, in the statistical community, we have different measures for outcomes, such as AUC, ROC ... In Safe Sbliy Attack Detection, you need to consider the confusion matrix, which is the probability of misclassifying a good guy as a bad guy and the probability of misclassifying a bad guy as a good guy.

I'm 100% sure that the address you've determined here must be wrong, You need to be more granular about the same type of address, you know?

ww941019 commented 2 years ago

你的意思是只有6500个真实用户?多么愚蠢的提议杀死了大多数真正的用户

6500个是哪来的数据?

stringStar commented 2 years ago

That's stupid, if you want to catch a witch. Please show us the evidence of witches, which is not to exclude small capital users. If I only use your application once and become a witch, will I continue to use your application in the future? If you need to exclude users with small funds, you can directly let the official rules limit the number of uses. If you want to give a score. Please go to debank

stringStar commented 2 years ago

This score proposal cannot be used to screen witch accounts. Your score only indicates whether he is a high-quality user, not whether he is an Airdrop Farmer. Airdrop Farmers has only one standard to prove whether the account is related. Don't persecute normal users here

PulsarNetwork commented 2 years ago

This score proposal cannot be used to screen witch accounts. Your score only indicates whether he is a high-quality user, not whether he is an Airdrop Farmer. Airdrop Farmers has only one standard to prove whether the account is related. Don't persecute normal users here

@stringStar don't worry. It's only for screening, not final decisions

stringStar commented 2 years ago

Also, your score evaluation looks ridiculous. All the reference indicators are imaginary, and there is no large amount of data reference. I haven't used safe. I saw this proposal on Twitter

PulsarNetwork commented 2 years ago

I still can't agree with identifying the current list of 500 addresses as sybils in https://dune.com/queries/1268823/2173773, even though I think many of them are suspicious.

According to sybil hunting principles:

Methodology that has a non-negligible chance of eliminating legitimate users will not be considered. When in doubt, we opt for “this is legit usage”

https://forum.gnosis-safe.io/t/community-challenge-identify-airdrop-farmers/847

Procedure justice means that once the rules are set, we should follow the rules. This ensures fairness and integrity of this sybil hunting community challenge.

Wsyglsr commented 2 years ago

I hate air investment hunters, but your rules really hurt ordinary users and new users.Can't a address be created 2 safe?You should give him a quota and normal users to avoid very expensive gasoline fees.

hjg888 commented 2 years ago

Real and fake users can send an nft to https://galxe.com/ and require verification of Twitter, discord, and email address to receive nft. The created address of nft will be airdropped, and the addresses that cannot be received will not be given. That's it.