https://commonwealth.im/layerzero/discussion/17883-sybil-report hireus.eth - Reports
•https://commonwealth.im/layerzero/discussion/17886-hireuseth-reports
The format of our report will be as follows:
Complete methodology behind our reports
We have used a multistep approach in identifying clusters of sybil wallets.
1 - First step - identify clusters of wallets based on the months they were active on LayerZero. More on how we did this + code will be provided later, but this allowed us to partition the dataset provided by LayerZero into smaller datasets that contained wallet sets that we have classified as suspicious.
2 - Second step - analyze smaller clusters that we have got from step 1. We used both data provided by LayerZero to analyze LayerZero activity and onchain scanners to analyze the activity of wallets outside LayerZero. For onchain stuff, we focused on mainnet + the biggest L2’s (arb, op, bsc, polygon, avax).
- Regarding LayerZero data analysis - we have written a function to look for identical activity among wallets from the set in tight date ranges (1-30 days). When we have narrowed the cluster into wallets that have had similar activity on a couple of matching date ranges we have run a couple of checks to identify sybil activity. Criterias that we believe could show wallets to by sybil:
- repeated usage of the same protocols (ideally with the same volume, dest, and source chains) during a small time period (this one is the most important one)
- identical total stargate volume (+-10%)
- matching set of source and/or destination chains
- identical parameters for Nth transaction for each wallet (time, volume, source/dest chains, project). i.e every wallet having Stargate bridge of 100-110$ from Opti to Arb during a 5-day period as their first tx is very suspicious
- matching set of used projects on Layer Zero
- same protocol path (i.e. every wallet used Stargate -> Merkly -> Stargate -> L2Pass). And this was all of their activity on L0
- Similar number of distinct active days and total # of txs on L0 Obviously, none of these prove anything on their own, but when they all are combined they signalize that a set of wallets is probably a sybil cluster.
- Onchain analysis. This part is simple. Every sybil wallet has to be funded before interacting with LayeZero. If all wallets from a set are funded from the same exchange for approximately the same amount within a tight time period - then welp :) maybe it is not a coincidence. Also, we have checked for the activation (first ever interaction) of wallets on each chain. Most of sybil wallets are newly created wallets. So if the wallets in our dataset all suddenly get activated (funded) in some same chain and then start interacting with LayerZero it means they could be a sybil cluster.
Notes regarding our reports: We do not provide any tx hashes or nansen screenshots for our reports, just description of activity since we’re reporting almost 20k wallets total and that would be a heck of data. But all of this data can be easily generated using our code that we have attached. Or the easiest way is just to open the wallets in LayerZero scan. For most of the clusters the fact that they are sybil is very visible from a first glance Some of the text in our reports looks generated. That is because it is. We have analyzed almost 20k wallets in less than a week and writing text for each of them would be impossible. The way we generated text can also be observed from our code
FULL DESCRIPTION OF OUR FIRST STEP For each wallet let’s find a set of active months starting from January 2023. Then represent this set of months as a binary number where 1(0) on position k means the wallet was(not) active on the kth months starting from January 2023. For example, mask 100101 (or 21 decimal) means the wallet was active on Jan 2023, Mar 2023, and Jun 2023. This way we assign a decimal number under 217 to every wallet(217 because 17 months from Jan 2023 to May 2024).
As the next step let’s compare wallet count for each of the masks with counts for similar masks. To get similar masks, we take the current mask, find two different consecutive bits(01 or 10), and do one of the following operations: update the first bit with the value of the second, update the second bit with the value of the first, or swap the values. For example for mask 111111100111110 possible similar masks are: 111111110111110, 111111100011110, 111111101111110. In this particular example, counts are: 69 wallets for 111111100111110, 9 for 111111110111110, 2 for 111111100011110, and 1 for 111111101111110. 69 looks suspicious compared to 1, 2, and 9. Let’s find all the suspicious masks. For the mask to be suspicious, the wallet count for the current mask should be 2+ times more than the p90 of wallet counts of all the similar masks. The idea behind this is that there is no reason for similar masks to have that much different wallet counts.
After finding those suspicious masks let’s export the corresponding wallets and move to Step 2 - proving those are actually clusters. Code below in thread
GUIDE TO USING CODE FOR SECOND STEP: Onchain: Code in thread below
L0 only: To generate csv data: put wallets.txt in the same dir as readcsv.py and L0 snapshot (call it snapshot.csv). Then run python3 readcsv.py Code below in thread
To get a cluster from these wallets put generated ftw.csv from first script into the same dir as cluster_wallets.py and run python3 clusterwallets.py Code below in thread
Only members within the following group(s) can interact with this topic:
Include comments flagged as spam
This report was submitted during a hard time for commonwealth and got duplicated. Disregard this thread please and see the original report at https://commonwealth.im/layerzero/discussion/17897-hireuseth-reports