Sybil Detection

🎯 Overview

Eliminate fake accounts, bot networks, and Sybil attackers from your protocol with advanced on-chain behavioral analysis. zPass provides the most sophisticated Sybil detection system in Web3, protecting your campaigns, governance, and user base.

Perfect for: Airdrops, governance systems, fair launch mechanisms, campaign integrity, community building

🚨 The Sybil Attack Problem

What Are Sybil Attacks?

Sybil attacks occur when malicious actors create multiple fake identities to:

Exploit Airdrops: Claim multiple allocations unfairly
Manipulate Governance: Control voting outcomes with fake accounts
Farm Rewards: Extract value without genuine participation
Skew Metrics: Inflate user numbers and engagement stats
Drain Resources: Consume limited resources meant for real users

The Cost of Sybil Attacks

Financial Impact

40-60% of typical airdrop recipients are Sybil accounts
$500M+ lost annually to airdrop farming
25-40% of governance votes from fake accounts
3x higher customer acquisition costs due to fake users

Community Impact

Genuine users receive smaller airdrop allocations
Governance decisions influenced by bad actors
Community trust and engagement decline
Protocol reputation damage

🛡️ zPass Sybil Detection

How It Works

zPass identifies Sybil accounts through advanced behavioral analysis:

Pattern Recognition

Transaction Timing: Coordinated activity across multiple wallets
Fund Flows: Suspicious funding patterns and distributions
Behavioral Similarity: Identical interaction patterns across accounts
Network Analysis: Cluster detection of related wallets

AI-Powered Detection

Machine Learning Models: Trained on millions of wallet interactions
Anomaly Detection: Identify unusual patterns that indicate automation
Cross-Protocol Analysis: Detect farming across multiple platforms
Real-Time Scoring: Instant Sybil probability assessment

🏗️ Implementation Guide

Step 1: Basic Sybil Filtering

Start with simple Sybil detection for your campaigns:

async function filterSybilAccounts(walletAddresses) {
  const sybilAnalysis = await zpass.batchSybilCheck(walletAddresses);
  
  const results = {
    genuine: [],
    suspicious: [],
    sybil: [],
    summary: {
      totalChecked: walletAddresses.length,
      genuineCount: 0,
      suspiciousCount: 0,
      sybilCount: 0
    }
  };
  
  sybilAnalysis.forEach(analysis => {
    const { wallet_address, sybil_score, risk_level, confidence } = analysis;
    
    if (sybil_score < 0.3 && risk_level === 'Low') {
      results.genuine.push({
        address: wallet_address,
        sybilScore: sybil_score,
        confidence: confidence,
        status: 'approved'
      });
      results.summary.genuineCount++;
    } else if (sybil_score < 0.7) {
      results.suspicious.push({
        address: wallet_address,
        sybilScore: sybil_score,
        confidence: confidence,
        status: 'review_required'
      });
      results.summary.suspiciousCount++;
    } else {
      results.sybil.push({
        address: wallet_address,
        sybilScore: sybil_score,
        confidence: confidence,
        status: 'rejected'
      });
      results.summary.sybilCount++;
    }
  });
  
  return results;
}

// Usage for airdrop eligibility
async function processAirdropEligibility(participants) {
  const sybilResults = await filterSybilAccounts(participants);
  
  console.log(`Airdrop Analysis:
    Total Participants: ${sybilResults.summary.totalChecked}
    Genuine Users: ${sybilResults.summary.genuineCount} (${(sybilResults.summary.genuineCount/sybilResults.summary.totalChecked*100).toFixed(1)}%)
    Suspicious: ${sybilResults.summary.suspiciousCount} (${(sybilResults.summary.suspiciousCount/sybilResults.summary.totalChecked*100).toFixed(1)}%)
    Sybil Accounts: ${sybilResults.summary.sybilCount} (${(sybilResults.summary.sybilCount/sybilResults.summary.totalChecked*100).toFixed(1)}%)
  `);
  
  return {
    approved: sybilResults.genuine,
    needsReview: sybilResults.suspicious,
    rejected: sybilResults.sybil
  };
}

Step 2: Advanced Cluster Detection

Implement sophisticated cluster analysis to find related accounts:

async function detectSybilClusters(walletAddresses) {
  const clusterAnalysis = await zpass.analyzeWalletClusters(walletAddresses);
  
  const clusters = [];
  
  clusterAnalysis.clusters.forEach(cluster => {
    const clusterRisk = calculateClusterRisk(cluster);
    
    clusters.push({
      id: cluster.cluster_id,
      wallets: cluster.wallet_addresses,
      size: cluster.wallet_addresses.length,
      riskScore: clusterRisk.score,
      riskLevel: clusterRisk.level,
      commonPatterns: cluster.common_patterns,
      suspiciousActivities: cluster.suspicious_activities,
      recommendation: getClusterRecommendation(clusterRisk)
    });
  });
  
  return clusters.sort((a, b) => b.riskScore - a.riskScore);
}

function calculateClusterRisk(cluster) {
  let riskScore = 0;
  
  // Size penalty (larger clusters are more suspicious)
  if (cluster.wallet_addresses.length > 10) riskScore += 30;
  else if (cluster.wallet_addresses.length > 5) riskScore += 15;
  
  // Pattern similarity penalty
  riskScore += cluster.pattern_similarity * 40;
  
  // Timing correlation penalty
  riskScore += cluster.timing_correlation * 30;
  
  // Funding pattern penalty
  if (cluster.common_funding_source) riskScore += 25;
  
  // Activity synchronization penalty
  riskScore += cluster.activity_synchronization * 20;
  
  return {
    score: Math.min(100, riskScore),
    level: riskScore > 70 ? 'High' : riskScore > 40 ? 'Medium' : 'Low'
  };
}

function getClusterRecommendation(clusterRisk) {
  if (clusterRisk.score > 70) {
    return {
      action: 'reject_all',
      reason: 'High probability Sybil cluster',
      confidence: 'high'
    };
  } else if (clusterRisk.score > 40) {
    return {
      action: 'manual_review',
      reason: 'Suspicious patterns detected',
      confidence: 'medium'
    };
  } else {
    return {
      action: 'approve',
      reason: 'No significant Sybil indicators',
      confidence: 'high'
    };
  }
}

Step 3: Real-Time Sybil Monitoring

Set up continuous monitoring for ongoing Sybil detection:

class SybilMonitor {
  constructor(zpassClient) {
    this.zpass = zpassClient;
    this.monitoredCampaigns = new Map();
    this.alertThresholds = {
      sybilRate: 0.15, // Alert if >15% Sybil accounts
      clusterSize: 5,   // Alert if clusters >5 accounts
      rapidSignups: 100 // Alert if >100 signups/hour
    };
  }

  async startCampaignMonitoring(campaignId, participants) {
    const campaign = {
      id: campaignId,
      startTime: Date.now(),
      participants: new Set(participants),
      sybilDetections: [],
      clusters: [],
      alerts: []
    };

    this.monitoredCampaigns.set(campaignId, campaign);
    
    // Initial analysis
    await this.performInitialAnalysis(campaignId);
    
    // Set up periodic monitoring
    this.schedulePeriodicChecks(campaignId);
    
    return campaign;
  }

  async performInitialAnalysis(campaignId) {
    const campaign = this.monitoredCampaigns.get(campaignId);
    const participants = Array.from(campaign.participants);
    
    // Sybil detection
    const sybilResults = await filterSybilAccounts(participants);
    campaign.sybilDetections = sybilResults;
    
    // Cluster analysis
    const clusters = await detectSybilClusters(participants);
    campaign.clusters = clusters;
    
    // Check alert thresholds
    await this.checkAlertThresholds(campaignId);
  }

  async checkAlertThresholds(campaignId) {
    const campaign = this.monitoredCampaigns.get(campaignId);
    const alerts = [];
    
    // Check Sybil rate
    const sybilRate = campaign.sybilDetections.summary.sybilCount / 
                     campaign.sybilDetections.summary.totalChecked;
    
    if (sybilRate > this.alertThresholds.sybilRate) {
      alerts.push({
        type: 'high_sybil_rate',
        severity: 'high',
        message: `Sybil rate (${(sybilRate*100).toFixed(1)}%) exceeds threshold`,
        timestamp: Date.now()
      });
    }
    
    // Check large clusters
    const largeClusters = campaign.clusters.filter(c => c.size > this.alertThresholds.clusterSize);
    if (largeClusters.length > 0) {
      alerts.push({
        type: 'large_clusters',
        severity: 'medium',
        message: `${largeClusters.length} large Sybil clusters detected`,
        clusters: largeClusters,
        timestamp: Date.now()
      });
    }
    
    // Send alerts
    for (const alert of alerts) {
      await this.sendAlert(campaignId, alert);
      campaign.alerts.push(alert);
    }
  }

  async sendAlert(campaignId, alert) {
    // Implementation for sending alerts (email, webhook, etc.)
    console.log(`🚨 SYBIL ALERT for Campaign ${campaignId}:`, alert);
    
    // Could integrate with:
    // - Email notifications
    // - Slack/Discord webhooks
    // - Dashboard alerts
    // - SMS notifications
  }
}

🎯 Use Case Applications

Airdrop Protection

async function protectedAirdrop(airdropConfig) {
  const { participants, tokenAmount, distribution } = airdropConfig;
  
  // Step 1: Filter Sybil accounts
  const eligibilityResults = await processAirdropEligibility(participants);
  
  // Step 2: Adjust distribution for genuine users
  const genuineParticipants = eligibilityResults.approved;
  const adjustedAllocation = tokenAmount / genuineParticipants.length;
  
  // Step 3: Create distribution plan
  const distributionPlan = genuineParticipants.map(participant => ({
    address: participant.address,
    allocation: adjustedAllocation,
    confidence: participant.confidence
  }));
  
  return {
    originalParticipants: participants.length,
    genuineParticipants: genuineParticipants.length,
    sybilsFiltered: participants.length - genuineParticipants.length,
    tokensSaved: (participants.length - genuineParticipants.length) * (tokenAmount / participants.length),
    distributionPlan
  };
}

Governance Protection

async function validateGovernanceVoters(proposalId, voters) {
  const sybilAnalysis = await zpass.batchSybilCheck(voters);
  
  const validVotes = [];
  const invalidVotes = [];
  
  sybilAnalysis.forEach(analysis => {
    if (analysis.sybil_score < 0.5 && analysis.confidence > 0.8) {
      validVotes.push(analysis.wallet_address);
    } else {
      invalidVotes.push({
        address: analysis.wallet_address,
        reason: 'Potential Sybil account',
        sybilScore: analysis.sybil_score
      });
    }
  });
  
  return {
    proposalId,
    totalVoters: voters.length,
    validVotes: validVotes.length,
    invalidVotes: invalidVotes.length,
    integrityScore: validVotes.length / voters.length,
    flaggedVoters: invalidVotes
  };
}

📊 Detection Accuracy & Performance

Proven Results

Airdrop Analysis Results

Based on analysis of major Web3 airdrops

60% average Sybil rate in unfiltered airdrops
95% accuracy in Sybil detection with zPass
<2% false positive rate for genuine users
80% cost savings through Sybil elimination

Detection Capabilities

Attack Type

Detection Rate

False Positive Rate

Simple Farming

98%

<1%

Coordinated Clusters

95%

<2%

Sophisticated Bots

90%

<3%

Cross-Protocol Farming

93%

<2%

🚀 Getting Started

Quick Implementation

- Get your API credentials
Test with Sample Data - Analyze a small set of wallets
Implement Basic Filtering - Start with simple Sybil detection
Add Cluster Analysis - Detect related account groups
Set Up Monitoring - Continuous protection for ongoing campaigns

Best Practices

Start Conservative: Use higher confidence thresholds initially
Manual Review: Always review suspicious cases manually
Continuous Learning: Update detection models based on new patterns
Multi-Layer Defense: Combine zPass with other security measures
Community Feedback: Allow appeals process for false positives

🤝 Support & Resources

Implementation Support

💬 Discord: Join our security community
📧 Email: [email protected]
📞 Emergency: 24/7 support for critical campaigns

Advanced Features

Custom Models: Train detection models for your specific use case
Real-time APIs: Instant Sybil scoring for live applications
Forensic Analysis: Deep investigation of suspicious activities

Ready to protect your protocol from Sybil attacks?

PreviousUser Segmentation NextReputation Scoring

Last updated 1 day ago