Streamlining Sybil Defense for Gitcoin Grants with Gitcoin Passport

This article explores the landscape of Grants 2.0, Sybil defense, SAD, and a case study of how Passport was integrated during GR14.

Sybil attacks are a known bug of decentralized networks.

If you’re a part of the Gitcoin community and have been following along with the recent narrative, you know that “Sybil defense” is one of Gitcoin’s biggest priorities.

Unfamiliar with the term? Sybil defense is the process of building systems that can adequately defend against those who seek to game a rewards-based system for profit, such as an airdrop, a raffle, or, in our case, a Gitcoin grants round. A “Sybil attacker” creates many accounts to reap additional rewards they would not have received by using a single account to register for said airdrop or grants round.

You can read more about Sybil defense via this fun and informative piece we recently published, “Web3 Identity 101 – Episode 1: Sybil Attacks”.

Building the right tools and processes for Sybil defense is a high priority at Gitcoin because fairness and “credible neutrality” are key values in Gitcoin’s mission to build and fund digital public goods.

Both the Product and Fraud Detection and Defense (FDD) workstreams have been working on these problems since the inception of Gitcoin.

Right now is a particularly exciting time in the Gitcoin community because a great deal of the thinking and building behind Sybil defense mechanisms is coming to fruition in the form of Gitcoin Grants 2.0.

This piece will talk about one of the Sybil defense tools we’re building in particular: Gitcoin Passport, a tool that allows any project to grow a decentralized identity record via the Ceramic network.

Gitcoin recently used Passport for Grants Round 14 (GR14). This article will primarily explore how a beta version of Passport was used for Sybil defense and identity verification in GR14 and what we learned from that.

But first, let’s zoom out a bit.

Let’s talk about grants.

Grants (2.0)

In brief, Gitcoin Grants 1.0 is a monolith. It’s centralized, and far from as credibly neutral as we’d like it to be. Also, because of the centralized nature of Grants 1.0, Gitcoin must maintain a grants database containing the “Personally Identifiable Information” (PII) of Gitcoin Grants participants.

Grants 2.0 seeks to change all of that.

Grants 2.0 will consist of both an “Ecosystem” and a “Platform.”

You can think of the Ecosystem side of Grants 2.0 as a suite of open source funding and governance mechanisms.

The Platform side consists of things like a dApp, a front-end for a universal project registry, or a “grants round manager,” which allow any community to launch and manage their own self-hosted grants round.

As you can see, Gitcoin Grants 2.0 encompasses a lot.

Instead of Gitcoin running its own grants round every quarter and partnering with other communities, we envision hundreds or thousands of grants rounds occurring at any given time, using the tools and protocols we’re building in Grants 2.0.

Gitcoin Passport: The First of Many Grants 2.0 Tools

As previously stated, Gitcoin Passport is an identity verification protocol built on the Ceramic network. It is designed to proactively verify the identities of people participating in grants rounds to protect against Sybil attacks.

Gitcoin Passport was announced on June 8th as a part of this Twitter thread announcing GR14 and recent Gitcoin updates.

On June 14th, Gitcoin announced the Passport hackathon via this blog post. The hackathon ran for two weeks. Developers were eligible to compete for $11,500 in prizes, and a full SDK of the Passport alpha was made available to them.

For more context on how Passport came to be, read our “Intro to Passport” piece we published last week.

Gitcoin Passport and GR14

In addition to being released publicly for the Passport hackathon, Passport was deployed in conjunction with GR14, which ran from June 8th to June 23rd. 

The decision was made to include Passport as a part of the registration process for GR14 by the FDD and Product workstreams. During GR14, nearly 15,000 people set up their Gitcoin Passport ID.

It was a fortuitous call to include Passport as a part of the GR14 registration process, as Sybil attacks during GR14 had increased significantly from the previous Grants Round, as reported in this forum post.

As may be expected, most of the Sybil attacks in GR14 were related to “airdrop farming.”

It’s worth noting that Gitcoin is not the only Web3 ecosystem dealing with airdrop farmers. In May, the Optimism network removed 17,000 accounts that appeared to be airdrop farming from recent airdrops.

At this point, you may wonder, “Why all this talk about Sybil attacks?” and “Is Gitcoin Passport a complete solution for mitigating Sybil attacks?”

The truth is that Gitcoin Passport is just one-half of how Gitcoin handles Sybil defense and mitigation.

The other half? Sybil Account Detection!

Sybil Account Detection + Passport = Effective Sybil Mitigation

Sybil attacks are detected using Sybil Account Detection (SAD).

Worth noting is that SAD has been around since GR11, three seasons longer than Passport.

Essentially, SAD uses machine learning to identify which accounts are Sybil attackers. For devs and technical folks looking for a deep dive, you can read Disruption Joe’s blog post on how SAD works here.

You can think of Passport as a driver’s license. It keeps people who should not be operating an automobile (in this case, Sybil attackers) off the road. The result is a cleaner dataset for Sybil Account Detection, which means more accurate and effective SAD, which in turn means a richer, more trustless and credibly neutral grants ecosystem.

To complete the metaphor, you can think of SAD as the traffic cops and tow truck companies that defend and mitigate against the impact of those that seek to break the rules (speeders, reckless drivers, illegal parkers) and penalize them accordingly. 

Although we may not be enamored with the actions of traffic police and tow truck companies in daily life, we can point to one bug in particular that Grants 2.0 seeks to solve for: they are not credibly neutral!

Police departments generate significant revenue via traffic stops and ticketing. Tow truck companies are for-profit enterprises and are not known for fairness and transparency.

How SAD Has Improved Over Time

As previously stated, SAD has been around since GR11. The FDD workstream has tracked the effectiveness of SAD (aided by humans in evaluating whether an account is a Sybil attacker) in defeating Sybil attacks over the last four grants rounds.

You can dig into the figures here, but for comparison’s sake, in GR13, it took 37 FDD contributors roughly $17,000 worth of labor hours to review 12,000 evaluations of possible Sybil attackers, at an average cost of $1.42 per eval.

In GR14, it cost $3000 for ten contributors to review 3,000 evaluations, at $1.00 per eval. FDD was able to lower the number of evaluations while increasing quality and reducing the cost per review by almost 30%.

This was primarily due to improvements made to the SAD machine learning model by the FDD team. Well done!

As SAD has improved from grants round to grants round, we expect Passport to as well, with new synergies being discovered between the two as time goes on.

FDD is currently working with the Passport team to improve Passport’s preventative Sybil defense features.

The Future of Passport, and Grants 2.0

“The launch of Passport is the first step towards a Grants 2 future.” (Disruption Joe’s GR14 governance brief)

There are three things in particular that Gitcoin is excited about as we build, iterate, and release Grants 2.0 projects. They are: 

  1. A trust bonus driven by Passport Stamps, which would be given to users according to their contributions in grants rounds, whether as a builder, someone who donated, or as an entity providing matching funds.
  2. Continual improvement of SAD algorithms to flag fewer accounts as false positives and improve the fairness and culture of future grant rounds.
  3. Continuing to launch Grants 2.0 projects, including Grants Hub, a universal grants registry, and Round Manager, a platform that lets any community use the same tools that Gitcoin uses to run their own grants rounds, with a minimum of technical overhead.

Trust Bonus + Passport Stamps

Gitcoin has issued “trust bonuses” to known and trusted contributors via the Grants 1.0 monolith for several seasons now. In the future, Gitcoin Passport will build on the preexisting work done in creating the trust bonus, with the added features of privacy, decentralization, and credible neutrality in issuing trust bonuses. 

Passport users will gain stamps for various interactions, such as connecting their Web2 and Web3 identities, participating in grants rounds as a builder, donating to a project, and so on. A user’s trust bonus will be calculated and granted algorithmically, based on the stamps they hold in their Passport.

In the future, Gitcoin hopes that stamps can be given to Gitcoin contributors to recognize their efforts and labor, to allow those contributors to be recognized and given rewards in particular ways, i.e., not only trust bonuses, but NFTs, POAPs, and special access and privileges within the community.

Read more about the future of Passport here.

Continual Improvement of SAD Process

Similar to a court of law, the detection and mitigation of Sybil attacks are not always perfect. With a large enough dataset, some accounts are inevitably “false positives”: labeled as Sybil attackers when they might be new, well-meaning grants round participants.

The FDD workstream will continue to improve the SAD machine learning model, as well as build processes to flag and evaluate accounts that may have been misclassified as Sybil attackers.

Upcoming Launches for Grants 2.0 Projects

As mentioned above, two of the biggest Grants 2.0 projects that have not yet been launched are Round Manager and Grants Hub.

In the interest of creating digital public goods for all, our vision is that these projects will transform the nature of grants funding in Web3 by offering much-needed tools for Web3 communities to launch and run their quadratically funded grants rounds, entirely independent of Gitcoin.

Both of these projects will be free and open source.

Stay tuned for future announcements soon!

To Learn More About Passport

Check out the Passport documentation here and the Passport GitHub repo here. You can also drop into the Gitcoin Discord server and inquire within.

– Team Gitcoin

Thank you to Alex for creating this piece.