Web3 Identity 101: episode 1 – Sybil Attacks

This article forms part of a 2-part series exploring Sybil Attacks, Sybil Resistance, and mechanisms that form part of the solution in the fight against Sybil attacks.

So, what’s the problem, anon?

You’ve seen it before. You’ve lived through the pain, even if you’re not consciously aware of it.

It looks something like this: the thousands of spam emails that sit collecting digital dust in the deep archives of our Gmail. The uncertainty around the validity of Wiki articles, knowing that malicious actors can go in and change them on a whim, to the annoyances of someone gaming that recent online giveaway using three different company emails, so that they get three entries instead of one. And the all-too-familiar way of cheating an online voting system. These are all symptoms of this class of problems in everything we do online, influencing practically everything in the decentralized world. 

This problem — that through the power of technology and the internet, a single human actor can pose as dozens or potentially hundreds of unique accounts simultaneously — is not new to the web, nor is it fully solved yet. 

This is commonly known as a Sybil Attack. 

Understanding the problem is the first step to addressing it effectively – a core milestone to making cryptocurrency and decentralized applications widely usable and available for all humanity.

A Sybil attack is an attack on a computer network where an individual gets around the reputation and account system rules by creating many alternative identities and using them to gain a disproportionately large influence. 

It came from the book “Sybil,” a case study of a woman diagnosed with a dissociative identity disorder. The idea is a single individual posing as multiple unique actors. The core problem here is that this poses a direct threat vector in distributed governance models, online reputation systems, or any other digital system where one-person-one-action is a vital axiom to uphold.

“How do we solve the scenario where anyone can create multiple wallets and pose as multiple users? The rate at which money and resources are pumped into web3 projects, especially during a bull market, creates incentives for money-grabbing founders to do this exact thing. Identifying and being able to prevent Sybil Attacks is one of the most important pieces to solving in order for crypto to become usable for the average person.” – Kevin Owocki 

How can you adequately run direct democracy models if single malicious actors can suddenly gather the voting power of hundreds of individuals, skewing votes in their favor? And what if the results of these votes involve allocating significant sums of money? 

Even something as simple as a referral reward mechanism, where an individual is rewarded for helping grow an ecosystem by bringing in new participants, is subject to exploitation via Sybil attacks. 

The solution: Sybil resistance

Sybil resistance is still an active area of study in decentralized systems and online environments. Non-personhood approaches to Sybil resistance includes Proof of Work, Proof of Stake, and Proof of Project (economic barriers to entry). Through the lens of personhood Sybil resistance, it’s about moving towards one-person-one-vote instead of one-dollar-one-vote. 

No decentralized system we have ever built has ever been able to stand up to Sybil attacks in a truly meaningful way. And “solving it, need not and should not force us to give up our privacy.”  Bryan Ford

Some of the main approaches of Sybil resistance, depending on the principle you leverage, are: government paper trail/identity, biometric identity, social network/trust network, and presence-based. Yet still, none of these are the silver bullet — they each still contain their own trade offs.

Let’s dive a little deeper:

  1. Identity Validation: Identity validation is straightforward; in order to use a network or service, the actor must confirm their identity, and that identity cannot already be a part of the system. Showing your driver’s license, or tracking IP addresses, are examples of this. In a technological age, it’s not foolproof, but it is enough of a time/energy investment that it deters some sybil attacks. 
  2. Social Trust Graphs: Social trust graphs use the power of distributed P2P systems to help identify trustworthy individuals via reputation and vouching systems. While also not completely foolproof, this uses the power of the network itself to help maintain the integrity of the network population.
  3. Economic Costs: By forcing individuals to incur an economic cost for core actions or account creation, you remove all or the majority of the benefit. If it cost $1 to send an email, you can be fairly certain there would be considerably less spam email on the internet right now. Though this solution forces good actors to incur this same cost.
  4. Proof-of-Humanity / Proof-of-Personhood: There are several ‘proof-of-humanity’ initiatives underway. Using oracles or vouching systems to have the network claim the uniqueness and validity of new accounts. This is a strong filtering mechanism, but requires considerable energetic investment from the network/oracles.

It’s time

While this may seem to be the domain of network nerds or technical geeks, Sybil attacks (and Sybil resistance on the part of networks) is a central and core obstacle that the cryptocurrency and blockchain worlds will need to resolve and manage for if they are to reach the grand heights and visions that we all believe they can.

Some of the questions we should be asking are: how do we create a more democratic environment? Do we want one-person-one-vote or one-dollar-one-vote to prevail? How do we opt for maximum participation and inclusion? How do we want to approach identity and personhood? And how do we do all this and still preserve privacy?

If you’d like to dig deeper into Sybil attacks and beyond, check out this podcast with Bryan Ford and Kevin Owocki. For a deeper dive into the mechanisms behind Sybil resistance, keep an eye out for episode 2 of this series coming out later this week!

– Team Gitcoin

Thank you to Eric and MathildaDV for creating this piece.