Many people outside the crypto world may ask themselves “What is a sybil attack?” A Sybil attack is a security threat to an online system in which one person tries to gain control over the network by creating multiple accounts or nodes. In the crypto environment, sybil attacks may become particularly relevant within Decentralised Autonomous Organisations (DAOs), where sybil attackers may eventually steer the voting process to their advantage, undermining the democratic foundation of such organisations.
In the following sections, we want to better understand the magnitude of sybil attacks, how these threats work, and the existing solutions.
Sybil Attacks: The functioning
The name “Sybil attack” comes from Sybil Dorsett, an American woman who became known in the last century for having 16 different personalities. In a similar way, a sybil attack occurs when a crypto user fakes multiple identities. This can happen in two different ways. The first is when one user creates multiple accounts with different usernames and passwords. The second, and even more relevant, is when a user runs multiple nodes on a blockchain network.
A node is one of the computers that runs the blockchain’s software to validate and store the complete history of transactions on the network. In most cryptocurrencies, the nodes of a blockchain do not rely on validation from any central authority, because they check and verify each other through a consensus mechanism. Anyone can set up a node by downloading the blockchain’s software onto a personal computer anywhere in the world. This is why sybil attacks are so relevant in the crypto world.
The goal of a sybil attack can be to influence the voting process in the case of DAOs, to receive more tokens in the case of launchpad projects, or even to collect more revenue within Universal Basic Income (UBI) crypto projects. Sybil attacks become a real threat because attackers may be able to out-vote the honest nodes on the network if they create enough fake accounts. They can then refuse to receive or transmit blocks, effectively blocking other users from the network, change the ordering of transactions, and prevent transactions from being confirmed.
Existing solutions against sybil attacks
Existing solutions to fight sybil attacks may be divided into three categories: analysis, sybil score ranking and KYC. The analysis solution involves pulling metadata for every address and manually checking each group of addresses for some overarching common behaviour that could hint at a sybil threat. This approach may be supported by the community itself, namely by asking users to report sybil addresses and rewarding them with tokens. However, this approach does not guarantee that sybil addresses are eliminated, and it might lead to the elimination of non-sybil addresses, harming honest users. Furthermore, it is a burdensome approach that requires strong analysis capabilities, which not every organisation can afford.
Another solution is to make use of a “Sybil Score”. A sybil score is a number of points given to users based on different criteria, which might include: (1) confirming control over a whitelisted address, i.e. an address on a list of early and particularly active DeFi users who were never involved in sybil attacks; (2) contributing to moderation, education or translation, in other words being an active member of the community; (3) confirming control over an account on a KYC-restricted platform such as Coinbase or Gemini, which use extended KYC processes. Making use of a sybil score might be useful for bigger organisations but might be burdensome for smaller ones, which do not have the capacity to set up the logistics to evaluate such criteria.
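The two approaches above, address-group analysis and a sybil score, can be sketched in code. The following is an added example written for this article, not code from any project it mentions: it groups constructed sample addresses by the address that funded them (one possible "common behaviour" from the analysis approach; the metadata fields, the funding heuristic and the point weights are all assumptions), computes a score from the three criteria listed above, and flags for manual review only those addresses that sit in a large funding cluster and score below a threshold, so that a well-established user inside a cluster is not removed automatically.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed per-address metadata. Field names are assumptions for this
# example; a real pipeline would pull them from chain data and community tools.
@dataclass(frozen=True)
class AddressInfo:
    address: str
    funded_by: str           # address that sent the first deposit
    whitelisted: bool        # on the curated list of early, active, non-sybil DeFi users
    community_contrib: bool  # moderation, education or translation work
    kyc_platform: bool       # proved control of an account on a KYC-restricted exchange

# Assumed point weights for the three sybil score criteria.
WEIGHTS = {"whitelisted": 3, "community_contrib": 2, "kyc_platform": 3}

# Constructed sample: four addresses share one funder, two are independent.
SAMPLE = [
    AddressInfo("0xa1", "0xfund1", True, False, True),
    AddressInfo("0xa2", "0xfund1", False, False, False),
    AddressInfo("0xa3", "0xfund1", False, False, False),
    AddressInfo("0xa4", "0xfund1", False, True, False),
    AddressInfo("0xb1", "0xfund2", False, False, False),
    AddressInfo("0xc1", "0xfund3", False, False, True),
]


def funding_clusters(infos):
    """Group addresses by the address that funded them (analysis heuristic)."""
    clusters = defaultdict(list)
    for info in infos:
        clusters[info.funded_by].append(info.address)
    return dict(clusters)


def sybil_score(info):
    """Sum the points for each criterion the address satisfies."""
    return sum(w for name, w in WEIGHTS.items() if getattr(info, name))


def review_report(infos, cluster_threshold=3, score_threshold=3):
    """Per-address score, cluster size and a review flag.

    An address is flagged only when it belongs to a funding cluster of at
    least `cluster_threshold` addresses AND its score is below
    `score_threshold`; either signal alone is not treated as conclusive.
    """
    clusters = funding_clusters(infos)
    report = {}
    for info in infos:
        size = len(clusters[info.funded_by])
        score = sybil_score(info)
        report[info.address] = {
            "score": score,
            "cluster_size": size,
            "flag": size >= cluster_threshold and score < score_threshold,
        }
    return report


def flagged_addresses(infos):
    """Addresses that a human analyst should look at before any exclusion."""
    return sorted(a for a, r in review_report(infos).items() if r["flag"])


if __name__ == "__main__":
    for addr, row in review_report(SAMPLE).items():
        print(addr, row)
    print("review:", flagged_addresses(SAMPLE))
```

Note that the output is a review list, not an exclusion list: the article's own caveat is that this kind of analysis can remove honest users, so the flag should feed a manual check rather than an automatic ban.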
Digital, passport-free KYC
A better and less burdensome solution to limit the power of sybil attackers is to leverage existing technology for a digital, passport-free KYC process that prevents users from creating multiple accounts. Today, KYC processes still require sharing passport and ID data and might take up to several days before users are approved. This can be counterproductive for crypto organisations that want to onboard a considerable number of users, who are often reluctant to share their private documents.
A digital, passport-free KYC process is possible by authenticating users through their existing accounts on other crypto exchanges, their DMV login website, or other government platforms. In just a few clicks, users can digitally prove their identity without sharing their passport and ID, allowing crypto platforms to perform a more efficient KYC process with the assurance that no user will be able to create more than one account. This works because citizens have only one institutional ID account and can only use that one to prove their identity.
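To show how the one-account-per-person guarantee can be enforced without the platform retaining passport data, here is an added example written for this article (not code from any KYC provider): it assumes the identity provider, after the user logs in, returns an assertion containing the issuer name and a stable subject identifier. The platform stores only a keyed hash of that pair, so it can detect a second registration by the same person without keeping the identifier itself. The class and field names are assumptions for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class IdentityAssertion:
    """What the identity provider hands back after a successful login.

    Assumed shape for this example: the issuer (an exchange that already ran
    KYC, a DMV portal, another government platform) and the stable identifier
    that issuer assigns to this person. No document data is included.
    """
    issuer: str
    subject_id: str


class OneAccountPerPersonRegistry:
    """Allow at most one platform account per (issuer, subject) identity."""

    def __init__(self, pepper: bytes, trusted_issuers: set[str]):
        # Server-side secret so the stored tags cannot be reversed or brute-forced
        # from a leaked table alone; rotate only with a planned re-tagging.
        self._pepper = pepper
        self._trusted = trusted_issuers
        self._tags: dict[str, str] = {}  # identity tag -> platform account id

    def _tag(self, assertion: IdentityAssertion) -> str:
        # HMAC over the issuer-qualified subject; the raw subject_id is never stored.
        msg = f"{assertion.issuer}|{assertion.subject_id}".encode()
        return hmac.new(self._pepper, msg, hashlib.sha256).hexdigest()

    def register(self, assertion: IdentityAssertion, account_id: str) -> bool:
        """Return True if the account was created, False if the person already has one."""
        if assertion.issuer not in self._trusted:
            raise ValueError(f"untrusted issuer: {assertion.issuer}")
        tag = self._tag(assertion)
        if tag in self._tags:
            return False  # same person, second account: refused
        self._tags[tag] = account_id
        return True

    def account_for(self, assertion: IdentityAssertion):
        """Existing account id for this identity, or None."""
        return self._tags.get(self._tag(assertion))


def demo():
    """Constructed walk-through: one person tries to open two accounts."""
    reg = OneAccountPerPersonRegistry(b"constructed-pepper", {"dmv.example"})
    alice = IdentityAssertion("dmv.example", "subject-1001")
    bob = IdentityAssertion("dmv.example", "subject-2002")
    return [
        reg.register(alice, "acct-1"),  # True
        reg.register(alice, "acct-2"),  # False: already registered
        reg.register(bob, "acct-2"),    # True: different person
        reg.account_for(alice),         # "acct-1"
    ]


if __name__ == "__main__":
    print(demo())
```

The uniqueness holds per issuer: two assertions for the same person from two different trusted issuers produce two different tags, so the guarantee the article describes depends on the platform accepting a single institutional source, or on those sources sharing one identifier.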
Sybil attacks are a threat to the crypto environment because they disrupt the efficiency of the entire ecosystem by creating advantages for some users at the expense of the community. Existing ways to stop them, such as in-depth user analysis and sybil scores, have proved burdensome for companies and users. Digital, passport-free KYC is an easy way to prevent users from creating multiple accounts while still preserving users’ privacy.