Airdrop Vulnerabilities: Farm Accounts and Sybil Attacks

The cryptocurrency industry has been grappling with the issue of fake farm accounts or “Sybil attacks,” where individuals create multiple accounts to manipulate the system and claim more tokens during airdrop events. These events, which have become highly profitable, involve rewarding users who engage with or create quality content on social media channels linked to crypto projects. Many users have started posting subpar content solely to earn airdrop points, leading to a crackdown by project creators.

One such project, Degen memecoin, recently took action by banning approximately 2,000 users suspected of farming their tokens. They warned that participating in coordinated posting or artificial engagement would result in bans. Similarly, Bitget Wallet, a self-custody wallet, deducts airdrop points from users using emulators and cloud phones to create artificial referrals and downloads.

Although identifying Sybil attacks is a challenge, efforts are being made to penalize dishonest behavior without impacting genuine users. Banteg, a prominent DeFi developer, discovered numerous accounts linked to repeat or renamed GitHub accounts controlled by airdrop farmers during an airdrop by the Ethereum layer-2 protocol Starknet. These addresses were still included in the airdrop.

Deploying a Sybil attack involves using scripts or bots to create a large number of fake accounts on a targeted platform and automating tasks such as registration and account verification. This leads to a disproportionate distribution of tokens, harming the project’s reputation, inflating token supply, and potentially causing price manipulation through dumping by airdrop farmers.

The rise of Sybil attacks has prompted blockchain projects to develop more sophisticated methods for verifying user identities and ensuring fair distribution during airdrops. While these attacks present challenges, they also contribute to the development of a more robust and secure blockchain ecosystem in the long run.