Co-authors: @Jeremy & Umar
This has been posted on snapshot
Create a $5k quadratic funding round specifically for individuals with the skills to launch a Sybil attack: they can come and claim the funding if they share information on how they did it.
Sybil Defense is one of the largest problems facing Web3 and the reason for the existence of Gitcoin Passport. Sybil Resistance enables UBI, more effective airdrops, better quadratic funding, and much more.
Over the years, Sybil Attackers could have stolen millions of dollars from Gitcoin and the Ethereum ecosystem. Gitcoin’s unique position is similar to a bank holding funds on behalf of the ecosystem and every quarter we open the vault to give out money to the people placed in line by our community. Yet among those people there are some wearing disguises, impersonating honest actors, in order to steal from the bank.
While we’ve developed defense mechanisms against these robbers (such as asking to see their passport), we haven’t implemented one of the most common techniques banks use to defend against robbers, both in person and online: trying to break into your own bank.
When you try to break in yourself you learn exactly where the weaknesses in the system are and can then design new methods to strengthen those locations. With this round, we’re offering an incentive for hackers to try to break into our system and tell us where our weaknesses are. Once we’ve shored them up we’ll then be in a better position to implement quadratic funding and aid the web3 ecosystem at large with sybil defense.
“In a red team/blue team exercise, the red team is made up of offensive security experts who try to attack an organization’s cybersecurity defenses. The blue team defends against and responds to the red team attack.”
So far, Gitcoin and its community have played the role of the blue team. We defend against Sybils, and we often do so in an open-source way that reveals how we work to our adversary.
Our lack of knowledge about how the red team operates and attacks our system limits our ability to defend against them. Yet in our ecosystem we have people with the technical ability to break into our system who may have resisted doing so only because of their moral concerns. Let’s invite them to do what they’re good at and work with us.
The best part? No squelching.
Grants Stack makes it extremely easy to spin up a QF round. We will start one with the following rules:
- All non-offensive applications are accepted
- Grants must receive at least 100 unique contributions from donors with a Passport score above 20 to receive any matching payout
- Grants must share a detailed document on how they attacked the system via email before payouts and be available to answer questions (and preferably, but not required: hop on an anonymous voice call)
- 80% matching cap: if a single attacker drastically outcompetes the others they can claim up to $4k
- All donors will be labeled as Sybils in the Passport data sets and may not be able to receive scores or reuse credentials in the future
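A worked example of how these rules combine into a matching calculation, added here as an illustration; it is not Gitcoin's or Grants Stack's own matching code. It assumes "above a 20 passport score" means strictly greater than 20, that contributions from donors at or below that score carry no matching weight, and that the round uses the standard quadratic funding weight (sum of square roots, squared, minus the raw sum); the grant names and donor addresses are constructed.

```python
"""Matching calculator for the proposed Sybil-attacker QF round (example code
added to this post, not Gitcoin's matching engine). Applies the listed rules:
score threshold, 100-unique-contributor minimum, 80% matching cap, and the
labelling of every donor in the Passport data sets."""
from dataclasses import dataclass
from math import sqrt

MATCHING_POOL = 5_000.0          # $5k allocated from the matching pool
MIN_PASSPORT_SCORE = 20          # assumption: "above 20" read as score > 20
MIN_UNIQUE_CONTRIBUTORS = 100    # grants below this receive no matching
MATCHING_CAP_FRACTION = 0.80     # one grant can claim at most 80% ($4k)


@dataclass(frozen=True)
class Contribution:
    grant: str
    donor: str            # wallet address (constructed placeholders below)
    amount: float         # USD-equivalent donated
    passport_score: float


def eligible_amounts(contributions):
    """Per grant, the total from each unique donor whose score clears the threshold.
    Repeat donations from one wallet collapse into one donor entry."""
    per_grant = {}
    for c in contributions:
        donors = per_grant.setdefault(c.grant, {})
        if c.passport_score > MIN_PASSPORT_SCORE:
            donors[c.donor] = donors.get(c.donor, 0.0) + c.amount
    return per_grant


def qf_weights(per_grant):
    """Quadratic-funding weight per grant; zero if under the unique-donor minimum.
    Assumed formula: (sum of sqrt(amount))^2 - sum(amount)."""
    weights = {}
    for grant, donors in per_grant.items():
        if len(donors) < MIN_UNIQUE_CONTRIBUTORS:
            weights[grant] = 0.0
            continue
        amounts = list(donors.values())
        weights[grant] = sum(sqrt(a) for a in amounts) ** 2 - sum(amounts)
    return weights


def allocate_matching(weights, pool=MATCHING_POOL, cap_fraction=MATCHING_CAP_FRACTION):
    """Split the pool proportionally to weight, capping any grant at cap_fraction * pool.
    Funds freed by a cap are redistributed among uncapped grants; if every grant
    is capped, the remainder stays in the pool."""
    cap = pool * cap_fraction
    allocation = {g: 0.0 for g in weights}
    active = {g: w for g, w in weights.items() if w > 0}
    remaining = pool
    while active:
        total = sum(active.values())
        over = [g for g, w in active.items() if remaining * w / total > cap]
        if not over:
            for g, w in active.items():
                allocation[g] = remaining * w / total
            break
        for g in over:                 # cap these, then recompute the rest
            allocation[g] = cap
            remaining -= cap
            del active[g]
    return allocation


def sybil_label_set(contributions):
    """Every donor in the round gets flagged as Sybil in the Passport data sets."""
    return {c.donor for c in contributions}


def run_round(contributions):
    return allocate_matching(qf_weights(eligible_amounts(contributions)))


def constructed_contributions():
    """Constructed sample round, not real data."""
    rows = []
    # alpha: 149 donors giving $1, plus one wallet giving $2 twice (de-duplicated to $4)
    rows += [Contribution("alpha", f"0xalpha{i:03d}", 1.0, 30) for i in range(149)]
    rows += [Contribution("alpha", "0xalpha_repeat", 2.0, 30)] * 2
    # beta: exactly 100 donors at $0.25 each, scores just above the threshold
    rows += [Contribution("beta", f"0xbeta{i:03d}", 0.25, 21) for i in range(100)]
    # gamma: many donors, but every Passport score is below 20 -> nothing eligible
    rows += [Contribution("gamma", f"0xgamma{i:03d}", 1.0, 15) for i in range(120)]
    # delta: high scores but only 90 unique donors -> under the minimum
    rows += [Contribution("delta", f"0xdelta{i:03d}", 4.0, 50) for i in range(90)]
    return rows


if __name__ == "__main__":
    rows = constructed_contributions()
    for grant, usd in sorted(run_round(rows).items()):
        print(f"{grant:6s} matching: ${usd:,.2f}")
    print(f"{len(sybil_label_set(rows))} donor addresses flagged as Sybil")
```

In the constructed data, alpha's weight is large enough that its proportional share of the $5k exceeds the 80% cap, so it is held at $4k and the freed $1k flows to beta; gamma and delta receive nothing because their contributions fail the score threshold and the 100-donor minimum respectively.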
This will also require support from the MMM team to communicate about the round to draw in participants. This would involve:
- One design asset
- One or two emails
- Several tweets
Something similar to what Yearn did:
- Insights into how sybil attacks are conducted
- Insights into how to improve our sybil defense
- Possibility to create new partnerships with proven experts
- Costs $5k
- Creates pressure to rapidly shore up our defenses after identifying key learnings
Yes: Pilot the Sybil Attacker QF Round and allocate $5k from the matching pool
No: Do not fund this work and do not move forward
Abstain: I am missing context or this proposal needs more refinement
- Yes - Pilot the round for $5k
- No - Do not fund