So I think this is a question about the strength of the sybil resistance.
You’re wondering if it is easier to make many verified PayPal accounts than it is to make many wallets that have enough on-chain history to get matching?
We’ve tested it out and talked with the Gitcoin team and found it to be Sybil resistant. I’d encourage you to try it as well and see how well it works, then share the results.
Thank you for sharing the stats! >40% in all those countries is actually a lot more than I was expecting.
Definitely agree that the work you do onboarding people to web3 who don’t have access to tradfi and bank accounts is AWESOME and exactly the sort of work that the crypto ecosystem should be doing that provides value by letting everyone access these systems.
I also think adding in fiat doesn’t affect any of that, it just adds an additional payment method that’s easier so that way more people participate in these blockchain systems, the ecosystem grows, there’s more allo GMV and easier partnerships for Gitcoin as they appeal to wider groups, etc.
I’m not wondering, I know it is easier to “Make, Buy or Hack” PayPal verified accounts than to make wallets with enough on-chain history that doesn’t look like a Bot to pass the COCM & Passport Model Based Defense.
This is why if your Sybil Defense is “PayPal said this is a verified user” then you have a problem, as the introduction of PayPal and other FIAT methods is just introducing new attack vectors for: custodian of Fiat, Round Operator, Matching Pool, Grants Stack and Gitcoin as a whole, because those attacks will be “Allow listed” and their weight would count for matching.
Again, if your sybil resistance relies on the data that is coming from PayPal then this may be flawed due to how easy it is to do “shady stuff” on PayPal.
If you decide to implement other forms of verification that the donation actually came from the real customer then yes it becomes way more resistant; PayPal alone won’t cut it unless you introduce “friction” that makes the process safer.
I am not a round operator yet, but if I venture into trying to bring FIAT to my QF Round, I won’t rely solely on what PayPal said, as by default PayPal transactions aren’t final and you could get a chargeback even 180 days down the line.
Easy way to improve the actual flow? Do extra verifications on each transaction no matter the amount; you could leverage a Blockchain-native KYC Provider and this could be a Trojan Horse to “Onboard” that person into Web3.
@noahchonlee My perception is that you basically made it so easy that you brought in every mother, aunt, brothers, sisters, cousins, entire families and friends… but overwhelmingly from the North… am I wrong?
As a personal opinion, you would be a lot more democratic for the world if you could take regional QFs to Paypal for folks in these Paypal markets, and regular no-Paypal rounds for the global community.
It would be nice if for compensation all the Paypals operators joined a Global South Round
Ah my apologies. What tests did you already do and what were the results that led to this conclusion?
The table I showed previously shows how Paypal use is skewed to a few northern countries, which is very undemocratic. I hope that @thedevanshmehta can join this forum, since he was the one who suggested adding Paypal after the round was approved by the community. I also hope that other round operators also join this discussion, like @MontyMerlin and @LuukDAO from Regen Coordination and BioFi, and the operator of the Youth in Need Round.
Please be aware that my concern is with the integrity of the Gitcoin Community that voted for rounds aligned with their democratic and safety measures. It’s easy to judge that I am here trying to get some crumbs, but it is not the case. I am very fond of and thankful for the relationships I have built with all of you over these years.
We haven’t been presented the round results yet, but in the round’s Signal group @metahands ran simulations without the Paypal donations, which show clearly that from the 4th to the 15th places there would be significant changes in the results:
If you can show us a decent collusion protection and democratic use of fiat donations, I would support Viaprize. But this opaque and unequal functioning only raises concerns about the reliability of the tool, and there’s a chance that the Gitcoin Community wouldn’t approve giving 20k for allegedly “democratic” rounds. I reinforce that this happened not because of operators’ will but simply because of the demographics of Paypal users and lack of transparency of fiat tx.
Tests about what in specific? Because if you refer to my statement about PayPal and Fiat Payments Security, this is public information, and you can verify it with a simple google search.
Whoever receives PayPal and gives $USDC in exchange is at risk of many legacy issues. I don’t need to run a test to know that because it is public domain already and there is plenty of research about it.
If you ask me specific questions about my previous messages then I can go deeper into it.
I would like to note this chart is taken out of its original context. It was a simple simulation to show what round results might have looked like if verified PayPal transactions didn’t receive quadratic funding, though it’s not a fully accurate counterfactual since presumably some portion of those donors would have still contributed via crypto instead. In other words, please do not rely on this chart for empirical data.
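Added example (not the round's data, not Gitcoin's or @metahands' code): a small quadratic-funding simulation of the kind described above, recomputing matching and rankings with and without donations tagged as PayPal. It assumes the plain CLR formula (sum of square roots, squared, minus direct contributions, scaled to the pool) rather than Gitcoin's COCM, and the donation list is constructed.

```python
from math import sqrt
from collections import defaultdict

# Constructed sample donations (not from any real round):
# (project, donor_id, amount_usd, payment_channel)
DONATIONS = [
    ("ProjA", "d1", 10.0, "crypto"), ("ProjA", "d2", 10.0, "crypto"),
    ("ProjA", "d3", 10.0, "paypal"), ("ProjA", "d4", 10.0, "paypal"),
    ("ProjB", "d5", 40.0, "crypto"),
    ("ProjC", "d6", 5.0, "crypto"), ("ProjC", "d7", 5.0, "crypto"),
    ("ProjC", "d8", 5.0, "paypal"),
    ("ProjD", "d9", 20.0, "paypal"), ("ProjD", "d10", 20.0, "paypal"),
]


def qf_matching(donations, pool, excluded_channels=()):
    """Plain CLR quadratic funding (an assumption; Gitcoin's COCM differs).
    raw_i = (sum_j sqrt(c_ij))^2 - sum_j c_ij, scaled so matches sum to pool.
    Donations whose channel is in excluded_channels are dropped first; that
    is the counterfactual the thread's simulation asked about."""
    sqrt_sum, direct, projects = defaultdict(float), defaultdict(float), set()
    for project, _donor, amount, channel in donations:
        projects.add(project)  # keep projects whose donors were all excluded
        if channel in excluded_channels:
            continue
        sqrt_sum[project] += sqrt(amount)
        direct[project] += amount
    raw = {p: max(sqrt_sum[p] ** 2 - direct[p], 0.0) for p in projects}
    total = sum(raw.values())
    if total == 0:  # nothing left to match, e.g. every channel excluded
        return {p: 0.0 for p in projects}
    return {p: pool * r / total for p, r in raw.items()}


def rank_shift(donations, pool, channel):
    """project -> (rank with `channel` counted, rank with it excluded).
    Rank 1 is the largest match; ties break alphabetically (deterministic)."""
    def ranks(match):
        order = sorted(match, key=lambda p: (-match[p], p))
        return {p: i + 1 for i, p in enumerate(order)}
    with_all = ranks(qf_matching(donations, pool))
    without = ranks(qf_matching(donations, pool, (channel,)))
    return {p: (with_all[p], without[p]) for p in with_all}


if __name__ == "__main__":
    for p, (a, b) in sorted(rank_shift(DONATIONS, 1000.0, "paypal").items()):
        print(f"{p}: rank {a} -> {b} once PayPal donations are excluded")
```

With the constructed data, a project funded only through PayPal drops from 2nd to last once that channel is excluded, which is the kind of shift the chart was meant to illustrate.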
Would be interesting to have the demographic data of the Paypal donations or banks used for their validation; it could give an idea of the countries that they came from. That data could easily end the debate on Paypal’s demographic inequality.
I’d really like to understand your concerns.
It seemed in the first message you said that you know that the sybil defense is weak. How do you know this?
In this message you seem to be saying there’s a legal issue. What legal issue is it? We have talked to multiple lawyers and our partner has the necessary licenses.
Ah, that’s an interesting perspective. So while everyone can participate either with fiat or crypto, the concern isn’t whether everyone has a way to participate, it is that some people can participate more easily, which is unfair. Is that right?
Would we have some way to know the demographics of just crypto? We would need a way to compare.
Hi all,
I’m glad we can discuss the merit of certain features.
I believe:
- Helping someone acquire/earn their first crypto to donate > having someone donate with Paypal.
At the same time, I also believe:
- Having someone donate with Paypal > having someone not donate at all.
I can understand where the concerns related to PayPal donations come from as: 1. It’s harder to validate their independence than onchain donations and, to a lesser extent, 2. Many underserved communities can’t access PayPal (as easily).
We should continue to monitor these effects, but I feel the largest wins can be made by continuing to make it easier and more rewarding to donate onchain and stick around!
- If Sybil Defense relies on PayPal alone, then it is weak and has many attack vectors.
- If a Payment can be disputed 180 days via Buyer Protection, then whoever is receiving the PayPal Funds is liable for 6 months on the possibility of having a claim opened against you.
- If a central entity/group (people who provide the list of “Fiat Donors” to the Round Manager) has the decision-making over Model-based Detection, then you’re introducing another attack vector that relies on a workflow that already introduced a few attack vectors (PayPal).
- If a merchant is being used to “receive” the PayPal funding and convert this into $USDC and charge a fee during this process then this is considered a “sale or purchase” and the same 180 days Buyer Protection applies; meaning that if a Red Team decides to attack a round then you may not notice the issue until Chargeback Claims start to pile up and your merchant starts calling.
- If a merchant is being used to process global payments for anything crypto related then I guess this will be a “high-risk” merchant; if this merchant provides the assurances that they handle Chargebacks then yay, you have 1 less problem on your plate, but still if your Sybil strategy relies on PayPal then it is weak because PayPal as a TradFi System has many attack vectors on its own.
Hi wasabi, for the many attack vectors that mean weak Sybil defense, where is this information from?
Plenty of reports found by doing a Google search showcase how cheap it is to attack PayPal.
This is a cool one: Dark web prices for stolen PayPal accounts and credit cards
Yes, it is unfair, it makes it easier for some than for others. In Brazil for digital payments we use something called Pix, not Paypal. So imagine if the Round had allowed Pix donations, but not Paypal ones, how would the non-Brazilian grantees feel? If Pix was allowed, I would get my mother, family and friends to donate. But Pix is not used in other countries, so it would be unfair to Paypal donors, and would of course only favor Brazilians.
Imo the safe method, where everyone can participate in a democratic way, is for grantees to invest in educating their supporters about self-custody and web3 tooling for public goods.
Taking into consideration @LuukDAO’s comments, I agree with him that donating with Paypal > not donating at all. To solve this problem maybe round operators could add a box for the project’s Paypal/Pix/Stripe/etc. addresses and people could donate in fiat directly to them if they prefer. However, letting these donations get matched with community funds is very insecure, unequal and maybe not aligned with Gitcoin intents.
Hi Wasabi, I took a look and this report says there are hacked PayPal accounts available on the dark web for purchase for $161.59 each. That’s much too expensive per account for it to be a realistic sybil attack.
Makes sense. In the end it’s either about increasing allo GMV by providing the easiest options for as many people as possible or sticking with only crypto.
Yes, those prices are unrealistic; seems like the reporter didn’t do a good job at the math.
Those accounts go for way less; price depends on many variables, but you may be surprised how many legacy payment system accounts are up for sale on the internet.
TLDR: It is cheaper to attack Stripe, PayPal, and other legacy payment systems than to attack the Model-based Detection built by the Passport Team, because of centralized points of failure and similar risks associated with the Legacy Payment System.
If you add additional friction to verify those payments then yes it could lower the risks, yet if the Red Team decides to attack the Rounds consistently then you may face two problems: the merchant reaching out to close the account or asking a higher fee because your transactions are labeled as “high-risk”.