[GCP] - Sybil Attacker QF Round

GCP: Sybil Attacker QF Round

Co-authors: @Jeremy & Umar

Thank you to @owocki , @meglister , @azeem , @MathildaDV , @CoachJonathan, @Sov , @connor , @M0nkeyFl0wer , @epowell101 for feedback on this GCP and/or conversations about the idea


Create a $5k quadratic funding round specifically for individuals with the skills to launch a sybil attack to come and claim the funding if they share information on how they do it.


Sybil Defense is one of the largest problems facing Web3 and the reason for the existence of Gitcoin Passport. Sybil Resistance enables UBI, more effective airdrops, better quadratic funding, and much more.

Over the years, Sybil Attackers could have stolen millions of dollars from Gitcoin and the Ethereum ecosystem. Gitcoin’s unique position is similar to a bank holding funds on behalf of the ecosystem and every quarter we open the vault to give out money to the people placed in line by our community. Yet among those people there are some wearing disguises, impersonating honest actors, in order to steal from the bank.

While we’ve developed defense mechanisms against these robbers (such as asking to see their passport) we haven’t implemented one of the most common techniques banks use to defend against robbers both in-person and online. Trying to break into your own bank.

When you try to break in yourself you learn exactly where the weaknesses in the system are and can then design new methods to strengthen those locations. With this round, we’re offering an incentive for hackers to try to break into our system and tell us where our weaknesses are. Once we’ve shored them up we’ll then be in a better position to implement quadratic funding and aid the web3 ecosystem at large with sybil defense.


In a red team/blue team exercise, the red team is made up of offensive security experts who try to attack an organization’s cybersecurity defenses. The blue team defends against and responds to the red team attack.”

So far, Gitcoin and its community have played the role of the blue team. We defend from sybils and we often do so in an open-source way that reveals how we work to our adversary.

Our lack of knowledge about how the red team operates and attacks our system limits our ability to defend against them. Yet in our ecosystem we have people with the technical ability to break into our system who may have resisted doing so only because of their moral concerns. Let’s invite them to do what they’re good at and work with us.

The best part? No squelching.


Grants Stack makes it extremely easy to spin up a QF round. We will start one with the following rules:

  • All non-offensive applications are accepted
  • Grants must get at least 100 unique contributions above a 20 passport score to receive any matching payout
  • Grants must share a detailed document on how they attacked the system via email before payouts and be available to answer questions (and preferably, but not required: hop on an anonymous voice call)
  • 80% matching cap: if a single attacker drastically outcompetes the others they can claim up to $4k
  • All donors will be labeled as Sybils in the Passport data sets and may not be able to receive scores or reuse credentials in the future

This will also require support from the MMM team to communicate about the round to draw in participants. This would involve:

  • One design asset
  • One or two emails
  • Several tweets

Something similar to what Yearn did:


  • Insights into how sybil attacks are conducted
  • Insights into how to improve our sybil defense
  • Possibility to create new partnerships with proven experts


  • Costs $5k
  • Creates pressure to rapidly shore up our defenses after identifying key learnings

Vote (tbd on Snapshot)

Yes: Pilot the Sybil Attacker QF Round and allocate $5k

No: Do not fund this work and do not move forward

Abstain: I am missing context or this proposal needs more refinement

Temperature Check

  • Yes - Pilot the round for $5k
  • No - Do not fund
  • Abstain
0 voters

I support this proposal and the amazing work @umarkhaneth is doing here at Gitcoin.


is gitcoin passport a cost center for gitcoin? or is it a billion dollar opportunity to bootstrap an ecosystem of sybil resistent dapps that uniquely gitcoin can do?

if the former, then ppl likely will want to skimp on spending to improve this data set. if the latter, then its worth doubling down on probably.

another point: i do worry that $5k is a pittance to the most sophisticated sybil attackers/red team people, who likely make millions of $$$ per year in yield farming operations. i wonder if we might encourage the red team to cooperate instead of defect in other ways and/or increase the funding for these types of operations (this GCP, but also Upala style campaigns) in the future


Good feedback @owocki.

i do worry that $5k is a pittance to the most sophisticated sybil attackers/red team people, who likely make millions of $$$ per year in yield farming operations.

I think it’s OK to start small to see what value we can glean and make sure we have the full close loop in place before we ramp up the type of funding we’d put on the attacking side.


Gitcoin passport is the reason people hate Gitcoin. 3/4 of people who wanted to donate to our projects could not get enough points to donate as you made passport even more restrictive. Also, you agressively push your partners in a way that make users hate you (that is what some people told me). For example, at some point UI did’t allow to make donations if the user didn’t register brightid, even though often headache with brightid is higher than number of points you can get (unless it was a ui bug and it was not mandatory)Please, find a way to make gitcoin usable again!


3/4 wallets were able to reach a passport score >20 in GG18. There’s a tension between making it hard for sybils and easy for humans that’s still being explored on a relatively new product. That tension gets better with every round

When was this the case? Do you have any more specific information?

Passport lets you have your choice of any stamps to verify with as long as you make it over 20. I know I’m not verified with BrightID and I’m well over a 20 passport score + able to make donations.

Your comments here are off-topic. If you wish to continue this convo, please dm me :]


Voted yes, but also agree with @owocki on the matching amount. I’d like to see something closer to the minimum for featured rounds to motivate participation. $5K doesn’t commensurate with the long term value this brings to Gitcoin.


I’m very in support of this proposal. I think this will lead to a lot of interesting data for the Passport team.

I’ll also add concern that $5k might be too small to attract much attention from “professional” sybil attackers.