| name | about | title | labels | assignees | | -------- | -------- | -------- | -------- | -------- | | Sybil Report | Report Sybil Activity on LayerZero | 0xScore Sybil Report 1 | under review | 0xScore | # Reported Addresses Due to the length of the list, we're posting it on [gist](https://gist.github.com/0xScore/da9f150908f00417з5735faccc435f208); # Description We created a **methodology** for sybil detection based on **address behavior clustering**, and we hope that the results of our work will **benefit the real users** of LayerZero and help decrease the amount of unfair rewards to airdrop farmers. We are **open for cooperation** and happy to adjust our work to your needs if you have any special requests. # Detailed Methodology & Walkthrough We started with data collection. To do this, **we sparse all transactions** that interacted with smart contracts that somehow send messages using the LayerZero protocol. We processed `Packet(bytes)` events on the UltraLightNode. By decoding, we extracted dstAddress and other information we needed. Thus, we obtained a dataset on such blockchains as **arbitrum** **avalanche** **base** **bsc** **celo** **eth** **fantom** **gnosis** **optimism** **polygon** *If necessary, we can load the script to collect transactions into gist, and the dataset itself into s3*. We made research for different networks which have activity with LayerZero Research steps: 1. Selecting chains. We start with **less popular networks because they can be used by drop farmers** to increase activity. In this report, we provide sybil addresses detected on **Gnosis, Celo, Base, and Fantom**. We are going to make another commit with other networks a bit later. Arbitrum, BSC, Optimism, and Polygon have a lot of transactions, and it takes some time to prepare them. 2. We **retrieve all LayerZero transactions** from this chain and create a pivot table where the rows are "from address of the source chain" and the columns are "destination address on the destination chain." In the cells, we put the number of transactions from each specific "from" address to each "destination" address. 3. We use the **machine learning method "clustering"** to find "from" addresses that have similar patterns of LayerZero transactions. For example, we might find 300 addresses that, on average, have 30 transactions to address A, 5 to address B, and 7 to address C, and around 0 to all other addresses. We can conclude that these addresses are **controlled by the same sybil entity** and probably even **operated by bots**. All these pivot **matrices** for each identified cluster of every chain are **stored in a special folder**, and **you can check each of them**. 4. Step by step **manual hand check** of each interesting cluster and deep **checking of several random addresses** from the cluster in explorers to confirm that this set is **indeed sybil activity**. 5. After this, we **collect all sybil addresses** in one place and **exclude from this list every address already published by LayerZero as sybil**. The result is the **final list**. We [**uploaded**](https://docs.google.com/spreadsheets/d/1M2gBpuCMxNaIMe3m8ja_IUc4HWVWKHVHFps8Ud50hiw/edit?usp=sharing) a **good example of a sybil cluster** to Google Sheets. It contains **423 addresses**, each of which has around **5-6 transactions to 7 destination addresses and around zero transactions to all other** destination addresses All other tables are uploaded to a [**shared folder**](https://drive.google.com/drive/folders/1Fjp80ufGU-9rkZb6P_qzAXKJ74Xcc8ZM) on Google Drive and are available for analysis. Each file **contain chain in his name**. For simplicity, we have placed the columns with the **most active destination addresses on the left side**, sorted based on the total number of transactions involving these destination address # Reward Address (If Eligible) 0xf1d7653b8c8557984265334f5D67E9C2370B36DE