I spend more time on Farcaster these days, so I find myself a little insulated from Twitter, but jumped in today to find that many were upset about Octant using Gitcoin Passport for our first round of QF.
I get the frustration:
We didn’t have clear enough communication around how this unique setup works.
Many find Gitcoin Passport to be a pain for real users, while still allowing Sybils into the system.
We obviously want to improve as best as we can. The reason we moved quicker than we had planned was because our last round experienced full exposure of why a plutocracy doesn’t work from a community members perspective. Why have a system that wishes to be a platform that aggregates funds based upon user preferences if there are only a few users that actually have influence over the funds?
I agree.
So moving to QF, and using Gitcoin Passport was the path forward that we felt was better than remaining a plutocracy. We did explore a lot of other options. ALOT. Nothing else seemed to be a better alternative at this stage. People wouldn’t be happy with getting on a call with BrightID. People sure as hell wouldn’t be happy scanning their eyeball. DisruptionJoe made it clear that the FDD option isn’t an option right now…
So I’m here to listen, because trying to filter through comment after comment on twitter, and the sub threads that get created is really hard to manage. Got any ideas? Maybe creating a social graph of trust, along with Passport until we can move to what would work even better? I’m really curious to hear your thoughts.
I think the main issue with trying to prove uniqueness is the nature of the problem ie everyone is unique, and so the proof they can offer for that uniqueness varies widely from person to person. So kind of by definition there can’t really be a single rigid system that will work well for everyone.
Personally I find Passport fairly painful to use. That said, I think the system design they have come up with is reasonably logical ie build a score, choose from a range of services that offer different pathways to prove uniqueness.
I think it could be improved quite a bit if it expanded & localised the stamps. Eg rather than just offering US-centric CEXs for KYC processes, they allow a wider range of reputable options.
For me as a designer I have a long established Figma account that has published some quite popular community files & that i’ve created a ton of work in, it would be nice if that could count to my score.
Or things like Minecraft & other platforms where people are publishing original content that can be socially verified as non-automated.
So I think Passport’s main problem is not that it’s a bad idea, more that they haven’t taken it far enough to cover the amount of unique identities that exist.
In Gardens v2, the 1Hive community is gonna use Conviction Voting for sybil resistance.
…something something “when the tool you have is a hammer, every problem looks like a nail…” but for smaller, high-context communities it should be extremely effective.
For bigger communities I don’t know of a better solution than Gitcoin Passport.
Here’s an excerpt from the proposal description for the 1Hive v2 sybil resistance CV:
Citizen’s Registry for Sybil Resistance
CV Type: Signaling
Voting Weight System: Unlimited
Description: create a proposal for yourself, support proposals of 1hivers you know, dispute proposals that are clearly sybils. 1Hive is a small enough community that active people know everyone else who’s active. Unlimited makes it expensive to sybil, and disputability makes it not worth even trying. We can set a minimum support threshold for this CV that defines addresses that are eligible to participate in Fixed, Capped, and Quadratic Pools. Note that v2 will have Gitcoin Passport for sybil resistance, but I think this strategy will be even more effective for us.
I understand how this could be really useful, the only problem is we plan to scale our community much further over the next 12 months compared to where we are right now. So I can see conviction voting working like you said in a smaller setting, but I suppose we are trying to plan with where we intend to go, not with where we are right now.
Any thoughts on what is a solution for a community that is 1k, 5k, 10k @paul ?
I know there are other options like https://holonym.id/ that allow you to verify you have a bank account as KYC beyond US entities.
Although it’s messy, I keep feeling that we can use a handful of solutions including a trusted social graph or allowlist along with tech for unfamiliar entities until we can get to a solid allocation mechanism maybe beyond QF that will work for a large scale community long term.
I’m generally a skeptic of finding a definitive solution to the problem of sybil, and of the solutions that are currently out there I don’t know if any are good enough (in terms of both efficacy and UX. Gitcoin Passport is not bad in terms of efficacy, but lots of users despise the UX).
With that said, I believe we could come up with a custom sybil resistance strategy that would work and work well for Octant, depending on its growth strategy. In other words, the growth strategy itself could integrate sybil resistance components that can be used later on
Also, since sybil to a large extent is a cat and mouse game, it’s probably better if the cat doesn’t tell the mouse where it’s going to be looking for it - at least not share it on a public forum…
Yeah I largely share what you said here. I think the other issue to consider is that we have big aspirations to grow substantially larger in the next 6-12 months from where we are now. When you couple that with features that I imagine will be present, including outside donations, this is largely a question of finding the best tradeoffs that wont substantially inhibit our growth.
But what does that look like? I mentioned some ideas above, but as you said, nothing is perfect…
It’s helpful to see the discourse, and honestly an interesting problem… “Whats a good enough approach”
Kyle here from Gitcoin Passport. I wanted to offer a few thoughts as an octant app user, but then also an operator of Passport.
Octant is using the default score of 20 to confirm humanity. For some, that bar feels too high. ie, they cannot verify based on the numerous available options without KYC (because of new wallets, because activity is spread across lots of wallets, etc.).
If Octant was interested, you all could lower the threshold to 15 or 10 (perhaps even to 5 like Giveth does). Then do an analysis to see if there was a Sybil attack. The suggestion of 20 is based on the modeling and analysis we have done to prevent 80% of sybil actors, but that threshold is arguably geared towards very large ecosystems (think L2 communities).
Loosening the requirements may lower the friction, and still offer some basic protection still.
I would love to dig into the UX issues. We have been really focused on improving this, but it sounds like we have a ways to go still
This is actually good feedback and we’re going to have a long discussion about this next week. With the analysis that is done afterward, any idea around the confidence of detecting sybil if the score is reduced to 10 or 15? We also do have the advantage of being able to do a large amount of analysis on the frontend before the round as well if that helps?
I like a layered approach, especially with community endorsements. Though community endorsements do come with the issue of sybil’s potentially trying to endorse themselves. You can avoid that a bit when you combine it with Passport and a few other options:
Weighted trust - endorsements from users with higher trust scores carry more weight. New or less trusted users need endorsements from more trusted members to be validated.
Mutual endorsement networks - Requiring mutual connections for endorsements adds to the difficulty for sybils. If two users need a third, trusted member to endorse them, it strengthens the network.
Limitations - limiting the number of endorsements a user can give and reguarly analysing endorsement patterns.
Combining community endorsements with Passport would be stronger than one on its own. But I think the critique I’ve read was more about using Passport to begin with.
Reading FDD’s post here, I like his wrap up comment
FDD should stop asking “How do we stop fraud”? and start asking “How can we optimally allocate capital”
I feel we are allocating more optimally with the changes introduced for Epoch Four. Definitely a lot more potential to improve though!
By the way, did DisruptionJoe elaborate on why FDD option isn’t an option right now? @james
Hmm this is a good question and it’s one I’ve been thinking about. The issue I felt was it was easier to game the score by staking GTC (having such a high score), and some of the stamps would be tougher for newbies.
That said, I know the reason for going with Passport was it is one of the best solutions (despite its faults). I’m curious to what a good sybil mechanism or solution can be.
Would be curious if Holonym can be an option here based on a brief discussion (although don’t have specifics on what this could look like in our context).
Compared to other QF rounds, I imagine the cost of forgery for Sybils is higher in Octant—one ought to buy the GLM to earn the reward and then allocate it for QF. This leads me to think a lower Passport Score might reduce friction without significantly compromising the mechanism’s integrity.
Out of the Sybils that still get through, the ones that lock a large sum and might non-trivially sway the distribution of the matching pool are the most concerning. There is a variation of QF where individual contributions are not awarded to the project—this might help disincentivize some Sybil attacks. Here’s a link to the paper, and below is the relevant section.
zk.me offers verifiably anonymous 'zk’KYC and Anti-Sybil services.
UX is one of the best in the industry. User scans face, a fully-homorphic-encrypted faceprint is created locally on compared against all other anti-sybil attempts. A couple of seconds later the user is whitelisted. Super easy.
If legal KYC services are needed (e.g. if there is a risk to airdropping to sanctioned individuals), an additional passport scan can be added, which is also processed fully locally on device.
No one besides the user ever touches private data.
I really appreciate this reply, but this feels like going from 1 to 100 real quick. With a decent pulse on the community, I would be willing to bet this would be a hard pass for many users. Until scanning your face becomes more normalized and people can be sure that their data won’t be leaked, this is going to be a tough sell.
Hey @James! I think it is great you all are thinking about Sybil resistance in such an intentional way at Octant! I wanted to share my perspective as someone who’s been studying social networks for about a decade now in my academic days and now as a practitioner working at Holonym. I’ll try to keep my framing as neutral as possible but I do think Holonym is a wonderful solution and I’ll explain why in a moment. Before I do so I wanted to introduce two terms I’ve recently helped introduce that I think can provide a good context setting for what Octant is trying to achieve.
On the notion of token gated attestations
Around 6-12 months ago I helped deploy a decentralized web forum for a series of online communities who were extra concerned about privacy, credibility, and vulnerability of their users. The group wanted a solution that helped ensure one account = one unique person and they also wanted a way to assign certain trust scores to other users. The solution? A ZK ID gated p2p attestation network that is permissionless to join so long as you verify proof of uniqueness with a government id or phone number (Holonym also offers NFC Passport verification for added privacy and resistance to deepfakes).
The solution is rather elegant with a straightforward user flow:
Users verify with Holonym to prove uniqueness
Holonym verified users are able to attest to other users/wallets
In order to become a trusted user on the forum you must receive at least three attestations from other verified users
Once a verified user is consider trusted they may post on the forum and interact more freely with others (or in your case they may vote)
This accomplished a few things. 1) It kept spam virtually nonexistent. Malicious actors needed to not only prove uniqueness but receive attestations from other unique users. These extra steps deterred bad actors rather effectively. 2) It increased the quality of users on the platform. People willing to verify others and themselves in good faith was a strong signal our user base was of high quality. 3) It allowed us to combine the benefits of zero trust protocols with p2p attestation networks to create a sybil resistant attestation network. We then gated the forum using these token gated attestations as a means to verify unique users that were also vouched for by other unique users. You can think of these vouchers/attestations as community endorsements. People were then able to vote on the forum as truly unique verified users without risk of sybil attacks.
As an additional option to further reduce attack vectors you can have a rule that the attestations should come from accounts with somewhat uncorrelated networks. This helps prevent someone from paying people to get verified by their phones or IDs and then attesting all of their sybils on each other.
Why we need sybil resistant attestation networks
The best way to approach the problem of sybils in distributed systems is with zero trust and verify all the way down to the user. We decided the best way to do this was via a peer-to-peer feedback network where verified Holonym users were able to attest to other wallets using Ethereum Attestation Service (EAS). This allowed us to not only prove that each node in the p2p network was unique but also measure the strength of ties between each user. In doing so we created a sybil resistant attestation network that can be used to enforce things like token gating or voting. If you found this example compelling you can read more about it in this tutorial overview I wrote about building the forum here: https://paragraph.xyz/@holonym/building-an-attestation-gated-web3-forum-with-holonym
Holonym Overview
Over 200 countries are supported and users can verify with their phone, government ID or passport.
UX is conveniently wrapped by a fully embeddable MPC wallet that makes user verification flows very lightweight and effortless.
Phone numbers can be checked for
Length of history with a single owner
Cross-referenced against carrier-published risk scores
Whether they appear in bot farm lists
If its a contract, or a burner phone
Government ID can check against sanction lists
NFC Passport is free and combats against deepfakes
If you found my brief writeup interesting we’d love to talk more to you about building sybil resistant networks for your community:) I think a combination of proof of uniqueness + p2p attestations (community endorsements) makes a lot of sense for you all.
Funny you mention this, we are planning to soon implement QF the way it was described in the original paper. Rather than a set matching pool distributed regardless of the amount donated, it dynamically allocates based upon actual interest by the community.
I agree here, and I really appreciate this comment!
Thanks for sharing @reneedaos !! Holonym has been on our radar for a bit. A few things I’m wondering:
Could this be used side by side with Gitcoin passport, or does it have to be 1 or the other?
Could we implement a verified list of addresses that already have trust within our system, or do we need to essentially onboard every new user through Holonym?
Are we able to gate VoIP phone numbers? It is really easy to set these up at a low cost and would then allow sybils to attack through this vector.
We’ve been recommended Holonym by a few folks on Twitter since yesterday. Privacy seems to be top of mind for folks. The recent Fractal.ID hack, especially given how they were the KYC provider for a bunch of programs, rightfully has people concerned about sharing info that’s so personal. Can you share more on how you counter that + maintain privacy (if you do)? If I’m understanding correctly the ID gating has ZK?
Yeah, we don’t store any user information, so even if our database were to be breached, user data would not be compromised. It’s possible because of ZK. The user verifies with us, we issue credentials, and then they use their credentials to generate ZKPs. No sensitive information is stored during verification, but the user’s information does pass through RAM in our server so that we can sign off on it. The ZKPs hide all personal information but still establish that the user has verified and is unique. Our SBT attests that the user has a valid proof.
Yeah I could see this working well for us. I sent you a DM on Farcaster.
Follow up question, if they verify through Holonym on Farcaster, is this a stamp they need to get periodically, or can we set it to where once they are verified, they don’t need to come back again?
