Insights: Understanding the Ribbon Finance Airdrop
Analysis of on-chain data and how ARCx custom scores could have protected against exploitation
TLDR: by using ARCx, Ribbon Finance could potentially have saved at least 1.23M RBN (4.15%) and up to 8.12M RBN (27.3%). We calculated this from the number of unique days on which a transaction was made, the number of addresses the owner sent tokens to, and the number of distinct tokens traded.
Over the past week, Ribbon Finance, an upcoming DeFi project that sells structured option products, airdropped tokens to their early users. However, through some on-chain analysis, members of the community found that certain addresses had exploited the airdrop by spinning up many Ethereum addresses, claiming tokens across numerous wallets, and then dumping the tokens.
At ARCx we’re building the DeFi Passport, a product that creates various scores derived purely from someone’s on-chain behaviour. Given our expertise in on-chain data, reputation and analysis we thought we’d dig in and understand what happened with more nuance.
The crypto community's initial findings were that a single entity exploited the airdrop for ~$2m. However, we found that the amount of money lost or distributed ineffectively by the Ribbon DAO was much larger.
In our sample of Sybil attackers, the profile of the malicious addresses used in the attack was consistently low on Ethereum activity, diversity in assets traded, and any version of exposure to ARCx (including being a passport holder).
By using ARCx, Ribbon Finance could potentially have saved at least 1.23M RBN (4.15%) and up to 8.12M RBN (27.3%). We calculated this from the number of unique days on which a transaction was made, the number of addresses the owner sent tokens to, and the number of distinct tokens traded.
Now for the moment you’ve been waiting for: an analysis of the data itself. The first graph we looked at when analyzing the airdrop shows how many distinct ERC20 tokens each address had traded, the number of days of transaction history it had, and how many RBN tokens it received from the airdrop. The graph below helps visualise this data.
What’s interesting to note in the above graph is the clustering of addresses in the bottom left quadrant. We define this quadrant as Q1 (where the number of distinct tokens traded is less than 5 and the number of days active on-chain was less than 10).
From our analysis, we found that the wallets that engaged in the Sybil attack represented 4.15% of the airdrop or about $5m worth of RBN.
When you think about it conceptually though, addresses with only 10 days of active history aren’t really that high value. They contain little history and don’t really indicate any solid traits of Web 3 experience. Ideally in our research, you want wallets that are more experienced on-chain as they represent valuable identities and a lower probability of being gamed.
We dug into what percentage of the rewards went to wallets that were in Quadrant 1 (in the bottom left corner of the first graph) and found that a staggering 27% of $32m of RBN went to these addresses.
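The Quadrant 1 check described above can be reproduced over raw transfer records. The following is an added example, not ARCx's or Ribbon's own code: the thresholds (fewer than 5 distinct tokens, fewer than 10 active days) come from this post, while the function names, addresses, transfers and allocation amounts are constructed for illustration, and attributing activity to the sending address only is an assumption.

```python
from collections import defaultdict

MAX_TOKENS = 5   # Q1: fewer than 5 distinct tokens traded
MAX_DAYS = 10    # Q1: fewer than 10 days active on-chain
DAY = 86_400     # seconds per day

def build_features(transfers):
    """Per-sender counts: unique active days, distinct tokens, distinct recipients."""
    days, tokens, peers = defaultdict(set), defaultdict(set), defaultdict(set)
    for ts, sender, recipient, token in transfers:
        days[sender].add(ts // DAY)   # bucket timestamps into UTC days
        tokens[sender].add(token)
        peers[sender].add(recipient)
    return {a: {"days": len(days[a]), "tokens": len(tokens[a]),
                "peers": len(peers[a])} for a in days}

def in_q1(f):
    """Both conditions must hold for an address to fall in Quadrant 1."""
    return f["tokens"] < MAX_TOKENS and f["days"] < MAX_DAYS

def q1_share(transfers, allocations):
    """Return (Q1 addresses, fraction of the airdrop allocated to them)."""
    feats = build_features(transfers)
    empty = {"days": 0, "tokens": 0, "peers": 0}  # recipient with no outgoing history
    flagged = sorted(a for a in allocations if in_q1(feats.get(a, empty)))
    total = sum(allocations.values())
    return flagged, sum(allocations[a] for a in flagged) / total

# Constructed sample data: (unix_timestamp, sender, recipient, token).
T0 = 1_630_000_000
TOKENS = ["WETH", "USDC", "DAI", "UNI", "AAVE", "LINK"]
# Experienced wallet: 12 active days, 6 tokens, 4 counterparties.
SAMPLE = [(T0 + i * DAY, "0xveteran", f"0xpeer{i % 4}", TOKENS[i % 6])
          for i in range(12)]
# Fresh wallets that each make one transfer to the same collector address.
SAMPLE += [(T0 + 20 * DAY + i, f"0xfresh{i}", "0xcollector", "WETH")
           for i in range(3)]
# Few tokens but 15 active days: outside Q1 because only one condition holds.
SAMPLE += [(T0 + i * DAY, "0xsteady", "0xpeer0", TOKENS[i % 2])
           for i in range(15)]
# Constructed airdrop amounts; "0xsilent" never sent a transfer.
ALLOCATIONS = {"0xveteran": 400, "0xsteady": 200, "0xfresh0": 100,
               "0xfresh1": 100, "0xfresh2": 100, "0xsilent": 100}

if __name__ == "__main__":
    flagged, share = q1_share(SAMPLE, ALLOCATIONS)
    print(f"Q1 addresses: {flagged}")
    print(f"Share of airdrop allocated to Q1: {share:.1%}")
```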
Ribbon Finance had one of the more sophisticated ways of distributing tokens to users of their product; however, this did not make their token distribution Sybil resistant.
ARCx has been pioneering many custom scores to model consumer behaviour on EVM blockchains. One such metric we’re working on is a “Web 3 Citizen” score that determines how actively engaged and valuable an identity is. While still in development, the “Web3 Citizen” score has many metrics that we consider such as:
How often are they doing things on the blockchain?
How many different kinds of assets are they transacting in?
How many distinct addresses do they interact with?
Have they been dormant for a significant amount of time?
Many of these features, while internal, are used to determine passport eligibility at ARCx.
By using such a score, protocols can receive numerous benefits that include but are not limited to:
Remove the universe of Sybil attackers
Remove individuals who do not participate in blockchain-based activity
We consider activity as opposed to wealth or the value or token assets held
An individual in the Philippines who feeds his family playing Axie Infinity WOULD be whitelisted in a universe where this score is widely applied to prospective airdrop recipients
Notable in our analysis as well, is the fact that individuals who were recipients of the RBN airdrop also happened to be involved with ARCx.
Without saying that any individual who has been added to our waitlist was not one of the sighted ones involved in the Sybil attack
The thesis of tying an individual cost of identity to trust in web3 is further validated by these results.
At ARCx we are pooling data from multiple EVM chains to create a historical profile we can leverage to score users probabilistically. As profiles expand, communities can leverage the data on their users in public to profile the best citizens they can work with and reward.
If you’re a protocol that wants to understand your users’ on-chain behaviour and create smart contracts and applications that can leverage this analysis, reach out to us!
Special shoutout to @metaversephd in the ARCx Machine Learning team for putting the analysis together.