Try Quests to earn cryptoWhat's Going On With Gnosis?
There’s been some unusual activity with Gnosis as pointed out by our community. Time to figure out exactly what’s going on. Take a deep dive into recent activity on Gnosis, especially recent rapid rises in the number of active users, transactions, and more. Make any hypothesis you can about what is driving this activity. Is there a new dapp that launched? Is there some incentive program going on? Or is the spike in users/txns due to some sybil attack? Note any trends or outliers you see.
Quick introduction
What is Gnosis?
Gnosis is an open-source, decentralized prediction market built on the Ethereum blockchain. Users are able to create markets where they can speculate on any event or arbitrary outcome. By using the Ethereum Protocol, Gnosis is able to guarantee a secure and transparent ecosystem.
What is xDAI?
xDAI is a cryptocurrency that is pegged to the US Dollar*, has super low transaction fees, and fast transaction times. These features make it an ideal cryptocurrency to use for every day transactions like retail stores or peer to peer transfers.
What is a Sybil attack?
A Sybil attack is an attack against peer-to-peer networks in which a single attacker creates many fake identities to gain an advantage in the network. Other users do not recognize these identities as fictitious, which gives the attacker a disproportionately large influence over the network.
:red_circle: Sybil attacks on blockchains:
Sybil attacks are more common than one would expect. For instance, something as innocent as social media influencers, who buy likes and views to grow in popularity, is considered a Sybil attack. More serious cases are also quite common, such as corrupt politicians, who circumvent the authorities to cast illegitimate votes in their own favor. Sybil attacks usually take place on networks, where there is no direct human interaction, which makes blockchain networks a target.
> The name Sybil comes from the title of a 1973 book by F. R. Schreiber, whose titular character suffered from dissociative identity disorder, causing her to assume multiple identities.
When launching a Sybil attack, a single adversary creates multiple identities on a peer-to-peer network that are indistinguishable from genuine peers. These could be computers, virtual machines, identities with different usernames, emails etc. But on blockchains, these identities are nodes.
Since nodes are pseudonymous, there is no clear connection between a node and an offline entity (the person or institution owning the node). This makes weeding out fake nodes from genuine ones a difficult task, which thus makes the Sybil method all the more inviting for an attacker.
An attacker can flood the network with nodes that they control and theoretically surround individual honest nodes, thus isolating them from the rest of the network. This allows them to focus their attack on a particular node and alter the transaction data relayed to it or cease relaying blocks and transactions to it, which effectively disconnects it from the network.
Such an attack is usually not absolute: it would be very difficult to achieve the complete isolation of a node on a peer-to-peer network. An attacker only needs to gather sufficient influence in the network to be able to mislead honest nodes into accepting an alternative truth. Even a portion of the nodes in the network working in unison against honest nodes can lay the groundwork for launching an attack.
Weaknesses to Sybil attacks
Vulnerability to Sybil attacks depends primarily on how quickly and cheaply new nodes can be created. If the generation process is free and requires little to no computational effort, launching a Sybil attack is easy. Furthermore, vulnerability is also a question of trust, insofar as trust is a vital component of a blockchain’s operation. A system that places trust in peers based on no evidence of their honesty is easily exploitable, whereas a system that requires peers to prove their trustworthiness (by revealing their offline identities, for example) is difficult to launch a Sybil attack against. [Source]
Methods
:ballot_box_with_check: In this dashboard, we first checked the number of transactions, the number of active users and the number of new users on Gnosis in the last month (:spiral_calendar:last 30 days).
:bar_chart: To better understand the sudden changes of activities on gnosis, the charts are displayed in 2 forms, daily and weekly.
🔢 To check if the activities were normal or unusual, I looked at 2 important metrics that are important when investigating Sybil attacks:
> 1- The number of user transactions during the times when unusual activities occurred > > 2- The success rate of transactions and the number of successful transactions versus unsuccessful transactions
↘️ The following tables are used in this dashboard:
> :one: gnosis.core.fact_transactions > > :two: gnosis.core.fact_token_transfers > > :three: gnosis.core.ez_xdai_transfers
💲 Also, at the end, we compared the number of users who transferred the xDAI token in the last 30 days against the transfer of other tokens, and interesting results were discovered!
📝 To check if users have had one transaction or more, the following code is used: (left join worked wonders here❕)
WITH transactions_per_users AS (
SELECT
date_trunc('day', block_timestamp) AS date,
from_address AS wallet,
COUNT(distinct tx_hash) AS "# Transactions"
FROM
gnosis.core.fact_transactions
where
status = 'SUCCESS'
GROUP BY
date,
from_address
ORDER BY
date
),
more_one_transactions AS (
SELECT
date as date1,
COUNT(wallet) AS addresses
FROM
transactions_per_users
WHERE
"# Transactions" > 1
GROUP BY
date
),
one_transaction AS (
SELECT
date,
COUNT(wallet) AS addresses
FROM
transactions_per_users
GROUP BY
date
)
SELECT
date,
one_transaction.addresses as "# Users with 1 transactons",
more_one_transactions.addresses as "# Users with more 1 transactions"
FROM
one_transaction
left join more_one_transactions ON (date = date1)
WHERE
date >= CURRENT_DATE - 30
ORDER BY
date desc
📊 Statistics:
:chart: Analyze
As we can see, in the ==last 30 days==, except for 2 days, October 4 and 5, the trend of the number of transactions is normal and decreasing with a slight slope. But according to the weekly chart, we do not see such a noticeable change in the number of transactions.
:arrow_down: Next, we want to check the number of active users and the number of new users in the last month, we will see interesting results❕
:chart: Analyze
Yes! View the daily chart!
On October 5th, we had about 54.7K new users on Gnosis! For example, we had only 107 new users the day before and 214 new users the day after that. So it is a very strange number!
Of course, we had a sudden increase in users on September 27 and 28.
The weekly chart also shows this increase of unusual users. :heavy_check_mark:
:chart: Analyze
The daily or weekly chart of the number of Gnosis active users is almost the same as the charts in the previous section. On October 5, we had 57K active users, which is almost ==25 times== the number of active users on October 4! So we should be a little suspicious of this process! It is better to check different criteria of user behavior especially in these days.
:chart: Analyze
First, we want to check if the users have had normal activity in these days when they have suddenly increased?!
So we check the number of user transactions, we see that out of 57K active users on October 5, only== 2,340 users have made more than one transaction! Also, if you look at September 27 and 28, you will notice that the number of users with more than one transaction on these days is the same as other days. According to the normalized chart, on October 5, ==3%== of users have made ==more than 1 transaction==.
:chart: Analyze
For the second criterion, we want to ==compare== successful transactions with failed transactions.
As it is known, the success rate of transactions will decrease:chart_with_downwards_trend: sharply from October 5 for 5 days and will be close to 0.15! It can be assumed that Sybil attacks have happened!:stop_sign:
Considering the large number of failed transactions in a few days and the decrease in the success rate of transactions, as well as the significant increase of users who had only one transaction, it can be clearly said that Sybil attacks have occurred.
:chart: Analyze
In the last part, we want to compare the number of users who have transferred xDAI token and other tokens. As you can see, 73% of xDAI token users have transferred, and 56,000 users doing so on October 5th alone! In contrast to 1347 users who have transferred other tokens.
:white_medium_square: I suggest that you definitely see the above timeline chart and pay attention to the comparison of the number of users of the 2 groups in the last 30 days and the percentage of their changes.
Probably, the attacker sent xDAI token to Rinkeby-xDai AMB from different addresses and the transactions have all failed. It can also be assumed that the transfers happened with a very small amount of xDAI. I emphasize again that this was a Sybil attack and nothing else!
⚠️ Sybil attack?
Conclusion
-
By analyzing the information and charts of this dashboard, we can conclude that the sudden increase of users in Gnosis was a Sybil attack. In fact, the attacker has done this by sending a small amount of xDAI token from different addresses to the Rinkeby-xDai AMB bridge, and the transactions have also failed.
-
The fact that this happened on a specific day and the growth of users was not continuous, proves that this was a Sybil attack and not the implementation of a new dapp or program.
-
We observed that this attack took place in the last month on October 5 and with a smaller percentage on September 27 and 28. On October 5th, we had 54,000 new users, which is about 250 times more than normal days, but the number of successful transactions on this day was only nearly 2 times that of other days, which means that most of the transactions were unsuccessful.
-
We also saw that the success rate of transactions will decrease sharply from October 5 for 5 days and will be close to 0.15.
-
And we observed that on October 5, out of 60,000 active users, only 4% of them made more than one transaction, and 57,300 users had only one transaction.
\
Thanks for reading!
This analysis was created on 2022–10–17 for a bounty at Flipside Crypto by Hesam to answer the following questions: #Gnosis - Take a deep dive into recent activity on Gnosis, especially recent rapid rises in the number of active users, transactions, and more. Make any hypothesis you can about what is driving this activity. Is there a new dapp that launched? Is there some incentive program going on? Or is the spike in users/txns due to some sybil attack? Note any trends or outliers you see.
All data used are from Flipside Crypto.
Twitter:
