Wormhole Discloses Witch Detection Method and Airdrop Reward Details, to Re-examine Some Users
TechFlow Selected TechFlow Selected
Wormhole Discloses Witch Detection Method and Airdrop Reward Details, to Re-examine Some Users
Key points for responding to witch detection include withdrawing funds from exchanges, transferring funds with irregular or long intervals, and avoiding singular interaction behaviors.
Navigating Web3 tides with focused insightsAuthor: Wormhole
Translation: Nan Zhi, Odaily Planet Daily
Since its launch in 2020, Wormhole contributors have spent over three years building and expanding Wormhole, and have begun planning an egalitarian airdrop that maximizes rewards for legitimate users of the protocol. The focus is placed on two main groups:
-
Multichain applications and cross-chain users built on Wormhole;
-
Key multichain community groups.
Over the past three years, on-chain users have sent over one billion messages via Wormhole’s message protocol from millions of wallets, using multichain applications across 30 blockchains. These users will receive 81% of this airdrop—approximately 549 million W tokens.
Wormhole conducted Sybil analysis on users, reviewing ownership clustering and behavioral patterns of interacting wallets, weighting wallets based on transaction volume, duration of use, consistency of on-chain activity, and other key factors. This Sybil analysis was specifically carried out by Allium.
The airdrop targets over 400,000 wallets across more than 30 chains. Airdrop details are as follows:
-
Snapshot time: February 6, 2024, 23:59 (UTC+8);
-
Total number of eligible wallets: over 400,000;
-
Airdrop amount: 678,823,000 W, accounting for 6.78% of total supply;
-
Distribution breakdown: On-chain users account for approximately 81% of the airdrop allocation (about 549 million W), while community groups account for approximately 19% (about 129 million W).
Sybil Detection Rules
Ownership Graph
Ownership clustering is a core aspect of the analysis. Because Wormhole connects many different ecosystems—EVM, Solana, Move, etc.—multichain airdrops are extremely challenging.
To maximize each user's chance of qualifying for the airdrop, Wormhole built an ownership graph that assigns a unique user ID to a set of wallets belonging to that user, including wallets that interacted with any Wormhole ecosystem application (such as Pike, Mayan, Allbridge, Portal, and many other DApps).
The ownership graph consolidates all transactions a user may have conducted across different ecosystems under one user ID. This ensures user evaluation is based on their full transaction history rather than fragmented actions within any single ecosystem. This technique also serves as the first step in several processes used to manually flag contracts, protocol relay hot wallets, and large Sybil ownership clusters containing hundreds or even thousands of wallets.
In the example above, interconnected wallet ownership can be attributed to a single user ID. This is used to determine a single user’s reward, even if certain wallets did not directly interact with each other. The total eligible reward is distributed across all wallets identified within the cluster. Therefore, it is crucial to check all wallets that ever interacted with Wormhole ecosystem applications—whether receiving or sending tokens—to claim the full reward.
Funding Source Analysis
Sybil actors typically fund clusters of hundreds to thousands of wallets from a single source, after which each wallet performs its own set of transactions within the protocol. Wormhole examined whether the funding sources of each wallet exhibited clear Sybil characteristics.
This analysis revealed two types of original funding attacks:
-
Spread funding:
Wallet A → Wallets B, C, D…Z
-
Sequential spread funding:
Wallet A → B, Wallet B → C, …
Behavioral Clustering Analysis
While Sybil funding source detection is effective, Sybil strategies have advanced significantly over time. More sophisticated actors may fund large numbers of wallets individually from exchanges to evade funding-source detection algorithms. However, executing such activities at scale requires automation and often exhibits behavioral patterns that distinguish them from legitimate users. By applying the Louvain community detection algorithm on a transaction similarity matrix of ownership clusters, Wormhole was able to differentiate Sybils based on repetitive actions and similar timing intervals. The figure below provides a simplified example of this behavior:
(Note from Odaily Planet Daily: Louvain community detection is a widely used community discovery algorithm that identifies communities where nodes are densely connected internally but sparsely connected externally, thereby identifying dense regions as communities—in Web3 terms, Sybil attackers.)
The algorithm maps transactions to unique IDs based on time, rhythm, and actions, matching identical or nearly identical behaviors. This separates high-density, large-scale automated wallet operations from low-density, genuine user activity. Wormhole contributors used this identification strategy only in combination with other Sybil detection mechanisms.
Spam Transaction Analysis
Another common large-scale tactic involves rapid, consecutive transactions of identical token amounts, either between two chains or across multiple chains. During a massive Sybil campaign beginning in December 2023, wallets exhibiting transaction frequencies abnormally consistent with such activity were flagged and disqualified from the airdrop.
Wormhole noted that the algorithm inevitably includes some regular users. Over the coming weeks, Wormhole will carefully re-evaluate eligibility within the user base, and qualified recipients’ rewards may change.
Reward Algorithm
Rewards are determined based on time and transaction value, with key factors including:
-
Users active for 3 months or longer receive additional airdrop multipliers;
-
User activity prior to December 1, 2023, receives additional airdrop multipliers;
-
Users active during the last bear market (June 2022 to October 2023);
-
Users active in the first year after mainnet launch;
-
Users with cumulative transaction value exceeding $10,000;
-
Transactions involving commonly used chains (e.g., ETH);
-
Transactions involving BTC, ETH, stablecoins, and other assets critical to DeFi;
-
Transactions involving assets where liquidity on the destination chain is extremely low or nonexistent will be assigned negative multipliers.
Targeted Community Airdrops
Wormhole allocated 19% of the airdrop to specific communities, including Wormhole Zealy participants, Pyth stakers, DeGods and y00ts holders, Bad Kids role holders on Discord, Mad Lads holders, and Monad community members.
Conclusion
Wormhole innovatively used behavioral clustering to define addresses, then applied funding source analysis, operational similarity, and spam operation detection to identify Sybils. Key mitigation strategies include withdrawing funds from exchanges, transferring funds irregularly or over long intervals, and avoiding uniform interaction patterns.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News
@wormholecrypto
