With the rise of decentralized blockchain systems, securing these networks against various attack vectors is increasingly critical. One of the most prominent threats to blockchain networks, particularly those using Delegated Proof of Stake (DPoS) consensus, is Sybil attacks. These attacks occur when malicious actors create multiple fake accounts to manipulate systems or extract disproportionate value. Due to the pseudo-anonymous nature of blockchain systems, coupled with low transaction costs, networks like EOSIO-based blockchains are particularly vulnerable.
Our study addresses this vulnerability by developing strategies to detect and mitigate Sybil attacks through clustering techniques and behavior analysis of blockchain accounts. By analyzing transaction histories, account configurations, and operational patterns, we implement an automated system to identify accounts engaged in Sybil attacks, validated through a combination of manual and automatic processes.
Sybil attacks have long been a challenge in distributed networks, particularly in social media and blockchain environments. In traditional social networks such as Facebook and Twitter, Sybil attacks are typically used to spread misinformation or spam. However, the nature of public blockchain networks exacerbates this issue due to the lack of centralized control and the anonymity of users.
Numerous solutions have been proposed to address Sybil attacks, primarily relying on social graph analysis to identify clusters of fake accounts based on their network behaviors. Algorithms such as SybilGuard, SybilDefender, and SybilLimit are well-known for their success in detecting Sybil entities by analyzing the relationships and behaviors of nodes within the network. These systems, however, were designed primarily for social networks and do not fully account for the distinct characteristics of blockchain systems, where user interactions often revolve around value transfers rather than social links.
In blockchain environments, previous studies have explored the use of behavioral analysis to detect Sybil accounts, leveraging features such as account creation dates, transaction patterns, and resource usage. These techniques are especially relevant for blockchains like EOSIO, where accounts interact through delegated resources (e.g., CPU and NET). While these methods show promise, Sybil detection in blockchain remains an evolving field, with substantial opportunities for improvement in accuracy and automation.
EOSIO is a DPoS blockchain platform that supports smart contracts and allows for pseudo-anonymous transactions. We selected this blockchain due to its low transaction costs, which make it a target for Sybil attacks.
We implemented several clustering algorithms to group blockchain addresses based on behavioral characteristics such as transaction timing, resource delegation, and account creation patterns. These included hierarchical clustering, temporal clustering, and heuristic-based methods for detecting correlations between accounts.
To gather the necessary data, we employed automated extraction processes via API queries to the blockchain nodes. This allowed us to obtain detailed transaction histories and account information for analysis.
We integrated machine learning models to improve the detection of Sybil behaviors. These models analyze the patterns of address activity and correlate them with known Sybil attack strategies.
While much of the detection process is automated, we developed tools for manual validation, allowing human operators to review and confirm suspected Sybil clusters identified by the system.
By combining these technologies, we were able to develop a robust system capable of identifying large-scale Sybil attacks in EOSIO blockchains. The following sections detail our methodology and the findings of this study.
Study Details
The primary goal of our study was to detect and mitigate Sybil attacks in blockchain environments, particularly in EOSIO-based blockchains like Telos, WAX, and EOS. These blockchains, using the Delegated Proof of Stake (DPoS) consensus model, are highly susceptible to Sybil attacks due to the negligible transaction costs and pseudo-anonymity of users. Our aim was to develop an automated system capable of detecting these attacks by analyzing blockchain data and identifying patterns indicating the presence of multiple accounts controlled by a single entity. This included:
- Data Collection and Analysis: Develop methods for collecting transaction and account data from the blockchain for analysis.
- Behavioral Profiling: Identify common behavioral patterns of Sybil accounts, including transaction frequency, account creation, and resource usage.
- Clustering: Implement clustering techniques to group accounts with similar behaviors and detect groups of Sybil accounts.
- Automation: Develop an automated system for detecting Sybil accounts, minimizing the need for manual intervention while ensuring high accuracy.
- Practical Application: Apply the system to a live blockchain event (airgrab) to test its efficacy in detecting and mitigating Sybil attacks.
To collect relevant blockchain data, we utilized EOSIO blockchain nodes, focusing on extracting transaction histories, account creation information, and resource delegation details (CPU, NET, RAM). We developed an automated data extraction tool that interacted with these nodes using HTTP requests to pull transaction data, storing the results in a relational database for further analysis.
We knew that understanding the behavior of accounts would be key. Sybil attackers often exhibit distinct patterns in how they create and manage multiple accounts, from the timing of account creation to transaction behaviors and resource management. Recognizing this, we designed a behavior analysis framework aimed at uncovering these patterns. By examining these behaviors, we were able to identify links between accounts that were otherwise hidden, allowing us to detect large-scale Sybil attacks. Below is a breakdown of the clustering techniques we applied to achieve this, each targeting a different aspect of Sybil behavior:
- Clustering by Parent-Child Relationship (Hierarchy): We grouped blockchain accounts based on their hierarchical relationships, where a parent account is responsible for creating child accounts. This approach is particularly effective in detecting Sybil attacks, as attackers often use one account to generate many others in a hierarchical chain. By identifying large chains of parent-child relationships, we were able to pinpoint cases where a single entity was controlling multiple accounts, a key indicator of Sybil activity.
- Temporal Clustering by Account Creation and Registration in Airgrab: This technique involved clustering accounts that were created and registered for airgrab events within close timeframes, often within 1-2 days for creation and 1-2 hours for registration. Attackers typically automate the creation and registration of large numbers of accounts, performing these actions in rapid succession. By identifying accounts with near-identical creation and registration times, we could detect automated, bot-driven behavior indicative of a Sybil attack.
- Clustering by Transaction Amount and Timing: Accounts were clustered based on their transaction behavior, specifically focusing on accounts with similar average daily transfer amounts and closely aligned transaction timing patterns. Sybil attackers frequently create multiple accounts to perform repetitive transactions with identical or nearly identical amounts. These consistent patterns reveal coordination between accounts, and clustering them based on these similarities allowed us to identify groups of accounts involved in orchestrated fraudulent activities.
- Clustering by Public Key Reuse: We clustered accounts that shared the same public key, which corresponds to the private key used for authorizing transactions. Attackers often reuse the same public/private key pairs across multiple accounts to simplify control and management. This clustering method provided a direct link between accounts that were clearly under the control of the same individual, as the reuse of public keys is a strong indicator that the accounts are not independent.
- Clustering by Resource Delegation (CPU and NET): In EOSIO blockchains, accounts require CPU and NET resources to execute transactions. We clustered accounts that received CPU and NET resources from the same source, a behavior common among Sybil attackers managing multiple accounts. By examining resource delegation patterns, we could connect seemingly independent accounts that were all receiving resources from a central controlling account, revealing the attacker’s attempt to operate multiple accounts efficiently.
- Clustering by Common Destination for Transfers: This technique clustered accounts that frequently transferred funds or tokens to a common destination address. Sybil attackers often create many accounts to funnel tokens into a central account, which they can use for staking or selling. By identifying clusters of accounts consistently sending assets to the same address, we uncovered groups of accounts working in coordination to centralize their illicit activities, a hallmark of Sybil attacks.
- Clustering by Account Creation After Airgrab Announcement: Accounts created immediately after the announcement of the airgrab event were clustered together, as these accounts were likely created specifically to exploit the event. Attackers often take advantage of such opportunities by quickly generating new accounts to participate in token distribution. By clustering accounts created during this critical period, we identified accounts that were highly likely to be part of an orchestrated Sybil attack aimed at exploiting the airgrab.
- Clustering by CPU and NET Delegation to the Same Address: Similar to the resource delegation clustering, we grouped accounts that delegated CPU and NET resources to the same address. This clustering focused on cases where multiple accounts pooled their resources into a single target address. This behavior often indicates coordination between accounts, as they work together to accomplish tasks like executing smart contracts or manipulating voting mechanisms. By clustering accounts with this shared delegation behavior, we could reveal groups of accounts being centrally managed for malicious purposes.
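The following is an added illustration of how several of the heuristics above (parent-child creation, public key reuse, a shared CPU/NET delegator, a common transfer destination, and the creation/registration time windows) can be combined into one clustering pass with union-find; it is not the study's own code. The account records, field names, and the 2-day/2-hour windows are constructed for the example, and the resulting clusters are candidates for the manual review described in the Validation section, not a verdict.

```python
from collections import defaultdict
# Constructed sample in the shape the study describes (not real chain data); times in unix seconds.
ACCOUNTS = {
    "bossaccount1": {"creator": "eosio", "key": "EOSKEY_BOSS", "cpu_from": "", "dest": "", "created": 0, "registered": 400000},
    "farm.a": {"creator": "bossaccount1", "key": "EOSKEY_FARM", "cpu_from": "bossaccount1", "dest": "bossaccount1", "created": 1000, "registered": 500000},
    "farm.b": {"creator": "bossaccount1", "key": "EOSKEY_FARM", "cpu_from": "bossaccount1", "dest": "bossaccount1", "created": 1060, "registered": 500060},
    "farm.c": {"creator": "farm.a", "key": "EOSKEY_C", "cpu_from": "bossaccount1", "dest": "bossaccount1", "created": 1200, "registered": 500120},
    "mule.d": {"creator": "exchange", "key": "EOSKEY_D", "cpu_from": "", "dest": "bossaccount1", "created": 90000, "registered": 700000},
    "alice.gm": {"creator": "exchange", "key": "EOSKEY_ALICE", "cpu_from": "", "dest": "shop", "created": 50000, "registered": 600000},
    "bob.gm": {"creator": "exchange", "key": "EOSKEY_BOB", "cpu_from": "", "dest": "dex", "created": 300000, "registered": 600100},
}

def find(parent, x):  # union-find root lookup with path halving
    while parent[x] != x:
        parent[x] = x = parent[parent[x]]
    return x

def union(parent, a, b):
    ra, rb = find(parent, a), find(parent, b)
    if ra != rb:
        parent[rb] = ra

def cluster_accounts(accounts, create_window=172800, reg_window=7200):
    """Merge accounts linked by parent-child creation, shared public key, same CPU/NET
    delegator, same transfer destination, or creation <=2 days AND registration <=2 h apart."""
    parent = {name: name for name in accounts}
    for name, rec in accounts.items():
        if rec["creator"] in accounts:  # parent-child only when the parent is in the data set,
            union(parent, name, rec["creator"])  # so exchange-created accounts are not siblings
    for attr in ("key", "cpu_from", "dest"):  # one group per shared value
        by_value = defaultdict(list)
        for name, rec in accounts.items():
            if rec[attr]:
                by_value[rec[attr]].append(name)
        for members in by_value.values():
            for other in members[1:]:
                union(parent, members[0], other)
    ordered = sorted(accounts, key=lambda n: accounts[n]["created"])  # temporal sweep
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if accounts[b]["created"] - accounts[a]["created"] > create_window:
                break
            if abs(accounts[b]["registered"] - accounts[a]["registered"]) <= reg_window:
                union(parent, a, b)
    groups = defaultdict(set)
    for name in accounts:
        groups[find(parent, name)].add(name)
    return [sorted(g) for g in groups.values()]

def flag_sybil(clusters, min_size=3):
    """Accounts in any cluster of at least min_size members: candidates for manual review."""
    return sorted(n for c in clusters if len(c) >= min_size for n in c)
```

Note that bob.gm registers only 100 seconds after alice.gm but was created months earlier, so the temporal rule, which requires both windows to hold, does not merge two organic users on registration timing alone.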
Validation
Initially, clustering results were manually reviewed. Each identified cluster of accounts was evaluated by examining the account data, including transaction history, resource delegation, and public keys. This manual validation helped refine the clustering algorithms, building a strong rationale for determining Sybil accounts. Once the manual validation confirmed the accuracy of the system, we automated the validation process, integrating the criteria developed during the manual review into the automated detection system.
Practical Application – Airgrab Event
The system was tested during a series of airgrab events, where users registered their blockchain addresses to receive tokens. Airgrabs are highly susceptible to Sybil attacks because they distribute tokens to any registered address without immediate verification. Over the course of six monthly airgrab events, the system processed registrations and applied the Sybil detection algorithms. During each event, the system identified large numbers of fraudulent accounts, significantly reducing the distribution of tokens to attackers. The results of the study were highly encouraging, demonstrating the efficacy of our approach in detecting and mitigating Sybil attacks:
Event 1 (First Airgrab)
- Total Registered Addresses: 21,000
- Detected Sybil Accounts: 11,872 (56% of total)
We were surprised by the sheer volume of Sybil accounts registered for the first airgrab. After manual review and algorithm refinement, our system successfully blocked these accounts from receiving tokens.
Event 2
- Total Registered Addresses: 27,000
- Detected Sybil Accounts: 13,596 (50% of total)
Although more accounts registered in the second month, the system maintained its accuracy, detecting and excluding a significant portion of Sybil accounts.
Event 3
- Total Registered Addresses: 5,000
- Detected Sybil Accounts: 3,302 (66% of total)
By the third event, the number of registrations dropped, but Sybil accounts represented a larger percentage of the total. The system continued to perform well, blocking these fraudulent accounts.
Subsequent Events
Events 4 to 6 saw decreasing registrations (2,500, 1,600, and 900, respectively), but the proportion of Sybil accounts remained high. The detection system identified between 500 and 1,268 Sybil accounts in these events.
Analysis
Our methodology proved effective in reducing the number of fraudulent accounts participating in the airgrab events. Manual validation in early stages was crucial for refining the automated process, ensuring high accuracy in subsequent events.
This study successfully demonstrated the feasibility and effectiveness of detecting Sybil attacks in EOSIO-based blockchains. By combining behavioral analysis, clustering algorithms, and automated validation processes, we were able to identify and block thousands of fraudulent accounts from participating in airgrab events. These findings have significant implications for the broader blockchain ecosystem, offering a scalable solution for mitigating Sybil attacks in decentralized systems.
Future work will focus on generalizing the approach for broader applications beyond airgrabs, potentially releasing the code as an open-source project to benefit the larger blockchain community.