J.Hackworth

Posted on Sep 14, 2022

Gnosis Safe Airdrop Farmer Detection

Introduction

While crypto and web3 aim to build a better society and internet, there are a lot of bad actors taking advantage of the current system. Sybil attackers and airdrop farmers are just. These are users who create multiple accounts or do the bare minimum to collect free money. Once they receive their rewards, they sell. To help defend against this behavior, Gnosis Safe has tasked the community with helping to identify potential airdrop farmers. Gnosis Safe is a multi-signature smart contract wallet that allows users to define a list of owner/signer accounts and a threshold number of signers required to confirm a transaction. Once the threshold of owner accounts has confirmed a transaction, the Safe transaction can be executed. I first noticed the issue of airdrop farmers after an analysis I did with Uniswap, where most airdrop receivers dumped their tokens and did not participate in governance as intended.

I decided to use my data analysis skills and on-chain sleuthing experience to discover Gnosis Safe addresses that may be farming rewards. Bad on-chain behavior should not be rewarded but should be rooted out by looking at abnormal on-chain activity and previous negative events such as dumping previous airdrops. Through this process, I discovered XX potential farmers/sybils. Going beyond this, I decided to create a cluster analysis / nearest neighbor model to identify whether certain behaviors may detect airdrop farming beforehand (this will be used in a later analysis).

Methodology

Full Jupyter Notebook can be found here: https://github.com/jhackworth42/-Gnosis-Safe-Farmer-Detection/blob/main/GnosisSafe_AirdropFarmer_Analysis_v2.ipynb

To achieve this, I used a Python Jupyter Notebook that queried on-chain data directly via Flipside’s ShroomDK (side note: this was my first time using it and it was awesome). I made the following queries to better understand the behavior of Gnosis Safes:

  1. Query to collect all Safe Addresses, the time they were created, and who all were the original owners (multiple owners would be separated into different rows)

  2. Query to collect all Safe Addresses, the time they were created, and who all were the original owners (multiple owners would be separated into different rows)

  3. List of addresses that dumped previous airdropped tokens within the first 14 days of the airdrop

I then did some feature engineering to better group and create potential flags for airdrop farmers. Below are some of the features I created:

  • ‘Low txs’: if the owner/safe has less than 5 transactions.

  • ‘Short Activity’: if the owner/safe has an activity span of fewer than 3 days.

1 represents Safes that have an activity span of fewer than 3 days

  • ‘Low From’ / ‘Low To’: if they have only interacted with 2 or fewer addresses.

  • “# of Airdrops”: How many airdrops did they dump?

  • “# of Wallets”: If the owner has multiple wallets there is a greater chance that they may be creating safes just to receive the airdrop

Only a small amount of users own more than 4 Gnosis Safes

The reason behind these features is that if owners are not actively using the wallet, have a short activity span, or are dumping tokens, they may have created the safe just to obtain the airdrop.

To label safe addresses as a “farmer”, the following logic was applied, with the following reasoning:

  • 'Multiple Wallets, Low Safe Activity': They created multiple wallets and didn’t use them just to get the airdrop

  • 'Dumped Previous Airdrop, Low Safe Activity': If an address dumped a previous airdrop that may not necessarily be a bad thing, but if they did that AND have low safe activity this is concerning.

  • 'Dumped Two Airdrops': Dump Token once shame on me, Dump Token Twice and you can’t get fooled again. If an owner dumped two tokens within 14 days then they are most likely doing some sort of farming.

  • 'Low Owner Activity, Low Safe Activity': If a wallet and safe were used for less than three days, this may also be a cause for concern.

  • 'Low Safe Activity, Created Safe on Same Day': The safe was only used for a short time and the wallet and safe were created on the same day. This may be a "set it and forget it" case where a wallet was created specifically for the purpose of farming.

In the following output, we can see the outputs for the potential farmers, the number of flags, and each of the flags a safe address has (ex. Dumped $UNI, Dumped $1INCH, 'Dumped Two Airdrops', 'Low Owner Activity, Low Safe Activity')

List of potential farmers and data: https://github.com/jhackworth42/-Gnosis-Safe-Farmer-Detection/blob/main/Potiential%20Airdrop%20Farmers.csv
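The labeling rules above can be written as a small rule engine. This is an added example, not code from the author's notebook: the `Activity` fields, the sample addresses and the sample data are constructed, and two points the post leaves open are assumptions here ("low activity" means fewer than 5 transactions or a span under 3 days, and "multiple wallets" means more than one Safe).

```python
from dataclasses import dataclass
from datetime import date

LOW_TX, SHORT_SPAN_DAYS = 5, 3  # thresholds stated in the post

@dataclass
class Activity:
    """Per-address summary; field names are hypothetical."""
    created: date
    first_tx: date
    last_tx: date
    tx_count: int

    def low(self) -> bool:
        # Assumption: "low activity" = 'Low txs' OR 'Short Activity'.
        span = (self.last_tx - self.first_tx).days
        return self.tx_count < LOW_TX or span < SHORT_SPAN_DAYS

def farmer_flags(safe, owner, safes_owned, dumped):
    """Flags for one Safe/owner pair; `dumped` = airdrops sold within 14 days."""
    flags = [f"Dumped {token}" for token in sorted(dumped)]
    if safes_owned > 1 and safe.low():  # assumption: "multiple" means > 1
        flags.append("Multiple Wallets, Low Safe Activity")
    if dumped and safe.low():
        flags.append("Dumped Previous Airdrop, Low Safe Activity")
    if len(dumped) >= 2:
        flags.append("Dumped Two Airdrops")
    if owner.low() and safe.low():
        flags.append("Low Owner Activity, Low Safe Activity")
    if safe.low() and safe.created == owner.created:
        flags.append("Low Safe Activity, Created Safe on Same Day")
    return flags

# Constructed sample rows: (safe, owner, Safes owned, dumped airdrops).
D = date
SAMPLES = {
    "0xSAFE_A": (Activity(D(2022, 8, 1), D(2022, 8, 1), D(2022, 8, 2), 2),
                 Activity(D(2022, 8, 1), D(2022, 8, 1), D(2022, 8, 2), 3),
                 6, {"$UNI", "$1INCH"}),
    "0xSAFE_B": (Activity(D(2021, 3, 5), D(2021, 3, 6), D(2022, 9, 1), 140),
                 Activity(D(2019, 1, 9), D(2019, 1, 9), D(2022, 9, 1), 900),
                 1, {"$SOS"}),
}

def report():
    return {addr: farmer_flags(*row) for addr, row in SAMPLES.items()}

if __name__ == "__main__":
    for addr, flags in report().items():
        print(addr, len(flags), flags)
```

A single dump on an otherwise active Safe (`0xSAFE_B`) yields only the per-token flag, which matches the post's point that dumping once is not by itself treated as farming.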

Insights

For airdrops, we identified plenty of Gnosis Safe owners that dumped previous tokens within 14 days. The largest two were $SOS and $LOOKS, with 1000+ addresses dumping them within the first two weeks. For the most part, addresses did not dump tokens. $SOS and $LOOKS may not have been considered great airdrops, but for airdrops such as $ENS, $HOP, and others, it may be worth paying attention to those who dumped quickly. Those that sold multiple coins could also be considered airdroppers.

# of Dumpers

Looking at the list of flags, we see the following for potential flags:

This is quite a large number of safes. To further narrow down the list, I decided to keep only those that had dumped previous airdrops and then had a combination of more than 2 of the combined features. This resulted in the following:

To explore the full list of addresses, check out the CSV file on GitHub here:

Bonus: Clustering

To further my analysis, I wanted to see if clustering safe addresses and owner behavior could lead to further insights and drive future post facto airdrop decisions on whether someone airdropped. I used k-means clustering with 4 clusters (via the elbow method) and got the following groups, derived via PCA.

Clustering of Gnosis Safe Addresses Using PCA Components

The x axis is more focused on the amount an owner dumped and time components, whereas the y axis seems to be more focused on some of the feature variable inputs.

# of Clusters for Each

Looking below, most farmers are in clusters 1 or 3, whereas non-farmers are mostly in 0. When looking at future safe address behavior, we could predict which group they may be a part of.

Cluster Groups for Potential Farmers vs Non Farmers

Additionally, one of the reasons I did this was to help create a labeled dataset for future airdrops. By creating a labeled dataset, after the airdrop we can see who did and did not dump, and use the dataset to see how accurate a supervised method would be at predicting farmers and which features were important. From there, the results could be used to detect further sybil attackers/farmers for other airdrops.

Conclusion

In this analysis, I tried to find airdroppers by looking at suspicious on-chain behavior such as low activity, dumping previous airdrops, creating wallets on the same date as the safe address, and owning multiple wallets. I then created a cluster to help segment safe addresses by similar behavior. The curious piece will be what happens after the airdrop. I have a pretty well-engineered dataset for suspicious behavior. How well could we predict those that dump? Through supervised learning classification we could predict how likely an airdropper is to dump and what features were critical in making that decision. For now, hopefully, we rooted out a few bad actors from the Gnosis Safe Network!