Methodology

CHI'26 Five-Indicator Sybil Detection Framework

Quick Reference

An address is sybil if ANY of:

BT ≥ 5 -- BW ≥ 10 -- HF ≥ 80% -- RF ≥ 50% -- MA ≥ 5

Score 0-19 = Clean -- 20+ = Sybil -- Higher = more indicators triggered

Use for: compliance checks, airdrop safeguards, research

1.Overview

HasciDB is a pre-computed sybil detection database covering 3,516,453 eligible addresses across 15 Ethereum L1 airdrop projects. All results are derived from the five-indicator framework validated through Delphi expert consensus (n=12) and published at CHI'26.

HasciDB provides a query interface to this database. It does not perform live on-chain analysis -- all indicator values are pre-computed from finalized Ethereum blocks. An address is classified as sybil if any single indicator exceeds its threshold (OR-logic). The number of triggered indicators (0-5) serves as a confidence measure.

2.Indicators

2.1 Operations Axis

BTBatch Tradingthreshold: ≥ 5

Co-occurring transaction fingerprints within 10-minute windows

BWBatch Walletsthreshold: ≥ 10

Mass wallet activation from single funder within 30-day periods

HFHigh Frequencythreshold: ≥ 80%

Transaction concentration in airdrop window (180-day cap)

2.2 Fund-Flow Axis

RFRapid Fundsthreshold: ≥ 50%

Token consolidation to single receiver within 30 days post-claim

MAMulti-Addressthreshold: ≥ 5

Circular ETH flow paths (2-hop and 3-hop) with ≥80% value retention

3.Classification Rule

ops_flag = (BT ≥ 5) OR (BW ≥ 10) OR (HF ≥ 0.80)

fund_flag = (RF ≥ 0.50) OR (MA ≥ 5)

is_sybil = ops_flag OR fund_flag

The classification uses single-axis OR triggering: any one indicator exceeding its threshold is sufficient. This is intentionally sensitive -- one strong behavioral signal is considered evidence of sybil activity. The dual-axis structure (operations vs fund-flow) captures both behavioral patterns and financial patterns.

4.Scoring Formula (0-100)

HasciDB adds a continuous score on top of the binary classification:

Score = Part A + Part B

Part A -- Trigger count (0-50 pts):

0 triggered: 0 pts (approach scoring, max 19)

1 triggered: 20 -- 2: 35 -- 3: 42 -- 4: 47 -- 5: 50

Part B -- Excess above threshold (0-50 pts):

Each triggered indicator: 0-10 pts

excess = (value - threshold) / (cap - threshold) x 10

Caps: BT=500, BW=200, HF=1.00, RF=1.00, MA=500

Invariant: score < 20 <-> is_sybil = 0

Invariant: score ≥ 20 <-> is_sybil = 1

For addresses appearing in multiple projects, the aggregate score uses the maximum value of each indicator across all projects.

Score	Level	Meaning
0	Clean	No suspicious signals
1-19	Low Risk	Some indicators approach threshold but none triggered
20-29	Medium	1 indicator triggered, barely above threshold
30-49	High	1 indicator significantly exceeded, or 2 triggered
50-69	Very High	2-3 indicators triggered
70-89	Critical	3-4 indicators triggered, severe excess
90-100	Extreme	4-5 indicators triggered, extreme values

5.Known Limitations

RF and DEX swaps: RF cannot detect consolidation via DEX swaps because exchange filter excludes DEX router addresses. A sybil operator who consolidates tokens through a DEX instead of direct transfer will evade this indicator.

BW first-appearance bias: BW may misclassify old wallets as "new" when first appearance is checked only within the target_txs subset rather than the full address history.

MA and NFT marketplaces: MA shows elevated trigger rates for NFT marketplace projects (e.g., LooksRare: 59.1%) because buy/sell flows through marketplace contracts resemble circular transfers.

Snapshot boundary: All data derived from finalized Ethereum blocks as of the respective project's airdrop snapshot date. Post-snapshot behavior is not captured.

Coverage: Only addresses eligible for at least one of the 15 analyzed airdrops are included. Addresses not in the eligible set cannot be queried.

6.About

Lab: UW Decentralized Computing Lab