Original link: PartyBid crowdfunding has the risk of "sybil attack", how should NFT fragmentation protocols deal with it? — DeBox Institute (mirror.xyz)
【DeBox Research Institute】 | Author: Crypto Ming; Huige; Ivan | Date of writing: September 5
Summary:
The underlying protocol for purchasing NFTs through PartyBid crowdfunding is NFT fragmentation, which means dividing a complete NFT into any number of equal parts, and holding these equal parts is equivalent to holding a part of the NFT. The current leader in the NFT fragmentation market is Tessera (formerly known as Fractional), and PartyBid and Tessera have also received large amounts of financing led by A16z and Paradigm respectively.
Judging from Dune's on-chain data, the activity of PartyBid and Tessera shows a strong positive correlation. When the NFT market heat decreases, the activity of PartyBid and Tessera shows an upward trend. This shows that the liquidity of NFT in a bear market may be mainly provided by some underlying protocols, and similar NFT fragmentation models are being recognized by users.
PartyBid crowdfunding to buy NFTs and Tessera auctioning NFTs can realize NFT liquidity well, and this process is carried out through a DAO. However, the process is vulnerable to Sybil attacks. A Sybil attacker can obtain dominant voting rights by holding more than 50% of the total number of NFT fragment tokens, and then manipulate the NFT auction. Members participating in the crowdfunding can then redeem only part of the funds they contributed.
Although there is currently no mature and available DID system to help identify user identities, for the PartyBid and Tessera projects specifically, some on-chain tags (on-chain data dashboards) and binding to social media (Twitter, etc.) can be used to help users identify possible risks of Sybil attacks.
1. NFT fragmentation - the underlying protocol for crowdfunding to purchase NFTs
Do you want to own blue-chip NFTs such as BAYC, Doodles, and Azuki? You don’t need 80 ETH or 10 ETH. You only need to spend 0.01 ETH on PartyBid to participate in the crowdfunding and you can become one of the holders of blue-chip NFTs. Doesn’t it sound cool? This is thanks to NFT fragmentation, one of the mainstream liquidity protocols of NFT.
We all know that the non-fungible nature of NFTs leads to poor liquidity. You can only trade in units of an entire NFT, and if you want to sell it, someone must buy it or make an offer; otherwise you can only keep it listed and cannot sell it. The NFT market is gradually exploring how to improve the liquidity of NFTs. Currently, there are many common liquidity protocols such as NFT leasing, NFT lending, NFT fragmentation, and NFT-Fi.
Table 1 Overview of NFT liquidity protocol projects
Among the many NFT liquidity protocols, is there one that lets NFTs be traded in parts like FTs (fungible tokens) and bought and sold at any time? This matters especially for blue-chip NFTs with extremely high floor prices, which are often tens or hundreds of ETH. You can buy 0.1 BTC, but how do you buy 0.1 Cryptopunks? The NFT fragmentation protocol provides the answer.
Figure 1 Conceptual diagram of NFT fragmentation
On the surface, NFT fragmentation is to divide a complete NFT into any number of equal parts, and holding these parts is equivalent to holding part of the NFT.
From a technical point of view, NFT fragmentation transfers the NFT into a newly created vault contract and creates any number of ERC-20 tokens. These tokens can be distributed to any address and can also be used for market making (AMM). Token holders have the right to vote on asset activities in the vault contract. The larger the number of tokens held, the higher the voting weight.
At present, the mainstream NFT fragmentation protocol applications in the NFT market include Tessera, Unicly, NFT20, ShardingDAO, and PartyBid. Among them, Tessera (formerly known as Fractional) is the leader among NFT fragmentation protocols. The Doge NFT, the original Shiba Inu image of Dogecoin, was fragmented on Tessera into 16,969,696,969 DOG tokens. There are currently 9451 holders or owners of The Doge NFT. Tessera has received $20 million in financing led by Paradigm.
Figure 2 The Doge NFT
PartyBid is a product launched by PartyDAO that uses crowdfunding from users to form a DAO to bid for NFTs. PartyDAO is a truly DAO-driven community, whose members include Dave White, research partner of Paradigm, Denis Nazarov, founder of Mirror, and other top Web3.0 industry leaders; currently, PartyDAO announced that they have received $16.4 million in financing led by A16z, with a valuation of $200 million, which is the highest valuation of community-driven DAOs to date.
Figure 3: The establishment of PartyDAO
2. Data Correlation between Tessera and PartyBid
This article mainly discusses the two projects Tessera and PartyBid. We can use Dune’s data dashboard to understand the activity of PartyBid and Tessera.
Figure 4 Opensea, PartyBid, Tessera (Fractional) active data dashboard
Opensea is the main trading market for NFTs, and the trading volume of Opensea also represents the market heat of NFTs in the corresponding period. From the on-chain data, the activity of PartyBid and Tessera is negatively correlated with the market heat reflected by Opensea. Since June 2022, the market heat of NFTs has dropped sharply, while the activity of PartyBid and Tessera has shown an upward trend, indicating that the liquidity of NFTs in the bear market may be mainly provided by some NFT liquidity protocols. Similar models of NFT fragmentation are being recognized by users. Of course, it may also be related to project financing. PartyBid announced financing in June, and Tessera announced financing in August. In addition, the activity of PartyBid and Tessera is also significantly positively correlated, which also shows that the two projects are closely linked in on-chain activities. For example, after PartyBid crowdfunds to buy NFTs, it can auction NFTs through Tessera.
3. How to realize NFT liquidity? PartyBid crowdfunding to buy NFT and Tessera auctioning NFT
Fragmenting NFTs in Tessera can be understood as you want to sell your blue-chip NFTs bit by bit. However, most people do not have blue-chip NFTs such as BAYC or PUNK. It is meaningless for ordinary users to just fragment some low-value NFTs, because you cannot send or sell your fragmented tokens unless you own The Doge NFT. So how can ordinary users own a blue-chip NFT?
The PartyBid platform allows retail investors to initiate and participate in crowdfunding to buy NFTs. After success, the contract will fragment the NFT, and the participants will then hold a portion of the blue-chip NFT. Holders can buy and sell the NFT fragmented tokens they hold by establishing liquidity, and of course they can also call on members to sell the NFT through DAO auctions.
The description above shows a widely used pattern: buying NFTs through crowdfunding on PartyBid and then selling them on Tessera. This is a complete example of a DAO carrying out NFT market trading activity, and it fully realizes the circulation of NFTs. Therefore, it can be said that PartyBid and Tessera complement each other.
Figure 5 Overview of the entire process of PartyBid crowdfunding and Tessera auction
4. Example of Sybil Attack on DAO
Currently, many KOLs on Twitter are launching crowdfunding through PartyBid, trying to buy some blue-chip NFTs, such as Doodles, Azuki, etc. The gameplay is also the PartyBid crowdfunding plus Tessera auction model. So for members participating in the crowdfunding, is there a risk of being fleeced or defrauded in this model?
A common method here is the Sybil attack, named after the movie "Sybil", which tells the story of a woman with 16 personalities undergoing psychotherapy. In blockchains, a Sybil attack refers to a malicious node illegally presenting multiple identities to the outside world. More specifically, in the DAO setting, a Web3.0 DAO brings together like-minded people through a common goal and uses smart contracts to run voting, thereby promoting community development in a bottom-up manner. In a DAO, a single user can own multiple wallets and hoard tokens to reach 51% of the voting rights, and then manipulate decisions.
A Sybil attack occurred in Lido DAO's proposal to sell 10 million LDO tokens to Dragonfly Capital. Dragonfly Capital, through its Dragonfly Liquid division, held an address with 1.5 million LDO tokens and voted in favor of the proposal that was favorable to it. At one point this accounted for 99.35% of the total voting weight, and the proposal almost passed. This fact was eventually revealed by community members based on on-chain information, and the proposal was ultimately rejected by the community, but similar Sybil attacks are difficult to prevent in the DAO voting and governance process.
Figure 6 Example of Lido DAO being attacked by a Sybil
It can be seen that Sybil attacks are common in the DAO governance voting process. Returning to the NFT crowdfunding and auction process of PartyBid and Tessera: when users who successfully participated in the crowdfunding to purchase an NFT claim the fragment tokens, they become members of the NFT crowdfunding DAO. In the subsequent auction of the NFT on Tessera, only DAO members are eligible to bid for the NFT, which gives Sybil attackers a good opportunity.
Sybil attack mode 1: When the NFT crowdfunding amount is higher than the floor price of that type of NFT, the initiator will use the crowdfunding amount to purchase his own NFT at a price higher than the floor price. This type of attack requires that the initiator's wallet address contains at least one NFT with a higher price.
Sybil attack mode 2: The attacker can use multiple wallets to participate in crowdfunding, hold more than 50% of the total number of fragments, obtain dominant voting rights, and then manipulate the NFT auction. According to Tessera's auction rules, the Sybil attacker can control the auction reserve price and the timing of the auction, and finally obtain the NFT at a price far below the floor price of this type of NFT, while the members participating in the crowdfunding can redeem only a small amount of the funds they contributed.
For example, Xiao Ming is a KOL. He launched a crowdfunding campaign on PartyBid to buy an Azuki worth 10 ETH. When the crowdfunding amount reached 49% of the Azuki floor, Xiao Ming quickly made up the remaining 51% of the crowdfunding amount through his 20 wallet addresses. After the purchase succeeded, Xiao Ming held more than 50% of the fragmented Azuki. At this point, even if the other members set the NFT auction reserve price on Tessera, they hold a total of 49% of the Azuki fragments, which does not exceed the 50% limit. As long as Xiao Ming does not participate in setting the auction reserve price, the next step, bidding, cannot proceed, and this Azuki is temporarily locked in the contract (vault).
After waiting for 3 months, the floor price of Azuki suddenly rose back to 2 times the purchase price. Xiao Ming decided this was the time to sell the Azuki, so he used his own addresses holding Azuki fragments to set the auction reserve price very low (the more you hold, the greater your weight in setting the reserve price). Moreover, since the auction process lasted only 3 days, the members would not be notified when the auction started. In the end, the NFT was sold at the auction reserve price of 3 ETH. Xiao Ming obtained this Azuki and then sold it on the NFT market at a price of 20 ETH. At this point, the crowdfunding members' DAO fund held only 3 ETH, of which 1.5 ETH corresponded to Xiao Ming's own token holdings. The other crowdfunding participants' funds shrank by 66.7% compared with the 10 ETH paid at the beginning, and by 85% compared with the actual transaction price of 20 ETH for the NFT sold by Xiao Ming. With that, Xiao Ming completed this Sybil attack.
In this case, the Sybil attacker does not need to be the initiator of the crowdfunding; holding more than 50% of the NFT fragment tokens is enough to launch the attack. The attacker can therefore accumulate tokens by establishing a liquidity pool of NFT fragment tokens.
5. How do PartyBid and Tessera deal with Sybil attacks?
Some time ago, Vitalik proposed a non-transferable token called Soulbound Token, which will be used to build the user identity system of Web3. After the concept of SBT was proposed, the DID track began to become one of the hot topics of public attention. DID (Decentralized Identifier) is a user's decentralized identity.
The DID system will use information from multiple dimensions, such as on-chain activity data and social media activity, to form a comprehensive picture of Web3 users. DID can distinguish between real users and potential bots and reduce the risk of Sybil attacks. If an account address lacks a diverse, genuine history, we can immediately identify it as a bot.
Although there is currently no mature and available DID system for everyone to use, for the PartyBid and Tessera projects specifically, some on-chain tags and social media binding methods can be used to help users identify possible risks of Sybil attacks.
For example, PartyBid classifies the addresses participating in crowdfunding and makes a data dashboard, which includes information such as how many times the address has participated in crowdfunding, whether it has ever participated in Uniswap or Opensea interactions in addition to crowdfunding, what proportion of the total crowdfunding these addresses account for, and whether these addresses have frequent transfer transactions with each other.
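The dashboard signals described above (share of the total crowdfund, transfers between participating addresses, activity outside crowdfunding) can be combined into a simple check. The following is an added example, not PartyBid's or Tessera's code; the addresses, amounts and function names are constructed for illustration, and addresses are linked only by direct transfers between contributors.

```python
from collections import defaultdict

# Constructed sample data (not real on-chain records). Contributions to one
# crowdfund in milli-ETH, direct transfers, and addresses seen on other dApps.
CONTRIBUTIONS = {"0xA1": 2000, "0xA2": 1600, "0xA3": 1500,
                 "0xB1": 1900, "0xC1": 1700, "0xD1": 1300}
TRANSFERS = [("0xA1", "0xA2"), ("0xA2", "0xA3"), ("0xF0", "0xB1")]
OTHER_ACTIVITY = {"0xA1", "0xB1", "0xC1", "0xD1"}  # e.g. Uniswap/OpenSea use


def cluster_contributors(contributions, transfers):
    """Group contributor addresses linked by direct transfers (union-find)."""
    parent = {a: a for a in contributions}

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for src, dst in transfers:
        # Only link addresses that both contributed to this crowdfund.
        if src in parent and dst in parent:
            parent[find(src)] = find(dst)
    clusters = defaultdict(set)
    for a in contributions:
        clusters[find(a)].add(a)
    return list(clusters.values())


def flag_clusters(contributions, transfers, active, threshold=0.5):
    """Return linked-address clusters whose combined share exceeds threshold."""
    total = sum(contributions.values())
    flagged = []
    for members in cluster_contributors(contributions, transfers):
        share = sum(contributions[a] for a in members) / total
        if len(members) > 1 and share > threshold:
            flagged.append({
                "addresses": sorted(members),
                "share": round(share, 3),
                "no_other_activity": sorted(members - active),
            })
    return flagged


if __name__ == "__main__":
    for hit in flag_clusters(CONTRIBUTIONS, TRANSFERS, OTHER_ACTIVITY):
        print(hit)
```

Transfers routed through intermediaries or a shared funding address are not linked by this check, so an empty result does not rule out a coordinated majority.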
Participants can also be allowed to bind their social media accounts (such as Twitter). If a user finds that a crowdfunding campaign has been hit by a Sybil attack, they can report it and label this NFT crowdfunding or certain suspicious addresses so that participants are aware of it.
Tessera's auction process can also use these methods to defend against Sybil attackers.
Through the above means, the cost of Sybil attacks and the risk of attack failure can be greatly increased, and Sybil attacks can be effectively prevented to a certain extent.