Table of Contents
Fetching ...

Detecting Sybil Addresses in Blockchain Airdrops: A Subgraph-based Feature Propagation and Fusion Approach

Qiangqiang Liu, Qian Huang, Frank Fan, Haishan Wu, Xueyan Tang

TL;DR

This work tackles sybil address detection in blockchain airdrops by introducing a supervised Subgraph-based lightGBM that operates on two-layer transaction subgraphs across levels $l\in\{-2,-1,0,1,2\}$. It combines lifecycle-driven temporal features with network and amount features, propagated and fused through cascading subgraphs to produce a 75-feature representation per address. On a dataset of 193,701 addresses (including 23,240 sybil addresses) from the Binance Account Bound BAB airdrop, the proposed method outperforms baselines and Trusta, achieving an AUC of $0.9806$, F1 of $0.9303$, and Recall of $0.9182$, demonstrating strong practical applicability for fair token distribution. The approach emphasizes interpretability and scalability, with potential extensions to other on-chain security tasks such as transaction manipulation detection and liquidity risk assessment.

Abstract

Sybil attacks pose a significant security threat to blockchain ecosystems, particularly in token airdrop events. This paper proposes a novel sybil address identification method based on subgraph feature extraction lightGBM. The method first constructs a two-layer deep transaction subgraph for each address, then extracts key event operation features according to the lifecycle of sybil addresses, including the time of first transaction, first gas acquisition, participation in airdrop activities, and last transaction. These temporal features effectively capture the consistency of sybil address behavior operations. Additionally, the method extracts amount and network structure features, comprehensively describing address behavior patterns and network topology through feature propagation and fusion. Experiments conducted on a dataset containing 193,701 addresses (including 23,240 sybil addresses) show that this method outperforms existing approaches in terms of precision, recall, F1 score, and AUC, with all metrics exceeding 0.9. The methods and results of this study can be further applied to broader blockchain security areas such as transaction manipulation identification and token liquidity risk assessment, contributing to the construction of a more secure and fair blockchain ecosystem.

Detecting Sybil Addresses in Blockchain Airdrops: A Subgraph-based Feature Propagation and Fusion Approach

TL;DR

This work tackles sybil address detection in blockchain airdrops by introducing a supervised Subgraph-based lightGBM that operates on two-layer transaction subgraphs across levels . It combines lifecycle-driven temporal features with network and amount features, propagated and fused through cascading subgraphs to produce a 75-feature representation per address. On a dataset of 193,701 addresses (including 23,240 sybil addresses) from the Binance Account Bound BAB airdrop, the proposed method outperforms baselines and Trusta, achieving an AUC of , F1 of , and Recall of , demonstrating strong practical applicability for fair token distribution. The approach emphasizes interpretability and scalability, with potential extensions to other on-chain security tasks such as transaction manipulation detection and liquidity risk assessment.

Abstract

Sybil attacks pose a significant security threat to blockchain ecosystems, particularly in token airdrop events. This paper proposes a novel sybil address identification method based on subgraph feature extraction lightGBM. The method first constructs a two-layer deep transaction subgraph for each address, then extracts key event operation features according to the lifecycle of sybil addresses, including the time of first transaction, first gas acquisition, participation in airdrop activities, and last transaction. These temporal features effectively capture the consistency of sybil address behavior operations. Additionally, the method extracts amount and network structure features, comprehensively describing address behavior patterns and network topology through feature propagation and fusion. Experiments conducted on a dataset containing 193,701 addresses (including 23,240 sybil addresses) show that this method outperforms existing approaches in terms of precision, recall, F1 score, and AUC, with all metrics exceeding 0.9. The methods and results of this study can be further applied to broader blockchain security areas such as transaction manipulation identification and token liquidity risk assessment, contributing to the construction of a more secure and fair blockchain ecosystem.
Paper Structure (13 sections, 3 figures, 1 table)

This paper contains 13 sections, 3 figures, 1 table.

Figures (3)

  • Figure 1: Community detection on asset transfer graphs (ATGs), via GitHub (https://github.com/TrustaLabs/Airdrop-Sybil-Identification).
  • Figure 2: Example of 2 levels features fusion.
  • Figure 3: The top 10 important features.