On Friday afternoon, decentralized finance (DeFi) users discovered a researcher for Divergence Ventures, a crypto venture firm, was receiving hundreds of ETH from wallets selling recently airdropped RBN tokens – a sign of an airdrop exploit to which Divergence later admitted.
The episode presents the largely unregulated, permissionless DeFi community with yet another chance to debate the nature of fair play in an increasingly powerful, $200 billion ecosystem where the only governance is on-chain rules and some modicum of common sense.
“Airdrops” are a token distribution method that allows users to claim tokens if they’ve completed certain actions or fulfill other parameters, such as having deposited into a vault or participated in a project’s governance.
In Friday’s exploit, the Divergence researcher allegedly used dozens of wallets to fulfill bare-minimum parameters to claim $2.5 million in RBN tokens – an exploit that some have labeled a sybil attack on the distribution.
this @divdotvc analyst @_bridgeharris has made 652 $ETH and counting from @ribbonfinance airdrops, quite impressive. finding wallets like their's and copytrading them is probably the best way to make it tbhhttps://t.co/vqC1LjyfT3
— Gabagool.Ξth 🥀 (@gabagooldoteth) October 8, 2021
The crypto community responded with ire, noting that Divergence is an investor in Ribbon and speculating that the researcher may have successfully gamed the distribution using insider information. A Ribbon community manager denied these allegations.
Divergence has since published a tweet thread acknowledging the sybil attack in which it said it “crossed a line” and said it would be “better contributors to the community going forward.”
Divergence also sent the ETH back to the project’s treasury, and the Ribbon community is now debating what to do with the funds.
1/6@_bridgeharris is a brilliant young woman new to crypto and still in college. Don't drag her, drag us (@glambeth94 @cjliu49) we run Divergence, and we've been in the space for many years.
We realized that in sybil-ing the $RBN airdrop, we crossed a line. A few notes:
— Divergence Ventures (@divdotvc) October 8, 2021
A Ribbon Finance representative declined to comment. Divergence Ventures did not respond to a request for comment by press time.
The airdrop exploit was first flagged by pseudonymous self-described “ex-academic” Gabagool.eth. In an interview with CoinDesk, he said the episode is a prime example of a nascent ecosystem still trying to determine the rules of the jungle.
“There are rules we enforce socially, and this is an important example of that playing out,” Gabagool said. “Divergence responded in a few hours and returned 705 ETH because an anon with a ‘Sopranos’ joke as a name tweeted an analysis? That is the opposite of ‘code is law.’ That’s community law, and I don’t think that’s a bad thing. We’re making up the rules as we go along.”
Gabagool told CoinDesk that he spotted the exploit as a result of his day-to-day research. He’d bought Ribbon tokens pre-launch from a friend and was doing due diligence after adding to his position on Friday.
“Today I bought Ribbon in size, so I was looking at the Uniswap v3 pool, checking out some of the wallets buying and selling Ribbon,” he told CoinDesk. “I was curious, primarily to find out what people were doing with their airdrops.”
He said that he noticed a 17 ETH sale by “happenstance,” a sale whose proceeds were subsequently sent to another wallet. The new wallet, he noted, was funded with ETH that “all came from wallets that had received a Ribbon airdrop and sold a Ribbon airdrop.”
The parent wallet also linked to a wallet containing bridget.eth – an Ethereum name service domain that identified the owner as a Divergence Ventures researcher.
“Crypto people are very good at [operations security], but ENS is a weak point,” he cautioned.
Initially Gabagool reached out to Divergence Ventures’ Calvin Liu to compliment his firm on the windfall, but another friend tipped him off that Divergence was actually an investor in Ribbon – a sign that it may have been acting on insider information.
“That’s when I sent my tweet, because I said, ‘That’s interesting, a fund that’s invested in this protocol has a rogue analyst or is doing something people won’t like,’ based off what I know about crypto.’”
Worse than it looks
Gabagool told CoinDesk that, despite appearances, he leans towards believing there was no insider information at play.
“I tend to land on the side of trusting [Ribbon Finance founder] Julian Koh, but that’s purely my gut. The way Julian responded to this seems pretty above the board,” he said.
There was a lot of speculation of insider information between team and investors, but I'd like to clarify what we did and did not disclosehttps://t.co/4KbEdo331l
— Julian 🤹 (@juliankoh) October 8, 2021
Gabagool also noted the farming was part of a broader strategy executed by the analyst’s wallets, indicating that this is a tactic that was tried in the past with other drops and not the product of insider knowledge.
“I mean, clearly just from this one analyst’s wallet – and this is just one linked to many other wallets – they’re airdrop-farming. They’re doing this on a pretty mass scale,” he said.
In an apology tweet today, Divergence seemed to confirm that the Sybil exploit (of using multiple identities) was part of a purposeful strategy it deploys with other projects as well:
In playing this game, we try many tactics, all the time. Most fail. This one "worked", and obviously worked in a relatively big way.
We are TINY investors in Ribbon – $25k in a round from January. We had NO insider information. We simply guessed there would be an airdrop.
— Divergence Ventures (@divdotvc) October 8, 2021
Gabagool said that the episode is a “bad look” for Divergence, and will likely contribute to the community’s mistrust of VC firms.
“My experience in DeFi and crypto generally is that whatever you think is happening behind the scenes, it’s probably worse in fact – there’s more of it happening, or it’s happening at a larger scale. These people have privileged information, and they use it.”
Only wrong if you get caught
The discovery of the Sybil attack and the subsequent donation has prompted significant social media debate concerning the ethics of gaming distribution events.
Airdrops can be tremendously lucrative. Tracking down potential upcoming targets is a popular pastime, and likewise savvy DeFi users spend ample energy trying to predict the manner in which the drop will be conducted in order to maximize gains.
“In my original tweet, I said, ‘Copytrade this wallet.’ Everyone in DeFi is looking to do what this person did, and they’d be lying if they said otherwise,” said Gabagool.
Read more: Users Celebrate Massive DYDX Token Airdrop as Transfer Restrictions Lift
Last December, one trader narrowly missed out on $1.8 million from the 1INCH airdrop using a similar Sybil attack – in that instance users commiserated that he was foiled in his efforts, and largely refrained from chastising him for trying.
Much of the consternation for Divergence seems to focus on the fact that many observers initially believed the firm to have executed the Sybil attack with insider information and/or that it was sloppy with operational security – not that the firm executed it in the first place.
“I do think they f**ked up, if not just because they got caught,” said Gabagool.
To this end, he cautioned against users attacking the researcher simply for “being good at DeFi.”
Oh shit! Bullish $RBN, today has been quite interesting. Please do not attack @_bridgeharris for being good at DeFi btw that was never the point https://t.co/XZRlwzxMKl
— Gabagool.Ξth 🥀 (@gabagooldoteth) October 8, 2021
“At no point was I intended to draw personal attacks towards this researcher,” he told CoinDesk. “The ethical fault here comes from Divergence.”
He noted that the Sybil strategy prevented other users from entering vaults and subsequently claiming tokens of their own – ultimately denying a broader swath of the community a share of the airdrop.
This incident is not the only example of moral debates and questions of intentionality clashing with on-chain rules and logic in recent weeks. Last week, a bug in decentralized money market Compound’s code led to the erroneous distribution of nearly $150 million in tokens intended as community liquidity mining rewards.
Compound founder Robert Leshner called the unintended distribution a “moral dilemma” and called on users to return the funds. So far, users have returned over 163,000 COMP tokens worth $53 million.
Likewise, last month the developers for an exploited non-fungible token (NFT) project, Jay Pegs Auto Mart, expressed disappointment the attacker didn’t manage to get away with what it admitted was a “pretty smart” attack vector.
The team discovered the exploiter’s identity and successfully pressured that person into sending the funds back.
Read more: $3M Was Stolen, but the Real Steal Is These Kia Sedonas, Say Anonymous Developers
“He’s a dweeby NARC who failed to execute,” the developers told CoinDesk at the time.
Winners and losers
Gabagool speculated that such attacks are inevitable, given the current state of DeFi and the incentives that push it forward.
“It’s interesting because you have a system that people are actively trying to build gamification into, and the problem with gamification is that there are winners and losers,” he said.
Still, to whatever extent there are ethics in DeFi, they were violated here: Gabagool noted that the fund also has a sizable liquidity pool position in the project, usually a display of confidence or a longer-term investment.
“They clearly were signaling one thing in their public wallets, and doing another thing in private wallets,” he said.
Ultimately, however, episodes like today excite rather than depress him.
“To me, the power of decentralization is that thing are messy, things are in flux – and there’s kind of a creative potential in that,” Gabagool said. “The weakness is that there’s plenty of gaps to be exploited. And that’s what obviously fascinates me – those kind of in-between moments where people expose faults in popularly accepted logic.”