Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

passport score of at least 10 #220

Open
LiuZhuJunYa opened this issue May 1, 2024 · 18 comments
Open

passport score of at least 10 #220

LiuZhuJunYa opened this issue May 1, 2024 · 18 comments

Comments

@LiuZhuJunYa
Copy link

I think it was to hard for me, I am just a beginner in Web 3. I tried my best and could only achieve about 1 point.
@pk910
Copy link
Owner

pk910 commented May 1, 2024

Heya, thanks for your feedback.
Yea, I got quite many reports that the required score is too high.
I've lowered it to 5 on both instances now.

However, the number might still change.
As of now it still seems a bit over-protective as the number of sessions dropped by more than 90% since activation of the minimal passport score 😅
Will keep an eye on it over the next days to collect more data & make a reasonable decision on the limit.

@LiuZhuJunYa
Copy link
Author

I present my own perspective as a blockchain research student:

  1. I have looked into the Gitcoin Passport project, and I think it's not very student-friendly because some of the ways to earn points require interaction with the actual blockchain. As students, we might be experimenting on testnets precisely because we lack substantial financial support.
  2. Additionally, I do not think the Gitcoin Passport project effectively prevents Sybil attacks. I tested the scoring potential of three components: Github Contributions on at least 30 distinct days, Discord, and Google. I found that it is possible to reuse these for different addresses to repeatedly gain points. Therefore, I believe the current reduction in session numbers to over 90% might only be due to the initial implementation of restrictions. Once Sybil accounts are verified, I expect the session numbers could rise again.
  3. Users who obtain test coins from your project also expend electricity and computing power. Why not reward them accordingly? I assume your PoW algorithm hasn't been compromised so far.

@pvnotpv
Copy link

pvnotpv commented May 2, 2024

Yep the best I could do is discord, google and linkedin account which got me around 2.5 points; all others require some sort of other interaction with the main network.

@pk910
Copy link
Owner

pk910 commented May 2, 2024

I've further lowered the required score to 2.
This should really be easily achievable by just some social media accounts.
At the end I don't want to exclude anyone from mining. The PoW stuff should still be the primary protection.

Regarding @LiuZhuJunYa's points:

  1. Yea you can use the same accounts to sign stamps for multiple accounts, however, these points are only counted if the stamp hasn't been used for another account within the last 30 days. This deduplication is done on faucet side, so the faucet keeps track of which stamps have been used for previous sessions.

  2. You're right, the PoW algorithm hasn't been compromised, but the sybil protection with captchas & IP checks has been compromised. There are public available tools out there that allow using my faucet with no user interaction and on a list of proxies. I can unfortunately also see that such tools are used a lot, it literally lead to tripling the mining activity just over the last 4 weeks. Farmers using such tools are luckily not very intelligent :D Spinning up like 100 sessions in seconds is quite obviously done from a automation tool and not a natural user activity.
    The holesky faucet has a fixed limit of 50k HolETH per day. I've constantly increased that limit over the last weeks according to the activity, so each session is still able to gather a meaningful amount. Unfortunately, I can't go higher than that to be able to keep the faucet online till the planned end of the network. The same applies to sepolia.
    So, to keep the faucet useful for normal users, I somehow have to limit the amount of bots & farmers. Obviously, I can't block them completely, but I can make farming with hundreds/thousands of addresses from cloud machines as hard as possible.
    If I wouldn't do that and just keep relying on the PoW protection, the mining rewards will become very very low at come time.
    End-users with normal computers or even mobile devices just can't compete against a fleet of extremely powerful cloud machines.

@pk910
Copy link
Owner

pk910 commented May 2, 2024
edited

If anyone knows about captchas that are not covered by automated captcha resolvers like rucaptcha / 2captcha / ..., that'd be a suitable alternative to using passports.
Unfortunately I haven't found one yet.

@pvnotpv
Copy link

pvnotpv commented May 2, 2024

I've further lowered the required score to 2. This should really be easily achievable by just some social media accounts. At the end I don't want to exclude anyone from mining. The PoW stuff should still be the primary protection.

Regarding @LiuZhuJunYa's points:

  1. Yea you can use the same accounts to sign stamps for multiple accounts, however, these points are only counted if the stamp hasn't been used for another account within the last 30 days. This deduplication is done on faucet side, so the faucet keeps track of which stamps have been used for previous sessions.
  2. You're right, the PoW algorithm hasn't been compromised, but the sybil protection with captchas & IP checks has been compromised. There are public available tools out there that allow using my faucet with no user interaction and on a list of proxies. I can unfortunately also see that such tools are used a lot, it literally lead to tripling the mining activity just over the last 4 weeks. Farmers using such tools are luckily not very intelligent :D Spinning up like 100 sessions in seconds is quite obviously done from a automation tool and not a natural user activity.
    The holesky faucet has a fixed limit of 50k HolETH per day. I've constantly increased that limit over the last weeks according to the activity, so each session is still able to gather a meaningful amount. Unfortunately, I can't go higher than that to be able to keep the faucet online till the planned end of the network. The same applies to sepolia.
    So, to keep the faucet useful for normal users, I somehow have to limit the amount of bots & farmers. Obviously, I can't block them completely, but I can make farming with hundreds/thousands of addresses from cloud machines as hard as possible.
    If I wouldn't do that and just keep relying on the PoW protection, the mining rewards will become very very low at come time.
    End-users with normal computers or even mobile devices just can't compete against a fleet of extremely powerful cloud machines.

thanks a lot mate <3 <3 <3

@pk910
Copy link
Owner

pk910 commented May 2, 2024

@LiuZhuJunYa can you please do me a favor and remove that link from your post? :D
Yea, it is one of the tools I'm talking about, it's obviously available with some research, but I don't think it should be liked here...

What puzzles me is why they would engage in such work that is "all harm and no benefit," since these currencies are only for test sites and do not possess real value.

Yea, that's the core problem :(
I see two reasons for that:

  1. Most impact is probably caused by crypto projects who abuse public testnets as their incentive test environment...
    These projects put a value on testnet funds as it makes their testers eligible for future airdrops, which naturally attracts airdrop farmers on farming funds to be more eligible.
    Most recent example for this is eigenlayer, who dropped a massive amount of tokens to former goerli operators. But also various L2s that used their goerli/sepolia based testnets as base for their token airdrops.
  2. Users remember what happened on goerli, where a previously worthless testnet token suddenly became valuable and could be traded for mainnet funds. With recent testnets (sepolia/holesky), there's a significant higher amount of funds available, so that hopefully won't repeat. However, we can still see various testnet traders that put a value on these testnet funds, which attracts users on farming those funds..

It could be all soo much easier if testnets are really used for testing only.

@LiuZhuJunYa
Copy link
Author

Thank you for your reply, and I wish you all the best!

@pk910
Copy link
Owner

pk910 commented May 2, 2024

Your feedback is welcome :)

I really try to make the faucet more user friendly and not just more complex to use.
The new limitation I've introduced is obviously annoying, but I've seen the farmer problem getting out of control, which directly affects regular miners as the mining rewards got lower and lower.

I see from the feedback and session numbers that the score of 10 was way too high to start with and I appreciate that feedback.
I'll further monitor the situation for further adjustments, but also open for alternative Ideas :)

@pvnotpv
Copy link

pvnotpv commented May 2, 2024

Hi @pk910 holesky faucet is having issues, sepolia faucet is just working fine.

rand

In the homepage it's showing just 2 passport score is required but here it's showing 10.
Also my IP seems to be blocked , no issues with sepolia faucet so it has to be something with the website right, not using any proxy or vpn btw.

@AIWhispererDev
Copy link

worst idea ever

@pvnotpv
Copy link

pvnotpv commented May 10, 2024

worst idea ever

Huh how exactly ?, If you can't get a passport score of 2 then you're literally a bot.

@AIWhispererDev
Copy link

worst idea ever

Huh how exactly ?, If you can't get a passport score of 2 then you're literally a bot.

Am I a bot because I don't want to use a crap service that sells my data and thinks it can really find out who is human or bot?
Then how do I write this message? maybe I am using a bot to reply to you and I shitpost about gitcoin being the worst idea ever implemented in crypto.

@pvnotpv
Copy link

pvnotpv commented May 11, 2024

worst idea ever

Huh how exactly ?, If you can't get a passport score of 2 then you're literally a bot.

Am I a bot because I don't want to use a crap service that sells my data and thinks it can really find out who is human or bot?
Then how do I write this message? maybe I am using a bot to reply to you and I shitpost about gitcoin being the worst idea ever implemented in crypto.

Dude all you have to do is just sign up for Discord , LinkedIn and Google to get a passport score of 2. You can sign up for them with just temp accounts and use them for passport verification.

@AIWhispererDev
Copy link

worst idea ever

Huh how exactly ?, If you can't get a passport score of 2 then you're literally a bot.

Am I a bot because I don't want to use a crap service that sells my data and thinks it can really find out who is human or bot? Then how do I write this message? maybe I am using a bot to reply to you and I shitpost about gitcoin being the worst idea ever implemented in crypto.

you understand that what you said is the definition of sybil and gitcoin does nothing to prevent the bots, so it is useless right?

@pvnotpv
Copy link

pvnotpv commented May 11, 2024

worst idea ever

Huh how exactly ?, If you can't get a passport score of 2 then you're literally a bot.

Am I a bot because I don't want to use a crap service that sells my data and thinks it can really find out who is human or bot? Then how do I write this message? maybe I am using a bot to reply to you and I shitpost about gitcoin being the worst idea ever implemented in crypto.

you understand that what you said is the definition of sybil and gitcoin does nothing to prevent the bots, so it is useless right?

Isn't that what the whole above discussion was about ? Still something is better than nothing right.

@pk910
Copy link
Owner

pk910 commented May 12, 2024

The combination of various protection methods is the key here.
The gitcoin passport alone doesn't prevent sybils, especially as the required score of 2 is very low.
Mining alone also doesn't prevent sybils. Even with Captchas and IP based restrictions, the number of bots constantly increased over time.

The combination of both (mining & passport) works very nice at the moment, because the passport lowers the number of eligable addresses from basically unlimited to a semi-limited amount, just because farmers have to put in some effort to make an address eligible for mining (registering fake accounts, etc).
At the same time it doesn't affect regular users that much as everyone should be able to reach such a low passport score.

Tbh. I'm aware that this step won't protect the faucet from bots forever, but it's temporarily very effective.
I'm sure farmers are already preparing hundreds if not thousands account to make them eligible for mining.
And I'm looking forward to make that effort useless again once I see the bot activity raising again.

I'll revise the changes once the bot problem gets out of control again.
I've quite a few methods and changes in the pipeline to piss off farmers, and I'll continue activating them on purpose.

Apart from that, I'm very sorry for any regular user that get's locked out due to my protection efforts.
That's really not the plan, but if users have to compete against a fleet of bots, the mining rewards gets so low that the faucet is unusable for everyone.

@AIWhispererDev
Copy link

Tbh it affects me who I am not a sybil, bot and just a regular user who doesn't want to use a service like gitcoin and just wants to mine some tokens to test out services. I think you might be just lazy to implement your own criteria like connect with twitter+discord+telegram or email (or whatever) than use gitcoin or maybe gitcoin pays you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@pk910 @LiuZhuJunYa @pvnotpv @AIWhispererDev