Use case · Web3 Sybil
Sybil defense — the honest version.
Hardware attestation doesn't solve six-figure-per-wallet airdrop yields alone. It removes the cheap software-VM path entirely and forces what remains to be physical and clusterable: a layer under your wallet-graph filter, not a replacement for it.
Economics
Where the yield outruns the floor.
A Tier 1 VM-spawn Sybil costs ~$0.10 per wallet; a real-device farm costs $30–$200. MYX-class yield ($1.7M/wallet) clears every tier. We won't pretend the math works in your favor here; we tell you what the floor is and where the residual goes.
Web3 Sybil airdrops
MYX $1.7M/wallet · LayerZero ZRO ~$15K peak · typical L2 $500–$5K
Per-identity yield
$500 – $1,700,000
Rational ceiling
$500 typical, $1M+ at top events
Partial mitigation only. Forces farms physical + detectable; doesn't solve $1M-per-wallet airdrops alone.
What Root Herald removes
The cheap path.
The default policy (rootherald:builtin:strict-hardware) rejects every cloud-vTPM and emulated TPM. The 803K-wallet LayerZero exclusion was largely cloud-VM clusters, clusters that never attest under strict-hardware.
VM farms
Rejected at chain validation. NitroTPM, Azure vTPM, GCP Shielded VM all chain to provider PKI, not manufacturer roots.
swtpm in Docker
Rejected at EK-chain validation: a software TPM can't chain its EK cert to a pinned manufacturer root. Its issuer DN additionally labels it as an emulator.
Physical-cuckoo relay
Collapsed at EKpub uniqueness. 1,000 sessions through one real chip = 1 deviceId.
What remains
The honest residual.
Two attack classes survive strict policy for high-yield airdrops:
Refurb device farm.$30–$200 per device, 100–1,000 devices before logistics dominate. Detectable via EKpub clustering: same OEM model + firmware rev + ASN across "users" is a cluster signal your analytics can hit.
Compensated-user Sybil.Pay 1,000 real users $5 each. Every device is genuinely unique; every attestation genuinely valid. Cryptography can't stop this: behavioral signals, KYC, and wallet-graph filtering must.
The pitch
The hardware signal your wallet-graph analysis lacks.
Root Herald adds a spoof-resistant, hardware-rooted device signal generated at signup time, before any on-chain footprint exists. For an airdrop issuer: bind device to wallet at claim time (one allocation per deviceId, or weight by device-distinct wallets); store every (deviceId, wallet) pair over the snapshot window; surface clusters where one device claims via many wallets, or many devices share a single ASN / OEM model + firmware rev.
Layer Root Herald under your existing analysis.
Free up to 10K attestations a month. Drop a verify call at claim time, bind device.ueid → wallet, surface the clusters.