Skip to content

Use case · Web3 Sybil

Sybil defense — the honest version.

Hardware attestation doesn't solve six-figure-per-wallet airdrop yields alone. It removes the cheap software-VM path entirely and forces what remains to be physical and clusterable: a layer under your wallet-graph filter, not a replacement for it.

Economics

Where the yield outruns the floor.

A Tier 1 VM-spawn Sybil costs ~$0.10 per wallet; a real-device farm costs $30–$200. MYX-class yield ($1.7M/wallet) clears every tier. We won't pretend the math works in your favor here; we tell you what the floor is and where the residual goes.

Web3 Sybil airdrops

MYX $1.7M/wallet · LayerZero ZRO ~$15K peak · typical L2 $500–$5K

Partial
$30 floor

Per-identity yield

$500 – $1,700,000

Rational ceiling

$500 typical, $1M+ at top events

Partial mitigation only. Forces farms physical + detectable; doesn't solve $1M-per-wallet airdrops alone.

What Root Herald removes

The cheap path.

The default policy (rootherald:builtin:strict-hardware) rejects every cloud-vTPM and emulated TPM. The 803K-wallet LayerZero exclusion was largely cloud-VM clusters, clusters that never attest under strict-hardware.

VM farms

Rejected at chain validation. NitroTPM, Azure vTPM, GCP Shielded VM all chain to provider PKI, not manufacturer roots.

swtpm in Docker

Rejected at EK-chain validation: a software TPM can't chain its EK cert to a pinned manufacturer root. Its issuer DN additionally labels it as an emulator.

Physical-cuckoo relay

Collapsed at EKpub uniqueness. 1,000 sessions through one real chip = 1 deviceId.

What remains

The honest residual.

Two attack classes survive strict policy for high-yield airdrops:

Refurb device farm.$30–$200 per device, 100–1,000 devices before logistics dominate. Detectable via EKpub clustering: same OEM model + firmware rev + ASN across "users" is a cluster signal your analytics can hit.

Compensated-user Sybil.Pay 1,000 real users $5 each. Every device is genuinely unique; every attestation genuinely valid. Cryptography can't stop this: behavioral signals, KYC, and wallet-graph filtering must.

The pitch

The hardware signal your wallet-graph analysis lacks.

Root Herald adds a spoof-resistant, hardware-rooted device signal generated at signup time, before any on-chain footprint exists. For an airdrop issuer: bind device to wallet at claim time (one allocation per deviceId, or weight by device-distinct wallets); store every (deviceId, wallet) pair over the snapshot window; surface clusters where one device claims via many wallets, or many devices share a single ASN / OEM model + firmware rev.

Layer Root Herald under your existing analysis.

Free up to 10K attestations a month. Drop a verify call at claim time, bind device.ueid → wallet, surface the clusters.