Arbitrum Airdrop Research: Four Major Vulnerabilities in the Rules, Witch Addresses Profit Over 21%

Wu said blockchain
2023-03-27 09:59:10
Sybil ("witch") identification has always been a hot potato for project teams. According to X-explore's estimates, the Arbitrum airdrop includes about 150,000 witch addresses and at least 4,000 witch communities, with total profits from witch addresses exceeding 253 million ARB.

Written by: X-explore & Wu Says Blockchain

Overview

The long-awaited Arbitrum airdrop has finally been announced, and the team subsequently released its rules for detecting witch addresses.

image

Based on the described rules, we can infer that the project team:

  1. Excluded cross-chain bridges, centralized exchanges, and smart contracts when detecting witches.

  2. Adopted a relatively lenient detection method for small clusters and for addresses belonging to the same individual.

  3. Only used data prior to the snapshot (February 6, 2023) for witch detection.

  4. Only used data from Arbitrum and Ethereum for witch detection, ignoring data from other Ethereum L2s, such as Optimism and Polygon.

We found that these witch detection rules leave significant loopholes. After repeated contests with project teams, airdrop hunters have taken to depositing and withdrawing funds through exchanges on a large scale. As a result, they were not excluded from Arbitrum's airdrop.

Through our internal model for identifying airdrop hunters/witch addresses, we successfully identified over 279,328 hunter addresses and 148,595 witch addresses that received the airdrop.

Hunter Addresses

Hunter addresses are addresses controlled by the same entity. We ran the Louvain community detection algorithm on a subgraph composed of all 624,136 EOA addresses that received the airdrop (1,007 contract addresses also received the airdrop, which we disclose later). The results showed that a total of 279,328 addresses formed over 60,000 communities. Because personal addresses within the same community frequently transfer funds to one another, they are considered hunter addresses. They account for approximately 5.57 billion tokens or 47.96% of the total Arbitrum airdrop tokens.

Below is the distribution of the size of hunter address groups and their corresponding number of addresses. From the chart, we can see that a large number of small-scale hunter communities received tokens in this Arbitrum airdrop event.

image

The following shows the distribution of the size of hunter address groups and their corresponding claimable tokens (unit: tokens).

image

Witch Addresses

We further examined these hunter addresses and established the strictest screening criteria to identify the witch addresses among them. A total of 148,595 witch addresses received the airdrop. They account for approximately 253 million ARB or 21.8% of the total airdrop tokens. The witch addresses come from two sources:

  1. Communities with a large number of hunter addresses.

  2. High-confidence witch addresses identified by X-explore on Ethereum and several Ethereum L2s (Arbitrum, Optimism, etc.).

To counter witch detection, airdrop hunters use cross-chain bridges, centralized exchanges, and smart contracts to prevent direct connections between a large number of addresses and make each address as independent as possible to evade witch detection. In Arbitrum's witch exclusion, the project team also removed entity addresses such as cross-chain bridges, exchanges, and smart contracts. According to our analysis, some airdrop hunter teams successfully countered the detection rules, and a large number of addresses received this airdrop.

Case 1: CEX Witches

Examples of identified CEX witch clusters with more than 250 addresses:

  1. From August 24 to August 28, 2022, a total of 2,997 addresses that received the airdrop withdrew funds from Binance (0xb38e8c17e38363af6ebdcb3dae12e0243582891d). The withdrawal amounts were very consistent, between 0.00114 and 0.00116 ETH (approximately $2). These addresses collectively received 1.83 million airdrop tokens.

  2. Between June 3 and June 4, 2022, a total of 1,001 addresses that received the airdrop withdrew funds from FTX (0xa60113f7d43130919802b0863abdcdb956664fd5). The withdrawal amounts were very consistent, between 0.0022 and 0.0023 ETH (approximately $4). These addresses collectively received 1.04 million airdrop tokens.

  3. From November 27 to November 30, 2022, a total of 645 addresses that received the airdrop withdrew funds from Binance (0xb38e8c17e38363af6ebdcb3dae12e0243582891d). The withdrawal amount was very consistent at 0.05 ETH (approximately $9). These addresses collectively received 700,000 airdrop tokens.

  4. From October 29 to November 1, 2022, a total of 1,035 addresses that received the airdrop withdrew funds from Binance (0xb38e8c17e38363af6ebdcb3dae12e0243582891d). The withdrawal amount was very consistent at 0.003 ETH (approximately $5). These addresses collectively received 980,000 airdrop tokens.

  5. On February 6, 2023, 294 addresses that received the airdrop withdrew funds from Binance (0xb38e8c17e38363af6ebdcb3dae12e0243582891d). The withdrawal amount was very consistent at 0.0008 ETH (approximately $1.5). These addresses collectively received 291,000 airdrop tokens.

  6. On December 12, 2022, 273 addresses that received the airdrop withdrew funds from Binance (0xb38e8c17e38363af6ebdcb3dae12e0243582891d). The withdrawal amount was very consistent at 0.0095 ETH (approximately $17). These addresses collectively received 242,000 airdrop tokens.

  7. On August 19, 2022, 261 addresses that received the airdrop withdrew funds from FTX (0xa60113f7d43130919802b0863abdcdb956664fd5). The withdrawal amounts were very consistent at 0.003 ETH (approximately $5). These addresses collectively received 189,000 tokens.

image

We further extracted these witch addresses that withdrew funds from FTX. In addition to the consistent amount of funds, they also had very consistent smart contract calls.

Note: The nodes in the figure represent addresses, and the edges represent interactions between addresses.

image

Case 2: Cross-Chain Bridge Witches

Examples are as follows:

  1. From November 2 to November 7, 2022, a total of 1,114 addresses that received the airdrop crossed to Arbitrum via the HOP bridge (0x33ceb27b39d2bb7d2e61f7564d3df29344020417). The deposit amounts were very consistent, and these addresses collectively received 1.08 million tokens.

image

Case 3: Smart Contract Witches

Address 0x922008a118feff7fb017ee67eb3b02371e559999 deposited funds into 1,274 airdrop addresses via the Disperse contract. The deposit amount was very consistent at 0.0005 ETH (approximately $8). These addresses collectively received 1.059 million tokens.

Similarly, 9,483 witch addresses avoided direct connections by being funded through the Disperse contract (one address deposits funds into 50 different airdrop addresses). These addresses collectively received 10.98 million tokens.

image
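Cases 1 to 3 share one signature: a single funding source, near-identical amounts, and a short time window, with no direct link between the recipients. The following is an added example, not X-explore's model or code from the article; the transfers are constructed, and the 20-address minimum, 5-day window and 2% amount tolerance are assumed thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _split_by_time(funder, band, window, min_size):
    """Split one amount band into time-window groups; keep only large groups."""
    groups, group = [], []
    for row in sorted(band, key=lambda r: r[1]):
        if group and row[1] - group[0][1] > window:
            groups.append(group)
            group = []
        group.append(row)
    if group:
        groups.append(group)
    return [{"funder": funder, "recipients": sorted({r[2] for r in g}),
             "min_eth": min(r[0] for r in g), "max_eth": max(r[0] for r in g)}
            for g in groups if len({r[2] for r in g}) >= min_size]

def find_funding_clusters(transfers, min_size=20, window=timedelta(days=5), rel_tol=0.02):
    """Flag recipients funded by the same source with near-identical amounts
    inside one time window. transfers: (funder, recipient, eth, ISO time)."""
    by_funder = defaultdict(list)
    for funder, recipient, amount, ts in transfers:
        by_funder[funder].append((amount, datetime.fromisoformat(ts), recipient))
    clusters = []
    for funder, rows in by_funder.items():
        rows.sort()                      # ascending by amount
        band = [rows[0]]
        for row in rows[1:]:
            if row[0] > band[0][0] * (1 + rel_tol):   # amount left the band
                clusters += _split_by_time(funder, band, window, min_size)
                band = []
            band.append(row)
        clusters += _split_by_time(funder, band, window, min_size)
    return clusters

def sample_transfers():
    """Constructed data: an exchange wallet serving a farm and organic users, plus a disperse caller."""
    t0 = datetime(2022, 8, 24)
    rows = [("CEX_HOT_WALLET", f"farm_{i:02d}", 0.00114 + (i % 3) * 0.00001,
             (t0 + timedelta(hours=3 * i)).isoformat()) for i in range(30)]
    rows += [("CEX_HOT_WALLET", f"user_{i:02d}", 0.05 * (i + 1),
              (t0 + timedelta(days=9 * i)).isoformat()) for i in range(10)]
    rows += [("DISPERSE_CALLER", f"drop_{i:02d}", 0.0005, t0.isoformat()) for i in range(25)]
    return rows

if __name__ == "__main__":
    for c in find_funding_clusters(sample_transfers()):
        print(c["funder"], len(c["recipients"]), c["min_eth"], c["max_eth"])
```

Grouping on the funder alone would merge the farm with the exchange's ordinary customers; the amount band and time window are what separate them.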

Case 4: Witch Fund Gathering After Snapshot

We selected a representative example from this type of witch. The example witch has a total of 198 addresses and received 174,375 tokens. Although these addresses exhibit obvious gathering behavior, they were not excluded from the airdrop addresses because the gathering behavior occurred after the snapshot.

image
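The effect of the snapshot cutoff on the graph clustering described under Hunter Addresses can be reproduced on a small constructed graph. This is an added example, not the article's model: it uses plain connected components (union-find) as a simpler stand-in for Louvain, and the address names, the sweep date and the later cutoff date are assumptions.

```python
from collections import defaultdict
from datetime import date

SNAPSHOT = date(2023, 2, 6)  # snapshot date stated in the article

def cluster_recipients(transfers, recipients, cutoff, min_size=2):
    """Connected components over direct transfers between airdrop recipients,
    using only edges dated on or before `cutoff`."""
    parent = {a: a for a in recipients}

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for src, dst, day in transfers:
        if day > cutoff:
            continue                       # edge is invisible at this cutoff
        if src in parent and dst in parent:
            parent[find(src)] = find(dst)  # union the two components

    groups = defaultdict(set)
    for a in recipients:
        groups[find(a)].add(a)
    found = [sorted(g) for g in groups.values() if len(g) >= min_size]
    return sorted(found, key=len, reverse=True)

def sample_graph():
    """Constructed data: a 198-address farm that sweeps to one member after
    the snapshot, one pair linked before it, and 50 unrelated recipients."""
    farm = [f"farm_{i:03d}" for i in range(198)]
    solo = [f"solo_{i:02d}" for i in range(50)]
    transfers = [(a, farm[0], date(2023, 3, 25)) for a in farm[1:]]
    transfers.append(("pair_a", "pair_b", date(2022, 10, 1)))
    return transfers, farm + solo + ["pair_a", "pair_b"]

if __name__ == "__main__":
    transfers, recipients = sample_graph()
    for cutoff in (SNAPSHOT, date(2023, 3, 27)):
        sizes = [len(c) for c in cluster_recipients(transfers, recipients, cutoff)]
        print(cutoff, sizes)
```

Re-running the clustering with a cutoff at distribution time, rather than at the snapshot, is what surfaces the 198-address group.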

Case 5: Witches on Other Chains (Optimism)

We have selected a representative example of this type of witch. The example witch contains a total of 202 addresses and received 204,250 tokens. These addresses also have very similar transaction records on Arbitrum, but because the transaction amounts and times differ slightly, they were not identified as witches. However, they also have the same transaction records on Optimism. It is worth mentioning that X-explore can identify witch addresses not only on Arbitrum but also on Ethereum, Optimism, and other Ethereum L2s.

image

We can infer that the rules set by Arbitrum did not effectively prevent the following four types of witches:

● Witches with fewer than 20 addresses.

● Witches depositing and withdrawing through exchanges, cross-chain bridges, and smart contracts.

● Witches exhibiting obvious NFT or fund gathering behavior after the snapshot.

● Witches with obvious batch processing behavior on other chains, such as OP and Ethereum.

Smart Contracts Receiving Airdrops

When we investigated witches, we also found some interesting examples. The winners of this ARB airdrop are not only EOAs (i.e., ordinary addresses), but some contract addresses also received airdrops. A total of 1,007 contract addresses received airdrops, with a total of approximately 1 million ARB tokens received.

Examples:

0x8c44c0ab9a15bacad7a4b663a89593c406c6b4ea

0x44e4c3668552033419520be229cd9df0c35c4417

0x6e87672e547d40285c8fdce1139de4bc7cbf2127

0x8585a10f59fd4dd6e7d5e19254d5a791dc25f3f4

Conclusion

Witch identification has always been a hot potato for project teams. On one hand, project teams need the airdrop hunters to support the project's popularity, while on the other hand, they have to bear the risks of witches profiting and the risk of market crashes after witches cash out. According to estimates by X-explore, the airdrop contains approximately 150,000 witch addresses and at least 4,000 witch communities, with total profits for witch addresses exceeding 253 million tokens.

Additionally, according to @BitcoinEmber's statistics, large airdrop hunters (studios) are collecting and aggregating $ARB from a large number of addresses eligible for the airdrop, with 0xe1…ab6e aggregating 2.1 million $ARB from over 1,200 addresses (3.2M); 0x77…195c aggregating 1.19 million $ARB from 1,375 addresses (1.81M); and 0xbd…9dcb aggregating 930,000 $ARB from 630 addresses (1.41M).
