Paymaster Sybil Defense

We all know what Sybil attacks are and they can be the worst event for an infrastructure project like Zyfi. It is always better to prevent a negative event than to react after it occurs. That's why this section exists: to prevent Sybil attacks and ensure that no one is affected.

Signature Based paymaster

The most important concept to understand is our signature-based technology. When you integrate our erc20_sponsored_paymaster or erc20_paymaster APIs, you're making a call from your front-end to the API, which constructs a transaction to be signed by the end users. This signature is validated by the paymaster contract, which means it is not possible to directly interact with Zyfi's paymaster contract unless it comes through Zyfi's API. Therefore, a malicious actor would need to go through our front-end or one of our partner's front-ends to execute any action.

Extracted value

A malicious actor's only option would be to consume all the sponsored transactions offered by a Dapp partner using the erc20_sponsored_paymaster. Unlike the erc20_paymaster, which doesn't require an API key and has no financial value attached (no vault contract), the attacker would need to exploit the gas provided through the sponsored paymaster API. However, this would not lead to any profit for the attacker—only the depletion of gas that Dapps generously provide.

Prevention and Solutions

To ensure the Zyfi API is secure for its partners, we have considered various scenarios and developed specific configurations to mitigate them:

1. Scenario 1: A malicious actor spamming the API with a single account to extract value.

   Zyfi has provided a way for Dapp partners to set a limit on free transactions per address. For example, Zyfi has implemented a restriction for NFT collections to provide 10 free transactions per holder with a limit per NFT. This prevents actors from spamming and consuming all the gas.

2. Scenario 2: A user creates multiple wallet addresses to consume gas across different addresses. To combat this, Zyfi will introduce a global daily limit. For example, a Dapp can set a daily limit of $100, equivalent to around 1,000 free transactions. This way, only a portion of the vault can be consumed daily.

   Zyfi is working to monitor sudden rise in API calls and notify partners if strange activities detected.

How to Set Up These Prevention Measures?

In the first scenario, Dapps can already limit the number of sponsored transactions per user or wallet address, which can be configured directly with the Zyfi team.

For the second scenario, development is still underway to enable Dapps to set a global daily limit to prevent this type of activity.

To keep things as straightforward as possible and provide a clear developer experience for our integration partners, all these settings will be configurable through the dashboard for partners