Sybil surge of identical-pattern transactions
A real-time signals factor in the v1.7.0 rubric. Measured per protocol on a real-time (rt) cadence.
Methodology: how we score
**What this measures** This real-time signal fires when multiple new EOAs — accounts with no prior transaction history or with very low nonces — submit identical or near-identical transaction patterns to the protocol within a short time window (default: 10 or more new addresses within 15 minutes with the same function selector and similar calldata). The signal is generated by clustering new-address transactions and flagging when the pattern diversity falls below a configurable threshold. Category 6 context: sybil transaction surges are a setup pattern for certain exploit classes — particularly airdrop farming attacks and coordinated pool-manipulation setups.
**Why it matters** Rhea Finance NEAR ($18.4M, April 2026) provides the clearest documented example of a coordinated multi-wallet exploit setup: a 423-wallet fan-out seeded fake liquidity pools, and the oracle accepted spot prices from these newly seeded pools, which enabled fake-token borrowing. Many new wallets performing identical transactions is a structural signature of this attack class. Sybil patterns are also documented in flash-loan-amplified governance attacks, where multiple wallets are used to distribute voting power before consolidation. The signal is P2 due to the high computational cost of real-time clustering across all new addresses.
**Green / Yellow / Red** Green is the baseline when new-address transaction patterns are diverse and distributed across different function selectors and calldata values. Yellow fires when a moderate cluster (five to ten) of new addresses submits identical transactions within a short window; this is plausibly bot farming but worth monitoring. Red fires when ten or more new addresses submit identical transactions within 15 minutes, particularly if the transactions involve liquidity provision to the same pool or approval of the same contract.
**Common gray cases** Gray applies during protocol launches or major incentive events, when legitimate sybil-adjacent behavior (airdrop farming) creates high false-positive rates for this signal.
**Notable historical examples** No cross-hacked incidents currently linked in database for this factor.
Measurement: what to look for
Detect multiple new EOAs submitting identical transaction patterns within a short window (sybil setup pattern).
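
The sketch below is an added example, not the rubric's own implementation. It groups new-address transactions by target, function selector and calldata, then applies the Green / Yellow / Red thresholds over a sliding 15-minute window. Assumptions: the transaction field names, the nonce cutoff for "new", treating calldata as "similar" when it is identical after masking the sender's own address, and scoring a cluster of exactly ten as Red.

```python
from collections import defaultdict, deque

WINDOW_S = 15 * 60    # page default: 15-minute window
RED_MIN = 10          # page: ten or more new addresses
YELLOW_MIN = 5        # page: moderate cluster of five to ten (ten itself scored red here)
MAX_NEW_NONCE = 2     # assumption: cutoff for a "very low" nonce

def _hex(s):
    s = s.lower()
    return s[2:] if s.startswith("0x") else s

def fingerprint(tx):
    """Pattern key: target, 4-byte selector, argument words with the sender's own address masked."""
    data = _hex(tx["input"])
    own = _hex(tx["from"]).rjust(64, "0")
    words = [data[i:i + 64] for i in range(8, len(data), 64)]
    return (_hex(tx["to"]), data[:8], tuple("<sender>" if w == own else w for w in words))

def score(txs):
    """Return (level, peak): peak = most distinct new senders sharing one fingerprint in any window."""
    by_pattern = defaultdict(list)
    for tx in txs:
        if tx["nonce"] <= MAX_NEW_NONCE:          # only new EOAs are clustered
            by_pattern[fingerprint(tx)].append((tx["ts"], _hex(tx["from"])))
    peak = 0
    for events in by_pattern.values():
        events.sort()
        window, counts = deque(), defaultdict(int)
        for ts, sender in events:
            window.append((ts, sender))
            counts[sender] += 1
            while ts - window[0][0] > WINDOW_S:   # evict events older than the window
                _, old = window.popleft()
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
            peak = max(peak, len(counts))
    level = "red" if peak >= RED_MIN else "yellow" if peak >= YELLOW_MIN else "green"
    return level, peak

def sample_txs(n, gap_s, nonce=0):
    """Constructed data: n fresh wallets send the same call to one pool, gap_s seconds apart."""
    pool = "0x" + "11" * 20                       # constructed address
    txs = []
    for i in range(n):
        sender = "0x" + f"{i + 1:040x}"
        calldata = "0xaabbccdd" + f"{10**18:064x}" + sender[2:].rjust(64, "0")  # constructed selector
        txs.append({"ts": i * gap_s, "from": sender, "to": pool, "nonce": nonce, "input": calldata})
    return txs
```

Counting distinct senders rather than raw transactions keeps a single busy new wallet from tripping the signal on its own.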