There is no doubt that web3 is gaining popularity today, but flaws and issues will inevitably arise as with any new concept. The sad reality is that 40% of web3 users are bots, which devastate game economies, eat up marketing budgets, and overwhelm with spam.
Denis Ilin, a lead engineer at Jig Analytics, which provides anti-bot software, gave me some insight into the issue. With previous experience working at Lido, a decentralized liquid staking platform, Denis could speak from a wealth of experience about web3 technologies.
We began our interview by discussing web3 bots and why they harm the industry.
“Bots are actually a buzzword for a wide range of general automated programs. In particular, there are bots that automate specific processes that take too much time for people to do it manually. Perhaps the negative connotation of the term 'bot' stems from Elon Musk referring to spammers flooding Twitter. Here, we consider bots that perform certain tasks automatically or even smart contract bots to gain an unfair advantage,” Den said.
Den gave a simple example of the Cookie Clicker bot that automatically clicks on cookies in the game. He said the more sophisticated versions of these bots can handle multiple accounts and do the same on a much larger scale, as opposed to a human doing it manually. This would result in 200 Cookie Clicker bots generating x200 profit for their owners instead of one, he said.
“Market economics underpin play-to-earn and web3, making bots that operate at scale a destructive force. They will devalue your assets and eventually cause your product's economy to collapse. Not only are these bots detrimental to your business, but also to the industry as a whole,” Den said.
Good bots vs bad bots
Den went on to explain in detail how bots work by using move-to-earn games as an example. “Suppose you download an app that counts your steps and rewards you for the distance you walk. Its game economy assumes that most people walk 10k steps per day. This is an average step count, although you can take more steps on a trip, or less when you just walk to and from work.
By completing steps, you'll earn in-game assets that you'll be able to exchange for bitcoin, ether, or other cryptocurrencies. Bad actors use the following tactics. To deceive the app provider, they use hundreds of thousands of bots that mimic real mobile devices. Through a move-to-earn app, they simulate steps using the smartphone's gyroscope and update its location information to show movement. In the end, the innocent app developer, who wanted to improve people's health while making money, ends up with a broken economy,” he explained.
Nevertheless, there are also good bots out there. According to Den, automation is a natural process of development.
“Again, it all boils down to defining bots. There are arbitrage bots and trading bots that are pretty useful, creating buzz and benefiting the market. A call center bot that connects you to the right specialist is definitely not a bad thing. It is generally true that good bots outweigh bad ones, but bad ones tarnish the reputation of automation programs," Den said.
Web3 bots go beyond play-to-earn
It's interesting to see how bots can be used in so many different web3 environments. According to Den, they can be incorporated into blockchain governance systems, among other things. He gave the example of quadratic voting (QV).
As a quick note, the QV system transcends traditional one-person-one-vote decision-making by allowing participants to express not just their support for or opposition to an issue, but also how strongly they feel about it. A participant has a certain number of credits to use to vote. An additional vote costs a quadratic more than an earlier vote. So, through quadratic voting, only voters who care deeply about the issue will vote additional times, increasing their chances of winning.
One of Jig Analytics’ customers used this QV system to vote on grant allocation within its DAO, which they didn't want to be manipulated by bots. In this case, Jig's bot fingerprint mechanisms were successful in detecting tainted votes.
Airdrops, marketing, etc. are also susceptible to bots. Bots, for example, can take everything given away in whitelists by brute forcing them.
“Let's say there's a whitelist for 5,000 people, and bots can create all 5,000 wallets, leaving no room for competition. Thus, marketers blow through their entire budgets on fruitless campaigns,” Den said.
Web3 bot protection methods
It’s obvious that revealing user identities would help prevent bot attacks. The challenge in this case is pseudonymity, which is a core web3 concept. In contrast to complete anonymity, pseudonymity allows transactions associated with the same identity to be monitored even if the identity is unknown. There are basically three ways in which identity confirmation needs are handled in the crypto industry.
- Centralized KYC
A centralized KYC process involves sharing your name, photo, and other personal information. A KYC provider approves your identity on behalf of other third-party services integrated with it. Automating this would be difficult because a bot would need quite a bit of personal data and a phone/email/credit card verification.
“Users get access to these services but can't do much except hope their data won't leak. In a similar vein to Orwel's "Big Brother is watching you," it essentially means "We don't trust you" – hardly a privacy-preserving strategy,” Den said.
- Analyzing wallet behavior
According to Den, a privacy-conscious approach and a desire to eliminate entry barriers are at the core of Jig's strategy. It identifies wallet fingerprints associated with humans and flags all other ones as suspicious after analyzing a large amount of data.
“Jig Analytics allows product makers to ensure their economy and community’s safety by invisibly analyzing its users' on-chain behavior. It makes the end-user experience frictionless and privacy-preserving, which is an essential component for the ongoing mass adoption of crypto in the real world industries," he added.
- Reputation-based mechanics
Asking a member of a crypto community to confirm your identity is another method of verification. This is similar to invitation-only Web2 services like Clubhouse, which was once popular. The system is, however, not scalable, and it has risks being compromised. The whole system could be hacked once a bad actor is inside. It may not be a huge problem for social networking services, but whenever finances are involved, vulnerabilities of this nature carry tremendous risks, Den explained.
Smart contracts & bots
Another question I had was whether smart contracts can be exploited by bots. In Den’s view, smart contracts can play the role of bots if they behave unfairly within a system. For example, mimicking a legitimate service, they can entice users to take action in exchange for some reward. In any case, they won't last long since the community will soon flag and blacklist them.
“The entire concept of bots manipulating smart contracts is a form of social engineering that is not protected at a system level. Voluntary or unconsciously, people make choices that may harm them,” Den said.
Automation is inherently good. Unlike humans, bots do not have souls and act according to their programs. Whenever bots are in a system and controlled by it, they are harmless. In cases where bad actors use them to exploit existing systems, it's critical to raise awareness and have solutions available. This is exactly what Denis Ilin and his Jig Analytics teammates do.
NB! This interview appeared first at FXStreet.com