Gitcoin Passport Scoring Algo One Sheet (November 2023)
Context
A lot of people ask for this.
This is a reference sheet for people who want to protect their projects from bots and Sybils.
What is the Unique Humanity Score and how is the score calculated?
Does it get updated? Why?
Roughly what do Gitcoin Passport holders get when they achieve different Unique Humanity Scores?
What Unique Humanity Score should an app developer who wants to keep out Sybils set? Could you discuss the considerations involved in potentially filtering out real humans?
What is the Unique Humanity Score and how is the score calculated?
The Unique Humanity Score is our way of assigning a confidence level to an address in terms of how likely it is to be a human versus a bot or a Sybil. Currently, the threshold is set at 20. We evaluate various identity providers and third parties, which we refer to as stamps, such as our newly launched Guild stamp, which offers three credentials.
Each credential is assigned points, and we evaluate the weight of these points across all different identity providers and data we have so far, with about 450,000 individual end users using Passport. We use datasets of known Sybils and known humans to analyze how credentials are used by good and bad actors, and assign weights accordingly.
While it's not a perfect system and we can't entirely eliminate Sybils with a score of 20, the data suggests it's a good starting point. Users may choose to set a higher threshold for increased protection, but our default is currently set at 20.
Itβs important to note that our algorithm for calculating the Unique Humanity Score updates regularly, and stamp weights might sometimes be lowered.
This is because we're engaged in an ongoing effort against Sybils, which can be seen as an infinite game. We establish thresholds and standards, and Sybils attempt to game these for their advantage. Our job is to continually assess the data, making adjustments to improve our effectiveness against Sybils while making it easier for genuine humans to prove their humanity.
We cater to a wide range of users. Some are Web3 natives, and we have stamps that allow them to prove their humanity easily. Others are newer to Web3, so we provide options like KYC or biometric stamps for them.
This continuous assessment leads to changes in our system. For example, we found that the POAP and GitHub stamps were easily abused. We've removed the POAP stamp for now and lowered the point total from the GitHub stamp, as we discovered that Sybils were creating their own social graphs within GitHub. They would generate hundreds of repos, share them, star them, and replicate other activities that real humans would do, thereby accumulating a lot of points.
In contrast, most of our genuine human users couldn't gain many points from this stamp, turning it into a signal of Sybil activity instead of a signal of humanity. Therefore, we made the change, and similar adjustments will continue in the future. We may introduce new stamps, remove existing ones, change weights based on data, or modify credentials. It's a continuously evolving product aimed at maximizing its effectiveness against Sybils.
Β
Does it get updated? Why?
The more integration partners we have, the more rapidly we can respond to challenges. We can observe an attack vector on one 'blue team', whether it's ours or a partner's, and use that knowledge to bolster defenses for all other blue teams.
Our objective is to improve the entire ecosystem, maintaining privacy while establishing data feedback loops. There's still a considerable amount of work to be done in this area. Regarding the identity providers that are part of the Passport system, we're continually seeking to add more providers, which in our terminology are 'stamp providers' or credential providers. These include identity systems like our friends at BrightID.
We aim not only to add more systems but also to improve those already in place as they gain new signals. For example, we might find that Twitter serves as a strong signal today, but two weeks from now, it might not. In such cases, we might remove it, replace it, or alter the credentials associated with it. We're constantly observing these vectors and figuring out how to enhance them.
What's really exciting is the anti-fragility of this pluralistic system. We're not only making it more robust, but we're also accelerating the feedback loops. If an attack occurs in one place, the defensive mechanisms across all other areas, even those not yet attacked, are already alerted. If we can start rapidly iterating with a broad community, we can achieve a more potent and faster immune response."
Β
Roughly what do Gitcoin Passport holders get when they achieve different Unique Humanity Scores?
Your users may be wondering what the benefit of creating a Gitcoin Passport is beyond
Gitcoin Passport holders are assigned Unique Humanity Scores to allow easy access and filtering within the Web3 ecosystem. The score determines what activities or experiences a user can partake in. Here's how different scores might be used by integrators such as yourself:
- A score over 20 might be required for certain NFT collections to filter out bots and symbols.
- An airdrop might have a score threshold of 25, to ensure that rewards go to unique humans.
- Exclusive Gitcoin events may have a high threshold, such as a score of 35 and up, to provide access to specific participants.
The Unique Humanity Score in a Gitcoin Passport can now make screening and permitting unique humans much easier for projects within the Web3 space. Though there might be limited experiences initially tied to the Gitcoin Passport score, having this score allows users to effortlessly gain access to passport-protected experiences for at least 90 days. The goal is to work towards a future where there are hundreds of high-value experiences accessible through the Gitcoin Passport by the end of 2024. The importance of this score is emphasized by its role in sybil defense and the recognition of unique humanity, both of which are essential to the future of Web3 and the internet.
Β
What Unique Humanity Score should an app developer who wants to keep out Sybils set? Could you discuss the considerations involved in potentially filtering out real humans?
There are two extremes to this spectrum. On one end, you may prioritize allowing all genuine humans through, even if it means a significant percentage of Sybils get through as well. On the other end, you may prioritize completely blocking Sybils, even if it means screening out some genuine humans. It's a delicate balance.
Currently, in the Web3 landscape, most people lean more towards the human side of the spectrum, which means allowing all humans through and tolerating a reduced percentage of sybils. Given this preference, I would recommend community administrators set a score of 20. This is our default threshold and has proven quite effective.
You might consider going up to 25 if you require a higher level of protection for certain reasons. Only in the most extreme cases would I suggest a score of 30 or more. This could apply to a community or a role that requires a very high level of assurance that a participant is human, perhaps due to rewards, NFT drops, and so on.
However, for the vast majority of communities, I'd recommend setting a score threshold of 20. The beauty of the integration is its adaptability over time. Setting a score of 20 lets you experiment and see how that score works for your specific needs, then adjust it as necessary.
| Unique Humanity Score | Effectiveness at Keeping Out Sybils | Risk of Humans That May Be Blocked |
| 20 | Effective | Low |
| 25 | More Effective | Medium |
| 30 | Most Effecitve | High |
Β