I Was Spammed by 800 Bots: Sybil Attacks and the Economics of Buying/Selling Votes

in #bots8 years ago (edited)

Recently I was pleasantly surprised when one of my posts seemed to be gathering quite a bit of attention. Within an hour, it had received several hundred votes, and within several hours it finally topped out at ~900 votes. Clearly this was suspicious, considering the expected payout settled around $30, and the post had zero flags. Obviously I was being spammed with upvotes by hundreds of low Steem Power accounts.


Creative Commons: Source

At this point you are probably saying, "Why are you complaining? I would love to get hundreds of upvotes."

I consider this type of spam a form of Sybil attack. A Sybil attack is one in which an attacker spams some type of reputation system with forged accounts. For example, suppose payouts were calculated simply based on number of upvotes. Clearly this would become a race to create as many fake accounts as possible to upvote your own posts and grab as much payout as possible. This is one of the main reasons why rewards are calculated based upon the Steem Power held by voting accounts and not simply the number of voting accounts. Similarly, your reputation score is based upon both the reputation and Steem Power of those that upvote or flag your posts. This prevents a malicious actor from spamming their own accounts with many upvotes in order to improve their own reputation score.

However, Steemit is still vulnerable to Sybil attacks.

After receiving several hundred votes, my post was sitting at the top of the 'hot' news feed for nearly an hour, with the vast majority of it's upvotes being pure spam. This should not be the case. It has been at least two months since the ability to game the 'hot' algorithm was mentioned by @lafona. As long as the raw number of votes and/or comments are used for any type of calculation to identify 'hot' or 'trending' content, Steemit will be vulnerable to these types of attacks.

You might say, "Can this really be considered an attack or vulnerability? Nothing can be stolen, so the spammers are just wasting their time."

But that is not true, this spam voting put my post at the top of the 'hot' news feed for nearly an hour. The exposure of my post was artificially increased at the expense of the exposure of other, potentially more valuable content. That is a serious cost. This type of 'noise' provides false information to the community and makes it slightly harder to identify valuable content by affecting users' perceptions.

Psychological Sybil Attacks

Even if Steemit solves the Sybil attack vulnerability in the 'hot' algorithm to more accurately rank content, there are still potential negative consequences from these types of attacks as long as the raw numbers of votes are shown on posts. Even with the existing reputation system, we all still naturally form our own opinions of other users' trustworthiness and reputation. If someone repeatedly spams my posts with upvotes, people may begin to perceive me as a spammer trying to game the system for myself. Although that does not directly affect my reputation score on Steemit, it nonetheless has the potential to damage my perceived reputation on the platform, which in my opinion is even more important than any Steemit-calculated reputation score.

The clear solution is to filter votes and comments when displaying the total numbers of votes and comments on any post.

Raw numbers of votes and comments should never be used in any calculation, nor should they be displayed to any user. That information is far to subject to noise and far too easy to spam with Sybil-type attacks. Especially now that the @steemitmarket account is repeatedly offering hundreds of votes for sale. You can see them offering votes for sale here:

You can see them testing out their vote bot army here:

Filtering votes makes buying and selling spam votes irrelevant.

In order to buy all 800 votes at @steemitmarket's current price, it would cost $8. The ~2400 Steem Power behind those posts could potentially impact a post's rewards by a couple of cents. There is no financial incentive to purchase those votes. The only potential reason for buying votes like this is to either game the news feed algorithms, trick real voters into thinking a post is going viral such that they will vote it up, or to damage someone's reputation by giving the impression that they are a scam artist. All of these issues are solved by simply filtering votes before showing the totals. No one would even know without looking at the blockchain that hundreds of accounts are voting on a given post, except that perhaps the rewards would change by a few cents.

Make no mistake, a market for buying and selling votes will certainly develop.

These could either be malicious or provide a service. Imagine an advertising firm, for example, that purchases a large amount of Steem Power and then sells their votes in order to boost the exposure of certain posts in the news feeds. This could develop into a legitimate ad revenue structure on Steemit. I can also imagine, for example, rival news agencies that purchase valuable down votes against their competitors. Anything is possible. I'm sure these issues will arise. For now, low Steem Power spam accounts are a present situation which will probably continue to escalate unless a simple fix is implemented.

Just trying to point out this issue to the unaware, and hopefully no one else will be spammed in this way and have their reputation negatively affected.

Best,

Trogdor :)

Sort:  

After watching all of the action on Steemit. I think it's possible that what could evolve is a massive bot war, controlling the voting, leaving the newbie behind. However, there was one article stating that good content will still persevere weeding out the garbage content..... that statement could hold true. Dantheman seems to be monitoring closer in regards to the bots, so possibly everything will be adjusted accordingly as time goes on.

There's already a kind of bot war going on with the curation rewards, but it seems like it is a race to the bottom, and the main side effect is that bots get less curation rewards and authors get more, so I'm not sure how exactly that is gonna play out or if that is a problem. I don't want to see a voting war though, where some posts have like 1000 flags, etc..., especially when it's just noise. Thanks for the comment :)

I've never seen a 1000 flags on a post, that's pretty outrageous. What I did see are bots with lots of money in their wallet.

Hey @trogdor - I read your post the other day about being spammed by these bots and it, actually, really bothered me. I am truly enjoying steemit for all it has to offer - all the really amazing content on such a wide range of topics, is amazing in my opinion. If these spam bot creators would just create something that would benefit this community, instead of trying to hedge it -- what a great place this world would be. I guess we can dream. CHEERS!

Thanks for the comment. I'm really enjoying the community too. I'm pretty sure these issues will all get sorted out eventually. We just have to be patient and get through the beta phase, hopefully.

Bots will always be programmed to be most profitable. If that includes providing something useful it will happen when its more profitable. Hopefully bots evolving to be more useful is the course the platform will take.

hi, i am @steemitmarket/ now we work on how to derive benefit of our army of boats that all were happy. there are no orders all the same because many zero likes do not bring benefit.

Yeah, it is a little bit frustrating. Whenever one of the accounts loses reputations from downvotes, they just start advertising on another.

Yes an endless game which is contraproductive for Steemit and the fun of the Steemians.
Hope such things will get solved soon.
And here is the next one
https://steemit.com/bots/@tygranadar/2xhxcg-upvote-follow-flags-per-0-01usd-accs-contract-price

Steemit Follow replied to my Facebook message.

Account creation shouldn't be free. Now Steemit is wasting steem worth of thousands of dollars to create bot armies.

If somebody wants to make a new account, they should pay for it (with cryptocurrency). Or get an invitation from users with high reputation (not distributed to low rep users).

Thanks for bringing this issue attention. I had assumed that these kind of problems were less relevant now but clearly I was wrong. I'm not sure people would be happy to have vote numbers hidden though.

I remember you talking about this earlier. I'm glad you posted about it here as well. I hope this issue gets more attention because it certainly will become a problem in the future.

Hi, i am @steemitmarket. the system of encouragement in steemit is badly ready. on my eyes beginners spread excellent posts, and have not earned anything, but then whales copy and changed them, and received $1000 / it shall disturb you. and problems which are created by me can easily be corrected/

and thanks for free advertizing. I only try to earn several dollars the living. and I do not do a lot of harm, but if the problem remains, will be that who will order 10000 flags

I'm a little confused about what you mean by filtering votes... Do you mean just hiding how many votes on the front-end? And if so, how would this prevent this spamming to occur on the hot list if they are still getting the votes from what the blockchain can tell?

Hi beanz, thanks for the comment. What I mean was that they could hide votes from low rep accounts. You've probably noticed that they already hide comments on some posts at the very bottom and you have to click to reveal the hidden comments. They could do the same with votes. As far as the hot list goes, there is already a plan to change the way it works so that the raw number of votes will not matter anymore. That way no one can buy 1000 votes and get to the top of the list.
Best,
Trogdor

Excellent idea. :)

I am in love with your posts and I would LOOOVE if you joined our #steemitwriteoff . Check out the details at https://steemit.com/steemitwriteoff/@truthmomma/steemit-write-off-1-theme-announcement-or-aug-18-22 . Winners take all Steem Dollars earned as well as money from donations!

This post has been linked to from another place on Steem.

Learn more about linkback bot v0.3

Upvote if you want the bot to continue posting linkbacks for your posts. Flag if otherwise. Built by @ontofractal