Sybil attack
A Sybil attack is an attack on a distributed system in which a single adversary creates a large number of pseudonymous identities to gain disproportionate influence over the network's operation. The name derives from the clinical case study of Shirley Ardell Mason, known as "Sybil," whose multiple personality disorder became a metaphor for a single entity masquerading as many. In the context of computer networks, the attacker does not need to control multiple physical machines; they need only control multiple identifiers, which in permissionless systems are often trivial to generate.
The vulnerability is fundamental to any system that distributes authority or resources based on identity counts rather than on costly credentials. In peer-to-peer networks, a Sybil attacker can flood the network with malicious nodes and thereby take control of routing or consensus. In reputation systems, they can inflate their own ratings or manipulate rankings. In quadratic funding and other democratic mechanisms, they can simulate broad support by creating many fake contributors, defeating the mechanism's design intent.
Defenses against Sybil attacks generally fall into two categories: identity-based and resource-based. Identity-based defenses require proof of a unique human identity — through government IDs, social network verification, or biometric checks — but these introduce privacy risks and centralization points. Resource-based defenses require proof of a costly commitment — proof of work, proof of stake, or proof of physical resources — making the attack expensive to mount but also making participation expensive for legitimate users.
The Sybil attack is not a bug in distributed systems. It is a theorem about the relationship between identity and cost in permissionless environments. Any system that treats identity as free will be gamed by identity generation. The only question is whether the cost of the game exceeds the value of the prize. This is the same logic that governs Goodhart's Law: when a metric becomes a target, the cost of gaming it determines whether the metric remains meaningful.
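The quadratic funding case and the cost-versus-prize argument above can be worked through numerically. The following is an added example, not part of the original article: it uses the standard quadratic funding rule (subsidy = square of the sum of square roots of contributions, minus the sum), and the function names, the sample budget and pool, and the assumption that every identity pays the same creation cost are illustrative.

```python
import math

def qf_match(contributions, pool=math.inf):
    """Quadratic-funding subsidy for one project, capped by the matching pool."""
    ideal = sum(math.sqrt(c) for c in contributions) ** 2 - sum(contributions)
    return min(ideal, pool)

def split_gain(budget, k, identity_cost, pool=math.inf):
    """Net gain from splitting one budget evenly across k identities,
    compared with contributing it honestly as a single identity.
    Assumption: every identity, honest or fake, pays identity_cost."""
    honest = qf_match([budget], pool) - identity_cost
    sybil = qf_match([budget / k] * k, pool) - identity_cost * k
    return sybil - honest

def min_deterrent_cost(budget, pool=math.inf, max_k=1000):
    """Smallest per-identity cost at which no split into 2..max_k
    identities is profitable: gain(k) <= 0 iff cost >= match(k) / (k - 1)."""
    return max(qf_match([budget / k] * k, pool) / (k - 1)
               for k in range(2, max_k + 1))

if __name__ == "__main__":
    budget = 100.0  # constructed sample value
    for cost in (0.0, 50.0, 100.0):
        gains = [round(split_gain(budget, k, cost), 2) for k in (1, 2, 4, 10)]
        print(f"cost/identity={cost:6.1f}  gain at k=1,2,4,10: {gains}")
    print("deterrent cost, uncapped pool:", round(min_deterrent_cost(budget), 2))
    print("deterrent cost, pool of 40:  ", round(min_deterrent_cost(budget, pool=40.0), 2))
```

Under these assumptions the deterrent cost comes out as the smaller of the budget being split and the matching pool, and an honest single-identity contributor has to pay that same cost to take part.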