Skip to main content
SearchLoginLogin or Signup

Compressed to 0: The Silent Strings of Proof of Personhood

This paper chronicles Idena’s experiment in Proof of Personhood from launch in August 2019 to a crisis in May 2022, which prompted a pivot towards a novel experiment in sublinear identity staking.

Published onJan 03, 2025
Compressed to 0: The Silent Strings of Proof of Personhood
·

Abstract1 2 3 4

Experiments in Proof of Personhood—where each person has a single, unique identity—have increasingly been touted as a mechanism for tracing information provenance, distributing Universal Basic Income, and facilitating democratic governance over systems of artificial intelligence. This paper chronicles Idena’s experiment in Proof of Personhood from launch in August 2019 to a crisis in May 2022, which prompted a pivot towards a novel experiment in sublinear identity staking. We show how despite verifying humans, hidden pools rapidly emerged—some cooperative, but most controlled by “puppeteers” who, at best, remunerated participants for periodically proving their uniqueness in exchange for access to their secret keys and controlling their accounts. Instead of fostering an egalitarian network of unique identities, the protocol fractured into hidden subnetworks vying for control over an economic pie with economies of scale trending towards oligopoly, undermining the protocol’s security and ambitions for democratic governance (one-person, one-vote) and UBI rewards (one-person, one-reward). By giving humans economic incentives to periodically differentiate themselves from bots—even as low as $2 to $14 every few weeks—the protocol gave more informed, resourceful humans financial incentives to puppeteer less informed humans like bots. Notably, by May 2022, 23 entities constituting less than 0.6% of the network’s distinct entities controlled at least ~40% of accounts and the distribution of almost half (~48%) the network rewards. More striking, 3 entities controlled ~19% accounts and ~24% rewards. An off-chain system trending towards oligopoly subsumed an on-chain egalitarian system, quietly and opaquely. Achieving de jure sybil-resistance (filtering humans from bots) revealed a deeper challenge of de-facto sybil resistance (filtering humans acting like bots), which could not coherently or computationally be disentangled from the problem of collusion-resistance.

I. Introduction

As generative foundation models achieve faster-than-human proficiency in mimicking essential identity markers—such as writing style, vocal subtlety, and visual representation—Proof of Personhood protocols have been touted as a way to establish provenance and authenticity in the wake of deep-fakes, as well as facilitate democratic governance (one-person, one-vote) and distribute a universal basic income (one-person, one-reward). Experiments in Proof of Personhood aim for “sybil-resistance,” where verified unique humans control corresponding unique accounts 1:1.

Idena is an open-source, Proof of Personhood blockchain that launched with the egalitarian goals of one-person, one-vote, one-reward in August 2019, before pivoting in May 2022 towards a novel experiment in “sublinear identity staking”—an intermediate between Proof of Personhood and Proof of Stake. This paper is an empirical study about Idena’s first experiment in Proof of Personhood, saving the pivot for our next essay. We show how despite filtering bots and verifying humans, pools rapidly emerged—some cooperative but most controlled by “puppeteers” who, at best, paid participants to periodically prove their uniqueness in exchange for access to their private keys and controlling their accounts. By giving humans economic incentives to differentiate themselves from bots—even as little as $2 to $14 UBI for 30 minutes of work every 1 to 3 weeks—Idena gave more informed, resourceful humans economic incentives to control less informed humans like bots and extract greater rewards. Notably, by May 2022, 23 entities constituting less than 0.6% of the network’s distinct entities controlled at least ~40% of accounts and the distribution of almost half (~48%) the network rewards. More striking, 3 entities controlled ~19% accounts and ~24% rewards, with a trendline towards oligopoly. Instead of an egalitarian network of unique identities, on-chain, asocial personhood credentials collapsed into off-chain social arrangements that obfuscated power at best, or reinforced it at worst.

Proof of Personhood protocols differ widely in their technological and political architecture: how they validate unique identities, achieve consensus (if there is a blockchain), govern the protocol, protect privacy, or conceptualize “personhood” philosophically. While one-person, one-vote has been a motivating use-case for Proof of Personhood, one-person, one-reward UBI is a more recent innovation accelerated by blockchains, which enable global distribution of transferable tokens. When referring to “Proof of Personhood,” this paper narrowly refers to the subset of blockchain protocols that seek to offer a more egalitarian alternative to Proof of Work and Proof of Stake; rather than confer votes and economic rewards to participants who already can afford to buy compute or stake, these protocols aim to verify unique humans controlling corresponding unique accounts, thereby enabling democratic processes and a more egalitarian rewards distribution (one-person, one-vote, one-reward).

Why Idena?

This paper is a case study in the unintended and unequal consequences of wedding egalitarian goals with economic and political incentives to verify biological uniqueness. We eschew a comparative overview of competing Proof of Personhood protocols (e.g., Worldcoin, Proof of Humanity, Humanode) in favor of an empirical audit of Idena. Through this deep-dive, we aim to set a standard for analysis and disclosure for global identity protocols, especially those that tout similar egalitarian ambitions. Idena offers a benchmark, having technically succeeded in filtering bots, validating humans, and undermining account trading for the study’s period—a problem which beleaguers several protocols today. Instead, the protocol had to grapple with a deeper social problem: an ongoing economic relationship between a verified human participant and operator—a principal and agent, or puppet and puppeteer, depending on the depth of asymmetry and who captured the benefit of the bargain.

Roadmap

This paper starts technically and ends pragmatically in a discussion about power: we first explain how Idena verifies unique humans (Section II) and then chronicle the protocol’s outcomes, from launch in August 2019 (Section III) to delegation in March 2021 (Section IV), ending in a puppeteering crisis a year later. We then pivot to a discussion (Section V), where we match the egalitarian ambitions of democratic governance (one-person, one-vote) and UBI rewards (one-person, one-reward) against the reality of a protocol fractured into off-chain subnetworks vying for control over an economic pie and, by extension, participants’ time, attention and their accounts. We then extrapolate to the future; as humans further integrate biologically with information technology, the distinction between filtering humans from bots (de jure sybil-resistance) and filtering humans acting like programmable bots (de facto sybil-resistance) will blur more, if not collapse, underscoring a more foundational challenge than establishing biological uniqueness: establishing the informational uniqueness of participants—or the extent to which they cluster with the same interests and biases, leading to tacit collusion that risks monopoly and majoritarian capture. Rather than presuming all participants to be informationally the same in one global identity game, we offer an alternative starting point: acknowledging informational differences which arise from talking and trading in markets and politics—our social ties—for many identity games as varied as the diversity of human associations.

Contributions

We offer unique contributions to fields at the intersection of decentralized identity, information theory, computational democratic governance, and voting security:

  • Empirical Study: We present a first empirical analysis of a Proof of Personhood protocol, checking the egalitarian ambitions against the outcomes of a network trending towards oligopoly.

  • Puppeteering: We offer definitions of “puppeteering,” distinguishing between “strong” and “semi-strong,” and contrast puppeteering against accountable principal-agent relationships.

  • Sybil-Resistance: In the context of Proof of Personhood, we refine the concept of sybil-resistance to acknowledge two forms: de jure sybil-resistance (filtering humans from bots where each humans controls a corresponding account 1:1) and de facto sybil-resistance (filtering humans acting like programmable bots).

  • Collusion-Resistance: We bridge “de facto sybil resistance” and “collusion resistance” as equivalent computational, or informational challenges.

  • Computational Democratic Governance: We reframe the goals of democratic governance away from simple one-person, one-vote towards checking faction to surface broader public goods, which in turn requires acknowledging the informational uniqueness (or clusters) of participants.

  • Voting Security: We highlight how undermining vote-buying on-chain doesn’t solve for off-chain vote-buying in “meatspace,” but may encourage it as a low-cost alternative.

II. Overview of Idena Protocol

A. Filtering Humans from Bots

The Idena Protocol is an open-source Proof of Personhood blockchain.5 To gain the status of a unique identity or “human” in Idena, users synchronously participate in a series of 4 consecutive validation ceremonies, progressively increasing their status to “human.”6 Validation ceremonies are scheduled in advance (15:00 UTC7) every 1 to 3 weeks (“epoch”) based on the network size; the larger the network, the longer the epoch.8 In each validation ceremony, participants solve 6 FLIP (“Filter for Live Intelligent People”) puzzles within 2 minutes. A FLIP is a cognitive test, consisting of a series of photos generated by other participants that convey an intelligible human story in one configuration and are meaningless in another random configuration.9 FLIPS aim to be a reverse Turing test, verifying the presence of a human rather than a bot.10 For the period under analysis (August 2019 to May 2022), Idena’s FLIPS were successfully AI-resistant, where bots did not succeed in generating fake accounts.11 Other Proof of Personhood protocols prove uniqueness in other ways, relying on centralized identity verification (vulnerable to censorship), peer-to-peer validation (vulnerable to AI deep-fakes), or biometric information (vulnerable to leaks by surveillance).12

Figure 1: Sample FLIP Test

B. Synchronous Participation & Periodic Re-Authentication

Whereas FLIP tests aim to filter bot accounts, simultaneous validation ceremonies across all participants prevent participants from generating fake accounts, or “sybils,” because one person can only be in one place at one time.13 Given cognitive diversity, however, outliers may complete more than one validation ceremony within the allotted 2 minutes, but are nonetheless capped at 2 (rare) or 3 (very rare).14 Required periodic re-authentication every epoch (every 1 to 3 weeks) also increases the cognitive cost and lowers the chance of one person maintaining multiple accounts. Given this hard ceiling to multiple accounts—a ceiling that exists even if anecdotal estimates are challenged in the future— we characterize Idena’s sybil-resistance as “semi-strong,” filtering bots from humans and verifying mostly “unique” humans, except for cognitive outliers.15

C. Stymying Private Key Sales with Identity Staking & Identity Slashing

Validated accounts earn rewards by participating in periodic ceremonies every epoch (validation ceremony rewards)16 and by running a node and producing blocks as a validator (mining rewards).17 Rewards are IDNA tokens, split evenly between the validation ceremony and mining rewards pies. Whether earned through validation or mining, 20% of all earned rewards are automatically locked as “identity stake” while the remaining 80% are unencumbered in the account’s wallet as “transferable rewards.” Importantly, when a participant unlocks and withdraws their locked identity stake, their status as a unique identity in Idena is lost (or “killed”), along with the privilege of being a validator that can earn mining awards.18 Thus, locked identity stake undermines credible sales of private keys because sellers always have a financial incentive to withdraw their locked stake simultaneously or immediately after a sale.19 The older the account, the larger the identity stake, and the more powerful the financial incentive to not buy or sell an identity.

Periodic account re-authentication also discourages account trading by imposing ongoing cognitive costs to the buyer who periodically must re-validate the account. Missing a series of validation ceremonies (or failing them), results in a progressive degradation of account status over several stages until the account is “killed”—or the identity “slashed.”20 When slashed, 100% of the identity stake is burned (though transferable awards remain available) and the account loses its unique identity status, along with eligibility to earn rewards.

D. One-person, One-vote, One-reward….and One-node

Whereas Proof of Work and Proof of Stake require control over compute and stake respectively to participate in blockchain consensus, Idena requires a verified human account running their own mining node.21 The rationale behind accounts running their own nodes was the network would gain an excessive, redundant number of nodes for greater throughput (increasing speed)22 along with more diverse node operators less likely to collude in a 51% attack (increasing security).23 Politically and economically, each verified account running their own node was also necessary to achieve egalitarianism,24 enabling UBI rewards (one-node, one-mining reward) and egalitarian governance (one-node, one-vote), where a supermajority of nodes vote on-chain by upgrading their software (or “hard-fork”) to instantiate protocol changes. Notably, if each account failed to run their own node, governance and mining rewards from a fixed economic pie would concentrate in node operators, rather than distributing equally across human accounts, undermining egalitarianism.

III. Protocol Launch (August 2019)

A. Suspicious Transaction Patterns

The Idena protocol launched in August 2019. Anyone could join the protocol so long as they participated in the synchronous validations ceremonies (solving FLIP tests), held periodically at 15:00 UTC. Accounts steadily increased, reaching over 6,000 accounts within the first 18 months, generally among blockchain enthusiasts who learned about the protocol by way of word-of-mouth, articles, and blog posts. But as the network grew, on-chain data began to show a curious and increasing phenomena; some wallets were sending their unlocked, transferable rewards to the same address. Moreover, these rewards never returned on-chain back to participants, but instead proceeded to exchanges.

Figure 2: Snapshot of transactions from accounts to a Russian account in December 2020 (see blockchain explorer)25

Blocks of one-way transfers at the same time to the same wallet implied automation, which would require 3rd party access to a participant’s private keys. Either participants had unwittingly ceded their keys to a 3rd party, or never had them. The latter suspicion was confirmed when forked versions of Idena's software surfaced, where participants were accessing validation ceremonies through software clients that masked private keys controlled by a 3rd party.26 By December 2022, one participant admitted to running a “human pool,” finding over 500 participants willing to get paid in local currency in exchange for performing validation ceremonies, or finding others to do the same.

Figure 3: Private message from a Russian puppeteer to Idena Team (Dec 2, 2020)

These transaction patterns, messages, and forked versions of software were all suggestive of “human farms” or “puppeteering,” where high-information operators, at best, pay low-information participants —“puppets”—to periodically perform validation ceremonies and verify their uniqueness in exchange for access to their private keys and controlling their accounts. Puppets were either unaware of their account’s private keys (“strong puppets”), or “knew” their private keys but were unaware of their significance within the protocol (“semi-strong puppets”).27

Puppeteering was not a traditional (or de jure) sybil attack, where one person, a sybil, fakes many accounts, typically by way of bots.28 Validation ceremonies had succeeded in filtering out bots and authenticating flesh-and-blood humans. Instead, puppeteering was a de facto sybil attack of humans acting like programmable bots—lacking some combination of information and control to be considered an intentional “agent” acting with knowledge and consent.29 Because puppets ceded their private keys (or never had them), they lacked control. And because puppets were remunerated off-chain in local currency, it was unclear if they were informed about the protocol, understood the significance of their validation exercise, or were aware of the puppeteer’s cut from their rewards. In at least two confirmed locations of puppeteering, Indonesia and Russia, the median hourly wage was estimated at $0.72 and $2.18, respectively.30 Depending on the fluctuating token price, epoch rewards of a unique account ranged from an hourly wage of $6.40 at minimum to a median hourly wage of $56.31 Conservatively ignoring the maximum possible earnings, and assuming puppets were paid at least local market rates, puppeteers could capture anywhere between ~$4 to ~$55 per hour, or 2x to 55x a puppet’s market wages.

B. Muddied Waters: Puppeteering or Cooperation?

While concerns around puppeteering grew, pool operators began to offer a counter-perspective; they were offering a service to consensual participants and being remunerated. Some, including “awakened” puppets, were coming back.

Figure 4: Private message from a Russian puppeteer to Idena Team (Dec 2, 2020)

Earning rewards on Idena presented a number of hassles: continuously running a node on a personal computer for mining rewards, maintaining stable internet connections for validation ceremony rewards, updating software, exchanging rewards into local currency—to name a few. In exchange for ceding exclusive control over private keys, pools could coordinate these tasks better than participants on their own, without interruption, minimizing the risk of identity slashing for failing a validation ceremony or penalties for failing to attest to a block as a validator.

Figure 5: Private message from a Russian puppeteer to Idena Team (Dec 2, 2020)

If puppeteering was one extreme, then cooperative, voluntary pools were another possible extreme—coordinated not by puppeteers but by intentional participants who voluntarily shared information and control (including their private keys) to a pool operator who could better run their nodes, coordinate validation ceremonies and distribute their rewards, thereby capitalizing on economies of scale.32

Figure 6: Range of Puppeteering and Cooperation

Yet, without knowing off-chain interactions with the operator or other circumstantial evidence (e.g., telegram chats, photos, etc.), it was impossible to decipher the nature of pools. Theoretically, the same transaction pattern of blocks of one-way transfers at the same time to the same wallet were consistent with puppeteering and voluntary cooperation. Both extremes differed not in their coordination on-chain, but in the distribution of information and control—or power— off-chain. In “puppeteering,” operators have control (private keys), more information (how the protocol works, the social network of puppets, how to cash out rewards into local currency), and capitalize on their asymmetry to control accounts in exchange for minimum wage payments, while maximally extracting to their own advantage. In contrast, “cooperation” has greater symmetry in information and control.33 Participants may know how the protocol works and control their keys, but nonetheless find it mutually beneficial to pool resources and delegate control (including their secret keys) to an operator for greater rewards with economies of scale, holding operators accountable off-chain.

To muddy the waters, a pool didn’t have to be either-or. Even if cooperators voluntarily delegated control (including their secret keys) to an operator, they were also vulnerable to the same principal-agent asymmetries of puppets and at risk of sliding under the thumb of a puppeteer.34 Depending on the off-chain governance to audit and hold the operator accountable, pools could slide along the spectrum between “puppeteered” and “cooperative.” Some pools might be more corporate with fiduciary-like duties, or democratic with greater checks and balances to correct for asymmetries, delivering participants more value (a greater benefit of the bargain). Whereas other pools might be more autocratic, extracting with minimum payments and maximum asymmetry. And then there were family-sized pools with strong ties and repeat interactions that might split rewards according to their needs as a group. Similarly, whether a participant was a “puppet” or “cooperator” wasn’t either-or, but could change over time, depending on what they knew, what they could do, and more fundamentally to whom they were socially tied from talking and trading.35

Whether composed of duped puppets, informed cooperators, or a mix—pools redistributed money and votes unequally, undermining Idena’s egalitarian ambition for one-account, one-vote, one-reward. Contrary to the aspirations of a transparent, open network of solo accounts (or “sovereign individuals”) the protocol instead devolved into hidden groups and subnetworks (autocratic, corporate, democratic) competing for control over a fixed economic pie.

C. Waking Up Puppets?

The community began to contemplate strategies to “awaken” puppets. But the breadth and depth of pools could not be quantified easily. Each pool ran a different server for each node with their own IP address, with the optics of individual accounts running their own nodes. Without expensive chain-analysis, the protocol could not readily identify the automated flow of funds. And even if such wallets were identified, off-chain bargains and payments (or lack thereof) couldn’t be inferred from on-chain data. Moreover, conversations with participants were strategic; for example, a participant asking for improvements to the mobile client interface in September 2021 later revealed themselves to be an Indonesian pool operator with over 1,400 paid accounts.36

In December 2020, the protocol began to wrap the user experience with watermarks on the website URL during FLIP tests, both to alert participants and to also prevent FLIP harvesting by pool operators.37 But these measures were generally ineffective.38 One-way transaction patterns continued, and the watermarks program terminated in August 2022. Flooding information cannot awaken participants if they cannot read, understand the watermarks, aren’t motivated to pay attention, or more cynically, are easily replaced.39

Figure 7: Frame of the video from Egyptian pool operator
https://youtube.com/shorts/ecJW4CDB2ec?feature=share (Idena Discord Discussion October 2022)

IV. Pivot towards Delegation (March 2021— May 2022)

As pools became common knowledge, the community debated remedies. Hard forking out known pooled accounts wouldn’t eliminate hidden pools, but encourage them to re-emerge under new guises. Rather than fight pool coordination—whether cooperative or puppeteered—the community settled on drawing them out of the unquantified shadows with “delegation” in March 2021.40 Delegation enabled accounts to band (or be banded) together as groups under a single pool account and node, thereby saving pool operators the hassle (attention, time and money) of running a node for every account while making an account’s membership to the pool visible.41 Importantly, for participants, delegation enabled operators to handle operational hassles without needing to know participants’ private keys. The bargain was three-fold:

  • pool operators could withdraw an account’s identity stake (20% of all earned rewards) and “terminate” a pooled account (reducing the account’s status from “human” or “verified” to “killed”), all without a participant’s secret keys.

  • pool operators distributed 80% of earned rewards (transferable rewards) at their discretion, which streamed into the pool operator’s wallet.

  • pooled accounts gave up their voting power, consistent with one-node, one-vote. Notably, if an account undelegated from pool, their voting power as a new node would re-instantiate only after 3 epochs (the same time for a participant to validate a new account to “verified” status and gain voting power).

With delegation, participants retained control over their wallets holding their transferable rewards, but otherwise pool operators had significant (almost totalistic) control: the power to distribute transferable rewards, terminate accounts, and seize identity stake. Thus, informed participants considering delegation had strong incentives to delegate to trusted operators: a friend, family member, or operator with reputation and off-chain accountability. Notably, delegation did not change the relationship of puppets under the thumb of a puppeteer; a participant who had already unwittingly ceded their private keys to a puppeteer could not reclaim them (or control over their transferable wallet). To reclaim control, a participant would have to validate a new account and race to transfer their funds before the puppeteer.

A. Proliferation of Pools

Delegation succeeded in making pools transparent, but also strengthened incentives to form them with economies of scale. Specifically, pools could now earn the same rewards from validation ceremonies (c) and mining (m) for every pooled account (a) only incurring the time cost of validation ceremonies (t) without the hassle of running an account-specific node continuously (n). Operational costs decreased from an to n, increasing the pool’s profit (P).

Pre-delegation: Ppool = apool (c + m - t - n)

Post-delegation: Ppool = apool (c + m - t ) - n

Pools were now cheaper to operate with greater economies of scale than “solo” accounts running their own node. As the network grew—peaking to 15,778 accounts in mid-April 2022—account growth was notably among large pools (>15 accounts). Solo accounts flat-lined (hovering between ~4100 and ~5400), constituting a smaller proportion of the network over time.

Figure 8 : Idena Network History42

From June 2021 to May 2022, solo accounts shrunk from 62% to 27% of the network. Large pools (> 15 accounts) had the reverse trend, ballooning from 22% to 61% of network accounts. Family pools (<15 accounts) hovered consistently between ~12% to 15% of network accounts.

Figure 9: Idena Network Breakdown (post-delegation)

Given one-account, one-reward, as large pools ballooned into a larger share of the accounts, they also ate a larger share of rewards from the fixed rewards economic pie, thereby squeezing rewards from solo accounts, which had now become a minority. And because large pools consistently ran their nodes to earn mining rewards, they earned proportionally greater rewards than solo accounts. By mid-May 2022 (May 7), solo accounts constituted 27% of the network accounts but captured 18% of rewards, while large pools (>15 accounts) constituted 61% of network accounts and captured 70% of rewards.

Figure 10: Idena Rewards Breakdown (post-delegation)

As single-node pools bloomed to constitute a larger proportion of the network, nodes as a percentage of the network in turn precipitously dropped, leading to a loss in throughput and security (See Fig. 11).43 In the early days of delegation (June 2021), there were 395 pools and nodes constituted 40% of the network. Roughly a year later, by mid-April 2022, when the network peaked at 15,778 accounts and pools climbed to 554, nodes dropped to just 9% of the network. Unless solo accounts with their own nodes captured a larger share of the network, nodes as a percentage of the network would continue to decline.

Figure 11: Idena Pool & Nodes History (post-delegation)

Given one-node, one-vote, although nodes as a percentage of the network declined precipitously, the voting power of solo accounts increased. By May 2022, large pools (>15 accounts) constituted a majority of accounts (~61%), but only controlled a minority (~2.4%) of votes. Meanwhile, solo accounts were a minority (~27%) of the network accounts, but controlled a supermajority (~89%) of votes.

B. 3rd Party Key Access in Top Pools

The purpose of delegation was to make coordinated pools visible and enable operators to handle operational hassles for participants (e.g., running a node) without needing to know their private keys. But oddly, large pools continued to show signs of 3rd party key access.44 A tell-tale sign was the unlikely coincidence of simultaneous or sequential transactions from different accounts in the same pool (e.g., “account delegations” or “account terminations”). Funneling transactions were also corroborative:

  • pool operators withholding (rather than distributing) transferable rewards, often then funneling them to an exchange or a hive wallet

  • delegated accounts funneling all transferable rewards earned before delegation to the pool operator, before the pool operator provided any service

  • delegated accounts funneling all identity stake after the account was terminated to the pool operator45

Looking at these factors, we examined all 31 “top pools” that had ever been delegated more than 100 accounts in the protocol’s history, including pools that had been delegated more than 100 accounts after May 2022. All top 31 pools exhibited all signs of 3rd party key access—both simultaneous/sequential transactions along with funneling—with minor exceptions. One pool showed funds flowing back to some accounts, which suggested the operator might be a service provider. But upon closer examination, this pool belonged to an Egyptian pool operator, with photographic evidence of child puppets (see Fig 7. & Appendix B).46 Another pool appeared to have accounts that didn’t funnel rewards earned before delegation, but showed all other signs. This pool was later revealed to be part of a larger network of puppeteering pools making inter-pool transfers in a complex web of transactions (see Appendix B).

C. An Emergent Puppeteering Oligopoly in Top Pools

All top 31 pools showed evidence of 3rd party key access, raising another question: were these pools distinct and independent, or did they share the same operator? The Russian operator who first admitted to running a human pool in 2020, for example, revealed controlling multiple pools in 2021(see Appendix B). Cursory chain-analysis showed financial transfers between pools, confirming a shared operator. Extending the analysis to the remaining pools, if pools with financial ties were treated as the same entity (or subnetwork), the 31 top pools were in fact 23 entities. Moreover, by May 2022 almost half of all accounts in the top 31 pools were distributed to just 3 entities, or sub-networks: 24% belonged to the Russian enterprise (yellow), 10% to an Indonesian entity (blue), and 13% to an entity with unknown social origins (red) (see Appendix B). There was an emergent oligopoly of 3 entities among the top 31 pools.

Figure 12: History of top pools accounting for ties among top pools (>100 accounts) & May 2022 Snapshot

Zooming out to the broader network, since all 23 entities (and their constituent 31 pools) had strong evidence of 3rd party key access, and 3rd party key access confers pool operators totalistic control over accounts, we could reasonably infer that by May 2022, 23 entities constituting less than 0.6% of the network’s distinct entities controlled at least ~40% of accounts and the distribution of almost half (~48%) the network rewards, and 3 entities (or sub-networks) controlled ~19% accounts and ~24% rewards.

Figure 13: Idena Network May 2022 Snapshot

D. From 3rd Party Key Access to Puppeteering

Philosophically, a “puppet” connotes a participant who lacks information and control to be considered a meaningful participant acting with knowledge and consent. In the context of a blockchain protocol, secret (or “private”) keys are the locus of account control, logically implying two kinds of puppeteering:

  • Strong Puppets: “low-information” participants who are unaware of their account’s secret keys, which are controlled exclusively by a 3rd party (exclusive 3rd party control)

  • Semi-strong Puppets: “low-information” participants who “know” their secret keys but are unaware of their significance and share access with a 3rd party (non-exclusive 3rd party control)47

To some—particularly those who subscribe to “not your keys, not your coins”—3rd party key access is prima facie evidence (or a sufficient condition) of a “low-information” participant, or puppet.48 Under this logic, 3rd party key access confers totalistic control to an operator who can in turn loot wallets with impunity—a risk only a “low-information” participant either wouldn’t know about or unwittingly assume (especially after participants could delegate operational hassles to an operator without ceding their private keys). Given the strong evidence of 3rd party key access in the top 31 pools, the conclusion is that their delegated accounts—at least ~40% of Idena’s network—were puppeteered, where “low-information” participants were unaware of their account’s private keys (“strong puppets”), or knew their private keys but were unaware of their significance (“semi-strong puppets”).

From another perspective, however, 3rd party key access doesn’t sufficiently imply puppeteering and could be a voluntary choice by a “high-information” participant. Although delegation eliminates operational hassles for participants without an operator needing to know their private keys, the hassle of managing private keys remains, akin to managing a password without reset or recovery options.49 Under this view, Idena is one system, embedded among others, where participants have varying opportunity costs of time and attention. 3rd party key access could be a voluntary “custody-as-a-service” choice by a “high-information” participant, presuming they could hold operators accountable off-chain, either informally (social pressure, reputation) or formally with legal recourse. With robust accountability, the relationship implied by 3rd party key access is not puppeteering per se, but could also be a principal-agent relationship where optimistically, agents disclose relevant information to their principals and have sufficient feedback to represent their principals’ interests, for a fee.

Figure 14: Simplified Representation of a “Agency” in a Single Game 50

But delegation has risks, particularly when the incentives between principals and agents are misaligned.51

Without accountability mechanisms to surface relevant information from both parties for continued alignment and ensure the agent prioritizes the principal’s interests above their own, a principal-agent relationship (yellow zone) risks devolving to puppeteering (red zone), where “high-information” principals become “low-information” puppets.52 From this standpoint, the combination of 3rd party key access and lack of accountability constitute sufficient conditions for puppeteering.53 Specifically, an absence of accountability explains why a participant becomes a “low-information” participant:

  • Strong Puppets: “low-information” participants who are unaware of their account’s secret keys, which are exclusively controlled by an unaccountable 3rd party.

  • Semi-strong Puppets: “low-information” participants who know their account’s secret keys but are unaware of their significance and share access with an unaccountable 3rd party.

Assuming this stricter definition, we argue that at least ~40% of Idena’s network was puppeteered (strong or semi-strong) given the evidence of 3rd party key access paired with an unlikely silence from participants: an improbable lack of marketing and disputes that otherwise would accompany off-chain accountable custody relationships where agents have been conferred totalistic control over principals’ accounts. Given the breadth of accounts with 3rd party key access—at least 40% of the network accounts—at least a few complaints of broken bargains would be expected (for example, by participants who voluntarily entered into custody relationships, but were never adequately remunerated off-chain by the operator).54 Yet, formally, there was no evidence of legal disputes nor marketing around key custody services. Notably, the jurisdictions of known large pools—Russia, Indonesia, Egypt—combined cheap labor with poor rule of law, making legal recourse a challenge.55 Informally, and to our knowledge, the community forums also lacked complaints from participants seeking recourse from pool operators. To the contrary, pool operators were vociferous in how to grow pools or retrieve “stolen” funds from participants (or possibly managers) who had exited with “their” funds.56 If there were informal accountability mechanisms, they would more likely be present in smaller family-sized pools (<15 accounts) with strong social ties and less likely with larger pools (>100 accounts) with weak social ties.57 Yet, as new accounts ballooned, solo accounts and family pools flat-lined, while new accounts quickly delegated to large pools—a signal of paid recruits. By May 2022, only ~12% of accounts were in family pools, while ~40% of the network’s accounts were in large pools (>100 accounts).

The admissions of the largest pool operators also corroborated puppeteering. Two from Russia and Indonesia—controlling ~14% of the network accounts by May 2022—openly confirmed they paid participants to perform validation ceremonies (see Appendix B). Finally, the 3 largest networks (Russian, Indonesia, and unknown) constituting ~19% of the network by May 2022 had meteoric rises and subsequent falls (see Appendix B), consistent with the hypothesis that they were paid enterprises sensitive to unit economics (strong puppeteering), or vulnerable to participants “waking up” and exiting their accounts (semi-strong puppeteering).

Combined, the fact pattern around the top 31 pools, where 3rd party key access conferred operators totalistic control over ~40% of the network accounts, was more consistent with puppeteering than an accountable off-chain custody relationship:

  • Silence: absence of advertising around accountable key custody services, formal legal disputes, and informal customer complaints on the community forum.58

  • Rule of law: the known jurisdictions of 3 large pools were weak in rule-of-law (Russia, Egypt, Indonesia).

  • Pool size and growth: solo accounts and family pools with strong social ties flat-lining, while large pools (> 100 accounts) with weak social ties blooming.

  • Communication: conversations with the top “human pool” operators controlling ~14% of accounts confirming they pay participants to perform validation ceremonies, including photographs of child participants (see Figs. 3-5, Fig. 7, Appendix B).

  • Meteoric rise and fall: the top 3 networks (Indonesian, Russian, and an unknown network) controlling ~19% of the network accounts having meteoric rise and falls (see Appendix B).

Our analysis of 3rd party key access in May 2022 was limited to the top 31 pools with more than 100 accounts. We ignore 411 family pools (<15 accounts) and 84 large pools (15<n<100 accounts)—roughly 30% of the network’s accounts. But there is reason to suspect that many (if not most) of the 84 large pools—delegated 21.5% accounts—were also puppeteered. Confirmed puppeteering pools show low average transferable wallet balances relative to family pools, consistent with puppeteers cashing out regularly.59 The unanalyzed 84 pools also show this skew in low average wallet balances. Moreover, identity stake—which was locked and accrued at an automatic rate of 20% rewards per epoch—illustrated a distribution of what transferable wallet balances would look like if puppeteers could not cash out, with average stakes being within the same order of magnitude.60

Figure 15: Idena Network Snapshot of Pools on May 7, 2022

We welcome readers skilled in chain analysis to continue this research effort and confirm 3rd-party key access for these unconfirmed 84 large pools. In addition, we welcome further chain-analysis examining the pool funnel to and from solo accounts, pool shopping, pool churn and lifespan (see Appendix B).

E. Panic and Threat of Collapse

The intended model of one-person, one-vote, one-reward had not simply collapsed to one-pool, one-vote, n-accounts rewards for ~73% of the network, but for at least 40% of the network, it was one-puppeteering enterprise, one-vote, n-puppet-account rewards. And yet our analysis was cursory, excluding 84 large pools (100>n>15 accounts ) and 411 family pools (<15 accounts)—in total 94.6% of pools. The statistics could only get worse, not better.

As human farms proliferated and captured a larger share of the rewards, large pool operators (puppeteers) were also selling these rewards immediately, increasing the selling pressure of the community IDNA token. At a low enough price, pools would become unprofitable to operate. For the time being, however, pools were growing, despite the dropping price. Presuming participants were being paid, the account rewards earned per epoch fluctuated between roughly $14 and $2, which was enough to pay market rates in Russia or Indonesia.

Figure 16: Approximate Epoch Rewards earned per Account in USDT

But unchecked, the trajectory of human farms and large pools risked collapsing the protocol. Morally, solo accounts who joined because of the protocol’s egalitarian ambitions were wary of staying in a network captured by puppeteers who extracted disproportionate rewards; less than 0.6% entities controlled the distribution of almost half the network’s rewards. Economically, puppeteers were not just capturing a larger piece of the economic pie in every epoch, they were also shrinking the economic pie because they aggressively cashed out their rewards (compared to family pools and solo accounts). If the trend continued, solo accounts would continue to drop in absolute and proportional terms, and the number of independent nodes—already at 10% of the network—would shrink more, undermining security. With fewer unique participants in the network, the greater risk of 51% attacks, through collusion among pools or strategic un-delegation, where a pool un-delegates accounts to individual nodes to increase their voting power.61 Even if the rapidly shrinking minority of solo accounts hard-forked out attackers in strategic un-delegation and formed a new chain, malicious actors could re-join the new fork to repeat the attack. Without modification, the protocol would collapse.

Figure 17: Community discussions on Idena discord server (May 2022)

Yet, when it came to voting protocol changes, one-node, one-vote offered an important advantage: accounts in large pools were treated as the same entity with discounted influence. So although solo accounts were only ~27% of the network accounts on May 7, 2022, they controlled ~89% of the voting power, offsetting the otherwise puppeteering and plutocratic majority. In another essay, we unpack how discounted influence enabled solo accounts to pivot the Idena protocol towards a novel experiment in sublinear identity staking that shifted incentives away from puppeteering, while introducing a different set of challenges.

V. Discussion

A. A Failure in Egalitarianism (one-person, one-reward, one-vote)

Human identity is as diverse and dynamic as the unique combination of associations that individuate a person. Yet, Proof of Personhood is reductive, compressing identity into a standardized binary (“verified” or “not verified”) and overlooking the social and economic ties from talking and trading that differentiate people. When power is at stake—money, votes—such global identity systems with uniform rules for qualifying as “human” pave the way for those who already have power—those with resources, knowledge, or status—to find loopholes, align interests, and collude to exploit the system’s simplicity to their advantage. Idena offers a cautionary tale. Despite technically proving biological uniqueness, the protocol’s initial experiment with Proof of Personhood had a range of unintended social consequences that departed from egalitarian aspirations of one-person, one-vote, one-reward, fracturing instead into groups and subnetworks—some cooperative, most puppeteered—competing over an economic pie to the detriment of solo accounts. Notably, a few dozen enterprises rapidly rose to the top, controlling at least ~40% of the network’s accounts and the distribution of almost half (~48%) the network rewards. Just 3 controlled ~19% accounts and ~24% rewards. An off-chain oligopolistic system subsumed an on-chain egalitarian system, giving rise to a shadow power structure that operated opaquely and silently. On-chain, asocial personhood collapsed into off-chain social arrangements that obfuscated power at best, or reinforced it at worst.

Proof of Personhood protocols such as Worldcoin62 and Proof of Humanity63 have also been riddled with exploits, underscoring that Proof of Personhood’s challenges are not accidental, but systemic. Notably, Worldcoin WorldID has had to grapple with allegations of account trading—one-time sales of private keys which allow buyers to control accounts and accrue UBI rewards.64 While a one-time account sale is different from an ongoing relationship of puppeteering, it does not imply immunity to puppeteering. To the contrary, in Idena, puppeteering came after protective mechanisms that stymied account trading, not before; these mechanisms included identity staking, identity slashing, periodic re-validation (or re-authentication),65 and simple account revocation and re-registration.66 After successfully discouraging account trading, the next best strategy to game disproportionate rewards in Idena became buying cheap labor (participants’ time and attention) to control accounts. Thus, illicit account trading in protocols should not be treated as evidence of advanced mechanisms or protections; to the contrary, illicit trading may signal a lack of them and be a precursor to puppeteering.67 Given global economic disparities, the rewards need not be significant to incent strategic behavior: just $2 for 30 minutes of work every few weeks, as the Idena experiment proved. Even charitably assuming operators paid participants, they could extract up to the delta between labor market price and the account’s epoch rewards, which in at least two confirmed locations (Russia and Indonesia) ranged anywhere between 2x to 55x of a participant’s market wages, depending on the fluctuating value of the IDNA token. Worldcoin WorldID’s ambition for an AI-funded UBI anticipates significantly greater rewards (and greater deltas) to motivate off-chain strategic behavior, whether account trading or puppeteering.

B. Democratic Governance in a Network

Idena offers a cautionary tale about naive attempts at democratic governance with one-person, one-vote. A condition of democracy is that participants can express their will and intent without coercion.68 In Idena, some participants preferred joining a pool, and delegating voting and partial economic control. But many gave up totalistic control—ceding their private keys—without understanding the significance of their participation, or that they could express an intent. In the optimistic case, participants traded their time for a paycheck. Yet, this trade became akin to vote-buying, where the well-resourced could buy more time and therefore more votes, transforming a system that was intended to be one-person, one-vote into one-token, one-vote where plutocrats and puppeteers gain outsized influence. Were it not for Idena’s pivot to delegation which discounted the voting power of pools—one-pool, one-vote—plutocrats and puppeteers would have continued to wield outsized influence, where outcomes disproportionately reflected their interests, not the underlying participants, undermining legitimacy, compromising protocol security and consensus, and eventually risking protocol collapse.

Idena was a small experiment in Proof of Personhood, peaking at 15,778 participants. Protocols like Worldcoin have onboarded more than 3,000,000 participants,69 with a greater ambition to serve as an identity substrate for global democratic processes, including governance over AI and a distribution channel for AI-funded UBI.70 Worldcoin’s network effect arises from verifying unique individuals; with every new participant, the greater likelihood Worldcoin emerges as the frontrunner platform for global AI governance and UBI “windfall”71 distribution, if materialized.72 However, this network effect also undermines democratic ambitions, particularly when one-person, one-vote partially corrupts to one-token, one-vote through account trading or puppeteering. Because the incentive to join the network increases super-linearly as the network grows, new participants may lack alternatives but to join a partially corrupted network in order to have any influence over governance or to earn UBI. As non-participation becomes synonymous with socio-economic exclusion, participation risks becoming quasi-mandatory. Thus, new participants might find themselves ensnared in a dilemma: entering a system not out of genuine belief in the system’s legitimacy but to counterbalance coordinated, plutocratic factions that will otherwise dominate them. From an atomic perspective, individual participation may appear consensual,73 but from a broader, network perspective, participation is more compelled as the network grows—the paradox of a “free but forced” Hobson’s choice.74

In a winner-take-all race for global UBI and voting infrastructure, network effects mean that a one-person, one-vote network that corrupts to one-token, one-vote nonetheless has staying power. The dilemma in network legitimacy from partial corruption prompts us to consider broader democratic principles beyond one-person, one-vote. Wary of majoritarianism and faction, James Madison advocated for a bundle of mechanisms: separation of powers, checks and balances, federalism, bicameralism, and representation—to name a few. Combined, these checks would temper the tyrannous majorities and factions that might otherwise capture power to advance their narrow interest—or biases, transforming public goods into private goods.75 The problem is Proof of Personhood only seeks to differentiate humans from bots, not their biases. And as Idena demonstrated, when given incentives to differentiate themselves from bots, humans also have incentives to align, control and puppeteer other humans like bots to amplify their biases. As humans further integrate with information technology—even biologically with neural interfaces—the distinction between filtering humans from bots (de jure sybil-resistance) and filtering humans acting like programmable bots (de facto sybil-resistance) will blur more, if not collapse, revealing a more foundational challenge than establishing biological uniqueness: establishing the informational uniqueness of participants—or the extent to which they cluster with the same interests and biases. This is the old problem of faction under new computational guises, but no longer constrained by geography—as in Madison’s days—but instead limited only by the breadth and depth of a digital interface.

However, just as one-person, one-vote misses the essence of democratic governance—checking faction—similarly it would be a mistake to naively transpose systems of representation, separation of powers, and checks and balances to a global protocol. Before the 21st century’s digital age, democratic governance could rely on geography to roughly correlate with biases, or informational clusters.76 Thus, systems of representation roughly surfaced diverse interests that could be reconciled and bridged across multiple perspectives (e.g., U.S. Congress) and checked by other branches to yield policies in the “the public good.” But in the digital landscape, communication networks cut across geography, clustering biases and correlating beliefs and desires in unpredictable ways (e.g., attention auctions).77 Participants immersed in correlated information channels are prone to aligning around the same biases, forming opaque and tacit majorities among otherwise geographically diverse participants—structurally similar to the problem of tacit monopolies in markets among otherwise seemingly diverse firms.78 The challenge in democratic governance is to find new, computational ways to surface overlapping and recombining informational (or bias) clusters consensually without succumbing to a surveillance panopticon and before transposing analog systems of representation. In future work, we argue social identity systems rich in subsidiarity (e.g., federalism)—both physical and digital—are key to surfacing bona fide commitments and bias, challenging the utility of global identity protocols for democratic governance.

C. From Sybil-Resistance to Collusion-Resistance

“Proof of Personhood” seeks to offer a more egalitarian alternative to Proof of Work and Proof of Stake, where influence does not confer to participants who already have it by virtue of their wealth. This ambition has motivated sybil-resistance, where each unique human “controls” a corresponding unique account 1:1, and each account becomes a vehicle for distributing money (UBI) or votes. Yet, if an unintended consequence is humans being controlled by groups coordinating for more power and influence, sybil-resistance is under-specified.79 The optics of a participant controlling their account on-chain account—for example through re-validation or re-authentication—ignores the substance of control: the sources of information that influence a participant to make a decision off-chain to, for example, cede their private keys in exchange for a paycheck, or delegate control to a 3rd party who makes choices to their detriment. A lesson from Idena’s experiment with Proof of Personhood is that whenever power is at stake—money or votes—myopically differentiating humans from bots (de jure sybil resistance) is to the detriment of overlooking the broader informational problem: differentiating humans acting like programmable bots (de facto sybil resistance). Just as information and control are two sides of the same coin, so are de facto and de jure sybil resistance.80

Yet, de facto sybils (“programmed puppets”) is not a technical problem, but a social one. Human motivation is not de novo. Instead, beliefs and desires vary in correlation with whom we communicate information through a range of interactions from talking and trading—in short, our social ties.81 De facto sybils (“puppets”) are merely correlated in beliefs and desires to a socially tied 3rd party (“puppeteer”) who wields a corresponding information and control (or power) advantage over them, because they control more (e.g., channels, resources, status), have more information, or some combination of the two.82 Members of a puppeteering enterprise (“colluders”), on the other hand, are correlated with each other in beliefs and desires, wielding an information/control advantage over others. Thus, de facto sybils (puppets) are the natural objects of “colluders” (puppeteers), in the same way principals are the objects of agents. By extension, de facto sybil resistance is a mutually-implicated (or mirror) challenge to “collusion-resistance:” neither can be solved independently but both must be tackled simultaneously.

Paradoxically, while social groups are the root of “collusion” (and de facto sybils) they also are the remedy. A naive conclusion would be to stomp out “collusion” and remove all asymmetries to make participants informationally the same, only to end in the worst power asymmetry: surveillance. Rather than control the causes of collusion, a better approach is to check its effects, or excesses.83 Specifically, if the excesses are capture, then a remedy starts with checking groups from over-influencing (or “programming”)—often innocently, accidentally and weakly—other participants to the detriment of capturing public goods for their narrow interests.84 One way is to consensually expand social ties, broadening the set of conversations and by extension beliefs and desires which may motivate a participant. Another is to reconcile diverse, informationally unique perspectives to find broader, shared public goods. In this way, the goal of collusion-resistance (and its mirror problem of de facto sybil resistance) dovetails with the goal of democratic governance: checking faction.

How do we temper collusion and awaken de facto sybils without global surveillance and gaming? For now, we leave readers with a sketch of “plural attention mechanisms” and explore their tools and conditions (e.g., subsidiarity, privacy as contextual integrity, social identity) in future work. One mechanism already emphasized is consensus across difference, which elevates agreed proposals by participants (or informational clusters) who otherwise generally disagree—a signal that a proposal is more likely to be bridged across divergent interests, and therefore in the broader public good. Another is peer prediction, which surfaces expertise and elevates truth. Combined, both mechanisms enable participants to direct their attention to ideas and policies grounded in truth, with broad-based support and eschew narrow policies biased towards special interests (mitigating “collusion”).85 At the same time, these mechanisms encourage puppets to “awaken” with novel information. Because proposals endorsed by adversarial groups receive more attention and ascend to prominence, participants have an incentive to bridge social distance, or “cross long bridges,” to find new points of consensus among groups with whom they might typically disagree.86 Such atypical conversations yield novel information which, in turn, fosters social recombination, the formation of new groups and solidarities, and ultimately increases the cost of influencing a participant (mitigating de facto sybils).87 Thus, bridging (or anti-correlation) mechanisms that check faction coupled with peer prediction that elevate truth interweave solidarities across distance. Conversational webs thicken in a virtuous cycle of social recombination and deepening informational diversification.88 Instead of reinforcing old divisions, power is ceaselessly cut across new lines, revealing and reconciling adversarial interests, reconfiguring old asymmetries, carving new cleavages, and incrementally building more adaptive, cooperative networks resistant to collapse.89

D. Dark DAOs & Voting Security

Pools—whether cooperative or puppeteered—were an instance of off-chain coordination easily detected through chain-analysis and then later through economic incentives for delegation. However, in the future, coordination could also go undetected, or “dark;”90 for example, in a trusted execution environment, a participant running their own node could auction off their vote and prove to a 3rd party (briber or coercer) they have voted in a certain way without knowing how they were deputized to vote.91 This has spurred innovation towards ex-post measures, such as “receipt-freeness,” which thwart a participant from proving to a 3rd party that they voted a certain way, even if they want to. Similarly, and more recently, it has motivated ex-ante measures, such as Proofs of Complete Knowledge92 that rule out partial or whole key encumbrances before a vote occurs; the rationale is that if a participant can furnish a proof that they can use their private key in whatever way they want, by extension, they cannot furnish a proof of encumbrance to a 3rd party, thereby undermining their ability to credibly sell their voting right (or vote in a certain way without knowledge).93

While salutary advancements in voting security, Idena’s experiment also highlights limitations to exclusively on-chain, technical approaches. Specifically, a Proof of Complete Knowledge may establish that someone has direct access to a private key, but doesn’t guarantee that the intended or designated participant does. Notably, at least ~40% of Idena’s network accounts had evidence of 3rd party key access by pool operators, where the most plausible explanation was puppeteering:

  • Some operators controlled keys wholly from the outset at the registration phase, masking the existence of private keys and reimbursing participant’s for their time in periodically performing validation ceremonies (strong puppeteering).

  • Other participants “knew” their key material, but did not understand their significance and unwittingly rented them (and their vote) in exchange for a paycheck from operators (semi-strong puppeteering).

Thwarting on-chain vote-buying doesn’t solve for off-chain vote-buying into “meatspace,” and may encourage it as a low-cost alternative. Idena undermined account trading (buying and selling accounts) with identity staking—a mechanism similar to voting deposits in MACI.94 The next best alternative for off-chain vote-buying became puppeteering (buying participant time). Both cases—account trading and puppeteering—present a security conundrum: participants may sell, rent, or unwittingly share their unencumbered keys off-chain with 3rd parties, thereby undermining measures to keep keys unencumbered on-chain. In future work, we explore how the social layer (off-chain social encumbrances) may be harnessed to reinforce (rather than undermine) on-chain security and define the scope of legitimate encumbrances.

VI. Conclusion

In the wake of advancing frontier models, experiments in Proof of Personhood to achieve one-person, one-vote, one-reward have focused on biological uniqueness to the detriment of overlooking the underlying social reality that people talk and trade. Even if biologically verified, people are not informationally the same. As Idena’s experiment showed, when presented with economic incentives to differentiate themselves from bots, people also have incentives to align and control the less informed like programmable bots. Groups quickly coalesce and coordinate to their advantage for more control and economic rewards, undermining the egalitarian goals with a trendline towards oligopoly.

Yet, quashing social coordination to make one-person, one-vote, one-reward “work” would be a greater folly, ending in greater harm. Both “cooperative” and “puppeteered” groups emerged in Idena’s experiment to take advantage of economies of scale. But the difference was not of kind but degree, depending on who captured the benefit of the bargain: the principal or agent, the puppet or puppeteer. Given this spectrum and the complexity of social reality (people delegate control and groups mix, recombine, nest, and dissolve), quashing “bad” puppeteering to keep the “good” kind of cooperation would be naively fraught. Enforcement would require either total surveillance to decide what is “good” or “bad” communication, or simply manipulating communication until all participants are informationally the same, leaving no differences to coordinate around. Both correctives conjure failed experiments in 20th century communism, where the dogged pursuit of equality and “perfect enforcement” progressively centralized power until social and economic collapse. Rather than ignore social ties (and succumb to oligopoly), or try to control or eliminate them (and succumb to totalitarian uniformity), a better approach is to presume them as a starting point.

Within the pursuit of egalitarianism, the choice is two-fold: level the playing field, or expand it. Experiments in Proof of Personhood that compress identity to one global game opt for the former, seeking to brute force one-person, one-vote, one-reward. A better alternative is to expand into a plurality of identity games as broad, deep, and infinite as the combinatorial possibilities of human association that arise from talking and trading—the sources of our informational differences. When identity is expressed as a dynamic constellation of memberships to groups, participants reveal different, partial aspects of their identity in communication, depending on how many dimensions they are associated. No two participants share the same perspective and a participant’s identity does not neatly reduce to being a “puppet” or a “colluder;” participants can be both, neither, and either, depending on the partial perspective of the observer. Similarly, nested groups (individuals within groups, groups within pools, pools within megapools, and protocols within other systems), invites a more networked conception of “cooperation,” “consent,” “corruption,” “collusion” and “coercion”—depending on the differentials in information and control (or power) of underlying groups across different systems. With many identity games—instead of just one—even if all groups succumb internally to oligopoly, groups may overlap, intersect, and recombine, canceling power out. Thus, whereas a single identity game has inevitable economies of scale towards one global oligopoly, a plurality of games open the possibility space for a normal (Gaussian) distribution of power, achieved through diversity, not brute-forced equality.

Appendix A

Methodology

This study triangulates information from a variety of sources: blockchain transactions, community conversations on Discord and Telegram, and the protocol’s website. For blockchain transactions, we sourced data collected by Idena's open-source indexer95 which provides transaction data in human-readable format, subsequently storing it in an SQL database, accessible via an open API96 and also available through Idena's blockchain explorer.97 Pools were discussed on community Telegram and Discord channels and conversations with several pool operators occurred through private Telegram messages with the Idena Team.98

This study has two phases: pre-delegation starting August 2019, and post-delegation, from March 2021 to May 2022. Pre-delegation, Idena’s indexer database is limited to account data (e.g., transactions, wallet balance, identity stake, identity status, age, issued invitations, generated flip tests, earned validation and mining rewards).99 We did not conduct formal chain-analysis examining transfers between all accounts to gauge the extent of pools. Instead, our window into pools was limited to anecdotal community and private conversations on Telegram and Discord, corroborated by patterns of one-way transactions on Idena's Blockchain Explorer.

Post-delegation, accounts could group under one pool account to piggyback on their node, making pools, their size, and members visible on-chain. To examine 3rd party key access (i.e. shared private keys) of accounts within pools, we formulated a criterion (elaborated in Appendix B) and manually examined 31 pools that had grown to more than 100 accounts at any point in the protocol’s history using the Idena Block Explorer. As a second step, we also examined ties between these pools by way of financial transfers. We did not systematically query all addresses or keywords in community channels, nor conduct systemic chain analysis of all pools with less than 100 accounts. We welcome readers skilled in chain analysis to continue this research effort and offer suggestions below in Appendix B.

Appendix B

Pool Analysis

Examining the 31 top pools alone (without acknowledging financial ties), accounts appeared evenly distributed, with the exception of 4 pools which held ~34% of top-31 pooled accounts.

Figure B.1 History of top pools (>100 accounts) & May 2022 snapshot showing the distribution of accounts across these top pools

Acknowledging collusive ties among the top 31 pools, the chart dramatically shifts. The below chart compares the top 31 pools to the 23 distinct entities with an extended timeline, from protocol launch to August 2023.

Figure B.2 History of Idena Pools from Launch to August 2023

The 31 pools below were analyzed. The top 3 puppeteering networks (evidenced by transfers) were Russian (yellow), Indonesian (blue), and a network of unknown social origins (red).

The most important sign of puppeteering was 3rd party key control, evidenced by the unlikely coincidence of simultaneous or sequential account transactions in the same pool, including “account delegations” to the same pool or “account terminations” from the same pool. All pools showed this transaction pattern. The other tell-tale signs of 3rd party key control were transactions patterns funneling rewards to pool operators, including:

  • a pool operator receiving all identity stake after the account was terminated (by the account through a “terminate identity” transaction) or by the delegator (through “kill delegator” transaction). All pools showed signs of this.

  • pooled accounts sending all transferable rewards earned as a solo account before delegation to the pool operator (presumably when the pool operator was not providing any value or service). All pools showed this, except for pool 31 (“Egyptian Pharaoh”), which had a mix of accounts and pool 9, which showed aspects of this but was part of a large complex network and composed of many accounts, meriting professional chainanalysis.

  • a pool-operator withholding transferable rewards, rather than distributing them back to member wallets, and eventually sending them to a hive wallet, or an exchange. All pools showed this, except for pool 31 (“Egyptian Pharaoh”) and pool 9, where accounts sometimes received rewards only to send them back to the operator or to another account part of a complex network, meriting further chainanalysis.

Russian Pool (yellow)

The largest Puppeteer was a Russian operator, controlling 5 pools. This operator was the most vocal, engaging in discussion with the Idena Team as well as the community on Telegram (see Figs. 3-5 & Fig. 7). Before delegation, the operator revealed themselves to be running the first “human pool.” After delegation, the operator revealed their pools’ wallet address prefixes (“0xdddd”) in the community discord. Two pools simultaneously emerged with ~250 accounts at the start of delegation in May 2021, peaking to over 500 accounts each in May 2022. The pooled operator generally sent funds to exchange100 and a treasury wallet,101 though contributing some identity stake to a handful of accounts.

Figure B.3 Message from a Russian puppeteer in Community Discord (May 2021)

Indonesian Pool (blue)

Another pool (color blue) emerged in January 2022, having a meteoric rise and collapse with over 1400 accounts within a year, consistent with the claims of the Indonesian operator who claimed to pay “workers.”102 This pool also did not distribute back to member accounts but transferred funds to an exchange.103 This pool died after IIP-6&7, terminating by sending their identity stake and transferable wallet balances to an exchange wallet.

Figure B.4 Message from Indonesian operator to Idena Telegram Administrator when the community was debating quadratic staking (Nov 2022)

Unknown Network (red)

A third network of 5 pools emerged gradually at the start of delegation, peaking to 1280 accounts in June 2022. Whereas other networks had telegram chats, the origins and social ties of these pools were unknown. In addition to signs of puppeteering, the rapid addition of over 500 accounts in May 2022 (epoch 86) was also suggestive. This network requires deeper chain-analysis, to flesh out the flow of funds between pools and possible ties to other pools, including pools with less than 100 accounts. This network eventually died after IIP-5 (experiment in sublinear identity staking).

Egyptian Pool

While this was not a top pool, we discuss it given the photos of child puppeteering (see Figure 7). The maximum number of accounts for this pool was 100 in April 2022, and the pool oddly showed signs of both puppeteering and consensual participation. On the one hand, there were batched delegations (e.g., Feb 2022), suggesting control over private keys. At other times, delegations were at different times, suggesting lack of control. Moreover, at times there were outgoing transactions of the same amount (Feb 2022), suggesting a return of mining rewards to accounts. Yet at other times (e.g., March 2022), different amounts were sent to different wallets, suggesting puppeteering as mining rewards were issued on a per account basis and should have been equally distributed. This pool merits further analysis.104

Figure B.5 Message from Egyptian Pool operator in Community Discord (2023)

Future pool analysis

In this paper, we offer a surface overview of the largest pools. There are many open questions on pool dynamics that would require deeper chain analysis, including:

  • Pool funnel (how often solo accounts became member pool accounts) & reverse-migration (how often pooled accounts became solo accounts)

  • Pool shopping (how often solo accounts “pool shopped,” jumping between pools)

  • Pool churn & lifespan (how frequent pools dissolved into solo accounts, or recombined into new pools)

  • Termination rates as a result of pool operators v. validation ceremony failures

  • Fund travel (the proportion of funds that left pools for exchanges, cold storage, new accounts, revived accounts, old pools and new pools)

  • Seizure risk (how often identity stake was seized by pool operators)

  • Nested networks of pools and cooperation with other pools (deep chainanalysis)

But chainanalysis also has its limits. It is costly in time and money, so protocols are not easily auditable by participants. And it reveals only the changing distributions of rewards and stake across accounts and pools, without revealing substantive off-chain economic arrangements and the kind of participants (puppets, agents, families, friends, puppeteers, companies) behind accounts. Puppeteers, for example, could control and operate a pool of undelegated solo accounts that appear to be independent, especially if they stand to benefit with more voting power. In future work, we propose identity systems which seek to avert these weaknesses and computational costs without a surveillance god's-eye-view.

Comments
0
comment
No comments here
Why not start the discussion?