
How Gitcoin Passport Protects Testnet Funds: A Case Study with PoWFaucet

Ethereum testnets provide a safe space for developers to test their applications without risking real funds. However, the Goerli testnet has faced challenges with the scarcity of testnet Ether (GoETH) and the presence of malicious bots. To address these issues, the PoWFaucet has implemented innovative measures, including integrating Gitcoin Passport and Scorer API, to protect testnet funds and enhance the legitimacy of users.

This case study explores the challenges faced by the Goerli testnet, the approach taken by PoWFaucet, and the role of Gitcoin Passport in streamlining Sybil protection for a better developer experience.

About Ethereum testnets

Ethereum testnets are alternative versions of the main Ethereum blockchain. They allow developers to test and experiment with new features, smart contracts, and decentralized applications (dApps) without needing real Ether (ETH) or risking funds on the mainnet. Testnets are designed to replicate the behaviour and characteristics of the mainnet but with a smaller user base and lower fees. Testnet tokens stand in for mainnet Ether as a test currency, so you can validate your Ethereum application before going live on the mainnet. Goerli and Sepolia are two testnets that Ethereum developers use to test their applications. Each test network has its own technical specifications, features, and tradeoffs, and selecting the right one can save you time and resources.

Goerli testnet challenges

Sepolia started as a private test network but became available to the public during the Shapella upgrade in March 2023. This meant that Goerli was the only testnet available for testing validator setups. However, when it became the home testnet for the transition to Proof of Stake, it became less accessible to the average smart contract developer looking to obtain Goerli testnet Ether (GoETH). The increasing number of dApp developers has led to a spike in demand, making distribution methods for GoETH less reliable than in the past.

As of October 2022, Goerli had a total supply of 115M GoETH, with 80-90% of the total supply in "circulation" or locked in deposit contracts. Additionally, obtaining GoETH from faucets is a well-documented challenge, as these faucets are often spammed or botted. One major issue is the lack of a "faucet for unlimited funds," which cannot be enabled without a protocol upgrade.

Due to its scarcity, GoETH has been traded over the counter since 2021. Introducing a price on Goerli funds caused massive speculation on GoETH's price. Sepolia's total number of testnet tokens is uncapped, unlike Goerli, which means that developers using Sepolia are less likely to face testnet token scarcity. However, if developers need to test beacon chain validators, node setups, and client versions, or want to try out protocol upgrades before deploying to the main network, Goerli is the closest testnet to the Ethereum mainnet and can also be useful for testing complex smart contract interactions. Note that Goerli will be deprecated in Q1 2023 but will be supported until Q4 2023. Holešky will replace Goerli as a staking, infrastructure and protocol-developer testnet in 2023. For testing decentralized applications, smart contracts, and other EVM functionality, Sepolia is the recommended testnet.

PoWFaucet's approach to protecting testnet funds

PoWFaucet is a proof-of-work secured faucet for EVM-based blockchains created by pk910, with instances for the Goerli and Sepolia testnets. Unfortunately, many faucets for the public ETH testnets have been drained by farmers and bots, leading to a lack of working faucets and a poor developer experience. This faucet aims to solve these problems by providing a reliable way to gather small amounts of funds at all times. To prevent malicious users or bots from draining all available funds, this faucet uses a process based on proof-of-work.

The hashpower is only used as a protection method. Basically, users pay for the mined funds with the processing power they use, which is a limiting factor for everyone. In addition, IP-based restrictions are enforced to prevent mass-mining from single entities. To keep the project going long-term, the faucet restricts the outflow to a specific amount (1k GoETH/day since Oct 2022). To meet that outflow limit, the faucet automatically lowers the rewards for eligible hashes. This ensures that at most 1k GoETH is mined per day on average. Unfortunately, this has led to relatively low mining rewards for users with low-power hardware and has made the faucet difficult to use for everyone. Users are now essentially competing against each other to get their portion of the daily rewards.


A battle against bots using Gitcoin Passport and Scorer API

Gitcoin Passport enables users to showcase the evidence that they are unique and real humans, signalling their trustworthiness to dApps. It provides a method for collecting and presenting data without exposing it or giving up ownership. To integrate identity verification functionality into their apps, developers can use the Gitcoin Scorer API. This API offers a straightforward way to read and score the identities of Gitcoin Passport holders by applying scoring mechanisms to verifiable credentials.

The PoWFaucet's current implementation requests the user's passport during mining session creation. Once a passport is found, the signed stamps are checked and scored, and the Passport score is used to calculate a reward boost factor. This factor is applied to all rewards during the mining session, with the highest factor currently at 6x for a total score greater than 32. However, even lower scores receive an increased reward factor. To prevent abuse, the faucet limits the mineable amount per address (currently set at 3 GoETH every 5 days for each address on Goerli). Using the passport boost score improves the efficiency of this limit, as it incentivizes legitimate users to use their primary address for mining instead of creating random throwaway wallets.
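The interaction between the boost factor and the per-address limit can be sketched as follows. This is an added example, not PoWFaucet's own code: only the 6x factor above a score of 32 and the 3 GoETH per 5 days cap come from the text, while the lower tiers, the names `boostFactor` and `AddressLedger`, and the sample addresses are assumptions.

```javascript
// Added illustration, not PoWFaucet source. From the article: 6x above a score
// of 32, and 3 GoETH per address every 5 days. The lower tiers are assumptions.
const BOOST_TIERS = [[32, 6], [16, 4], [8, 3], [0, 2]]; // [score must exceed, factor]
const CAP_MILLI = 3000;                      // 3 GoETH, in milli-GoETH
const WINDOW_MS = 5 * 24 * 60 * 60 * 1000;   // 5 days

// `score` is assumed to come from server-side verification of the signed stamps,
// never from a value the client reports about itself.
function boostFactor(score) {
  if (!Number.isFinite(score)) return 1;     // no Passport found: base reward only
  for (const [floor, factor] of BOOST_TIERS) {
    if (score > floor) return factor;
  }
  return 1;
}

class AddressLedger {
  constructor() {
    this.payouts = new Map();                // address -> [{ at, amount }]
  }

  // Sum of payouts still inside the rolling window; older entries are dropped.
  minedInWindow(key, now) {
    const recent = (this.payouts.get(key) || []).filter((p) => now - p.at < WINDOW_MS);
    this.payouts.set(key, recent);
    return recent.reduce((sum, p) => sum + p.amount, 0);
  }

  // Credit one session's reward; returns what was actually paid after the cap.
  credit(address, baseMilli, score, now) {
    const key = address.toLowerCase();       // checksum casing must not open a second quota
    const wanted = baseMilli * boostFactor(score);
    const room = Math.max(0, CAP_MILLI - this.minedInWindow(key, now));
    const paid = Math.min(wanted, room);
    if (paid > 0) this.payouts.get(key).push({ at: now, amount: paid });
    return paid;
  }
}

// Constructed scenario: same mining work (100 milli-GoETH base per session).
const ledger = new AddressLedger();
const t0 = 0;
const boosted = ledger.credit("0xAbC0000000000000000000000000000000000001", 100, 35, t0);
const plain = ledger.credit("0x0000000000000000000000000000000000000002", 100, NaN, t0);
console.log({ boosted, plain });
```

For the same work, the address with a verified Passport reaches its cap in fewer sessions, while an unverified address earns only the base reward per session, which is why the boost rewards mining to one primary address rather than spreading work over throwaway wallets.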

"Gitcoin Passport looked very promising as it was usable freely and offered a way to prove a unique identity without leaking a lot of private information," explained pk910. "The additional Sybil protection was never meant to be a strict barrier to mining. The idea was to give users a bonus reward to prove their identity somehow. The Passport score concept fits perfectly into that use case," pk910 added.

The statistics captured over a one-week window show that, on average, users got twice as much as they would have received without a Passport. Approximately 15% of the Goerli faucet funds were awarded to users who validated their identity with their Passport.

Streamlining Sybil protection

Pk910 provided more details on their experience integrating Passport. "I believe that Gitcoin Passport is an excellent way to implement user-friendly Sybil protection that is also easy to implement from a developer's perspective. It is completely open, and you can use a passport score provided by Gitcoin or even create your own scoring/access logic. This way, you can use all these identity providers independently without having to implement the full verification logic for any of them yourself. Additionally, it significantly enhances the user experience, as users can easily use their Passport with multiple services without having to perform various verifications in each app separately."

The faucet limits the rewards to 1k ETH per day for the Goerli instance. Passport-enabled rewards shift some daily amounts from less-legitimate users to more legitimate users. Without the passport, it would be difficult for legitimate users to get a meaningful amount of funds from the faucet as they would be competing against less-legitimate users like farmers and bots with their mining power.

Assigning a monetary value to a resource like GoETH, which is intended to be free, can have serious implications. Instead, we should focus on ways to facilitate the onboarding of new developers, rather than creating more obstacles for them. The initial design of PoWFaucet enables users to pay with used processing power for the mined funds, preventing malicious users or bots from draining all the available funds. The integration with Gitcoin Passport increases the cost of forgery for bad actors and boosts rewards for legitimate users of a scarce resource.

You can easily integrate Gitcoin-grade protection with just a few lines of code, benefiting from years of institutional experience safeguarding the Gitcoin Grants program. For more information, you can access the Passport Documentation or join the Gitcoin Passport Builders Telegram if you’re interested in getting help from the Passport team in integrating Passport into your project or community.
