Replying to Leo Wandersleb

So the other day, nostr:npub1zfs0all2dz43da3gh5ghm53jjaufkqlyvsxydpz73r00hzd2hdaqt3vd2n promised 10k sat zaps to all that boost his job offer:

nostr:nevent1qvzqqqqqqypzqynqlml7569tzmmz30g30hfr99mcnvp7geqvg6z9azx7lwy64wm6qy2hwumn8ghj7un9d3shjtnyv9kh2uewd9hj7qg4waehxw309ahx7um5wghx77r5wghxgetk9uqzqff2cxscqyj5heff285jtsdcan0ec7n87qt8dfmlv2kg2pgmlu0n4glpqp

Understandably the post got swarmed by legit and not so legit accounts and several of my follows did boost.

nostr:npub1vl38mdazffm0u644zj9lqt00lthuqwvnclqdxzvu0y2cvw4s539s3a5l7q even coded a tool to help them find the relevant accounts:

http://bounty-hunter.solajpafistoj.net/

but to this day, only a small selection of users did receive zaps as detected by that tool:

And here are some that did not get zapped:

Of course, nostr is not consistent, so late entrants could always fake the time and claim the bounty. Just be careful to not boost before the OP 🤯.

The tool appears to generate naked hex pub keys, not npubs but I don't see much motivation from nostr:npub1zfs0all2dz43da3gh5ghm53jjaufkqlyvsxydpz73r00hzd2hdaqt3vd2n to resolve these issues.

Is nostr:npub1zfs0all2dz43da3gh5ghm53jjaufkqlyvsxydpz73r00hzd2hdaqt3vd2n scamming us? I don't think so but apparently Sybils got zapped while high profile accounts did not get zapped. I guess fulfilling the promise just went over their head, where they had the honest intention to pay up.

We need better tools and a more robust concept of WoT cause Sybil attacks will only get worse.

I don't personally believe I owe an explanation; as can be seen, I paid out some ~400k sats.

But I will echo the point that NOSTR is not consistent. Even in the screenshot you provided of the tool, I know I paid out people that don't show up as paid.

nostr:npub17nd4yu9anyd3004pumgrtazaacujjxwzj36thtqsxskjy0r5urgqf6950x was paid I'm sure, nostr:npub1wmr34t36fy03m8hvgl96zl3znndyzyaqhwmwdtshwmtkg03fetaqhjg240 surely was paid.

The problem I encountered is I lost track of who was paid and who wasn't. I am even sure I double paid somebody.

Each time I took a break, reloaded the pages, or switched client, I was asking myself who I had paid already. The lists kept reshuffling, accounts came and went from the lists, and in the end I was using my own spreadsheet to track.

Honestly, the truth of it is that I got fed up and did not have the time to do the manual labour required to check whether all accounts were real and not already paid, and to log them in my personal sheet. Clients load too slowly for me, creating a lot of dead time waiting for each user profile to load before I can even begin my checks.

The way I move forward now, is just to accept that it could have been handled better, so for future zapvertisements I will change my approach.

Setting a total sat limit, asking for a reply to the thread, and setting an end date in the OP would be changes I would make next time.

Up to you if you see me as "scamming". I find it a rather large stretch though; I don't know many scammers parting with 400k sats.

Further, most of my DMs to potential candidates seem to have been lost. So after all this, I am left feeling NOSTR could really do with more user experience consistency somehow.


Discussion

Sorry if my post offended you. My closing statements were that I don't think you were scamming us but just were overwhelmed by the lack of tooling and defenses against Sybil attacks.

Your definition of "at least 100 followers" is trivial to fake so scammers could make sure to zap themselves before anybody sees the post by generating 40 accounts with +100 followers, creating the post and the 40 boosts but publishing them late by one hour. Now others see the post, don't bother to count and boost, too - for free, as the 400ksat budget already went to the sock puppets.

You did not do that but what would be a more robust bounty? I think it has to involve follows, not only followers. Limit the campaign to follows of your follows. If an account can't be reached via one hop from your follows list, it doesn't qualify. You could of course follow your own Sybils but very simple heuristics could expose that if more devs would take the follows graph into account. If all the zapped accounts form an island in the follows graph, the scheme gets exposed. Any site supporting this type of campaign could expose this trivially.

Maybe nostr:npub1vl38mdazffm0u644zj9lqt00lthuqwvnclqdxzvu0y2cvw4s539s3a5l7q wants to continue work on his tool 🤔 or at least share the code for others to improve upon?
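The two heuristics proposed in the reply above (only pay boosters reachable within one hop of the OP's follows, and treat a set of paid accounts that nobody outside the set follows as an island) are small enough to show in code. The block below is an added example written for this page; it is not code from the thread, from the bounty-hunter tool, or from any nostr client. The follow graph is constructed, the account labels are placeholders rather than real npubs, and the function names are my own. The OP in this toy graph deliberately follows one of its own Sybils, to show that the one-hop rule alone lets the whole Sybil cluster through while the island check still flags it.

```python
"""Follows-graph checks for a zap bounty (added example, constructed data).

Two heuristics from the discussion:
  1. one-hop rule: a booster qualifies only if the OP follows it, or one of the
     OP's follows does;
  2. island check: if no account outside the paid set (other than the OP)
     follows anyone in the paid set, the payout went to a closed cluster.
"""

# Constructed follow graph: follower -> set of accounts it follows.
# Labels are placeholders, not real npubs. The OP follows "syb1" on purpose.
FOLLOWS = {
    "op":    {"alice", "bob", "syb1"},
    "alice": {"bob", "carol", "op"},
    "bob":   {"alice", "dave"},
    "carol": {"alice"},
    "dave":  set(),
    # Sybil ring: the puppets follow only each other.
    "syb1":  {"syb2", "syb3"},
    "syb2":  {"syb1", "syb3"},
    "syb3":  {"syb1", "syb2"},
}


def followers_of(graph, account):
    """Accounts that list `account` in their follow set."""
    return {f for f, follows in graph.items() if account in follows}


def reachable_within_one_hop(graph, op):
    """The OP's follows plus everything those follows follow, minus the OP."""
    direct = set(graph.get(op, set()))
    second = set()
    for f in direct:
        second |= graph.get(f, set())
    return (direct | second) - {op}


def qualifying_boosters(graph, op, boosters):
    """Boosters that pass the one-hop rule, sorted for stable output."""
    eligible = reachable_within_one_hop(graph, op)
    return sorted(b for b in boosters if b in eligible)


def is_island(graph, op, paid):
    """True if nobody outside `paid` (ignoring the OP) follows anyone in `paid`.

    The OP is excluded so that following your own Sybils does not hide them.
    """
    paid = set(paid)
    for acct in paid:
        outside = followers_of(graph, acct) - paid - {op}
        if outside:
            return False
    return True


if __name__ == "__main__":
    boosters = ["alice", "carol", "dave", "syb1", "syb2", "stranger"]
    ok = qualifying_boosters(FOLLOWS, "op", boosters)
    print("pass one-hop rule:", ok)
    print("sybil ring is island:", is_island(FOLLOWS, "op", {"syb1", "syb2", "syb3"}))
    print("alice+bob is island:", is_island(FOLLOWS, "op", {"alice", "bob"}))
```

Run as a script it prints that `syb1` and `syb2` pass the one-hop rule because the OP follows `syb1`, yet the ring `{syb1, syb2, syb3}` is an island since only the OP and the ring itself follow its members, while `{alice, bob}` is not, because `carol` follows `alice` from outside. Any site running a campaign like this has the follow lists already and could apply both checks before paying.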
