Bet 95 — Adversarial endorsement / Sybil-vote (PESSIMIST)

A clean STRICT pass for two of four schemes. Contribution-history weighting and cross-community attestation each preserve the 4% minority community's true preference at 100% even when adversarial Sybils outnumber honest community members 5:1. Pure-democratic endorsement and stake-weighted endorsement collapse at 2× Sybil injection, dropping to 0% true-preference rate.

The frame: Bet 72 validated per-community endorsement preserves minorities under passive adversaries (majority votes its own preferences but doesn't impersonate minority members). Bet 95 tests the active attack: the 70% majority community spawns Sybil accounts inside the 4% minority community to capture the minority's endorsement signal — effectively impersonating minority members to elect a specialist that serves majority interests.

Background — why active Sybil attacks matter

Per-community endorsement is the federation's load-bearing alignment primitive (Bet 72 mandate). The promise: small minorities get to endorse specialists that serve their interests, regardless of majority preferences. The attack vector: if the majority can fake membership in the minority, they can vote down the minority's true preference.

This is not a hypothetical. Real-world federation analogs (Reddit subreddit takeovers, Wikipedia edit wars, online community Sybil attacks) all show this pattern. The federation's privacy-first design (Bet 87's group signatures, Bet 74's locality) means the federation operator may not be able to detect real-vs-fake membership at the cryptographic layer. Defense must be at the protocol layer.

The pessimist concerns:

  1. Pure-democratic endorsement (one account, one vote) is trivially Sybil-attackable. The majority can spawn N Sybils for cost ≈ 0.
  2. Stake-based (vote weight ∝ stake_joules) — a wealthy majority can outspend minority members; Sybils still elect via brute-force capital.
  3. Proof-of-personhood doesn't exist at federation scale. Cryptographic proxies have failure modes.
  4. Contribution-history (vote weight ∝ historical contribution to the community) — requires long bootstrap; fresh communities can't enforce; attackers can play long-game.

Hypothesis

A defense scheme that weights endorsement votes by community contribution history (or that filters by cross-community attestation) preserves the minority community's true preference at ≥ 80% rate even when adversarial Sybils outnumber honest members 2:1, where pure-democratic and stake-based schemes collapse below 20%.

Pre-registered criteria

  • STRICT: at Sybil-frac = 2.0 (200 Sybil injected into 40-honest community = 240-member sub-community of which 200 are Sybil), some scheme achieves true-preference rate ≥ 80%.
  • LENIENT: rate ≥ 60%.
  • CATASTROPHIC: all schemes drop to ≤ 20% (defenses universally fail).

Setup

  • 1000 users, 4 communities by population: majority 70%, second 18%, third 8%, fourth 4%.
  • Target community: "fourth" (40 honest members).
  • Sybil injection multipliers: 0×, 0.5×, 1×, 2×, 5× of target-community size.
  • Adversary: Sybils claim "fourth" community membership but vote for the majority's preferred specialist.
  • Specialists: 5 per community, each with quality-for-community scores ~ N(0.85, 0.05).
  • Endorsement schemes tested:
    • pure: one-account-one-vote, majority elects.
    • stake: vote weight = stake_joules (Sybils have stake too — majority bankrolls them).
    • contribution: vote weight = contribution_score (Sybils have score=0).
    • cross_attest: each vote requires another community member's attestation; Sybils succeed at attestation only 5% of time vs honest at 95%.
  • 50 trials per scheme × Sybil-frac.

Result — STRICT PASS (contribution + cross_attest at all levels)

| Scheme | Sybil 0× | Sybil 0.5× | Sybil 1× | Sybil 2× | Sybil 5× | |---|---|---|---|---|---| | pure | 100.0% | 100.0% | 100.0% | 0.0% | 0.0% | | stake | 100.0% | 100.0% | 52.0% | 0.0% | 0.0% | | contribution | 100.0% | 100.0% | 100.0% | 100.0% | 100.0% | | cross_attest | 100.0% | 100.0% | 100.0% | 100.0% | 100.0% |

(true-preference win rate)

Pure-democratic collapses cleanly between 1× and 2× Sybil — the inflection is sharp. Stake fails earlier (52% at 1× Sybil) because the majority bankrolls Sybils with stake. Contribution-weighted and cross-community-attestation defenses hold even at 5× Sybil.

Why this works

Each defense closes the attack vector at a different layer:

  1. Contribution-weighted. Sybils have empty contribution history (score = 0). They can vote, but their vote weight is zero. Even 200 Sybils with 0 weight each contribute 0 total weight, while 40 honest members with weights ~ 1.0 contribute ~40. The honest preference dominates regardless of Sybil count.

  2. Cross-community attestation. Sybils can't get attestations because they're not actually known by other community members. The 5% Sybil-attestation success rate (modelled here as a leak through the majority's social graph) is small enough that 200 Sybils get only ~10 valid votes, vs 40 honest × 95% = 38 valid votes. Honest preference dominates.

The two defenses are layered: contribution-weighted defends against fresh Sybils with no history; cross-attestation defends against well-funded long-term Sybils that built history. In production, both should compose.

Why pure and stake fail

Pure-democratic fails because the trigger is mechanical: at 2× Sybil, there are 200 Sybil votes for majority's specialist vs 40 honest votes for minority's specialist. 200 > 40. Done.

Stake-based fails one rung lower (1× Sybil): the majority bankrolls each Sybil with stake = 100 (matching honest stake). At 1× Sybil, 40 Sybils × 100 = 4000 vs 40 honest × ~100 = ~4000 — close to break-even (52% true-preference rate). At 2× Sybil, Sybil stake dominates 8000 vs 4000.

The lesson: stake is not a Sybil defense at all. It's a barrier to entry, but a wealthy majority always pays it. Stake conflates "willing to pay" with "actually a community member."

What this validates

  • Contribution history is the cleanest defense. Sybils have no history; their vote weight is zero. The defense is mathematical, not statistical.
  • Cross-community attestation is the runner-up. Real social graphs have leaks (the 5% Sybil-attestation success), but those leaks don't accumulate fast enough to flip a 4% community.
  • Stake fails as a Sybil defense. Use stake for spam-prevention or rate-limiting, not for Sybil-resistance.
  • Combinable defenses. Contribution + cross-attestation in series gives the cleanest profile: contribution stops fresh Sybils, attestation stops long-game Sybils with built history.

What this does not claim

  • Long-game Sybils. The simulation models Sybils with score = 0 (just-spawned). A patient adversary spawns Sybils, has them earn contribution history honestly for months, then activates them in the attack. Contribution-weighted defense degrades against this attack. Cross-attestation may still hold if the long-game Sybils never built real social ties.
  • Bootstrap problem. A fresh community has nobody with contribution history. Contribution-weighted defense degrades to pure-democratic during bootstrap. The federation must use a different defense (founder-attested membership, or external proof-of-personhood) until the community has aged.
  • Sub-community attacks. The 4% community has internal substructure (e.g., Trivandrum vs Kozhikode dialects in Kerala-Mal). An attacker could target a sub-community within the minority. Bet 95 doesn't model substructure.
  • Cross-community Sybil rings. What if multiple communities are simultaneously attacked by the same majority? Bet 95 isolates the target community.
  • Cost of attestation. Each attestation request has a real-world cost (a community member must verify another's membership). Bet 95 doesn't model attestation as a scarce resource.
  • Compromised honest members. What if 5 of the 40 honest members are compromised (bribed, blackmailed, hacked)? They have valid contribution history and can attest Sybils as honest. Defense degrades. Open work.
  • Anonymous endorsement. Bet 87 mandates BBS+ group signatures for receipt anonymity. Composing anonymous-by-default endorsement with contribution-weighted defense is non-trivial — the contribution score must be visible without revealing the voter. Open work; possibly via zero-knowledge proofs.
  • Endorsement escalation. When defense fails, what's the recovery? The federation needs a "dispute" primitive: minority members can flag suspicious endorsement outcomes for federation-wide review. Bet 95 doesn't model recovery.

The mandate

RFC-0006 §6 (Endorsement protocol) must specify:

  1. Endorsement vote weight = contribution_score for established communities. Vote weight floor at 0; Sybils with no history have no influence.
  2. Cross-community attestation gates fresh / low-history voters. Voters with low contribution history must be attested by a non-fresh community member to count.
  3. Stake is NOT a vote-weight basis. Stake may be used for spam-prevention (rate-limit votes per stake-tier) but never for Sybil-resistance.
  4. Bootstrap protocol for new communities. During the first 6 months, communities use founder-attested membership or external proof-of-personhood. Migration to contribution-weighted endorsement happens after a defined activity threshold.
  5. Layered defense. Production must apply contribution-weighting AND cross-attestation in series. Either alone has known degradation modes; together they cover both fresh-Sybil and long-game-Sybil attacks.

Run command

PYTHONPATH=src python -m experiments.bets.95_adversarial_endorsement

Output: experiments/bets/results/95_adversarial_endorsement.json records per-scheme, per-Sybil-fraction true-preference win rate over 50 trials.

  • Bet 72: liquid democracy polarization. The upstream finding that per-community endorsement preserves minorities under passive adversaries. Bet 95 tests active adversaries.
  • Bet 88: reputation under Byzantine. Routing layer; Bet 95 is the endorsement layer. Both must hold.
  • Bet 91: non-anglophone alignment. Confirms per-community endorsement transfers to non-anglophone communities. Bet 95 confirms it survives Sybil capture.
  • Bet 87: privacy-preserving signatures. The composition challenge: how to do contribution-weighted endorsement when voters are anonymous.
  • Bet 65: gossip fork-safety. The directory-of-truth that lets contribution scores be cryptographically verified.

Why it matters

The federation's claim is "every community gets to align its specialists." Without Sybil resistance, that claim is theatre — any minority that becomes important enough to threaten the majority gets captured. Bet 95 confirms that contribution-weighted endorsement and cross-community attestation are real defenses, and that stake-based defenses fail.

The Kerala flagship deployment (Wave F) has at least one obvious attack vector: a non-Kerala actor spawns Sybils to capture the Kerala-Mal community's endorsement, electing a specialist that serves non-Kerala interests. Bet 95's mandate (contribution + attestation) is the federation's defense. Without it, Kerala's sovereignty claim is undermined the moment scale attracts adversarial attention.

The methodological lesson: passive-adversary tests don't catch active-adversary attacks. Bet 72's clean strict pass on liquid democracy was real; Bet 95's catastrophic regime for pure-democratic was also real. Both are needed. The catalogue's discipline is to test BOTH the typical case (Bet 72) and the worst case (Bet 95) before declaring a primitive sound.

The catalogue's contribution: turning "endorsement is per-community" from a slogan into a Sybil-resistant protocol with quantified failure modes for each defense scheme. RFC-0006 §6 now specifies the layered defense and bootstrap protocol explicitly.

Up next

Real-WAN federation throughput

All bets used in-process FastAPI test clients or LAN. Cross-ISP latency, jitter, and throughput remain unmeasured. The deployment story depends on this.