Hey there,
When we covered Soulbound tokens a few weeks back, I briefly mentioned Gitcoin Passport. It is an identity verification protocol to help users validate who they are while interacting with applications. We have since reached out to the Passport team to learn more about how it is used and why it matters. Today’s piece summarises my conversations with Jeremy, the product lead for Passport.
Here’s a quick reminder on Gitcoin and quadratic funding. Gitcoin enables public goods to raise funding from donors. The platform often matches pools of donations in proportion to the number of people who have contributed to a campaign. Each Gitcoin round runs for two weeks quarterly. At the end of each round, the platform verifies which public good had the most people donating and matches donations in proportion to the number of participants.
This differs from a single donor putting $1000 into a pool and having it matched in equal amounts. Under quadratic funding, products or services with more individuals donating to them receive a disproportionately larger match.
The image above gives a quantitative breakdown of what it would look like in practice. In the case of project A, the final funding was an additional 35% ($1352) compared to the additional 164% project C raised from external sponsors.
Why does this matter? A simple heuristic is that the higher the number of individuals donating to a campaign, regardless of the sums they provide, the higher the likelihood that people find it valuable. This is a democratic approach to public goods funding. Whilst there are both good and bad aspects with such a model, it is worth noting that as of Q1 this year, Gitcoin has helped raise over $50 million from 3.8 million unique donations.
What does any of this have to do with identity?
Given how easy it is to spin up wallets, a team listed on Gitcoin could spin up new wallets, split $1,000 into different wallets and end up with more in donations raised. They could require that wallets have a specific transaction history before they are considered for quadratic funding, but they would still be easy to Sybil.
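The incentive described above, as an added example that is not part of the original article and not Gitcoin's matching code. It uses a simplified quadratic-funding weight (the sum of the square roots of the donations, squared); the wallet names, the pool size and the `VERIFIED` set are constructed assumptions.

```python
from math import sqrt

def qf_weights(donations, eligible=None):
    """Quadratic-funding weight per project: (sum of sqrt(amount)) squared.

    donations: {project: {wallet: amount}}
    eligible:  optional set of wallets whose donations count for matching.
    """
    weights = {}
    for project, by_wallet in donations.items():
        roots = sum(sqrt(amount) for wallet, amount in by_wallet.items()
                    if eligible is None or wallet in eligible)
        weights[project] = roots ** 2
    return weights

def split_pool(pool, weights):
    """Divide the matching pool in proportion to each project's weight."""
    total = sum(weights.values())
    return {p: (pool * w / total if total else 0.0) for p, w in weights.items()}

# Constructed sample: every project receives $1,000 in donations.
DONATIONS = {
    "single_donor": {"0xwhale": 1000},
    "community": {f"0xuser{i}": 100 for i in range(10)},  # ten real donors
    "split": {f"0xsock{i}": 100 for i in range(10)},      # one person, ten wallets
}
# Wallets that passed an identity check (hypothetical input): the person behind
# "split" can verify only one of the ten wallets.
VERIFIED = {"0xwhale", "0xsock0"} | set(DONATIONS["community"])

if __name__ == "__main__":
    for label, eligible in (("ungated", None), ("gated", VERIFIED)):
        payout = split_pool(21000, qf_weights(DONATIONS, eligible))
        print(label, {p: round(v, 2) for p, v in payout.items()})
```

Ungated, the split project is weighted ten times higher than the single donor for the same $1,000; once only verified wallets count, its weight falls to a tenth of the single donor's.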
So, the crew behind Passport decided to develop an internal solution for allocating a ‘trust’ score to wallets. But before I go into that, it helps to understand how Passport works.
Understanding Passport
When you sign in to your Gitcoin Passport, you are greeted with 25 services that can be used to add to a score. According to Gitcoin’s systems, you must have a minimum score of 20 to be considered verifiably human. Collecting individual stamps here refers to signing in with an external account (like Google) and offering API access to validate your claims. Doing so gives you a stamp, with a pre-designated score allocated in proportion to how human an activity could look.
Easy-to-Sybil accounts like Twitter or Google have a low score of 1, whereas having verifiable code history that goes back considerably is weighted at 7.25. Externally validating your identity using a passport on services like Civic gets you around 6 points. Interestingly, having a single identity, such as a license or LinkedIn account, is not enough. Gitcoin requires you to add layers of information about your humanness before hitting the minimum score of 20.
Once sufficient stamps have been collected, users can also mint the stamps on-chain through a low-cost network like Optimism for about $2, but the minting is not necessary to use the protocol. Developers can also use API calls to Gitcoin to verify if a wallet has the required stamps. But minting on-chain reduces the dependency on a centralised provider. Note that a stamp expires every 90 days.
So if you issued a verification for the status of your LinkedIn account or showed that your passport had been validated on Civic, you would have to return to the product and reissue a stamp every 90 days. This procedure helps the network validate that you are who you claim to be and that a third party is not using the wallet on your behalf. It is also useful if a wallet is compromised and a user wishes to mint a verification to a different wallet.
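A sketch of how an application might apply the threshold and the 90-day expiry described above. This is an added example, not Gitcoin's scorer: it assumes the score is a plain sum of stamp weights, and the `linkedin` and `nft_holder` weights, the provider names and the sample dates are constructed.

```python
from datetime import datetime, timedelta, timezone

THRESHOLD = 20.0                # minimum score quoted in the article
STAMP_TTL = timedelta(days=90)  # stamps expire every 90 days

# twitter, google, code_history and civic use the article's figures;
# linkedin and nft_holder are constructed values for this example.
WEIGHTS = {"twitter": 1.0, "google": 1.0, "code_history": 7.25,
           "civic": 6.0, "linkedin": 3.0, "nft_holder": 4.0}

def passport_score(stamps, now):
    """Score a wallet from (provider, issued_at) pairs.

    Only the newest stamp per provider counts, so a repeated stamp cannot
    be added twice. Returns (score, sorted list of expired providers).
    """
    newest = {}
    for provider, issued_at in stamps:
        if provider not in WEIGHTS:
            continue  # unknown providers contribute nothing
        if provider not in newest or issued_at > newest[provider]:
            newest[provider] = issued_at
    score, expired = 0.0, []
    for provider, issued_at in newest.items():
        if now - issued_at >= STAMP_TTL:
            expired.append(provider)
        else:
            score += WEIGHTS[provider]
    return score, sorted(expired)

def is_verified_human(stamps, now):
    return passport_score(stamps, now)[0] >= THRESHOLD

NOW = datetime(2023, 9, 1, tzinfo=timezone.utc)  # constructed reference time

def days_ago(n):
    return NOW - timedelta(days=n)

# Constructed wallet: a duplicate twitter stamp and a civic stamp 95 days old.
STAMPS = [("twitter", days_ago(10)), ("twitter", days_ago(9)),
          ("google", days_ago(10)), ("code_history", days_ago(30)),
          ("linkedin", days_ago(20)), ("nft_holder", days_ago(5)),
          ("civic", days_ago(95))]
```

With the civic stamp expired the wallet scores 16.25 and fails the check; appending a fresh `("civic", NOW)` stamp brings it to 22.25.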
Think of each stamp as part of your attire. You choose your clothing based on the event and nature of the place you are visiting. Gitcoin Passports serve a similar function. You put on additional stamps for increasingly sophisticated use cases. A simple community may require you to own an NFT. A more sophisticated fintech application could require that you validate your identity on Civic using a passport and tie your GitHub account to your wallet before they give you access to the product.
My point is that a fake one could be easily spun up when a user needs to validate a Twitter or Facebook account. But add layers of complexity, such as requiring a GitHub account with transaction history or passport verification, and suddenly, it becomes hard to Sybil a product for a quick buck.
Passport is an open protocol that allows users to plug in centralised services and on-chain activity to validate whether or not they are human. Once users mint their stamps as passports, Gitcoin is no longer directly involved in validating each claim. An external application like Uniswap could use the stamps to open access to certain parts of their product. One challenge is that the model still relies on Gitcoin if the user does not mint the stamps on-chain. A fully decentralised version is set to be released in the coming quarters.
Why does this matter? To understand why, it helps to have context on the benefits for both users and protocols.
Matter of Incentives
Let’s start on the protocol side. Whenever an airdrop occurs, on-chain activity is taken as proof of humanness. This activity offers token design experts some relief in the fact that the individuals getting the token are legitimate actors whose on-chain footprints validate that they are real people. But as I’d covered in our story on airdrops, teams looking to Sybil accounts have designed some complex operations.
The modus operandi is quite simple. You study the patterns of usage that could lead to a wallet being given an airdrop, replicate it across hundreds of wallets, claim the airdrop on the day a token is released and profit in the millions by selling it on an exchange.
The higher the incentives, the more likely that identity forgery on a protocol would occur. The higher the cost of forgery, the lower the probability that a person would try to Sybil a network.
Products like Worldcoin took a different approach to the matter. They had individuals scanning their eyeballs to validate that they were human. Since eyeballs are unique to the individual and hard to replicate, the network could claim they had the most ‘human’ network on-chain.
Here’s the problem, though: Nothing stops users from setting up a booth to scan eyeballs and split the airdrop with participants. While we have no evidence of such large-scale Sybil attacks, there have been reports that the financial incentives partly drove unknowing users to the network.
Why does this matter? It matters because understanding who constitutes a ‘user’ in crypto has been one of the hardest challenges so far. Blockchains are payment networks, so it is natural that hundreds, if not thousands, of bots will do millions of transactions on these networks. But until a network is verifiably transitioning into being used by humans (or, as in the case of ETH, bots are paying large fees), it is hard to argue that value is accruing to the network itself. The more human a network is, the higher its relative value.
Gitcoin Passport gives developers a simple way to verify whether a user is human and has the credentials to partake in an early-stage product. The following are a few ways this could have been used today:
Lens Protocol could allow early access to Twitter users with over 10,000 followers.
A protocol focused on on-chain data could verify and offer airdrops to individuals who have worked with one of the Big Four audit firms by checking their LinkedIn history.
A protocol could airdrop only to users that could verify they are humans using a passport on Civic ID.
I believe a generation of applications that could historically not vet whether a user is who they claim to be could now be built using Gitcoin Passport. There are a few distinctions to be made here. Unlike when you do AML/KYC on Binance using a third-party service provider, Gitcoin’s Passport Stamps don’t require you to upload a passport for every application you do – a single API call checks whether a user’s stamp is valid.
Once they have validated (and minted) a stamp, they could use it across applications in an ecosystem using the standard. Present-day identification products often struggle with the network effects of multiple applications using the same standard. Gitcoin Passport, given the savings in time and costs, could make a meaningful dent here.
Users can mint multiple stamps for the same identity proof (like a passport) in different wallets. Depending on the use case, they may want a pseudonymous identity. However, an application could discern if a person is spinning up multiple identities using hashes on the stamps.
I could have multiple wallets where I have linked my GitHub, Twitter and LinkedIn, but I could not claim I am a different individual with each wallet, as the developer could see I have used the same identity proofs. It is important to note here that whilst your off-chain identity proofs (like Passport or GitHub profile) could be replicated to new wallets, a wallet’s history itself cannot be replicated easily.
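One way an application could use the hashes on stamps to spot one person behind several wallets, as an added example that is not from the original article or from Gitcoin. The `stamp_hash` function is a hypothetical stand-in for whatever hash the issuer places on a stamp, and the wallets and account names are constructed.

```python
import hashlib
from collections import defaultdict

def stamp_hash(provider, account_id):
    """Hypothetical stand-in for the hash an issuer places on a stamp."""
    data = f"constructed-salt|{provider}|{account_id}".encode()
    return hashlib.sha256(data).hexdigest()

def cluster_wallets(stamps):
    """Group wallets that share any (provider, hash) identity proof.

    stamps: iterable of (wallet, provider, hash). Links are transitive:
    if A and B share one proof and B and C share another, all three are
    treated as one person. Returns a sorted list of sorted wallet lists.
    """
    parent = {}

    def find(w):
        parent.setdefault(w, w)
        while parent[w] != w:
            parent[w] = parent[parent[w]]  # path halving
            w = parent[w]
        return w

    first_seen = {}
    for wallet, provider, digest in stamps:
        root = find(wallet)
        owner = first_seen.setdefault((provider, digest), wallet)
        parent[root] = find(owner)         # no-op when owner is this wallet
    groups = defaultdict(list)
    for wallet in list(parent):
        groups[find(wallet)].append(wallet)
    return sorted(sorted(g) for g in groups.values())

def one_claim_per_person(stamps):
    """Pick one wallet per cluster, e.g. for an airdrop allow-list."""
    return [cluster[0] for cluster in cluster_wallets(stamps)]

# Constructed sample: 0xA, 0xB and 0xC are linked through reused proofs.
SAMPLE_STAMPS = [
    ("0xA", "github", stamp_hash("github", "alice")),
    ("0xB", "github", stamp_hash("github", "alice")),
    ("0xB", "twitter", stamp_hash("twitter", "al1ce")),
    ("0xC", "twitter", stamp_hash("twitter", "al1ce")),
    ("0xD", "github", stamp_hash("github", "dana")),
]
```

The four sample wallets collapse into two people, even though 0xA and 0xC never share a proof directly.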
The combination of on-chain transaction history validated through a tool like Degenscore with a primitive like Passport helps developers quickly identify human users with an on-chain history of expertise.
The most obvious use case for such a product (after quadratic funding) is for incentivised testnets and grant programmes.
For instance, several ventures that have received tokens under Arbitrum’s grant programme are redistributing the tokens to their products’ users as shown in the image above. How do you ensure the people receiving tokens don’t dump them immediately? How can you minimise the chances of a user running thousands of bots on a product?
A requirement could be to have a Passport score of 20 to ensure actual users receive tokens from such incentivised testnet programmes. This instance may seem far-fetched, but recently, Shapeshift used Gitcoin Passport to determine how OP tokens are passed on to some 6,000 users.
Beyond Transactions
In my previous article, I wrote that apps will eventually have to build context on users by collecting behavioural data to build moats. I also clarified that the approach felt like a repeat of what we already had with Web2 native surveillance capitalism. Gitcoin's Passport is interesting because it creates an open graph of verified product users. Why do you need verification? What role does having stamps that validate your activities elsewhere play on the web? A good start would be understanding the web's nature today.
In 2018, some ⅔ of all links posted on Twitter were posted by bots. Between 43–60% of all internet traffic comes from bots. The web can afford this because of the decades of work that has gone into building the infrastructure that carries bits and atoms to your devices. In India, where I grew up, 2 Mbps internet was a luxury.
In Dubai, 600 Mbps internet has become the norm on 5G devices. (You can download entire movies in under ten seconds.) Blockchains will undergo a similar trajectory. And before we realise it, an increasing number of users on applications with financial incentives in the form of token rewards will be merely bots.
Tools like Gitcoin Passport allow newer primitives – like Web3 social networks – to have a community of verifiably human members. The use-case goes even further when you think of models like guilds in gaming. Surely, smart enough individuals will learn how to programmatically engage in a game to generate rewards. In such instances, apps being able to verify if a user is human or not with a single API call or on-chain query is powerful.
A recent paper by Karthik Srinivasan from Booth School of Business explains why user verification would matter in simpler terms. He studied how online creators behave in response to getting attention for their posts across TikTok and Reddit. The researcher used generative AI to synthetically boost engagement with posts to understand how creators would behave.
He noticed that a creator receiving 50 upvotes or three comments would be twice as likely to continue posting. But scale that up to 500 upvotes or six comments, and the creator would have no visible increase in the frequency of their posts.
I found the study interesting because it is tangible evidence that:
Generative AI can synthetically show engagement to a degree where creators don’t realise it.
Bots can influence the behaviour of not just consumers but also creators.
Past a point, more attention has no impact on how frequently creators post.
Any new-age social network – Lens, Mirror, Farcaster or Mastodon – will inevitably need tools like Gitcoin Passport to ensure their users are actual humans in the age of generative AI. In my mind, it is only when we realise that we need better tools to verify who is creating the content we consume that we will eventually embrace primitives like Gitcoin Passport.
It is a minor tool that could fuel a more human, verifiable internet, which has value at a time when social networks are tearing apart our democracies.
Still reading Creativity Inc,
Joel John