Airdrop Ethics: VC Firm Draws Ire Following $2.5M Ribbon Finance Exploit

The DeFi community has once again found itself embroiled in a debate concerning the nature of on-chain ethics.

Oct 8, 2021 at 8:19 p.m. UTC
Updated May 11, 2023 at 4:49 p.m. UTC

On Friday afternoon, decentralized finance (DeFi) users discovered a researcher for Divergence Ventures, a crypto venture firm, was receiving hundreds of ETH from wallets selling recently airdropped RBN tokens – a sign of an airdrop exploit to which Divergence later admitted.

The episode presents the largely unregulated, permissionless DeFi community with yet another chance to debate the nature of fair play in an increasingly powerful, $200 billion ecosystem where the only governance is on-chain rules and some modicum of common sense.

“Airdrops” are a token distribution method that allows users to claim tokens if they’ve completed certain actions or fulfill other parameters, such as having deposited into a vault or participated in a project’s governance.

In Friday’s exploit, the Divergence researcher allegedly used dozens of wallets to fulfill bare-minimum parameters to claim $2.5 million in RBN tokens – an exploit that some have labeled a sybil attack on the distribution.

The crypto community responded with ire, noting that Divergence is an investor in Ribbon and speculating that the researcher may have successfully gamed the distribution using insider information. A Ribbon community manager denied these allegations.

Divergence has since published a tweet thread acknowledging the sybil attack in which it said it “crossed a line” and said it would be “better contributors to the community going forward.”

Divergence also sent the ETH back to the project’s treasury, and the Ribbon community is now debating what to do with the funds.

A Ribbon Finance representative declined to comment. Divergence Ventures did not respond to a request for comment by press time.

The airdrop exploit was first flagged by pseudonymous self-described “ex-academic” Gabagool.eth. In an interview with CoinDesk, he said the episode is a prime example of a nascent ecosystem still trying to determine the rules of the jungle.

“There are rules we enforce socially, and this is an important example of that playing out,” Gabagool said. “Divergence responded in a few hours and returned 705 ETH because an anon with a ‘Sopranos’ joke as a name tweeted an analysis? That is the opposite of ‘code is law.’ That’s community law, and I don’t think that’s a bad thing. We’re making up the rules as we go along.”

Due diligence

Gabagool told CoinDesk that he spotted the exploit as a result of his day-to-day research. He’d bought Ribbon tokens pre-launch from a friend and was doing due diligence after adding to his position on Friday.

“Today I bought Ribbon in size, so I was looking at the Uniswap v3 pool, checking out some of the wallets buying and selling Ribbon,” he told CoinDesk. “I was curious, primarily to find out what people were doing with their airdrops.”

He said that he noticed a 17 ETH sale by “happenstance,” a sale whose proceeds were subsequently sent to another wallet. The new wallet, he noted, was funded with ETH that “all came from wallets that had received a Ribbon airdrop and sold a Ribbon airdrop.”

The parent wallet also linked to a wallet containing bridget.eth – an Ethereum name service domain that identified the owner as a Divergence Ventures researcher.

“Crypto people are very good at [operations security], but ENS is a weak point,” he cautioned.

Initially Gabagool reached out to Divergence Ventures’ Calvin Liu to compliment his firm on the windfall, but another friend tipped him off that Divergence was actually an investor in Ribbon – a sign that it may have been acting on insider information.

“That’s when I sent my tweet, because I said, ‘That’s interesting, a fund that’s invested in this protocol has a rogue analyst or is doing something people won’t like,’ based off what I know about crypto.”

Worse than it looks

Gabagool told CoinDesk that, despite appearances, he leans towards believing there was no insider information at play.

“I tend to land on the side of trusting [Ribbon Finance founder] Julian Koh, but that’s purely my gut. The way Julian responded to this seems pretty above the board,” he said.

Gabagool also noted the farming was part of a broader strategy executed by the analyst’s wallets, indicating that this is a tactic that was tried in the past with other drops and not the product of insider knowledge.

“I mean, clearly just from this one analyst’s wallet – and this is just one linked to many other wallets – they’re airdrop-farming. They’re doing this on a pretty mass scale,” he said.

In an apology tweet today, Divergence seemed to confirm that the Sybil exploit (of using multiple identities) was part of a purposeful strategy it deploys with other projects as well.

Gabagool said that the episode is a “bad look” for Divergence, and will likely contribute to the community’s mistrust of VC firms.

“My experience in DeFi and crypto generally is that whatever you think is happening behind the scenes, it’s probably worse in fact – there’s more of it happening, or it’s happening at a larger scale. These people have privileged information, and they use it.”

Only wrong if you get caught

The discovery of the Sybil attack and the subsequent donation has prompted significant social media debate concerning the ethics of gaming distribution events.

Airdrops can be tremendously lucrative. Tracking down potential upcoming targets is a popular pastime, and likewise savvy DeFi users spend ample energy trying to predict the manner in which the drop will be conducted in order to maximize gains.

“In my original tweet, I said, ‘Copytrade this wallet.’ Everyone in DeFi is looking to do what this person did, and they’d be lying if they said otherwise,” said Gabagool.

Last December, one trader narrowly missed out on $1.8 million from the 1INCH airdrop using a similar Sybil attack – in that instance users commiserated that he was foiled in his efforts, and largely refrained from chastising him for trying.

Much of the consternation for Divergence seems to focus on the fact that many observers initially believed the firm to have executed the Sybil attack with insider information and/or that it was sloppy with operational security – not that the firm executed it in the first place.

“I do think they f**ked up, if not just because they got caught,” said Gabagool.

To this end, he cautioned against users attacking the researcher simply for “being good at DeFi.”

“At no point was I intended to draw personal attacks towards this researcher,” he told CoinDesk. “The ethical fault here comes from Divergence.”

He noted that the Sybil strategy prevented other users from entering vaults and subsequently claiming tokens of their own – ultimately denying a broader swath of the community a share of the airdrop.

Dilemmas abound

This incident is not the only example of moral debates and questions of intentionality clashing with on-chain rules and logic in recent weeks. Last week, a bug in decentralized money market Compound’s code led to the erroneous distribution of nearly $150 million in tokens intended as community liquidity mining rewards.

Compound founder Robert Leshner called the unintended distribution a “moral dilemma” and called on users to return the funds. So far, users have returned over 163,000 COMP tokens worth $53 million.

Likewise, last month the developers for an exploited non-fungible token (NFT) project, Jay Pegs Auto Mart, expressed disappointment the attacker didn’t manage to get away with what it admitted was a “pretty smart” attack vector.

The team discovered the exploiter’s identity and successfully pressured that person into sending the funds back.

“He’s a dweeby NARC who failed to execute,” the developers told CoinDesk at the time.

Winners and losers

Gabagool speculated that such attacks are inevitable, given the current state of DeFi and the incentives that push it forward.

“It’s interesting because you have a system that people are actively trying to build gamification into, and the problem with gamification is that there are winners and losers,” he said.

Still, to whatever extent there are ethics in DeFi, they were violated here: Gabagool noted that the fund also has a sizable liquidity pool position in the project, usually a display of confidence or a longer-term investment.

“They clearly were signaling one thing in their public wallets, and doing another thing in private wallets,” he said.

Ultimately, however, episodes like today excite rather than depress him.

“To me, the power of decentralization is that things are messy, things are in flux – and there’s kind of a creative potential in that,” Gabagool said. “The weakness is that there’s plenty of gaps to be exploited. And that’s what obviously fascinates me – those kind of in-between moments where people expose faults in popularly accepted logic.”



Andrew Thurman

Andrew Thurman was a tech reporter at CoinDesk with a focus on DeFi.
