Anti-fraud and sybil resistance

If we don't solve sybil, the platform turns into a farm. Streamer pools get drained by bot networks, real viewers earn nothing and quit, and the streamer's spend produces zero engagement signal. The whole loop fails.

This page is the layered defense.

The threat model

| Actor | Goal | Resources |
| --- | --- | --- |
| Solo cheater | Run 10–20 alt accounts on their home network | Cheap, opportunistic |
| Click-farm operator | Run 1K–10K accounts via a small VPS fleet | Moderate budget, repeat offender |
| Industrial sybil network | 100K+ accounts, rotating IPs, captcha solvers | Funded; would only hit BitView if rewards > cost |
| Compromised real account | Real Twitch account whose credentials were stolen and used to claim against a stranger's wallet | Single incident |

Our job is to make the cost of farming exceed the rewards available. We don't need perfection — we need economic disincentive.

The defenses, layered

Layer 1 — Account age + activity

  • Twitch account age ≥ 30 days at link time.
  • Twitch account must have a positive history: at least one PRIVMSG or follow event recorded by Twitch in the prior 30 days. Brand-new dormant accounts don't qualify.
  • Email-verified Twitch accounts only (Twitch's own verification flag).

This kills the trivial "create account, link, farm" attack.

Layer 2 — BTV stake requirement

  • Viewers must hold ≥ 100 BTV in the linked wallet for accruals to count.
  • New viewers receive a one-time onboarding bonus of 100 BTV (sourced from the 30% viewer-rewards emission), redeemable once per Twitch-account-id.
  • The bonus is non-transferrable for the first 7 days (enforced via a short-lived non-transfer attribute on the SPL account).

This makes 1,000 alt accounts cost 100,000 BTV (acquired at market price) or require the operator to onboard 1,000 distinct Twitch accounts, each with 30+ days of pre-history. Both are expensive.

Layer 3 — Activity weighting in the accrual loop

The accrual loop already snapshots present users. We weight per-tick share by engagement quality:

| Signal | Weight |
| --- | --- |
| Connected to chat (JOIN only, no messages) | 0.25× |
| Has sent a PRIVMSG in the last 10 minutes | 1.0× |
| Has any badge (sub, mod, vip, founder) | +0.25× bonus |
| First time in this channel (welcome bonus) | +0.50× bonus, capped at first hour |
| Account age ≥ 1 year | +0.10× bonus |

A pure lurker farming 50 channels in parallel earns at 0.25× per channel. A real engaged viewer earns at 1.25–1.85× per channel they're actually in.

Note: The exact weights are tunable per distribution by the streamer (within bounds — we don't let a streamer set "no PRIVMSG = 0×" because that would punish polite lurkers). Defaults above are the platform baseline.
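The weighting above, written out as an added example (not BitView's own accrual code). The baseline numbers come from the table; the 0.25× floor on the join-only weight that streamer overrides cannot go below, and the 600-second PRIVMSG window, are assumptions made here to match the text.

```python
from dataclasses import dataclass
from typing import Optional

# Platform baseline weights, taken from the table above.
BASELINE = {
    "join_only": 0.25,         # connected to chat, no messages
    "privmsg_recent": 1.0,     # PRIVMSG within the last 10 minutes
    "badge_bonus": 0.25,
    "welcome_bonus": 0.50,     # first visit, first hour only
    "account_age_bonus": 0.10,
}
# Assumed floor for streamer overrides: lurkers can be down-weighted, never zeroed.
JOIN_ONLY_FLOOR = 0.25
ENGAGEMENT_BADGES = {"sub", "mod", "vip", "founder"}

@dataclass
class ViewerSignals:
    privmsg_age_s: Optional[int]  # seconds since last PRIVMSG here; None if never
    badges: frozenset
    seconds_in_channel: int       # time since first seen in this channel
    first_visit: bool
    account_age_days: int

def tick_weight(v: ViewerSignals, weights: dict = BASELINE) -> float:
    """Per-tick share multiplier for one present viewer in one channel."""
    if v.privmsg_age_s is not None and v.privmsg_age_s <= 600:
        w = weights["privmsg_recent"]
    else:
        w = weights["join_only"]
    if v.badges & ENGAGEMENT_BADGES:
        w += weights["badge_bonus"]
    if v.first_visit and v.seconds_in_channel < 3600:   # welcome bonus, first hour only
        w += weights["welcome_bonus"]
    if v.account_age_days >= 365:
        w += weights["account_age_bonus"]
    return w

def streamer_weights(overrides: dict) -> dict:
    """Merge a streamer's per-distribution overrides, enforcing the platform floor."""
    unknown = set(overrides) - set(BASELINE)
    if unknown:
        raise ValueError(f"unknown weight keys: {sorted(unknown)}")
    merged = {**BASELINE, **overrides}
    if merged["join_only"] < JOIN_ONLY_FLOOR:
        raise ValueError("join_only weight below platform floor")
    return merged
```

A pure lurker evaluates to 0.25 and a subscribed, first-visit, year-old account chatting right now evaluates to 1.85, the two ends of the range quoted above.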

Layer 4 — Per-IP / per-fingerprint limits

The frontend and backend share an anti-sybil session token that encodes:

  • Hashed device fingerprint (canvas + UA + timezone + language)
  • IP address (truncated to /24 for IPv4, /48 for IPv6 to avoid over-blocking)
  • Recently-linked wallet count

Limits:

  • Max 5 distinct wallets per /24 + fingerprint per 30 days. Hard cap.
  • Max 1 wallet linked per Twitch user_id, ever. (Already enforced by the _id constraint on the users collection.)
  • Max 3 simultaneous active accruals per fingerprint. A single fingerprint earning across 50 channels is a farm signal.

These limits are deliberately not advertised to users (only to streamers and to compliance, in aggregate). Real users almost never hit them.
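An added example (not the platform's code) of how the /24 and /48 truncation, the hashed fingerprint and the three limits above fit together. The in-memory counters, the function names and the use of SHA-256 for the fingerprint digest are assumptions; the caps and window are the ones stated in this layer.

```python
import hashlib
import ipaddress
from collections import defaultdict

LINK_WINDOW_S = 30 * 24 * 3600   # 30-day window for the wallet-link cap
MAX_WALLETS_PER_KEY = 5          # per (/24 or /48) + fingerprint, hard cap
MAX_ACTIVE_ACCRUALS = 3          # simultaneous channels per fingerprint

def network_key(ip: str) -> str:
    """Truncate to /24 (IPv4) or /48 (IPv6) so a home network or carrier block
    shares one key instead of every address being limited separately."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def fingerprint_hash(canvas: str, ua: str, tz: str, lang: str) -> str:
    """Only this digest is stored; the raw fingerprint components are not."""
    return hashlib.sha256("|".join((canvas, ua, tz, lang)).encode()).hexdigest()

class SybilLimiter:
    """In-memory counters (assumed); a real deployment backs these with a shared store."""
    def __init__(self):
        self._links = defaultdict(dict)   # (network, fp) -> {wallet: linked_at}
        self._active = defaultdict(set)   # fp -> channels currently accruing

    def can_link_wallet(self, ip: str, fp: str, wallet: str, now: int) -> bool:
        key = (network_key(ip), fp)
        recent = {w: t for w, t in self._links[key].items() if now - t < LINK_WINDOW_S}
        self._links[key] = recent
        if wallet in recent:
            return True                   # re-linking the same wallet is not a new slot
        if len(recent) >= MAX_WALLETS_PER_KEY:
            return False                  # hard cap reached for this network+device
        recent[wallet] = now
        return True

    def start_accrual(self, fp: str, channel: str) -> bool:
        active = self._active[fp]
        if channel not in active and len(active) >= MAX_ACTIVE_ACCRUALS:
            return False                  # one device in many channels is a farm signal
        active.add(channel)
        return True

    def stop_accrual(self, fp: str, channel: str) -> None:
        self._active[fp].discard(channel)
```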

Layer 5 — Slashing for detected fraud

When the fraud-detection pipeline flags a wallet:

  1. Soft flag — accruals stop crediting; existing balance frozen. No public action. Manual review queue.
  2. Confirmed flag — wallet's BTV stake is slashed to the protocol treasury. Existing accruals across all distributions are zeroed out. Twitch user_id is marked ineligible for re-link for 90 days.
  3. Severe (industrial network) — public on-chain blocklist, all linked wallets and Twitch ids marked permanently ineligible.

The slashable BTV stake is the economic incentive that makes this work. Sybil networks now lose their stake instead of just losing access.

Layer 6 — Detection pipeline

The detection signals we monitor in real time:

| Signal | Pattern indicating fraud |
| --- | --- |
| Wallet age | Wallets created within 24h of first claim, en masse |
| Funding source | Multiple wallets funded from a single source within 1 hour |
| Behavior | Identical PRIVMSG patterns across N "different" accounts |
| Timing | Identical join/part timestamps across N accounts |
| Twitch account history | Cohorts of accounts with statistically improbable similar metadata |
| Network graph | Wallets that always claim from the same IP+fingerprint |

These are scored by a simple ensemble. High-confidence hits go to soft-flag automatically; medium-confidence hits go to manual review.
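An added example of such an ensemble over four of the signals in the table (wallet age, funding source, timing, network graph), run on a constructed batch of claim records; it is not the platform's detection code. The per-signal weights, the 0.8 / 0.5 routing thresholds and the cohort size of 3 are assumptions, since the page gives the signals but not the numbers.

```python
from collections import defaultdict

HIGH, MEDIUM = 0.8, 0.5      # assumed routing thresholds
N_COHORT = 3                 # assumed minimum cohort size before a shared pattern counts

def claim(wallet, created, first_claim, funder, funded_at, join_ts, ip, fp):
    return dict(wallet=wallet, created=created, first_claim=first_claim, funder=funder,
                funded_at=funded_at, join_ts=join_ts, ip=ip, fp=fp)

def score_claims(claims):
    """Score each wallet on wallet age, funding source, timing and network graph."""
    by_funder, by_join, by_netfp = defaultdict(list), defaultdict(set), defaultdict(set)
    for c in claims:
        by_funder[c["funder"]].append(c["funded_at"])
        by_join[c["join_ts"]].add(c["wallet"])
        by_netfp[(c["ip"], c["fp"])].add(c["wallet"])
    fresh = {c["wallet"] for c in claims if c["first_claim"] - c["created"] < 86400}
    scores = {}
    for c in claims:
        s = 0.0
        if c["wallet"] in fresh and len(fresh) >= N_COHORT:   # fresh wallets, en masse
            s += 0.3
        t = sorted(by_funder[c["funder"]])                      # N wallets from one funder in 1h
        if any(t[i + N_COHORT - 1] - t[i] <= 3600 for i in range(len(t) - N_COHORT + 1)):
            s += 0.3
        if len(by_join[c["join_ts"]]) >= N_COHORT:              # identical join timestamps
            s += 0.2
        if len(by_netfp[(c["ip"], c["fp"])]) >= N_COHORT:       # same IP+fingerprint
            s += 0.3
        scores[c["wallet"]] = round(s, 2)
    return scores

def route(score):
    """High confidence auto soft-flags; medium goes to the manual review queue."""
    if score >= HIGH:
        return "soft_flag"
    return "manual_review" if score >= MEDIUM else "ok"

# Constructed sample: w1-w3 were created together, funded by one source within an
# hour and joined at the same second from one device; w4 is borderline; w5 is real.
SAMPLE = [
    claim("w1", 1000, 2000, "F1", 1100, 5000, "203.0.113.0/24", "fp-a"),
    claim("w2", 1000, 2000, "F1", 1200, 5000, "203.0.113.0/24", "fp-a"),
    claim("w3", 1000, 2000, "F1", 1300, 5000, "203.0.113.0/24", "fp-a"),
    claim("w4", 1500, 2000, "F2", 1600, 5000, "198.51.100.0/24", "fp-b"),
    claim("w5", 0, 2_000_000, "F3", 5, 5007, "192.0.2.0/24", "fp-c"),
]
```

On the sample, w1 to w3 score high enough to soft-flag automatically, w4 lands in manual review on wallet age plus shared join timing alone, and w5 is untouched.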

Layer 7 — Streamer-side controls

A streamer can configure per-distribution:

  • Minimum BTV stake — raise above 100 if they want extra-strict onboarding (e.g., for a small-but-loyal community distribution).
  • Channel-specific badges required — only subscribers, only mods, only members of a specific Discord with a verified linked role.
  • Geographic blocks — exclude regions where they don't want to reward (sometimes for ToS reasons with their sponsors).
  • Per-viewer cap — already in the data model; default to "even share" but a streamer can cap individuals to prevent a single account from accidentally winning the pool.

Streamers don't need to think about anti-fraud in detail because the platform defaults are sensible. Power users can dial it tighter.

Layer 8 — Compromised-real-account protection

Scenario: a user's Twitch account is compromised, the attacker links a wallet they control, and they claim the accruals.

Mitigations:

  • Wallet signature on every link or relink. A new wallet replacing an existing link is a high-friction event — requires fresh Twitch OAuth + fresh wallet signature + email confirmation if Twitch has an email on file.
  • 30-day cooling-off on relinks. A linked wallet can't be replaced for 30 days after first link. Forces the attacker to wait, which reduces value.
  • Public link history. Each Twitch user_id has its link history visible, so a user can notice when someone else has linked a wallet to their account.
  • Revocation flow. Frontend has a clear "I think my account was compromised" button that pauses accruals pending review.

What we don't do

We don't:

  • Require government ID for normal viewer onboarding. That's a trust-killer for people who already self-custody. KYC only kicks in for Plus-tier streamers and brand sponsors (who are paying funds in).
  • Run real-time face-recognition / proof-of-personhood. Worldcoin-style approaches are an option for Phase 4+ if sybil pressure increases, but we don't ship them by default.
  • CAPTCHA every claim. Adds friction with marginal anti-fraud value.
  • Whitelist trusted viewers. The system has to scale to millions of unknown viewers; we can't curate that.

Measuring success

The KPI for anti-fraud is earned-by-real-users / total-earned. We measure this two ways:

  1. Streamer feedback — they tell us if their pool seems to be going to bots. Streamers see their distribution leaderboard; if it looks weird, they ping us.
  2. Auditable cohorts — we publish (in the quarterly transparency report) the % of total earned that went to wallets above an "engaged real user" heuristic. Target: ≥ 95%.

If the ratio drops, we tighten Layers 4–7. The framework is designed to be tunable without breaking onboarding for honest viewers.