Re: Auroracoin exposed

The post by Dogeconomist on Auroracoin almost a week ago led to a small storm of controversy over the national cryptocurrency. It was revealed that the number of new Airdrop claims dropped strongly since the official launch, and that a significant portion of all claimed Airdrop coins show signs of fraudulent activity at an increasing rate. The conclusion was based on all Auroracoin transactions on the blockchain up until the moment of writing, derived from transactions with a value of 31.8 coins (the available amount per Icelander). As a result, there were 0.40 percent more transactions than actual claims. This is a minor difference that doesn’t affect the main conclusion, but it does create a problem when examining the data in more detail. These differences could have a significant impact on the breakdown of the data.

Data breakdown and claim types

It is, however, important to check further details for more conclusive evidence of actual fraudulent claims. Not every additional claim on a single address is a fraudulent claim by definition. Fraud is defined as using someone’s account data to ultimately only benefit yourself. Couples could be sharing their account data and make a claim to a single address, which would clearly be impossible to classify as a fraudulent claim. People could also give their share to, for example, charity directly which wouldn’t be fraudulent either, and might lead to many claims going to a single address.

On the other hand, people could convince their family and/or friends to give them their share. This still means other people’s identities are used to make a claim one is not entitled to, to benefit only oneself, even though no security is actually breached. It doesn’t help the cryptocurrency to spread beyond the current user base, it just allows the current user base to claim more coins. In fact, it even creates an incentive to withhold some information when it comes to this cryptocurrency. The previous is worse than a security failure, as it is an inherent flaw in the design of national cryptocurrencies such as Auroracoin which cannot be patched.

Capturing fraud

It would follow that a fraudulent claim is most likely to be the case when there is more than one excess claim on a single address. This means it should be examined how many times two, three or more claims are made on a single address. To get the exact numbers, a new method to extract claims from the Auroracoin blockchain was applied. Rather than looking at transactions with a value of 31.8 coins, it is also possible to follow the original premined amount until it splits into an amount of 31.8 coins. The latter case would indicate a successful claim. This method produces an exact match with the official reported number (shown below), which was captured before getting the latest blockchain data.

Airdrop

It was established that the last completed block at this time was block 9,525, hence all data up until this point was collected. The discussed method leads to the following results, exactly matching the official number. The complete data file can be retrieved here (19 MB).

AUR Claims

With this data, it becomes easy to break the number of excess claims down further into the number of cases where two, three or more claims have been made on a single address. The following table shows the distribution of the number of excess claims per address.

Distribution of excess claims

Given the fact that couples might share an address, or that people may gift directly to organizations, it can be observed that between one and a half and two percent of all available Auroracoin Airdrop coins have likely been fraudulently acquired so far.

Classification

Update April 21, 2014: In a response to this article the Auroracoin creator stated that: “I can see who claims what, and where from. Fraudulent claims are extremely rare.” This response seems to apply to security breaches only, as it doesn’t correspond to the definition of a fraudulent claim as used in these articles. It should be noted that the articles already included feedback from another Auroracoin team member, who stated “Sadly I personally know a lot of people here in Iceland who convinced their entire family to just give them their Auroracoins.” As discussed, this can still meet the definition of a fraudulent claim: “Not every additional claim on a single address is a fraudulent claim by definition. Fraud is defined as using someone’s account data to ultimately only benefit yourself.” Furthermore it can be noted the final contents of this article were considered a fair representation.