3.5. Sybil Bidding Mitigation
In anonymous blockchain environments, malicious actors frequently deploy hundreds of Sybil (ghost) accounts to flood auctions, artificially inflate perceived demand, disrupt settlement queues, or waste the seller’s time. Traditional platforms combat this through KYC gatekeeping or IP-based rate limiting, both of which compromise decentralization and user privacy.
Fhenix-FairMarket v2.0 enforces a Collateral-Pegged Entry Barrier that attaches real economic weight to every bid without exposing participant identities or financial intent. By requiring a public dummy ceiling deposit (lockEscrow) and validating encrypted solvency homomorphically, the protocol ensures that only serious, capital-backed participants enter the registry. Coupled with automated seller penalties routed through SlashedPot.sol, Sybil attacks become mathematically expensive and economically irrational.
Core Mitigation Mechanisms
| Mechanism | Implementation | Impact on Sybil Behavior |
|---|---|---|
| Dummy Ceiling Deposit | Users invoke lockEscrow() to deposit a visible maximum spending ceiling (e.g., 5 ETH). | Ghost accounts must lock real capital to participate; spam becomes financially unsustainable. |
| Encrypted Solvency Gate | FHE.lte(encryptedBid, escrowBalances[msg.sender]) validates bid legitimacy on-chain. | Invalid or over-extended bids revert instantly; no wasted gas or coprocessor queue pollution. |
| Seller Accountability Penalties | cancelAuction() during ACTIVE state confiscates 100% of seller deposit. | Sellers cannot shill-bid or cancel strategically without facing severe financial loss. |
| Pro-Rata Compensation Routing | Confiscated deposits route to SlashedPot.sol for equitable distribution to valid bidders. | Victims of manipulation are compensated; platform takes 0% cut, aligning incentives with fairness. |
| NFT Asset Locking | NFTGuard.sol atomically transfers and locks seller assets during ACTIVE state. | Prevents double-selling or rug-pulls; assets remain cryptographically sealed until resolution. |
️ Technical Implementation
1. Capital-Backed Entry & Solvency Validation
The protocol decouples public capital commitment from private bid execution. Users lock funds once, then submit multiple encrypted bids against that balance.
// packages/contracts/core/FhenixFairMarket.sol
/**
* @notice Locks public ceiling deposit for encrypted bidding
* @dev Non-reentrant, supports ETH/WETH
*/
function lockEscrow(uint256 auctionId) external payable nonReentrant {
require(auctions[auctionId].state == AuctionState.ACTIVE, "Auction not active");
require(msg.value > 0, "Zero deposit");
escrowBalances[auctionId][msg.sender] += msg.value;
lastBlockTimestamp = block.timestamp;
emit EscrowLocked(auctionId, msg.sender, msg.value);
}
/**
* @notice Encrypted bid submission with solvency gate
* @dev Reverts if encryptedBid > public escrow balance
*/
function placeBid(uint256 auctionId, InEuint32 calldata encryptedBid) external {
require(auctions[auctionId].state == AuctionState.ACTIVE, "Invalid state");
require(block.timestamp < auctions[auctionId].endTime, "Expired");
// Homomorphic solvency check: Reverts instantly if bid exceeds deposit
FHE.lte(encryptedBid, FHE.asEuint32(escrowBalances[auctionId][msg.sender]));
// O(1) Storage: Only hash is stored
bytes32 bidHash = keccak256(abi.encode(encryptedBid));
auctions[auctionId].ciphertextHashes.push(bidHash);
emit BidPlaced(auctionId, msg.sender, bidHash);
}2. Cancellation Penalty & Pro-Rata Distribution
When a seller aborts an active auction, the protocol enforces economic accountability. The confiscated deposit bypasses direct transfers and enters SlashedPot.sol for equitable distribution.
// packages/contracts/settlement/SlashedPot.sol
/**
* @notice Distributes seller cancellation penalty pro-rata to participants
* @dev Platform takes 0% cut. Funds go entirely to bidders.
*/
function distributePenalty(uint256 auctionId, address[] calldata bidders) external onlyFairMarket {
uint256 penaltyAmount = auctions[auctionId].sellerDeposit;
uint256 participantCount = bidders.length;
require(participantCount > 0, "No bidders to compensate");
uint256 sharePerBidder = penaltyAmount / participantCount;
uint256 remainder = penaltyAmount % participantCount;
for (uint256 i = 0; i < participantCount; i++) {
uint256 payout = sharePerBidder + (i == 0 ? remainder : 0);
escrowBalances[auctionId][bidders[i]] += payout;
}
}3. Asset Custody Enforcement (NFTGuard.sol)
To prevent seller manipulation or double-spending, the NFT is transferred to a guarded vault upon auction creation.
function lockAsset(uint256 auctionId, address nftContract, uint256 tokenId) internal {
require(IERC721(nftContract).ownerOf(tokenId) == msg.sender, "Not owner");
IERC721(nftContract).safeTransferFrom(msg.sender, address(this), tokenId);
// NFT remains locked until state transitions to FINALIZED/CANCELLED/VOIDED
emit AssetLocked(auctionId, nftContract, tokenId);
}️ Security & Economic Alignment
| Threat Vector | Attack Mechanism | Protocol Mitigation |
|---|---|---|
| Sybil Bidding / Ghost Accounts | Fake accounts spamming bids to manipulate perceived demand | lockEscrow() requires upfront capital; empty wallets cannot participate |
| Seller Shill Bidding | Seller uses ghost accounts to artificially inflate price | Cancellation penalty (100% deposit to bidders) makes manipulation economically irrational |
| Bid Overextension / Insolvency | User submits encrypted bid > actual wallet balance | FHE.lte solvency gate reverts instantly; no gas wasted on invalid bids |
| Fund Trapping on Cancellation | Seller cancels, protocol holds deposits hostage | SlashedPot pro-rata distribution unlocks immediately; 0% platform fee ensures fairness |
| Asset Double-Spend / Rug-Pull | Seller transfers NFT away after auction starts | NFTGuard.sol atomically locks asset; IERC721 approval checks enforce custody |
Architectural Impact
| Metric | Traditional Escrow Model | Fhenix-FairMarket Collateral-Pegged |
|---|---|---|
| Capital Commitment | Full bid amount locked per transaction | Single ceiling deposit funds multiple encrypted bids |
| Seller Accountability | Often lacks financial disincentives for cancellation | 100% deposit penalty routed to bidders via SlashedPot |
| Platform Fee Extraction | Often takes 2-5% cut from penalties/refunds | 0% platform cut on cancellations; aligns protocol with user trust |
| Solvency Verification | Requires plaintext balance checks or oracle feeds | Encrypted FHE.lte validates capacity without exposing financial position |
| Asset Security | NFT held in standard escrow, vulnerable to proxy exploits | NFTGuard.sol + state-locked transfers prevents premature movement |
Audit Gate Compliance (P0)
The protocol enforces strict escrow and penalty verification gates. Progression to subsequent phases is blocked until all P0 items pass:
- [] Encrypted Solvency Enforcement:
FHE.lte(encryptedBid, escrowBalances)reverts any bid exceeding the public ceiling; no bypass paths exist. - [] Zero Platform Penalty Cut:
SlashedPot.soldistributes 100% of seller cancellation deposits to participants; administrative fees are strictly excluded. - [] NFT Atomic Locking:
createAuction()fails ifIERC721approval or transfer does not complete; asset custody is mathematically guaranteed. - [] Pro-Rata Distribution Integrity: Penalty shares are calculated deterministically; remainder logic prevents fractional ETH dust loss.
- [] State-Gated Refund Unlock:
claimRefund()only activates afterFINALIZED,CANCELLED, orVOIDED; premature withdrawals revert. - [] Zero Plaintext Leakage: Escrow balances and bid solvency checks execute without emitting or storing plaintext bid values.
Next Steps
- Proceed to 4. Execution Roadmap to review the 6-phase development timeline, audit gates, and deployment strategy.
- Explore 5. Technical Components for detailed contract references, function signatures, and integration patterns.
- See 6. Economic Model for fee distribution, treasury allocation, and keeper incentive mechanics.