Sybil Attack
A Sybil attack is an attempt by a single actor to gain outsized influence over a network by creating many separate identities that appear independent. In a Bittensor subnet, that would mean one party registering many neurons or hotkeys, for example on a subnet such as netuid 1, hoping that controlling more identities translates into controlling more of the rewards or consensus.
References: Understanding Incentive Mechanisms
What It Would Target
The goal of a Sybil attack is leverage from numbers. In Bittensor terms, an attacker holding many UIDs might hope to sway the weights that feed consensus, or to capture a larger share of emissions than an honest single participant. The attack only works if having more identities, on its own, buys more influence.
References: Understanding Incentive Mechanisms
Why Identity Count Alone Does Not Win
Bittensor weights influence by stake rather than by headcount. The documentation describes Yuma Consensus using the stake associated with each UID when it calculates emissions, so a crowd of low-stake identities carries little weight. Gaining real influence still requires proportional stake, which cannot be conjured simply by registering more keys. This stake weighting is a core reason identity flooding does not pay off.
References: Understanding Incentive Mechanisms, Yuma Consensus
The Cost of Each Identity
Numbers also are not free. Registering a neuron carries an economic cost, since registration consumes TAO, so every additional identity an attacker creates has a real price. Combined with stake weighting, this means a Sybil attempt pays a growing cost for identities that, without matching stake, add little influence. The economics are arranged so that flooding a subnet with identities is expensive and weak rather than cheap and powerful.
References: Understanding Incentive Mechanisms, Register
Development Stage Context
The Introduction to Bittensor describes subnet development as moving from localnet to testnet and then mainnet. For a Sybil attack, that sequence changes how the economic resistance should be read, because registration cost and stake only carry production weight on mainnet.
In localnet, registering many identities happens in an isolated environment with no production cost, so identity flooding there demonstrates mechanics rather than real-world resistance.
On testnet, registrations and stake exist on a shared non-production network whose TAO is not mainnet value, so the cost of identities is not a production economic barrier.
On mainnet, each registered identity consumes real TAO and influence is weighted by real stake, so the cost-and-stake resistance described here applies to live subnets such as netuid 1 (Register).
The Bittensor Networks reference separates mainnet, testnet, and localnet. The strength of Sybil resistance observed in one environment should not be read as the resistance on another.
Relationship to Yuma Consensus
Sybil Attack and Yuma Consensus describe related parts of Bittensor’s incentive system. Yuma Consensus is the on-chain process that aggregates validator weight signals within a subnet into miner incentives and validator dividends, applying consensus clipping, bonding, and emission calculation (Yuma Consensus).
For readers, sybil attack names a specific part of that incentive picture, while Yuma Consensus names the consensus process that turns validator weights into the resulting incentives and dividends.
Reader Boundary
This page defines the concept and Bittensor’s economic resistance at a high level. It does not claim attacks are impossible, quantify any specific defense, or describe how to attempt one. The exact registration cost and stake distribution that determine how strong the resistance is on any subnet are live chain state and vary over time.
References: Understanding Incentive Mechanisms
Collusion Seeks Coordinated Weights, Not Extra UIDs
Collusion in Bittensor concerns validators coordinating inflated weights toward favored miners. The documentation describes collusion as an attempt to capture more emissions than honest evaluation would allow by moving the consensus outcome through coordinated weights. A Sybil attack instead tries to gain leverage by registering many separate identities that appear independent.
The two threats use different tools. Collusion manipulates scoring agreement; Sybil flooding tries to multiply UID count. They should not be treated as the same attack pattern (Understanding Incentive Mechanisms).
References: Collusion, Understanding Incentive Mechanisms
Subnet Slot Ceilings Cap Total UID Count
Each subnet has a configurable maximum number of UID slots. The
Subnet Hyperparameters reference
includes max_allowed_uids as that ceiling. A Sybil actor cannot accumulate unlimited on-subnet
identities without either winning open slots or displacing existing participants under the official
deregistration rules.
That capacity limit is separate from stake weighting. Even before emissions are calculated, the slot ceiling bounds how many registrations can coexist on one subnet at once (Glossary: UID Slot).
References: Subnet Hyperparameters, Mining: Miner deregistration
Neuron Lifecycle Includes a Post-Registration Immunity Window
Understanding Neurons lists registration and UID assignment as the first lifecycle steps, followed by an immunity period during which a newly registered neuron is protected from ordinary pruning. Performance metrics build after that grace window rather than at the instant of registration.
Each additional identity an attacker registers therefore pays its own entry cost and enters with the same post-registration immunity rules as any other neuron. This page does not treat that window as a complete Sybil defense on its own (Glossary: Register).
References: Understanding Neurons, Glossary: Immunity Period