Ramblings of a Tampa engineer

Early this week I got an email that roughly said I had $2,200 in unclaimed money. That email is below.

Hello, Connor

I'm writing in regards to your github profile. I found your github profile username listed here. This is the repository of the project. They have been awarding their tokens (a form of cryptocurrency) to developers who have made commits to top repositories or any web3 contributions over the last few years. You can visit their repository yourself and find your profile name listed there. Your github profile is eligible to claim 1800 of their tokens, which is approximately valued at $2200. These tokens can be exchanged for USD on any exchange platform. I don't expect anything from you, however, if you do collect your tokens, it would be appreciated if you could share a percentage with me later for this information. If there are any additional questions, I will be happy to answer.

To make sure it's not a fraud, you can google "Starknet provisions" or there is official twitter post with claim link (340.000 followers): https://twitter.com/Starknet/status/1759966139780620797

best regards,

In the moment I deleted it and thought nothing about it. There were so many "scam" signs in the email like a seemingly random Google account & name mismatch that I was fine just deleting it, Until I got another email.

My name is _____ and I'm a crypto-degen

You are eligible to participate in the StarkNet airdrop program. Sounds like a scam, but read to the end. I am not a spammer or a scammer.

...

Many developers don't even know about this. I find such people in the github file, let them know about it and ask for a percentage of the drop for the information.

At this point I even had a new private message on Twitter of the same message! This I knew was going to be another blog, much like my tea.xyz experience and I got to work investigating.


In my research it appears this was about the provision program where Starknet Foundation was issuing 700 million STRK tokens around. I wondered how I (a random individual) was allocated some tokens despite no involvement with the project.

That didn't take long until I stumbled upon a pie chart that broke it down.

Official (6/12/2024) Starknet Allocation

This pie chart made it clear to me that I fit into a bucket of "Open-Source Developers" and 1 of the 137,256 people that were allocated some tokens.

That category is explained by Starknet:

As mentioned before, blockchain infrastructure, including Ethereum and Starknet, emerged as a result of previous science and engineering advances of what are now, in many cases, open-source public goods.
In order to acknowledge the contribution of the developers who worked on these projects, and in order to encourage more developers outside of blockchain to participate in the blockchain space, some of these developers will be able to claim tokens.

Criteria: Developers who committed at least three times before November 15th, 2023, and with at least one commit between January 1st, 2018, and November 15th, 2023, to one of the top 5,000 GitHub projects (ranked by GitHub stars), and their GitHub profiles can be extracted from their email through the GitHub API, are eligible for Provisions.

So then I wanted to figure out what the data structure of this scraped GitHub was and poked around the GitHub repository until I found a JSON file and found my username within.

{
    "identity": "ibotpeaches",
    "amount": "1911.1"
},

github-1.json

My first thought looking at this wondered why they picked usernames as those can change and sure enough my gut was right. I spotted only one other commit and the title of the commit caught my eye with "Add renamed (originally squatted) usernames"

https://github.com/starknet-io/provisions-data/commits/main/github

This commit called out some issues encountered with this approach.

The issue involves 1796 GitHub usernames identified as squatted. These usernames were originally eligible for provisions but were taken over by individuals who allegedly did not make qualifying contributions, thus being deemed ineligible for inclusion in the Provisions program.
...
We started the process with a list of 1796 squatted usernames. Of the eligible accounts, 866 were renamed, and for 930 accounts, no new username was found, possibly due to account deletion, inactivity during 2018-2023 period, or changing their username before 2018.

I mean who didn't see that coming? You scrape public events from an archive dataset that is 5 years old and work off the username? This explains the mass craze of these individuals frantically researching every username on the sheet in order to find missing usernames.

Once Starknet started noticing this abuse - they audited GitHub usernames which led this army of crypto individuals to find a new method to make money. So I wanted to open a bug report about this spam I was receiving for something I wanted no part in.

However, I wasn't the first to be annoyed by this. There was already 2 other bug reports about other individuals in the same situation as me.

I kept reading more of this GitHub repository and just felt fueled with anger. This is a huge public repository with a scraped collection of GitHub usernames and what do I instead see?

An army of people writing stories about how they were missed, wrong username, etc. Completely unverifiable stories with all the same intent - change something to move tokens elsewhere.

What continued to blow my mind is how many seemingly brand new GitHub accounts exist for every crypto project. We saw this same situation during the tea.xyz spam - all these new GitHub accounts are at the center of all the spam and questions.

Quickly registering accounts as quick as possible to reclaim old usernames? Who knows exactly what is occurring here.

I do know that as a citizen of the United States I cannot even legally use this platform as I'm blocked from accessing the provision panel.

Can’t reach the Starknet Provisions Program portal?
Note that due to regulatory constraints and/or an uncertain regulatory environment, the Starknet Provisions Program and STRK will not be available to the following entities:
...
Any person or entity in the US, and any countries designated by the US or the UK as sanctioned jurisdictions.

So instead I get my username included with a batch of others - leading to increased spam. People associated with Starknet appear (albeit very slowly) to be removing usernames as requested - I thought adding my 2c to the thread would include me in that bucket, but I guess not. Instead, I just opened my own bug report to get my name removed.

In the meantime I'll just blog about my displeasure about Starknet.io and this entire experience.


EDIT

It seems this is just starting to accelerate as 3 users asking for removals is now 8 a few days later.

https://github.com/starknet-io/provisions-data/issues/100
https://github.com/starknet-io/provisions-data/issues/102
https://github.com/starknet-io/provisions-data/issues/105
https://github.com/starknet-io/provisions-data/issues/106
You’ve successfully subscribed to Connor Tumbleson
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Success! Your email is updated.
Your link has expired
Success! Check your email for magic link to sign-in.