Why Your SBTs Are Probably Leaking Your Identity Right Now

Your SBTs are nodes in a public knowledge graph. A single cross-chain transaction or off-chain attestation can link your entire pseudonymous identity.\n- Sybil resistance mechanisms become deanonymization vectors.\n- ENS names and POAPs are primary linking points.\n- Tools like Nansen and Arkham automate this analysis.

Schemas for SBTs (e.g., EAS on Ethereum, Verax on Linea) often store sensitive data on-chain or on IPFS/Arweave.\n- Public attestation graphs reveal social and professional connections.\n- Timestamp analysis exposes real-world activity patterns.\n- Immutable storage means leaks are permanent.

The only viable mitigation is moving proof-of-credential off-chain. This requires ZK-proof systems like zkSNARKs or zk-STARKs.\n- Sismo's ZK Badges prove group membership without revealing identity.\n- Polygon ID uses Iden3 protocol for private claims.\n- Without ZK, SBTs are a privacy anti-pattern.

Deploying SBTs on an L2 like Base or Arbitrum does not guarantee privacy. All data rolls up to Ethereum L1.\n- Cross-rollup messaging (e.g., LayerZero, Axelar) creates bridges for correlation.\n- Shared sequencers (e.g., Espresso, Astria) may centralize data access.\n- The interoperable future increases the attack surface.

Immutable, linkable identity tokens are a compliance nightmare. They create perfect audit trails for OFAC sanctions enforcement and tax authorities.\n- FATF's Travel Rule could be applied to SBT transfers.\n- Chainalysis and Elliptic already track tokenized assets.\n- Pseudonymity is a legal fiction with SBTs.

Wallet recovery mechanisms for SBTs (e.g., via social guardians) require trusted entities. This creates centralized identity oracles.\n- Lens Protocol handles social graph recovery.\n- Ethereum Attestation Service guardians become high-value targets.\n- The recovery system is a single point of failure for anonymity.

Storing credentials or attributes directly in SBT metadata is a permanent, public leak. This creates a global correlation database for any entity with an indexer.

• Data is immutable and permanent
• Exposes PII, affiliations, and reputation
• Enables mass surveillance and profiling

Even with private metadata, the transaction graph linking your SBT wallet to other activity (DeFi, NFTs, social) is fully exposed. This is the primary vector for deanonymization.

• Connects pseudonymous identities across protocols
• Reveals social graphs and financial behavior
• Defeats the purpose of a 'soul'

Move verification logic off-chain with ZKPs. Store only a cryptographic commitment (e.g., a hash) on-chain. This proves credential validity without revealing the underlying data.

• Leverage Semaphore, Sismo, or Polygon ID
• Selective disclosure of attributes
• Breaks on-chain linkability

Use a canonical registry (like Ethereum's ERC-5564) to generate a unique, unlinkable stealth address for each interaction. This severs the transaction graph.

• Prevents graph analysis from the root
• Each app interaction uses a fresh address
• Integrates with existing SBT standards

Maximum privacy (ZK + Stealth) can reduce composability. Protocols like Worldcoin or Gitcoin Passport show that some linkability is often required for sybil resistance and reputation.

• Architect explicit privacy tiers
• Use attestation aggregators like EAS
• Define clear data minimization policies

If you're building with SBTs, audit this now:

• Are any raw attributes stored on-chain?
• Can user activity be linked across dApps?
• Do you support revocation without revealing the holder?
• Is your indexer leaking correlation data via API?