Identity Graph

The foundational identifier in a Web3 identity graph. A DID is a globally unique, cryptographically verifiable identifier controlled by the user, not a central authority. It is the root node in the graph, linking to various Verifiable Credentials (VCs) and attestations.

• Example: did:ethr:0xab32...1c
• Key Property: Self-sovereign, portable, and resistant to censorship.

Tamper-evident, cryptographically signed attestations linked to a DID. These are the edges and attribute nodes in the identity graph. A VC can represent a KYC check, a proof-of-humanity attestation, or a guild membership.

• Structure: Contains claims, issuer's DID, proof (signature), and expiration.
• Standard: Based on the W3C Verifiable Credentials Data Model.

The core data model that connects DIDs, VCs, and on-chain/off-chain activity into a network. This structure enables complex queries about reputation, social connections, and sybil resistance that a simple list cannot.

• Nodes: Represent entities (users, organizations, contracts).
• Edges: Represent relationships (holds credential, interacted with, is member of).

A primary function of identity graphs is to distinguish between unique humans and duplicate or bot-controlled identities. This is achieved through attestation graphs and consensus mechanisms among trusted issuers.

• Methods: Proof-of-personhood protocols (e.g., Worldcoin, BrightID), social graph analysis, and biometric verification.
• Goal: Enable fair distribution of resources (airdrops, governance power) and prevent spam.

Identity graphs allow for the computation of portable reputation scores based on the aggregated history and quality of a DID's connections. Different applications can define their own scoring algorithms over the same underlying graph.

• Inputs: Transaction history, credential age, social connections, governance participation.
• Output: A context-specific score for undercollateralized lending, governance weight, or access control.

A well-designed identity graph is not siloed within a single application or chain. It uses open standards (DIDs, VCs) to allow users to port their identity and reputation across different blockchains and dApps.

• Standards: W3C DID, Verifiable Credentials, Ethereum's EIP-712 for signed typed data.
• Benefit: Reduces onboarding friction and creates network effects across the ecosystem.

Projects use on-chain identity graphs to filter out Sybil attacks—where a single entity creates many fake accounts—to ensure fair distribution of tokens or rewards. By analyzing transaction patterns, social connections, and credential attestations, protocols can construct a graph to identify unique humans. This is critical for retroactive airdrops, quadratic funding, and governance systems where one-person-one-vote is desired.

Identity graphs enable soulbound tokens (SBTs) and reputational data to serve as collateral for under-collateralized loans in DeFi. A user's graph, built from verified credentials like payment history, educational attainment, or professional licenses, creates a reputation score. Protocols like ArcX and Spectral use this to assign on-chain credit scores, allowing trusted borrowers to access capital without over-collateralization.

Users can control and monetize their own identity graph through zero-knowledge proofs (ZKPs). Instead of revealing raw data, users generate ZK proofs that attest to specific claims (e.g., "I am over 18" or "my credit score is >700"). Projects like Sismo and zkPass facilitate this, allowing users to aggregate credentials into a private, user-controlled graph and selectively disclose verifiable statements to applications without exposing the underlying data.

An identity graph links pseudonymous addresses to a single entity, creating a comprehensive behavioral profile. This process inherently risks deanonymization, where a user's real-world identity can be inferred by correlating on-chain activity with off-chain data leaks or metadata. The primary threat is the aggregation of data across multiple protocols and chains, which can reveal sensitive financial patterns, social connections, and transaction histories that were intended to be separate.

Most blockchain identity graphs are constructed without explicit user consent, operating on the principle that public ledger data is free to analyze. This raises critical questions about data sovereignty and the right to control one's digital footprint. Key considerations include:

• Opt-out mechanisms: The lack of standardized tools for users to prevent their addresses from being linked.
• Data provenance: Users often have no visibility into who has built a graph containing their activity or for what purpose.
• Immutability conflict: The permanent nature of blockchain data clashes with concepts like the 'right to be forgotten' found in regulations like GDPR.

For DeFi protocols and dApps, integrated identity graphs can become an attack vector. Risks include:

• Sybil resistance flaws: Over-reliance on graph-based scoring for airdrops or governance can be gamed by sophisticated actors who understand the linking algorithms.
• Targeted exploits: Attackers can use graph data to identify and target 'whale' wallets or specific user cohorts for phishing, social engineering, or tailored smart contract exploits.
• Oracle manipulation: If governance or pricing oracles incorporate reputation scores from a graph, compromising the graph's integrity could have systemic consequences.

Emerging cryptographic methods aim to enable graph analysis while protecting user privacy. These include:

• Zero-Knowledge Proofs (ZKPs): Allowing users to prove attributes (e.g., 'I have >X reputation') without revealing the underlying transaction graph.
• Secure Multi-Party Computation (MPC): Enabling collective computation on encrypted address data so no single party sees the raw links.
• Differential Privacy: Adding statistical noise to graph query results to prevent the identification of individuals while preserving aggregate insights. These techniques represent the frontier of balancing utility with privacy in on-chain analysis.

The construction and use of identity graphs intersect with several regulatory frameworks, creating compliance overhead for the firms that build and use them. Key areas of scrutiny are:

• Financial surveillance: Graphs used for Anti-Money Laundering (AML) and Know Your Transaction (KYT) must themselves comply with data handling and reporting regulations.
• Cross-border data transfer: Graphs that aggregate global data may violate data localization laws.
• Consumer protection laws: Misleading scores or discriminatory outcomes based on graph data could lead to liability under unfair practice statutes.

The entity that controls the definitive identity graph holds significant power in the ecosystem. This creates a centralization risk in a decentralized network. Concerns include:

• Single point of failure/censorship: A dominant graph becomes critical infrastructure; its failure or bias can exclude users from financial services.
• Gatekeeping: The graph operator can effectively decide which addresses are 'reputable,' influencing access to credit, governance, and rewards.
• Opaque algorithms: The proprietary linking heuristics and scoring models are often black boxes, making it difficult to audit for fairness or accuracy.