Blockstack PBC announced on Jan. 29 the completion of its “Milestone II” that unlocked $6.8 million from its 2017 initial coin offering. The project claims to have on-boarded one million verified users, an achievement that some in the community did not believe. Cointelegraph conducted an analysis of blockchain data to see if this claim could be confirmed.

The importance of the milestone

The Blockstack initial coin offering (ICO) was conducted in November 2017 through the CoinList platform. It was notable for being “SEC-qualified,” meaning that it had stronger reporting obligations to the regulators and implied that it was not at risk from getting prosecuted by the Securities and Exchange Commission. It was offered to both accredited and retail investors.

The offering was also structured in result-based milestones that would unlock portions of the collected funds. There were two of these milestones, with the first one requiring the successful launch of the network’s mainnet by January 2019. To unlock the second milestone, the project had to reach one million verified users, a result that would be checked by an ostensibly independent advisory board.

Notably, Blockstack pledged to return to the investors 80% of the funds locked by each milestone if it failed to deliver.

Blockstack’s core value proposition is to provide a verifiable identity secured by blockchain, which can be utilized by approved entities. This is being used to create an ecosystem of apps that are authenticated with Blockstack ID.

It stands to reason that given this system, the presence of one million verified users could be conceivably verified by analyzing Blockstack’s blockchain data. The definition used by the advisory board includes all possible manners of verification, including via social media accounts or government-issued ID. These should be visible on the platform’s API.

How a verified account looks on the platform — note the Twitter icon. Source: Blockstack Explorer

Methodology used

While Blockstack uses Bitcoin’s OP_RETURN operation to store data on the blockchain, it is not immediately readable. Blockstack provides its own Bitcoin explorer that includes detailed information on all the usernames saved on the blockchain.

We used penetration testing tools to crawl through the entire history of Bitcoin blocks until May 25, 2018 — the date of the first operation recorded on Blockstack’s wallet used for assigning names. We filtered through only the blocks that the API reported as having “name operations,” which netted a list of 17,000 blocks.

This list was fed into another crawler that extracted 1.5 Gigabytes worth of block data, which crucially included details on all name operations.

We filtered this list to only include usernames, without any additional data such as time of creation.

The blockchain recorded a total of 1,997,949 names, though this figure also includes duplicates from top level domains (about 15,000).

Seeking to fully confirm whether the users are verified, we set out to issue API requests for each user found through this method. However, the sheer time required to make 1.9 million requests, in addition to eventual server restrictions, meant that we had to limit ourselves to a sample of just 50,000 users.

Curious findings

While the research appears to at least confirm the user count reported on Blockstack’s explorer homepage, a deeper look shows some peculiar characteristics to the usernames.

Specifically, many usernames have either an “fc-” or “bc-” prefix on them.

A peek into some of the usernames on Blockstack. The list is ordered chronologically, not alphabetically.

In fact, there are 1,316,894 “fc-” names and 325,356 names with “bc-” in them. Searching for these names in the block explorer yields a “no results” page — which is distinctly different than querying for a user that actually does not exist.

Given these findings, it appears that only about 400,000 of Blockstack users are actually verifiable in some way through the platform. The API does return valid data for both “fc-” and “bc-” names, but after more than 2,000 probe requests the software did not provide verification details for a single one of these users — which led us to interrupt the search.

Out of the 50,885 users we sampled from the remaining 400,000, only 1,565 had any mention of a verification. This is a rate of approximately 3% verified users.

In a July 2019 filing with the SEC, Blockstack revealed its own figures:

“Of those 115,780 accounts, approximately 16,100 accounts had provided a “social proof” as evidence of having a human user, such as a GitHub link or Twitter message link.”

The figure of verified accounts amounts to 14% of Blockstack users. This would still be well short of the necessary 50% dictated by its total user count.

Are the weird names the answer?

Blockstack used several initiatives to onboard users toward the end of 2019. One of these is the Blockchain.com airdrop, enacted in October 2019. The company reported to have distributed Stacks tokens to over 300,000 users — which corresponds to the amount of “bc-” users. Each of those people was supposed to be verified by Blockchain, Inc. through a full know your client (KYC) procedure.

In a call with Cointelegraph, Blockstack PBC CEO Muneeb Ali explained that the blockchain does not contain any verification data that would expose private user information, such as phone numbers or government IDs.

He confirmed that the “bc-” names are indeed resulting from the Blockchain, Inc. airdrop. As for “fc-” names, Ali did not wish to disclose their origin, but he mentioned that they are part of a user acquisition strategy that “the company will announce in the coming weeks,” while emphasizing that all of them are verified.

Is Blockstack guilty of wrongdoing?

Commenting on the debacle, Ali believed it was a misunderstanding, saying that “people are under the impression we claimed to have one million active users.”

He explained that the milestone was defined in 2017 according to a very specific legal definition, which required users to be registered on the blockchain. However, it did not specify how they were supposed to be verified — this was at the discretion of the company.

An SEC filing reveals that Blockstack paid Blockchain, Inc. up to $3.85 million for the airdrop. Even though they were paid for, the KYC requirement ensures that all of the airdrop participants are real people — something that the social verification system does not guarantee.

Ali noted that the company largely moved away from social verification, precisely because it could be easily falsified. He also revealed that the team is working on creating blockchain signature records for other types of verification.

Ali emphasized that the milestone was a self-imposed requirement, which he described as a testament to Blockstack’s transparency.

While there is some ongoing uncertainty over the origin of the “fc-” names — which will hopefully be cleared soon — Blockstack could have easily created an army of fake social media accounts that would have passed a superficial blockchain test.

It also probably would have been cheaper than paying Blockchain, Inc. for an airdrop that only took it one third of the way.