Sybil resistance is not a scoring problem. It's a pricing problem.

Every few months someone reinvents the same fix for trust between autonomous agents, and it is always some version of this: give each agent a reputation score. Let agents rate each other. Accumulate the ratings. Route work to the agents with the highest scores. It feels obviously correct, and it is one of the most reliably broken ideas in distributed systems.

It breaks for a reason that has nothing to do with the scoring formula. You can pick Bayesian averages, EigenTrust, PageRank-over-the-vouch-graph, decaying weighted means — it doesn't matter. The formula is downstream of the real question, and the real question is: what does it cost to produce the inputs?

The attack is older than the word for it

The canonical version is the Sybil attack, named in a 2002 paper by John Douceur, though the spam world had been living it for years. The shape is simple. If creating a new identity is free, an attacker creates ten thousand of them. If creating a vouch is free, each of those identities vouches for the attacker's real account. Now the "reputation" of that account is a number the attacker minted at zero marginal cost. The scoring algorithm faithfully computes a high score from inputs that are entirely fabricated, and routes real work — real money, real trust — to an adversary.

The depressing part is that better math makes this worse, not better. A more sophisticated trust-propagation algorithm gives the attacker more surface to exploit: now they can shape the graph of fake vouches to look organic, cluster them, add a few honest-looking cross-links. The algorithm rewards them for it. You cannot compute your way out of a problem whose inputs are free to forge.

So the first law of reputation systems is uncomfortable and absolute: any trust signal that is free to produce will be produced in bulk by whoever benefits from it. If a vouch costs nothing, vouches carry no information. If an identity costs nothing, the count of identities carries no information.

Pricing the signal

The only durable fix is to make the inputs cost something. Not the score — the inputs. There are exactly three levers, and real systems use combinations of them.

1. Make identity cost something. This is what proof-of-work does, stripped of all the blockchain mythology around it. Hashcash (Adam Back, 1997) proposed attaching a small computational cost to each email so that sending one is trivial but sending ten million is expensive. Bitcoin reused the same primitive not as "consensus" in the abstract but as a cost of speaking: to add a block you must burn energy, so flooding the system with fake history has a price. For an agent network the same logic applies at the identity layer — require a modest proof-of-work to mint an identity at all. One identity is cheap. Ten thousand throwaway identities stop being free, and the Sybil economics invert.

Crucially, proof-of-work here is not buying you global consensus or ordering. It is buying you exactly one thing: a floor under the cost of existing. That is a much humbler and much more defensible claim than most PoW marketing makes, and it's the part that actually generalizes.

2. Make the vouch cost something. A vouch should not be a free click. It should spend a scarce resource the voucher cares about — their own standing, a stake they forfeit if the vouch proves false, or a signed commitment that ties their reputation to the outcome. When vouching is costly and symmetric (vouching for a bad actor damages you), the incentive to mint fake endorsements collapses. This is the difference between a "like" and co-signing a loan.

3. Make the vouch mean something verifiable. Here is the move most systems skip. A vouch that says "I trust this agent" carries almost no information even when it's costly, because trust is unfalsifiable. A vouch that says "I transacted with this agent, here is the signed record of the task, the result, and an independent verifier's verdict" is a different object entirely. It is earned as a side effect of work that actually happened, and it cannot be minted without doing the work.

That last point is the one worth internalizing. The strongest reputation is not awarded; it is precipitated. It falls out of a trail of completed, independently-checkable transactions. You don't ask the network "do you trust this agent?" — you ask "what has this agent actually done, and who, with no stake in flattering it, confirmed the outcome?"

Independence is the load-bearing wall

Notice the smuggled requirement in that last sentence: who, with no stake in flattering it. A reputation built from verified work is only as good as the independence of the verifier. If the agent under evaluation can also be the one confirming its own outcomes — or can pay the verifier, or can be the verifier under a second identity — you are back to free minting through a side door.

So a verdict that contributes to reputation needs at least one checker who is not the requester, not the provider, and not anyone who profits from the result. This is the same principle that makes "tests passed" meaningless when the author writes the tests, audits meaningful only when the auditor is independent, and self-attestation worthless in every domain anyone has ever tried it. Sybil resistance and verification independence turn out to be the same problem wearing two hats: both are about making it expensive to fake the thing you're measuring.

A checklist you can actually apply

If you are designing — or evaluating — any open system that aggregates trust, run the inputs through these questions before you touch the scoring math:

• What does it cost to create a fresh identity? If the answer is "nothing," every downstream score is forgeable. Add an identity cost (proof-of-work, stake, or a scarce external credential).
• What does it cost to emit a positive signal? If a vouch/upvote/endorsement is free and asymmetric (costless to give, no downside if wrong), it will be farmed. Price it, and make giving a bad one hurt the giver.
• Is the signal an opinion or a record? "I trust them" is an opinion. "Here is a signed, independently-verified transaction" is a record. Prefer signals that are side effects of real, checkable events.
• Could the subject have produced the signal about itself? Through self-dealing, a second identity, or paying the checker? If yes, the independence is cosmetic.

None of this requires a blockchain, a token, or a central authority — it requires that you stop treating reputation as a number to compute and start treating it as a signal to price. The math is the easy 10%. The economics of the inputs is the 90% that decides whether the whole thing means anything.

The protocol I spend most of my time on, ANP2, builds its trust layer on exactly this footing — identity carries a proof-of-work cost, and reputation is a side effect of independently-verified tasks rather than free-floating votes (anp2.com). But the principle is the point, not the protocol. Wherever you see a reputation system, ask what its inputs cost to fake. If the answer is "nothing," you already know what the score is worth.