web3 servers and security

Compromised Discord servers, phishing attacks, NFT scams, DM harassment, spam in every channel. As you build a web3 community, you will encounter Sybil attacks, security threats and malicious bots trying to take advantage of you and your community.

Besides the obviously more dangerous aspects of getting scammed into giving up private keys to your wallet, personal information or compromising your whole server, we can collectively agree that we are all tired of taking 5 minutes every morning to block our scammer DMs, right?

I will introduce you to what you can expect from scammers, to the basics of security and what you can do today to protect yourself and your community better.

The problemo

As much as our tech stack and expertise are evolving, these security breaches still happen, even in larger, well-established communities.

BAYC, one of the largest blue chip NFT communities, was exploited on Apr 1st through a hack of a ticketing bot.

https://twitter.com/crypto/status/1509969180149403650?s=20&t=Ye1zeuhxiRBnxtFv21jY_A

Moderators still have to make announcements like this on a regular basis - FWB is no exception.

We had one of these DM raids on our own server @guildxyz, before we shipped and started using Guild Guard (more on this later in the solutions section).

Bad actors are getting smarter. Some swindlers have well thought out operations to gain control over someone's Discord account and their whole identity there.

We gotta be smarter too. This is a real pain for operators, managers and the community as a whole.

Community security and individual privacy are too important not to pay more attention to.

The basics on Security

It's all about protecting access to your information. Your identity, wallet holdings, social connections, personal data, and so much more.

Security is having undisturbed power over sharing your information, so NO ONE can dig into it and extract it. Self-sovereignty over identity, assets and community is a double-edged sword.

If your security is compromised, there is no one to protect these and the aftermath of a breach can expose you or even make you lose control over your information. In this scenario your privacy is also gone.

Bummer

In a server, security can mean having tools and mods protecting it from bad guys.

It is our duty as builders and more experienced crypto folks to educate the newbies and establish a safer environment for all.

Available solutions

The more tools we use, the more we increase our exposure to breaches. Pick your solutions, and use them with caution.

There are a few "good" bots and authentication systems that filter out malicious bots, such as:

  • Discord native settings: see this guide by @Jon_HQ, @lukenamop & @grassy.eth here

  • Manually granting membership upon request: common with social DAOs, such as @FWB or @BoysClub. Newbies are required to fill out a form to gain access to the Discord server.

  • Captchas: more bots can get through these than not

  • Phone number authentication like in the @IndiGG server

  • Server auditing services

But c'mon now, we are web3 native. Let's use more advanced tech that is available for us. I suggest we combine the above with wallet authentication and more sophisticated tech that is available for us in web3.

What can you do today to make your server safer?

web2.5

  • Apply the following settings in your Discord. In any case, make sure to check permissions for each role within the server

  • Verification gate for newcomers: try Wick bot or Captcha Bot

  • Moderating spam: MEE6; Wick bot has this built in as well

web3

  • Implement Guild Guard for on-chain based extravaganza. By extravaganza I mean using Ethereum technology to keep out bots from Discord servers. Put everyone who doesn't have a role yet in an "empty" waiting room, so they can't access your server members or content. They only see the authentication flow which requires them to operate an EVM wallet. This way bots won't be able to DM your members with scams or post phishing links in the announcement channel.

  • Watch out for verifiable on-chain credentials: PolygonID, Proof of Humanity, KYCDAO, Disco.xyz, Sismo.io, Proof of Personhood etc. These will eventually play a huge role in the way we access groups, prove our identities and participate in communities.
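
The advice above to check permissions for each role, and to keep members without a role in an "empty" waiting room, can be checked mechanically. This is an added example (not from the original post and not Guild Guard's code) that audits role objects in the shape Discord's API returns; the policy sets, role names and ids are constructed assumptions.

```python
# Permission bits from Discord's documented permissions bitfield.
P = {"CREATE_INSTANT_INVITE": 1 << 0, "KICK_MEMBERS": 1 << 1, "BAN_MEMBERS": 1 << 2,
     "ADMINISTRATOR": 1 << 3, "MANAGE_CHANNELS": 1 << 4, "MANAGE_GUILD": 1 << 5,
     "VIEW_CHANNEL": 1 << 10, "SEND_MESSAGES": 1 << 11, "MENTION_EVERYONE": 1 << 17,
     "MANAGE_ROLES": 1 << 28, "MANAGE_WEBHOOKS": 1 << 29}
# An unverified member should hold none of these at server level (assumption: the
# verification channel is opened to @everyone by a per-channel overwrite instead).
WAITING_ROOM_DENY = {"VIEW_CHANNEL", "SEND_MESSAGES", "MENTION_EVERYONE", "CREATE_INSTANT_INVITE"}
STAFF_ONLY = {"ADMINISTRATOR", "KICK_MEMBERS", "BAN_MEMBERS", "MANAGE_CHANNELS",
              "MANAGE_GUILD", "MANAGE_ROLES", "MANAGE_WEBHOOKS", "MENTION_EVERYONE"}

def decode(bitfield):
    """Turn the API's decimal-string bitfield into a set of permission names."""
    value = int(bitfield)
    return {name for name, bit in P.items() if value & bit}

def audit_roles(guild_id, roles, staff_role_ids):
    """Return sorted (role name, finding) pairs for roles that break the policy."""
    findings = []
    for role in roles:
        held = decode(role["permissions"])
        if role["id"] == guild_id:  # the @everyone role shares the guild's id
            for perm in held & (WAITING_ROOM_DENY | STAFF_ONLY):
                findings.append((role["name"], f"unverified members get {perm}"))
        elif role.get("managed") and "ADMINISTRATOR" in held:
            # Bot/integration role: if the bot is compromised, so is the server.
            findings.append((role["name"], "bot role holds ADMINISTRATOR"))
        elif role["id"] not in staff_role_ids:
            for perm in held & STAFF_ONLY:
                findings.append((role["name"], f"non-staff role holds {perm}"))
    return sorted(findings)

# Constructed sample in the shape of Discord role objects (not real server data).
GUILD_ID = "1000"
SAMPLE_ROLES = [
    {"id": "1000", "name": "@everyone", "permissions": str(P["VIEW_CHANNEL"] | P["SEND_MESSAGES"]), "managed": False},
    {"id": "1001", "name": "verified", "permissions": str(P["VIEW_CHANNEL"] | P["SEND_MESSAGES"]), "managed": False},
    {"id": "1002", "name": "ticket-bot", "permissions": str(P["ADMINISTRATOR"]), "managed": True},
    {"id": "1003", "name": "og-member", "permissions": str(P["VIEW_CHANNEL"] | P["MENTION_EVERYONE"]), "managed": False},
    {"id": "1004", "name": "moderator", "permissions": str(P["KICK_MEMBERS"] | P["BAN_MEMBERS"]), "managed": False},
]

if __name__ == "__main__":
    for name, finding in audit_roles(GUILD_ID, SAMPLE_ROLES, staff_role_ids={"1004"}):
        print(f"{name}: {finding}")
```

An empty result for the @everyone role means a freshly joined account, bot or human, has nothing to read and nobody to message until it passes the verification flow.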

Users and consumers tend to not care about security too much until there is a problem. It is our responsibility as builders to find solutions that protect them and their information even from us, so data won't be as commodified as it has been in recent years.

I am not an expert, but I want to share knowledge I've gathered so far. If you have any Qs, feel free to reach out: @reka.eth

Big thanks to Evin, Nathan, Claude, D3v, Nasheq for oversight.
