Web3 Discord server security
0xc84F
August 26th, 2022

Web3 communities are a prime target for scammers, especially as their popularity grows. With all the ways that Discord users can be reached, how can you consistently protect your community? Thankfully, the security you need is now built into Discord. Their security help article covers the basics, but this will get you the rest of the way.

Basics

Content

Large numbers of spammers can flood your server with low quality content to distract administrators and moderators from threats, as well as flood your server logs with events such as role assignments and members joining to hide the changes they make. This is sometimes referred to as a server raid. They may also post unapproved links in an attempt to steal community member credentials and tokens. Always configure the following settings to help protect your server from this:

  • Choose the Highest option in Safety Setup so that only Discord accounts with a verified phone number can join your server
  • Set up Rules Screening so that all members must perform manual actions before posting messages, decreasing the ability of bots to post unwanted content
  • Do not allow any users except for moderators and administrators to post links, including bots, unless this is absolutely necessary for verification or security
  • Configure the AutoMod feature to Block Spam Content in all public channels

Permissions

  • Two-factor authentication (using authenticator apps that generate six-digit codes, such as Google Authenticator on Android OS or iOS) should be enabled on every account that can use @mentions or post to announcement channels
  • All moderators and administrators should revoke (and not grant) permissions for other apps to administrate your server or post as them
  • Try using a test Discord account on your server to post links and perform other actions that can be abusive, or use the View Server as Role feature if your test account can’t join your server because it doesn’t have a verified phone number

Advanced

Audit

If you know of an individual or team that can be trusted to secure your server or verify that it has been secured, and you have time to schedule an audit, it’s worth the time and cost to have them identify risks. If you want to have a good understanding of what permissions could put your server at risk, have the auditor join you in a screen share so you can make the changes yourself. The auditor should check for the following, and more:

  • Bots and integrations that are not widely used, or clones of popular ones
  • Webhooks and announcement channel following that can deliver bad content
  • Bot permissions that allow assigning roles which let users post announcements or view private channels

Logs

Designate administrators or senior moderators to monitor logs for administrator activities to see if bots or other administrators are performing suspicious tasks, such as granting elevated permissions. Some bots can post specific log entries to a channel.
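Some of this monitoring can be automated. The following is an added example written for this post (not a Discord feature or any particular bot's code): it scans Discord-style audit log entries, constructed inline with placeholder ids, for the events this section and the audit checklist call out: elevated permission bits added to a role, a bot assigning roles to members, and webhook creation. The action-type numbers and permission bits are the ones documented in the Discord developer API; the set of bot ids is assumed to be supplied by you.

```python
# Discord permission bits (developer docs) that give a role more reach than a
# normal community member needs; any of these being added is worth a look.
ELEVATED = {
    "ADMINISTRATOR": 1 << 3,
    "MANAGE_GUILD": 1 << 5,
    "MENTION_EVERYONE": 1 << 17,
    "MANAGE_ROLES": 1 << 28,
    "MANAGE_WEBHOOKS": 1 << 29,
}
# Audit log action types from the Discord API.
MEMBER_ROLE_UPDATE, ROLE_CREATE, ROLE_UPDATE, WEBHOOK_CREATE = 25, 30, 31, 50


def newly_granted(old: str, new: str) -> list[str]:
    """Elevated bits present in `new` but not `old` (Discord sends bitfields as decimal strings)."""
    gained = int(new) & ~int(old)
    return [name for name, bit in ELEVATED.items() if gained & bit]


def flag_entry(entry: dict, bot_ids: set[str]) -> list[str]:
    # Return human-readable findings for one audit log entry, [] if it looks routine.
    actor = entry["user_id"]
    who = f"bot {actor}" if actor in bot_ids else f"user {actor}"
    action, target = entry["action_type"], entry["target_id"]
    findings = []
    if action in (ROLE_CREATE, ROLE_UPDATE):
        for change in entry.get("changes", []):
            if change["key"] == "permissions":  # ROLE_CREATE has no old_value
                bits = newly_granted(change.get("old_value", "0"), change["new_value"])
                if bits:
                    findings.append(f"{who} gave role {target} {', '.join(bits)}")
    elif action == MEMBER_ROLE_UPDATE and actor in bot_ids:
        for change in entry.get("changes", []):
            if change["key"] == "$add":
                names = ", ".join(r["name"] for r in change["new_value"])
                findings.append(f"{who} assigned role(s) {names} to member {target}")
    elif action == WEBHOOK_CREATE:
        findings.append(f"{who} created webhook {target}")
    return findings


def scan(entries: list[dict], bot_ids: set[str]) -> list[str]:
    return [f for e in entries for f in flag_entry(e, bot_ids)]


# Constructed sample entries (placeholder ids, not real Discord snowflakes).
SAMPLE_ENTRIES = [
    {"id": "1", "user_id": "BOT_1", "action_type": 31, "target_id": "ROLE_verified",  # 3072 = view + send
     "changes": [{"key": "permissions", "old_value": "3072", "new_value": str(3072 | (1 << 28) | (1 << 17))}]},
    {"id": "2", "user_id": "BOT_1", "action_type": 25, "target_id": "MEMBER_42",
     "changes": [{"key": "$add", "new_value": [{"id": "ROLE_ann", "name": "Announcer"}]}]},
    {"id": "3", "user_id": "MOD_7", "action_type": 31, "target_id": "ROLE_verified",
     "changes": [{"key": "name", "old_value": "Verified", "new_value": "Member"}]},
    {"id": "4", "user_id": "MOD_7", "action_type": 50, "target_id": "WEBHOOK_9"},
]
```

Running scan(SAMPLE_ENTRIES, {"BOT_1"}) flags the role permission bump, the bot-assigned role and the new webhook, and stays silent on the plain rename by a human moderator.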

Lockdown

If you're concerned about security threats due to other Discord servers being attacked, or during important times such as your project minting a token, there are ways to quickly protect your existing community from attacks while focusing on crafting clear announcements and answering questions. These changes can also be quickly reverted.

  • Pause Invites for your server in Server Settings > Invites > Pause Invites
  • Turn on Slowmode for all public channels, with a setting of at least 1 minute, so that moderators and administrators can keep up with questions. Outside of a lockdown, I recommend a Slowmode of 5 seconds in all public channels at all times on most Discord servers
  • Temporarily stop members from editing their roles by denying bots the permission to manage roles, improving security while making your logs more clear for audits

Conclusion

As ways to exploit users continue to evolve, so does security. Contact me on Discord at Tidus#7150 or mention @tidus on Twitter at any time with feedback and questions.

This entry has been permanently stored on-chain and signed by its creator.