GIP-47: Discord server security audit

Authors: RP2743

Summary: Goldfinch aims to further increase Discord server security by reducing the probability of different attacks on community members. For this reason we ask the Goldfinch community to approve a transfer of 5,000 USDC from the budget for community driven activities [according to GIP-36] to compensate the Warbler Labs team's expenses for a security audit handled by Jon_HQ#0001, who is a well known Discord Security Specialist.

Motivation: On the 17th of April, the Discord account of @RP2743 (one of the community managers) got compromised due to a phishing attack from a malicious community member. Once fraudsters hacked his account they posted a malicious announcement on the Goldfinch server, containing a phishing link. Thanks to a quick reaction from other community managers, including @RP2743 himself, and a few members of the Warbler Labs team, the malicious announcement was deleted quickly and access to the @RP2743 account was restored. No damage was caused to anyone from the community and no complaints were received from community members either. However, the Warbler Labs team was motivated to solicit Jon_HQ#0001 to carry out a security audit to improve server security.

Jon_HQ#0001 has already completed Discord Security audits for large projects like Pudgy Penguins, Mutant Hounds, Street Machine, Chubbiverse, and many others. He is well known in the space for providing this service.

Jon_HQ#0001 Socials:

LinkedIn profile: https://www.linkedin.com/in/jonholmquist/
Twitter account: https://twitter.com/Jon_HQ
Website: https://jonhq.com/

The audit report usually consists of the following checks:

Pre-audit Review
Cold Admin Setup
Bot Installation and Coverage Review
User Webhook Review and Deletion
Bot Generated Webhook Inspection
Server Settings Analysis
Channel Usage Overview
Role Usage Review
Role Permission Overhaul
Dangerous Role Permission Removal
Set up Announcement Bot
Category Permission Setup
Channel Permission Sync + Modification
Automoderator Bot Setup
Wick Bot Configuration
Anti-webhook Bot Setup
Team/Staff Training + Command Guide
Second Full Check of All Roles and Channels on an Alt
Third Full Check Using Bot Export Of Perms

The audit report is designed to consider and minimize the following attack vectors:

Team Vectors

Server Owner Phish
Team Admin Phish
Collab Manager Phish
Moderator Phish
Team or Moderator Insiding

Bot Vectors

Bot with Admin Perm Compromise
Bot with Dangerous Perm Compromise
Non-security Bot Compromise
Fake Bot Install
Bot Misconfiguration

User Vectors

Ping Permission Error
Self-bot Raid
Fake Trade or Fake Collection Links
Impersonation Bot DM Spam
User Permission Escalation

The Discord security audit will include going through every setting, inspecting every single bot, every role and channel, and then lots of testing to make sure that in the case of a compromised account there is minimal damage.

For example, a recent audit for Mutant Hounds had 2,558 different individual channel permissions that were flagged as a soft fail when Jon_HQ#0001 did an automated check on their setup. Each of those failures needs to be checked, understood, and then secured properly. There is no one-size-fits-all solution for each community.
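To make the "automated check on their setup" concrete, here is an added example of the kind of permission sweep such an audit runs; it is illustration only, not Jon_HQ#0001's tooling and not part of the proposal. It decodes Discord's documented permission bitfield (the bit positions below are the real ones from Discord's developer documentation) and walks a constructed export whose shape mirrors Discord API role objects and channel permission overwrites. Every role name, id and bitfield value in the export is made up; the "hard"/"soft" severity split and the set of permissions treated as dangerous are this example's own choices, chosen to match the "Dangerous Role Permission Removal" and "Third Full Check Using Bot Export Of Perms" steps above.

```python
"""Flag dangerous Discord permission grants in a constructed guild export.

Added example: not Jon_HQ#0001's tooling and not part of GIP-47. The export
layout mirrors Discord API role objects and channel permission overwrites
(permissions as decimal bitfield strings), but all data below is constructed.
"""
from dataclasses import dataclass

# Bit positions from Discord's documented permission bitfield. Which of them
# count as "dangerous" is this example's own assumption.
DANGEROUS_PERMS = {
    "KICK_MEMBERS": 1 << 1,
    "BAN_MEMBERS": 1 << 2,
    "ADMINISTRATOR": 1 << 3,
    "MANAGE_CHANNELS": 1 << 4,
    "MANAGE_GUILD": 1 << 5,
    "MANAGE_MESSAGES": 1 << 13,
    "MENTION_EVERYONE": 1 << 17,
    "MANAGE_ROLES": 1 << 28,
    "MANAGE_WEBHOOKS": 1 << 29,
}

# Discord overwrite types: 0 = role, 1 = member.
OVERWRITE_ROLE = 0


@dataclass(frozen=True)
class Finding:
    severity: str    # "hard" (guild-wide admin) or "soft" (needs review); example's own split
    target: str      # role name or "member:<id>"
    scope: str       # "guild" for role-level grants, otherwise the channel name
    permission: str


def decode_dangerous(bitfield):
    """Return the dangerous permission names set in a decimal bitfield string."""
    value = int(bitfield)
    return [name for name, bit in DANGEROUS_PERMS.items() if value & bit]


def audit_export(export, trusted_roles=frozenset({"Cold Admin"})):
    """Walk roles and channel overwrites; report dangerous grants outside trusted roles."""
    findings = []
    role_names = {r["id"]: r["name"] for r in export["roles"]}

    # Guild-level role permissions: ADMINISTRATOR on a non-cold role is a hard fail.
    for role in export["roles"]:
        if role["name"] in trusted_roles:
            continue
        for perm in decode_dangerous(role["permissions"]):
            severity = "hard" if perm == "ADMINISTRATOR" else "soft"
            findings.append(Finding(severity, role["name"], "guild", perm))

    # Per-channel overwrites: each explicit allow of a dangerous bit is a soft fail
    # that a human must check, understand and either keep or remove.
    for channel in export["channels"]:
        for ow in channel.get("permission_overwrites", []):
            if ow["type"] == OVERWRITE_ROLE:
                target = role_names.get(ow["id"], f"role:{ow['id']}")
            else:
                target = f"member:{ow['id']}"
            if target in trusted_roles:
                continue
            for perm in decode_dangerous(ow["allow"]):
                findings.append(Finding("soft", target, channel["name"], perm))
    return findings


def summarize(findings):
    """Count findings by severity, the headline number an audit report would quote."""
    return {
        "hard": sum(1 for f in findings if f.severity == "hard"),
        "soft": sum(1 for f in findings if f.severity == "soft"),
    }


# Constructed export (all ids, names and values are made up for this example).
SAMPLE_EXPORT = {
    "roles": [
        {"id": "100", "name": "@everyone", "permissions": "3072"},        # VIEW_CHANNEL|SEND_MESSAGES
        {"id": "101", "name": "Cold Admin", "permissions": "8"},          # ADMINISTRATOR, trusted
        {"id": "102", "name": "Hot Admin", "permissions": "8"},           # ADMINISTRATOR on a hot role
        {"id": "103", "name": "Moderator", "permissions": "139264"},      # MANAGE_MESSAGES|MENTION_EVERYONE
        {"id": "104", "name": "Collab Manager", "permissions": "3072"},
    ],
    "channels": [
        {"id": "200", "name": "announcements", "permission_overwrites": [
            {"id": "100", "type": 0, "allow": "0", "deny": "2048"},          # @everyone: no SEND_MESSAGES
            {"id": "104", "type": 0, "allow": "536870912", "deny": "0"},     # Collab Manager: MANAGE_WEBHOOKS
        ]},
        {"id": "201", "name": "general", "permission_overwrites": [
            {"id": "103", "type": 0, "allow": "131072", "deny": "0"},        # Moderator: MENTION_EVERYONE
        ]},
        {"id": "202", "name": "team-chat", "permission_overwrites": [
            {"id": "101", "type": 0, "allow": "536870912", "deny": "0"},     # Cold Admin: trusted, skipped
        ]},
    ],
}

if __name__ == "__main__":
    results = audit_export(SAMPLE_EXPORT)
    for f in results:
        print(f"[{f.severity}] {f.target} @ {f.scope}: {f.permission}")
    print(summarize(results))
```

Run against a real server, the same logic would consume a bot-produced export of roles and overwrites rather than the constructed dictionary; the point of the "soft" bucket is exactly what the proposal describes: each entry is a grant a human has to look at, since a mention-everyone overwrite that is correct in one channel is a problem in an announcement channel.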

Desired Outcomes and Success Metrics: When the audit is completed, we expect to receive both the summary and report. They should be delivered to the Warbler Labs team and to the community.

Once the audit is complete, the compromise that occurred previously will no longer be able to occur again, as all announcements from hot accounts will have to go through a 2FA Announcement bot.

Downside: We see no downside in improving Goldfinch server security.

Voting:
YES - means allocate $5,000 USDC from the budget for community driven activities
NO - means do nothing

Resources:
GIP-36: Budget for community driven activities
LinkedIn profile: https://www.linkedin.com/in/jonholmquist/
Twitter account: https://twitter.com/Jon_HQ
Website: https://jonhq.com/

3 Likes

I definitely support this proposal. Strengthening security is a positive and effective solution. Many similar cases happened in other projects, in which fake announcements about drops and other things were made on behalf of the administration, and many users went to scam links and lost their funds.

100% YES!

Jon has been very professional to work with and boasts a ton of experience making other notable projects and Discord servers safe.

Strong yes to use these funds towards improving Goldfinch server security.

Defi projects have been seeing a slew of additional attacks lately - It’s really good that Goldfinch is taking security seriously!

My setups are focused on allowing teams to function while granting them the bare minimum of permissions.

This means even if there is another compromise that the attacker doesn’t get access to post announcements or ping everyone.

Happy to answer any other questions about the audit process!

3 Likes

I, too, once almost fell for the trick of scammers and I think that the safety of the server is above all.

I will definitely vote YES. Given the increasing number of attacks and hacks on Discord servers, it is very important that our community members be protected from these threats.

The basis for the development of any project is its security, so I fully support the initiative and vote YES.

I think security is very important in the current environment, especially since there have already been attacks. In order to fully trust the messages in the Goldfinch Discord in the future, I think doing this audit will be the right decision. I vote yes!

This is a necessity for any major project, I vote yes.

The exclusion of the possibility of publishing fake ads and scam links is the basis for the stable operation of the Discord server and the community’s trust in the activities of admins. Therefore, I fully support this proposal in terms of conducting a security audit of the Discord server.
Not being a security expert, I can’t assess whether the budget of 5000 USD is small or large for such an audit. If the project team considers the indicated amount to be adequate, then I fully support this proposal.
My vote is “YES”.

I totally support this proposal. Reducing scammers and attack threats is a must.

Safety is the most important thing; you can save on safety and then lose a lot … I vote in favor.

Council has approved the proposal

This is a necessity for any project, I vote yes.