Authors: RP2743
Summary: Goldfinch aims to further increase Discord server security by reducing the probability of different attacks on community members. For this reason we ask the Goldfinch community to approve a transfer of 5,000 USDC from the budget for community-driven activities [according to GIP-36] to compensate the Warbler Labs team for the expenses of a security audit handled by Jon_HQ#0001, a well-known Discord security specialist.
Motivation: On the 17th of April, the Discord account of @RP2743 (one of the community managers) was compromised through a phishing attack by a malicious community member. Once the fraudsters had hijacked his account, they posted a malicious announcement on the Goldfinch server containing a phishing link. Thanks to a quick reaction from the other community managers, from @RP2743 himself, and from a few members of the Warbler Labs team, the malicious announcement was deleted quickly and access to the @RP2743 account was restored. No damage was caused to anyone in the community, and no complaints were received from community members. However, the incident prompted the Warbler Labs team to engage Jon_HQ#0001 to carry out a security audit and improve server security.
Jon_HQ#0001 has already completed Discord security audits for large projects such as Pudgy Penguins, Mutant Hounds, Street Machine, Chubbiverse, and many others, and is well known in the space for providing this service.
Jon_HQ#0001 Socials:
LinkedIn profile: https://www.linkedin.com/in/jonholmquist/
Twitter account: https://twitter.com/Jon_HQ
Website: https://jonhq.com/
The audit usually consists of the following checks:
Pre-audit Review
Cold Admin Setup
Bot Installation and Coverage Review
User Webhook Review and Deletion
Bot Generated Webhook Inspection
Server Settings Analysis
Channel Usage Overview
Role Usage Review
Role Permission Overhaul
Dangerous Role Permission Removal
Set up Announcement Bot
Category Permission Setup
Channel Permission Sync + Modification
Automoderator Bot Setup
Wick Bot Configuration
Anti-webhook Bot Setup
Team/Staff Training + Command Guide
Second Full Check of All Roles and Channels on an Alt
Third Full Check Using Bot Export Of Perms
The audit is designed to consider and minimize the following attack vectors:
Team Vectors
Server Owner Phish
Team Admin Phish
Collab Manager Phish
Moderator Phish
Team or Moderator Insiding
Bot Vectors
Bot with Admin Perm Compromise
Bot with Dangerous Perm Compromise
Non-security Bot Compromise
Fake Bot Install
Bot Misconfiguration
User Vectors
Ping Permission Error
Self-bot Raid
Fake Trade or Fake Collection Links
Impersonation Bot DM Spam
User Permission Escalation
The Discord security audit involves going through every setting, inspecting every single bot, role, and channel, and then extensive testing to make sure that, if an account is compromised, the damage is minimal.
For example, a recent audit for Mutant Hounds had 2,558 individual channel permissions flagged as a soft fail when Jon_HQ#0001 ran an automated check on their setup. Each of those failures needs to be checked, understood, and then secured properly. There is no one-size-fits-all solution for each community.
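As an added illustration (not the proposal's own material, nor Jon_HQ's tooling) of the kind of automated permission check described above, the script below reads a constructed role export, decodes the Discord permission bitfield, and flags roles that give dangerous permissions to hot (day-to-day) accounts rather than cold admin accounts. The export format and account names are hypothetical; the permission bit positions are Discord's documented values.

```python
# Added example: flag dangerous Discord role permissions reachable from hot accounts.
# Permission bit positions are from Discord's public API documentation.
ADMINISTRATOR    = 1 << 3
MANAGE_CHANNELS  = 1 << 4
MANAGE_GUILD     = 1 << 5
MENTION_EVERYONE = 1 << 17
MANAGE_ROLES     = 1 << 28
MANAGE_WEBHOOKS  = 1 << 29

DANGEROUS = {
    "MANAGE_CHANNELS": MANAGE_CHANNELS,
    "MANAGE_GUILD": MANAGE_GUILD,
    "MENTION_EVERYONE": MENTION_EVERYONE,  # a phished account could ping @everyone
    "MANAGE_ROLES": MANAGE_ROLES,          # route to privilege escalation
    "MANAGE_WEBHOOKS": MANAGE_WEBHOOKS,    # route to spoofed announcements
}

def dangerous_perms(permissions) -> list:
    """Decode a permission bitfield (int, or the decimal string the Discord API
    returns) and list the dangerous permissions it grants."""
    bits = int(permissions)
    if bits & ADMINISTRATOR:
        return ["ADMINISTRATOR"]  # implies every other permission
    return [name for name, bit in DANGEROUS.items() if bits & bit]

def audit_roles(roles, cold_accounts):
    """roles: list of {"name", "permissions", "members"} dicts (hypothetical export
    format). Returns (role, member, permission) findings for every dangerous
    permission held by a member not in cold_accounts. @everyone is always hot."""
    findings = []
    for role in roles:
        perms = dangerous_perms(role["permissions"])
        if not perms:
            continue
        members = ["(every member)"] if role["name"] == "@everyone" else role["members"]
        for member in members:
            if member in cold_accounts:
                continue
            findings.extend((role["name"], member, perm) for perm in perms)
    return findings

# Constructed sample export; not real Goldfinch server data.
SAMPLE_ROLES = [
    {"name": "@everyone", "permissions": str(MENTION_EVERYONE), "members": []},
    {"name": "Community Manager", "permissions": str(MANAGE_WEBHOOKS | MANAGE_ROLES),
     "members": ["cm_one_hot", "cm_two_hot"]},
    {"name": "Cold Admin", "permissions": str(ADMINISTRATOR), "members": ["owner_cold"]},
    {"name": "Member", "permissions": "0", "members": ["alice"]},
]
COLD_ACCOUNTS = {"owner_cold"}

if __name__ == "__main__":
    for role, member, perm in audit_roles(SAMPLE_ROLES, COLD_ACCOUNTS):
        print(f"SOFT FAIL {role!r}: {perm} reachable from hot account {member}")
```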
Desired Outcomes and Success Metrics: When the audit is completed, we expect to receive both a summary and the full report, delivered to the Warbler Labs team and to the community.
Once the audit is complete, the compromise that occurred previously will no longer be possible, as all announcements from hot accounts will have to go through a 2FA Announcement bot.
Downside: We see no downside in improving Goldfinch server security.
Voting:
YES - allocate $5,000 USDC from the budget for community-driven activities
NO - do nothing
Resources:
GIP-36: Budget for community-driven activities
LinkedIn profile: https://www.linkedin.com/in/jonholmquist/
Twitter account: https://twitter.com/Jon_HQ
Website: https://jonhq.com/