Discord Security Audit

Hey folks, while we’re still finalizing some things with my early GIF proposal, it makes sense to try and push through another less expensive but critical proposal:

tl;dr: Jon is a well-known Discord Security Specialist; pay Jon 5 ETH to secure the Doodles Discord. Mushy, who currently handles everything in the Discord, approves of this proposal.

I’ve done Discord Security audits for large projects like Pudgy Penguins, Mutant Hounds, Street Machine, Chubbiverse, and many others. I am one of the best known people in the space for providing this service.

One often-asked question is what a Discord audit entails. To put it simply, I go through every setting, inspect every single bot, every role and channel, and then do a lot of testing to make sure that in the case of a compromised account there is minimal damage.

While some people think this shouldn’t take too long, the most recent audit I just completed for Mutant Hounds had 2558 different individual channel permissions that were flagged as a soft fail when I did an automated check (that I developed) on their setup. Each of those failures needs to be checked, understood, and then secured properly. There is no one-size-fits-all solution for each community.

My audit report consists of the following checks:

  • Pre-audit Review
  • Cold Admin Setup
  • Bot Installation and Coverage Review
  • User Webhook Review and Deletion
  • Bot Generated Webhook Inspection
  • Server Settings Analysis
  • Channel Usage Overview
  • Role Usage Review
  • Role Permission Overhaul
  • Dangerous Role Permission Removal
  • Set up Announcement Bot
  • Category Permission Setup
  • Channel Permission Sync + Modification
  • Automoderator Bot Setup
  • Wick Bot Configuration
  • Anti-webhook Bot Setup
  • Team/Staff Training + Command Guide
  • Second Full Check of All Roles and Channels on an Alt
  • Third Full Check Using Bot Export Of Perms

The audit report I’ve built is designed to consider and minimize the following attack vectors:

Team Vectors

  • Server Owner Phish
  • Team Admin Phish
  • Collab Manager Phish
  • Moderator Phish
  • Team or Moderator Insiding

Bot Vectors

  • Bot with Admin Perm Compromise
  • Bot with Dangerous Perm Compromise
  • Non-security Bot Compromise
  • Fake Bot Install
  • Bot Misconfiguration

User Vectors

  • Ping Permission Error
  • Self-bot Raid
  • Fake Trade or Fake Collection Links
  • Impersonation Bot DM Spam
  • User Permission Escalation

Once the audit is complete, my report document is usually 20+ pages long. This report will be delivered to Mushy and the Team. A summary will be provided to the community upon completion.

This is an extremely thorough and exhaustive process that is critical to ensure that the Doodles Discord and, by extension, the community remain secured.

In just the past year millions have been stolen from various communities through Discord compromises. This hits communities hard. The phrase “an ounce of prevention is worth a pound of cure” is extremely relevant here.

For the size and complexity of the Doodles Discord I am quoting 5 ETH to complete the audit. This will come with 2 weeks of free support and includes custom security bots I’ve created.

Quote/Ask: 5 ETH
Timeline to completion: After approval, and the team completes pre-audit steps, 4 business days.
Doodle ID: 2906
Needed Quorum: 5%

2 Likes

Thanks Jon for the proposal.

Usually, a hacked Discord that could do massive damage is when a team member’s Discord ID gets hacked and posts a fake link.

I just have one question. Once you do the audit on the Doodles Discord and later on, through some unintentional act in an unfortunate event, let’s say Mushy / Hank / Jonny / even Poopie clicked a link and got hacked, will any of your audit efforts be able to prevent the hacked ID from posting a fake link in the Doodles Discord?

Thanks Jon.

will any of your audit efforts be able to prevent the hacked ID from posting a fake link in the Doodles Discord?

A very good question! There will be multiple things in place to mitigate a compromise if one is to occur.

Reducing risk of a compromise:

The first and best step to stop compromises is just education. Part of my audit involves a meeting to teach the team, mods, and anyone with elevated permissions about existing phishing attacks, where your Discord token lives, and how to protect it. Stopping the compromise before it happens with education is hugely important.

If a compromise does happen:

Firstly, the entire audit is completed with the assumption that every team member and moderator is already compromised. Keeping that assumption in mind forces you to reduce the permissions of every team member in the Discord and find new, safer ways to manage the community.

To this end, dangerous permissions are shifted away from folks’ hot accounts to cold admin accounts (which are incredibly hard to phish).

Any permissions previously needed are replaced with more moderated bot commands instead. For example, you are allowed to use /ban, but if you try to ban too many accounts at once and nuke the server you get quarantined.

Past that some automated protections are put into place as well.

Firstly, an anti-link bot will delete any suspicious links, and any repeated spammy actions will lead to the compromised account getting quarantined and unable to do any additional harm.

Another core aspect is that those that will be able to make announcements on their hot accounts will have to enter in a 2FA code from their mobile app to get permissions to post announcements for only 5 minutes. This means if a user’s Discord token gets compromised, the attacker still won’t have the required permissions to post a fake announcement and ping the entire server. At most the attacker could post as the compromised user in general/holder chats, without the ability to ping, vastly reducing the harm done.

Ending the compromise quickly

And lastly, if a situation like that were to occur, team members on hot accounts have a panic button they can push at any point after entering their 2FA to shut down the server and stop an ongoing attack.
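Jon’s automated soft-fail check (first post) and the “assume every hot account is already compromised” rule in the reply above, as an added example that is not Jon’s own tooling: it walks a constructed export of roles and channel overwrites and lists every dangerous permission still reachable from a role that is not on a cold admin. The permission bit values are Discord’s real flags; the role and channel names, the Cold Admin allowlist and the export layout are assumptions.

```python
# Added example (not Jon's own tooling): a minimal "soft fail" checker over a
# constructed permission export, built on the audit's assumption that every
# hot team/mod account is already phished. Bit values are Discord's real
# permission flags; role and channel names are constructed sample data.
ADMINISTRATOR = 1 << 3
MANAGE_CHANNELS = 1 << 4
BAN_MEMBERS = 1 << 2
MENTION_EVERYONE = 1 << 17
MANAGE_ROLES = 1 << 28
MANAGE_WEBHOOKS = 1 << 29
# Permissions a compromised hot account could use to nuke the server, plant a
# webhook, or ping everyone with a fake mint link. Only cold admins keep them.
DANGEROUS = {"ADMINISTRATOR": ADMINISTRATOR, "MANAGE_CHANNELS": MANAGE_CHANNELS,
             "BAN_MEMBERS": BAN_MEMBERS, "MENTION_EVERYONE": MENTION_EVERYONE,
             "MANAGE_ROLES": MANAGE_ROLES, "MANAGE_WEBHOOKS": MANAGE_WEBHOOKS}
COLD_ADMIN_ROLES = {"Cold Admin"}  # assumption: held only on cold accounts

# Constructed export: role -> guild-level permission bits.
ROLES = {"Cold Admin": ADMINISTRATOR, "Team": MANAGE_CHANNELS | MENTION_EVERYONE,
         "Mod": BAN_MEMBERS, "Holder": 0}
# Constructed export: channel -> {role: (allow_bits, deny_bits)} overwrites.
CHANNELS = {"announcements": {"Team": (0, MENTION_EVERYONE)},
            "general": {"Mod": (MANAGE_WEBHOOKS, 0)},
            "alpha": {"Holder": (MENTION_EVERYONE, 0)}}

def effective(role, channel, roles, channels):
    """Effective bits for one role in one channel: guild bits, minus the channel
    deny overwrite, plus the channel allow overwrite. Simplified: one overwrite
    per role, no @everyone or per-member overwrites."""
    base = roles[role]
    if base & ADMINISTRATOR:
        return base  # Administrator bypasses channel overwrites entirely
    allow, deny = channels[channel].get(role, (0, 0))
    return (base & ~deny) | allow

def soft_fails(roles=ROLES, channels=CHANNELS, cold=COLD_ADMIN_ROLES):
    """(channel, role, permission) triples where a non-cold role still holds a
    dangerous permission; each is a finding to review, not an automatic fix."""
    fails = []
    for channel in channels:
        for role in roles:
            if role in cold:
                continue
            bits = effective(role, channel, roles, channels)
            fails += [(channel, role, name) for name, bit in DANGEROUS.items()
                      if bits & bit]
    return sorted(fails)

if __name__ == "__main__":
    for finding in soft_fails():
        print("SOFT FAIL:", *finding)
```

On the sample export the channel-level deny on #announcements removes Team’s ping, but the same role still pings in #general and #alpha, which is exactly the kind of per-channel inconsistency a sync pass has to resolve.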

Thanks for the response Jon!! Good luck brotherman!

1 Like

I like this. Security is important. I’ve got 2 questions:

Mind explaining how the link filter will work for holder channels? In our alpha channel, we share lots of mint links. Can/will the rules be relaxed for such, since we click on these links with full awareness of the risks associated?

Also, some doods whose names rhyme with “roops” like to spam copy pastas. Mind explaining how it will work for those sorts of situations?

Great proposal. Lots of bells and whistles in there for the Mush Mush man to play with.

Mind explaining how the link filter will work for holder channels? In our alpha channel, we share lots of mint links. Can/will the rules be relaxed for such, since we click on these links with full awareness of the risks associated?

I usually loosen the filter on alpha channels, since there is a bit of understanding that normal project announcements wouldn’t go on there and that each link needs to be looked at with suspicion.

Also, some doods whose names rhyme with “roops” like to spam copy pastas. Mind explaining how it will work for those sorts of situations?

This is fine too! I had to drastically reduce the spam filters for Pudgy Penguins because they liked to spam copy pasta as well. If you do too much spamming all you get is a temporary timeout anyways :slight_smile:

Thank you for replying to the proposal!

1 Like

Appreciate your responses fam… and the pudgies reference :smirk: I see you… Usually we don’t realize the importance of these things until it’s too late and I like taking preventive measures.
This won’t be a creation of a new discord, but rather just an audit of the existing one and a splash of extra cool security stuff for Mush Mush to have a play day. We always like our ducky happy

I think I’m going to push this to a vote. It’s a little bit of a quick turnaround, but with the limited quorum we need I think it has a good chance.

1 Like

As long as I can continue to spam and shitpost to my heart’s content I’m good. And ofc… Mush Mush is happy.

Reminder to vote everyone!

Audit has been completed, here are the public report summaries:


Rest of the audit report has been shared with the team. Additional guidance for setting up cold admins is being given.

2 Likes

LFG
Jon is so OP
This is what we love to see
Great job

2 Likes