Discord pitfall-avoidance guide: what are Discord's risk factors, and how do we avoid them?
巴比特
2022-02-10 03:44
This article is about 1,714 characters; reading it takes about 7 minutes.
There are a few things we can do to reduce the level of risk.

Almost every NFT project has a Discord server: a server full of people hoping for whitelist access, a constant stream of @everyone announcements, and countless users running alt accounts and bots to "level up" in it.

Among these users are scammers. They monitor the server, they watch the admins, and they look for weaknesses.

Their goal is to steal money from unsuspecting people inside the server, and if we don't set the server up properly, they have a good chance of succeeding.


2FA

If you use Discord, turn on 2FA, whether you are a server admin or an ordinary member.

Install an authenticator app such as Google Authenticator and enable it on Discord (and on every other account that supports it!). Save the backup codes somewhere offline. Server owners can additionally require 2FA for moderation actions in the server's settings, so an admin who skips 2FA loses the ability to moderate instead of becoming the weakest link.


Don't Give Up Your Discord Login Token

A Discord login token is the bearer credential the client presents to Discord's API after we sign in; whoever holds it gets direct access to our account. Tokens are convenient, but dangerous for exactly that reason: they grant access without a password and bypass 2FA entirely, because 2FA is checked at login and the token is issued only after that check has passed.

The token is visible in the browser's developer tools, and many scammers will try to get it from us by asking us to:

  • share our screen with them

  • open the developer tools

  • navigate to a place where the token is shown (for example the headers of a request in the Network tab)

Once they have it, they use the token to access our account, with no password and no 2FA prompt. Never share your screen with dev tools open, and if you suspect your token was exposed, change your password immediately: Discord invalidates existing tokens when the password changes.
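As an added example (not from the original article), here is a small Python filter that moderators can run over chat logs or support transcripts before sharing them, so that a pasted token never leaves the machine. The token shape it looks for (three dot-separated base64url segments, the first of which is the base64 encoding of the numeric user ID) is an assumption of this example based on how these tokens are commonly described, not something the article states; the sample transcript and the token inside it are constructed.

```python
import base64
import re

# Heuristic token shape (assumption of this example): three base64url
# segments separated by dots; the first segment is base64 of the user ID.
# Segment lengths are kept loose on purpose so format drift does not
# silently disable the filter; the user-ID check keeps false positives low.
TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_-])"
    r"([A-Za-z0-9_-]{22,32})\.([A-Za-z0-9_-]{6,7})\.([A-Za-z0-9_-]{25,120})"
    r"(?![A-Za-z0-9_-])"
)


def decode_user_id(segment: str):
    """Return the user ID if `segment` is base64 of a 17-20 digit snowflake, else None."""
    padded = segment + "=" * (-len(segment) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if raw.isdigit() and 17 <= len(raw) <= 20:
        return int(raw)
    return None


def find_tokens(text: str):
    """Return (token, user_id) pairs for token-shaped strings whose first segment decodes to a user ID."""
    hits = []
    for m in TOKEN_RE.finditer(text):
        uid = decode_user_id(m.group(1))
        if uid is not None:
            hits.append((m.group(0), uid))
    return hits


def redact(text: str) -> str:
    """Replace every detected token with a placeholder that keeps only the user ID."""
    out = text
    for token, uid in find_tokens(text):
        out = out.replace(token, f"[REDACTED TOKEN for user {uid}]")
    return out


def fake_token(user_id: int) -> str:
    """Build a structurally token-shaped but meaningless string for testing (constructed, not real)."""
    head = base64.urlsafe_b64encode(str(user_id).encode()).decode().rstrip("=")
    return f"{head}.Xk9ciA.aBcDeFgHiJkLmNoPqRsTuVwXyZ0"


# Constructed sample: a support chat where a user pasted dev-tools output.
SAMPLE = (
    "mod: can you paste what you see under Network > Headers?\n"
    f"user: sure, authorization: {fake_token(123456789012345678)}\n"
    "mod: please don't, rotate it now. Also see https://example.invalid/a.b.c\n"
)

if __name__ == "__main__":
    for _token, uid in find_tokens(SAMPLE):
        print(f"token belonging to user {uid} found in transcript")
    print(redact(SAMPLE))
```

The decoded user ID is kept in the placeholder on purpose: a moderator still learns whose account needs a password reset, without the credential itself being copied around.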

Do not use webhooks

Like many other conveniences, webhooks make life easier, but they bring additional risk: a webhook URL contains its own secret, so anyone who obtains the URL can post messages to the channel as that webhook without any further authentication, and there is no 2FA in the way. Review the webhooks listed under the server's Integrations settings and delete any you don't actually need.


Watch out for bots

Most popular Discord bots are low-risk, and it is very rare for a major bot to be compromised. But rare doesn't mean impossible.

Once, the popular MEE6 bot was compromised and used to post fake messages to a Discord server. The false information caused a stir, but no damage was done. Treat every bot as a privileged account: invite it with only the permissions it needs, and review what each integration can do from time to time.


Don't let scam bots see our member list

One of the most frustrating things on Discord is spam from bot accounts that either want us to mint exciting new NFTs or want us to visit a phishing site and lose all our money.

The bots simply join the server so they can read the member list and then DM everyone. But we can add an extra hoop: hide the member list until a newcomer takes the extra step of proving they actually want to be a member of the server.

  • Create a #welcome/#rules channel that every user lands in when they first join the server.

  • Use Carl-bot (or any reaction-role bot) to create a reaction role, so that when a user reacts to the message in that channel they get a "Member/User/Guest" role added to their account.

  • Once they have that role, every other channel in the server becomes visible and the #welcome/#rules channel disappears for them. (This requires changing channel visibility by hand: make every other channel private, i.e. hidden from @everyone, but visible to the "Member" role, and deny the "Member" role view access to #welcome.)

The result is that anyone without the default "Member/User/Other" role can see only the welcome channel, and in its member list only the other people who also lack the role, which in practice means the scam bots.

Anyone who does have the member role can't see the users who lack it (so they can't see the bots, and the bots can't see them). This works because Discord's member list only shows people who can view the channel currently selected. Scam bots that never bother to react to the rules/welcome message just sit in the lobby seeing only other scam bots, so they can't DM the real users of the server.

This won't stop human users who knowingly join the server, react to the rules and then post scams, nor a bot scripted to click the reaction.
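The gating the steps above describe, modelled as added example code (it is not from the article and not Carl-bot's code): it follows Discord's documented order for computing a member's permissions in a channel (server-level role bits, then the @everyone overwrite, then the combined role overwrites; member-specific overwrites are omitted here) and treats a channel's member list as the set of members who can view that channel. The server layout, role names and member names are constructed.

```python
from dataclasses import dataclass, field

# Permission bits as used in Discord's permission bitfield.
VIEW_CHANNEL = 1 << 10
SEND_MESSAGES = 1 << 11
ADD_REACTIONS = 1 << 6
READ_MESSAGE_HISTORY = 1 << 16
ADMINISTRATOR = 1 << 3
ALL_PERMISSIONS = (1 << 53) - 1  # "everything" shortcut for administrators


@dataclass
class Overwrite:
    allow: int = 0
    deny: int = 0


@dataclass
class Channel:
    name: str
    overwrites: dict = field(default_factory=dict)  # role name -> Overwrite


@dataclass
class Guild:
    roles: dict     # role name -> server-level permission bits
    channels: list  # Channel objects in sidebar order
    members: dict   # member name -> set of role names held besides @everyone


def effective_permissions(guild: Guild, member: str, channel: Channel) -> int:
    """Role bits, then @everyone overwrite, then all role overwrites (deny before allow)."""
    roles = guild.members[member]
    perms = guild.roles["@everyone"]
    for r in roles:
        perms |= guild.roles[r]
    if perms & ADMINISTRATOR:
        return ALL_PERMISSIONS  # administrators ignore channel overwrites entirely
    ow = channel.overwrites.get("@everyone")
    if ow:
        perms = (perms & ~ow.deny) | ow.allow
    allow = deny = 0
    for r in roles:
        ow = channel.overwrites.get(r)
        if ow:
            allow |= ow.allow
            deny |= ow.deny
    return (perms & ~deny) | allow


def visible_channels(guild: Guild, member: str) -> list:
    return [c.name for c in guild.channels
            if effective_permissions(guild, member, c) & VIEW_CHANNEL]


def visible_members(guild: Guild, member: str, channel_name: str) -> set:
    """The member list shown while viewing a channel: everyone who can view it."""
    ch = next(c for c in guild.channels if c.name == channel_name)
    if not effective_permissions(guild, member, ch) & VIEW_CHANNEL:
        return set()  # you cannot open the channel, so you see no list at all
    return {m for m in guild.members if effective_permissions(guild, m, ch) & VIEW_CHANNEL}


def grant_member_role(guild: Guild, member: str) -> None:
    """What the reaction-role bot does when a newcomer reacts to the rules message."""
    guild.members[member].add("Member")


def build_guild() -> Guild:
    """Constructed server following the article's three steps."""
    hidden = Overwrite(deny=VIEW_CHANNEL)
    shown = Overwrite(allow=VIEW_CHANNEL)
    return Guild(
        roles={"@everyone": VIEW_CHANNEL | ADD_REACTIONS | READ_MESSAGE_HISTORY,
               "Member": SEND_MESSAGES},
        channels=[
            Channel("#welcome", {"Member": hidden}),                     # lobby: newcomers only
            Channel("#general", {"@everyone": hidden, "Member": shown}),  # private, Member can view
            Channel("#announcements", {"@everyone": hidden, "Member": shown}),
        ],
        members={"alice": {"Member"}, "bob": {"Member"},
                 "scambot1": set(), "scambot2": set()},
    )


if __name__ == "__main__":
    g = build_guild()
    for who in ("scambot1", "alice"):
        print(who, "sees channels", visible_channels(g, who))
    print("scambot1 member list in #welcome:", visible_members(g, "scambot1", "#welcome"))
    print("alice member list in #general:", visible_members(g, "alice", "#general"))
```

Running it shows the two worlds the text describes: the bots see only #welcome and only each other, the members see the real channels and only each other, and a newcomer crosses over the moment the reaction role is granted.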


Don't give unnecessary permissions to our mods/admins

Besides our own account, our moderators and admins are the line of defense that protects the server, and each of their accounts is a target.

Protect the server by granting permissions conservatively: give each role only what its job requires, avoid the Administrator permission (it bypasses every channel restriction), and keep the number of people who can manage roles, channels and webhooks as small as possible.

This matters all the more because scammers have tools that enumerate who holds which permissions, so the most powerful accounts are the ones that get targeted first.
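An added example (not from the article) of the audit a server owner can run over the role list to find exactly those over-privileged roles: it parses role objects in the shape Discord's API returns them (the permission bitfield arrives as a decimal string) and reports every role holding a high-impact permission. The permission bit values are Discord's; the sample role list, including the bot role, is constructed.

```python
import json

# High-impact bits from Discord's permission bitfield (the subset this audit flags).
DANGEROUS = {
    "KICK_MEMBERS": 1 << 1,
    "BAN_MEMBERS": 1 << 2,
    "ADMINISTRATOR": 1 << 3,
    "MANAGE_CHANNELS": 1 << 4,
    "MANAGE_GUILD": 1 << 5,
    "MENTION_EVERYONE": 1 << 17,
    "MANAGE_ROLES": 1 << 28,
    "MANAGE_WEBHOOKS": 1 << 29,
}

# Constructed sample shaped like the role objects returned for a guild's roles
# (`permissions` is a decimal string; `managed` marks roles owned by a bot). Not real data.
ROLES_JSON = json.dumps([
    {"id": "1", "name": "@everyone", "managed": False,
     "permissions": str((1 << 10) | (1 << 11) | (1 << 17))},
    {"id": "2", "name": "Member", "managed": False,
     "permissions": str((1 << 10) | (1 << 11))},
    {"id": "3", "name": "Moderator", "managed": False,
     "permissions": str((1 << 1) | (1 << 2) | (1 << 13) | (1 << 3))},
    {"id": "4", "name": "Carl-bot", "managed": True,
     "permissions": str((1 << 28) | (1 << 13))},
])


def audit_roles(roles_json: str) -> dict:
    """Map each role name to the sorted list of high-impact permissions it holds."""
    findings = {}
    for role in json.loads(roles_json):
        bits = int(role["permissions"])  # the API serialises the bitfield as a string
        held = sorted(name for name, bit in DANGEROUS.items() if bits & bit)
        if held:
            findings[role["name"]] = held
    return findings


def severity(role_name: str, held: list) -> str:
    """Rank a finding: anything on @everyone or Administrator is critical."""
    if role_name == "@everyone" or "ADMINISTRATOR" in held:
        return "critical"
    if {"MANAGE_ROLES", "MANAGE_GUILD", "MANAGE_WEBHOOKS", "MANAGE_CHANNELS"} & set(held):
        return "high"
    return "medium"


def report(roles_json: str) -> list:
    """Human-readable lines, worst first, for a review meeting or a scheduled check."""
    order = {"critical": 0, "high": 1, "medium": 2}
    lines = []
    for name, held in audit_roles(roles_json).items():
        sev = severity(name, held)
        lines.append((order[sev], f"[{sev}] {name}: {', '.join(held)}"))
    return [text for _, text in sorted(lines)]


if __name__ == "__main__":
    for line in report(ROLES_JSON):
        print(line)
```

In the constructed sample the audit surfaces three things worth acting on: @everyone can ping everyone (a gift to a scam bot), the Moderator role has Administrator when Kick/Ban plus Manage Messages would do, and the reaction-role bot holds Manage Roles, which it legitimately needs but which makes its integration worth watching.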

Summary

Turn on 2FA, never expose your login token (and change your password if you think you have), keep webhooks to a minimum, treat bots as privileged accounts, hide the member list behind a reaction role so scam bots only ever see each other, and give mods and admins only the permissions their job needs.
