Enhancing Security of NFT Discord Servers using advanced Discord Bots

0xRebels
4 min read · Jun 4, 2022


The Discord server of Yuga Labs' Otherside, one of the biggest NFT collections ever, got hacked earlier today.

What happened?

The Discord account of one of the moderators was compromised, and the attacker inherited that account's permissions, including the right to post in the #announcements channel of the Discord server.

Announcement made by the attacker on the Otherside Discord Server

The attacker announced an exclusive giveaway for BAYC, MAYC, and Otherside holders, instructing them to visit an unofficial website to claim or mint the rewards.

As you can guess, people who went in and “claimed” the reward ended up with their NFTs stolen. Several Otherside Deeds, BAYCs, MAYCs, Bokis, Invisible Friends, etc., were stolen.

You can look at the activity of the attacker’s wallet here: https://opensea.io/0x1079061D37f7F3FD3295E4aAd02EcE4a3f20DE2d?tab=activity

Consequences

It is extremely saddening to witness events like these. It’s not just the people who lost their NFTs that lost today — it’s the entire NFT space/industry that’s at a loss. Events like these fuel the fire and hatred towards the whole industry and prevent us from growing and expanding.

Although Yuga Labs has not issued an official response yet, the question is what we, as members of the NFT industry and its many communities, can do about it.

Besides stating the obvious and making efforts to educate market participants on how to recognize and protect against scams like these, it’s up to the builders to come up with and create tech solutions that will help protect other community members and market participants.

How can a Discord Bot prevent this?

We at 0xRebels are both holders and big fans of The Otherside, and we were present when the attack happened. This unfortunate event sparked an internal conversation about what kind of Discord bot could have prevented this or at least reduced the possibility of this kind of attack occurring.

The main problem is that the attacker compromised the account of one of the moderators and thus was able to post an announcement in the official channel. A single compromised login was enough; nothing required a second, independent confirmation before the post went out.

After some brainstorming, we came up with a solution proposal where a 2FA authorization would be required before posting to an official #announcements channel.

How would a 2FA Discord Announcements Bot Work?

Imagine there is a 0xRebels 2FA Announcement Bot.

Here is how the bot would work in action:

Step 1: Configuring Discord channels

To begin with, the announcement channel would be set up so that only admins and the 0xRebels 2FA Announcement Bot can post to it. Nobody else, including moderators, can post to the announcement channel. (Admin accounts remain a single point of failure under this design, so keep them few and protect them with Discord's own account 2FA.)

Next, set up an additional channel called #announcement-proposals. This channel would only be visible to admins, moderators, and the 0xRebels 2FA Announcement Bot.

Step 2: Configuring access rights

The next step in the process is to configure the access rights.

First off, make sure that the 0xRebels 2FA Announcement Bot role sits above the moderator role in the server's role list. Also, make sure the 0xRebels 2FA Announcement Bot role has the permission to mention @everyone.

These two settings matter because Discord only lets an account manage roles and members ranked below its own highest role: if a moderator account is hacked, the attacker can neither remove the bot nor strip its permissions, and the @everyone permission makes sure the announcements made by the bot reach everyone on your server.

Next, configure the 0xRebels 2FA Announcement Bot to monitor the #announcement-proposals channels for any new announcements and post approved announcements to the #announcements channel.

Next, register the moderator accounts with the 0xRebels 2FA Announcement Bot. This requires the moderator's Discord user ID, the moderator's email, and/or the moderator's phone number.

For example: !2fa 123456789012345 moderator.john@mynftcollection.com +17241234566

This instructs the 0xRebels 2FA Announcement Bot to only consider announcements proposed by one of the registered Discord user IDs. The !2fa command itself should be accepted only from admins, and the email address and phone number should ideally not be the ones used to log in to the moderator's Discord account, otherwise whoever took over the account may already control the second factor as well.

The 0xRebels 2FA Announcement Bot in action

So, after the configuration steps have been completed, here is how the actual process of posting an announcement would work:

  1. First, the moderator would post the announcement to #announcement-proposals.
  2. If the announcement is coming from one of the configured moderator accounts, the 0xRebels 2FA Announcement Bot will send a verification code to the moderator’s email and a text message verification code to the moderator’s phone number.
  3. The 0xRebels 2FA Announcement Bot would prompt the moderator in the #announcement-proposals channel to enter both email and phone verification codes.
  4. The moderator enters both codes.
  5. If both codes match, the 0xRebels 2FA Announcement Bot takes the announcement message posted by the moderator in #announcement-proposals and sends it to the #announcements channel.

What’s the benefit of doing this?

  1. Even if the moderator's Discord account is hacked, the attacker can not make any official announcements unless the attacker also controls the moderator's email and phone, or tricks the moderator into relaying the fresh codes in real time.
  2. This greatly reduces the social-engineering/human-factor risk: one stolen password or session token is no longer enough on its own.
  3. This introduces an extra layer of protection for all community members.
  4. This bot could be built so that only official links can be included in the announcement messages, which would have blocked today's "claim" link regardless of who posted it.
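The following is an added example modelling the flow from "The 0xRebels 2FA Announcement Bot in action" together with the official-links idea from benefit 4. It is not the 0xRebels bot and uses no Discord library: code delivery and posting are replaced by in-memory lists so it runs offline, and the class name, the five-minute code lifetime, the three-attempt limit and the official domain are all assumptions. What it adds to the prose is the handling a practitioner would insist on: codes bound to the proposing user ID, single use, expiry, an attempt limit, constant-time comparison, and a domain allowlist that also catches look-alike hosts such as mynftcollection.com.evil.example.

```python
"""Model of the 2FA announcement gate described above (added example, not the
0xRebels bot). Code delivery and Discord API calls are replaced by in-memory
lists so it runs offline; all names, the TTL and the attempt limit are assumptions."""
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlparse

CODE_TTL_SECONDS = 300     # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3           # assumption: three wrong guesses void the proposal
URL_RE = re.compile(r"https?://[^\s<>()\"']+", re.IGNORECASE)


@dataclass
class Moderator:
    user_id: int
    email: str
    phone: str


@dataclass
class Pending:
    text: str
    email_code: str
    sms_code: str
    expires_at: float
    attempts: int = 0


class AnnouncementGate:
    def __init__(self, official_domains, now=time.time):
        self.official_domains = {d.lower() for d in official_domains}
        self.moderators = {}      # user_id -> Moderator, filled by !2fa commands
        self.pending = {}         # user_id -> Pending proposal awaiting its codes
        self.announcements = []   # stands in for posting to #announcements
        self.sent = []            # stands in for email/SMS delivery
        self.now = now            # injectable clock so expiry can be tested

    def register(self, command):
        """Parse the '!2fa <user_id> <email> <phone>' command from the post."""
        parts = command.split()
        if len(parts) != 4 or parts[0] != "!2fa" or not parts[1].isdigit():
            raise ValueError("usage: !2fa <user_id> <email> <phone>")
        if "@" not in parts[2] or not re.fullmatch(r"\+\d{8,15}", parts[3]):
            raise ValueError("bad email or phone")
        mod = Moderator(int(parts[1]), parts[2], parts[3])
        self.moderators[mod.user_id] = mod
        return mod

    def links_are_official(self, text):
        """Every http(s) URL must be an official domain or a subdomain of one."""
        for url in URL_RE.findall(text):
            host = (urlparse(url).hostname or "").lower()
            if not any(host == d or host.endswith("." + d) for d in self.official_domains):
                return False
        return True

    def propose(self, user_id, text):
        """Flow steps 1-2: a registered moderator posts; the bot sends two codes."""
        mod = self.moderators.get(user_id)
        if mod is None:
            return "ignored: not a configured moderator"
        if not self.links_are_official(text):
            return "rejected: contains a non-official link"
        email_code = f"{secrets.randbelow(10**6):06d}"
        sms_code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user_id] = Pending(text, email_code, sms_code,
                                        self.now() + CODE_TTL_SECONDS)
        self.sent.append(("email", mod.email, email_code))
        self.sent.append(("sms", mod.phone, sms_code))
        return "codes sent: reply with the email code and the SMS code"

    def verify(self, user_id, email_code, sms_code):
        """Flow steps 3-5: both codes must match before the text reaches #announcements."""
        p = self.pending.get(user_id)
        if p is None:
            return "no pending proposal"
        if self.now() > p.expires_at:
            del self.pending[user_id]
            return "expired: post the proposal again"
        p.attempts += 1
        # Constant-time comparison of both codes, with no short-circuit between them.
        ok = hmac.compare_digest(p.email_code.encode(), str(email_code).encode()) \
            & hmac.compare_digest(p.sms_code.encode(), str(sms_code).encode())
        if ok:
            del self.pending[user_id]          # single use
            self.announcements.append(p.text)  # would be the post to #announcements
            return "posted"
        if p.attempts >= MAX_ATTEMPTS:
            del self.pending[user_id]
            return "locked: too many wrong codes, post the proposal again"
        return "wrong code"
```

Because each pending proposal is keyed to the moderator's user ID, a code typed into the shared #announcement-proposals channel is useless to anyone else, which is what makes step 3 of the flow acceptable there. The link check only sees scheme-prefixed URLs; a stricter bot would also reject bare domains and markdown links whose visible text and target differ.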

Next steps

At 0xRebels, we decided to explore the concept of the 2fa announcement bot further, and we started building one. If you are working on an NFT collection and would like to be among the first to get a chance to try it, please reach out to us on Twitter.

If you have ideas on how to improve the security of the NFT Discord servers or the 0xRebels 2FA Announcement Bot — we would love to hear from you, leave a comment or a tweet.

Edit:

We developed the bot, it’s currently in beta. You can read about and see how it works in our next article — https://medium.com/@0xRebels/2fa-secured-announcements-for-nft-discord-servers-36c1ec73f747
