Phishing Scams (via wired.com)

A Slack to Combat Phishing Scams

Collin Chin
GnosisDAO
3 min read · Aug 10, 2017


Recently, several blockchain community Slacks have fallen victim to phishing scams in which malicious users create deceptive Slack handles such as @GnosisOfficial and directly message other users asking for their private keys.

Unfortunately, there are currently no Slack settings to directly combat this. Naturally, team admins have the ability to ban and block specific users and emails from the Slack. However, once banned, there is nothing stopping an attacker from creating a new email and joining under another deceiving handle.

When we contacted Slack engineers, they explained that you cannot revoke a user’s ability to directly message other users, and recommended that Gnosis only invite users onto the Slack whom we personally trust. We proceeded to take down the public invite link to the Slack and think of a better solution.

The Gnosis Solution

In order to verify that users joining the Gnosis community Slack are seeking to positively contribute to the development and discussion of Gnosis, we have created a new tool using the Slackin invitation app and MetaMask. New users that wish to join the Slack will be directed to https://slack.gnosis.pm/.

Signing a message to get a Slack invite

Following the instructions on the website, users should proceed to download and install the MetaMask Chrome extension and import a wallet that holds a GNO balance greater than 0.1. When the user inputs their email address into the form, they will sign a message with their MetaMask account. The signed message is sent to our server, where we recover the signing Ethereum address from the signature and validate that this account holds GNO. If the account holds GNO, we send the invite to the user's email. Otherwise we let the user know that they cannot sign up.

This idea was inspired by Alex Miller and his article on using Ethereum and MetaMask instead of passwords. This is a simple, short-term solution to a bigger problem. It adds inconvenience and raises the barrier to entry enough to deter most scammers, who hit many Slacks to bait a single victim; for them it’s just not worth the effort. We haven’t had another attack in our Slack since implementing this measure. In the future, we are considering making it a requirement to deposit GNO into a contract where we can burn or transfer the tokens if the user misbehaves, to further discourage scammers.

How to deploy it for your own community Slack:

If you wish to use this technique to verify token holders on your own community Slack, fork this repo and enter the contract ABI and address of your token where specified.

Got feedback? Email me at collin.chin@berkeley.edu or ping me on Slack: @collinc

Thanks to Denis, Giacomo, Alan, and Stefan for their help in completing this project.
