TL;DR:
Objective:
Conduct thorough Discord audits and remediation for the main Polkadot Discord server and ten Polkadot parachain servers. The selection for these audits will be prioritized based on the active user count in each Discord, adhering to a first-come-first-serve policy w/final selection discretion residing with JonHQ and 0xTaylor. The aim is to conduct one audit per week to ensure quality and attention to detail.
About Us:
JonHQ brings to the table a wealth of experience in Discord security, having conducted audits for prominent projects across various sectors. Additionally, I'm usually the first call when servers do get compromised; I have reconstructed many attacks and keep detailed notes on exactly how attackers compromise accounts or escalate permissions. My expertise is recognized in the industry, and I employ a systematic approach to ensure comprehensive security coverage.
0xTaylor is a long-time Polkadot stakeholder, ChaosDAO co-founder, and Polkadot Assurance Legion curator. He is known for providing commentary on security threats and incidents as well as providing assistance to projects and individuals. 0xTaylor is a senior information security consultant who conducts offensive penetration tests against major corporations to assist them in proactive threat identification and mitigation.
We are members of the Discord Security community known as ServerForge.
Rationale:
Discord hacks are a paramount threat to the ecosystem at large. Securing Discord servers effectively is a difficult task that requires special knowledge not just about Discord and the security bots, but also attacker techniques and the ever evolving threat landscape. JonHQ and 0xTaylor are well positioned to help the Polkadot ecosystem address those concerns. Mitigating even one attack would most likely cover the entire cost of this proposal.
When the BAYC Discord was compromised, $360,000 was stolen from the community. Another smaller community, Rare Bears, lost $790,000 after a compromise. As the saying goes, "an ounce of prevention is worth a pound of cure", and this initiative is a testament to that wisdom.
This proposal does not imply that the Polkadot Discord server or parachain Discord servers are currently vulnerable to immediate compromise but instead seeks to help further limit potential risks and edge cases. JonHQ did a preliminary check of the Polkadot Discord server for free at 0xTaylor’s request and identified 16 potential points of weakness. JonHQ provided suggestions to the Polkadot Discord Administration team to help mitigate those risks. That thread is the impetus for this proposal.
Mister Cole, who is part of the Polkadot Discord server Administration team and Head Polkadot Ambassador, provided the following feedback on Jon's recommendations:
NOTE: The free review provided in the X thread by Jon_HQ was not from a privileged perspective and thus does not cover all potential risks.
The Process:
Each audit involves a detailed examination of server settings, bots, roles, channels, and user permissions. The process is designed to identify and rectify vulnerabilities, ensuring minimal risk in the event of account compromises. This is not a cursory glance but a deep dive into the intricacies of each server's setup. The goal of each audit is to mitigate potential threats: if a team member or moderator account is compromised by an attack, the attacker should not be able to post announcements or otherwise disrupt the server. We will work with the teams to not just identify but also mitigate these risks.
Deliverables:
Pre-audit Review
Server and Bot Configuration Analysis
Role and Channel Security Assessment
Implementation of Security Bots and Tools
Comprehensive Checks and Re-checks of All Settings
Cost and timeline:
The cost for each audit is set at $5,500, amounting to a total of $60,600 for the Polkadot Discord server and 10 Polkadot parachain Discord server audits. 0xTaylor will receive a $5,000 fee for assisting in the creation, selection, and coordination of this proposal, bringing the total cost to $65,600, priced in $DOT at the EMA30, which at the time of writing is $6.9/$DOT. Upon approval and completion of preliminary steps by the team, each audit will be conducted within a standard timeframe of one week. There may be gaps between audits if teams are not ready or have scheduling conflicts, but ideally these would be delivered back-to-back.
Long-term:
If this pilot program is proven successful, we would look to expand this initiative to all Polkadot parachain teams and potentially other ecosystem projects such as wallet providers and application layer teams.
Conclusion:
Your consideration of this proposal is highly appreciated. JonHQ and 0xTaylor look forward to the opportunity to contribute to the security and integrity of the Polkadot ecosystem.
Q&A:
Q: Why does this only benefit the big teams?
A: We want to make the most impact in proving the success of this program thus will focus our efforts on the largest potential targets. Our goal is to prove this is a success and expand the program to include all ecosystem projects.
Q: Why not just audit the Polkadot Discord server and then make a guide for others to replicate?
A: No two Discord servers are configured the same. They use different bots and the bots can be configured in many different ways. Even a checklist would not address all potential issues and it’s not feasible to write it in the context of all bots. To effectively mitigate the risks, audits are required.
Q: I don’t like that the parachain teams don’t need to pay anything, why are we paying to help them?
A: We considered putting forth the proposal with only a partial subsidy similar to PAL (80/20) but ultimately decided this is a pretty nominal cost given the potential impact, and did not want to deal with the added work of paying out partially and then getting the parachain teams to pay out their portion separately. From a more philosophical perspective, we feel we should do more to support parachain teams. A rising tide lifts all boats.
Q: Why not just prove this with the Polkadot Discord?
A: Because OpenGov is a lot of work and time, it isn’t worth our effort for such a small effect if we only do one Discord.
Q: Why don't you just make a guide that people can follow to set up a Discord server correctly?
A: Jon_HQ has created a Discord server template and an accompanying hour-long YouTube video on how to set it up: https://www.youtube.com/watch?v=BSDPYIfcoXk This also doesn't account for servers that are already built out and need correction, which has potential unseen edge cases such as bot misconfigurations.
Q: Why not just build a bot that does this?
A: Bots don’t understand context. For example, the server may have multiple announcement channels and they may not be named #announcements. How would the bot know it's an announcement channel if it's named something arbitrary like #shouts? The Admin role may not be named admin, what if it was named pleb? How would the bot know it was supposed to have administrative privileges?
Q: Don't all these security countermeasures usually render Discord servers unusable, or at least less desirable to join and chat in?
A: No, not at all, and that is why it is important to hire a professional: they find creative ways to not inhibit the community. For example, adding a 2FA control to announcement channel posts severely limits an attacker's capabilities but does not affect the users.
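As an added illustration of what the "Role and Channel Security Assessment" step above looks like in practice (this is example code written for this page, not a tool JonHQ, 0xTaylor or ServerForge describe), the script below runs a permission check over a constructed snapshot of a Discord server. It computes each role's effective permissions per channel following Discord's documented order (server-level permissions, then the @everyone channel overwrite, then the role's own overwrite; Administrator bypasses overwrites), and flags the conditions the proposal singles out: a server that does not require 2FA for moderator actions, Administrator held by a role with a misleading name (the "pleb" case from the Q&A), and every role able to post in an announcement channel that is not named #announcements. The permission bit values are the ones Discord's API documentation publishes; the server data, role names and the severity labels are constructed for the example, and the per-role computation is a simplification of the per-member aggregation Discord performs for accounts holding several roles.

```python
"""Role-and-channel permission check over a constructed Discord server snapshot.

Example code for this page; the server below is invented, not a real audit target.
"""
from dataclasses import dataclass, field

# Discord permission bit flags (values from the Discord API documentation)
BAN_MEMBERS      = 1 << 2
ADMINISTRATOR    = 1 << 3
MANAGE_GUILD     = 1 << 5
SEND_MESSAGES    = 1 << 11
MENTION_EVERYONE = 1 << 17
MANAGE_ROLES     = 1 << 28
MANAGE_WEBHOOKS  = 1 << 29


@dataclass
class Role:
    name: str
    permissions: int   # server-level permission bitfield
    members: int       # how many accounts hold the role


@dataclass
class Overwrite:
    role: str          # role name the channel overwrite applies to
    allow: int = 0
    deny: int = 0


@dataclass
class Channel:
    name: str
    is_announcement: bool   # decided by the auditor, not inferred from the name
    overwrites: list = field(default_factory=list)


@dataclass
class Server:
    mfa_level: int     # 0 = moderator actions do not require 2FA
    roles: list
    channels: list


def effective_permissions(server, role, channel):
    """Permissions a holder of `role` has in `channel`.

    Order follows Discord: @everyone base | role base, then the @everyone
    overwrite (deny, then allow), then the role's own overwrite.
    """
    everyone = next(r for r in server.roles if r.name == "@everyone")
    perms = everyone.permissions | role.permissions
    if perms & ADMINISTRATOR:
        return ~0  # Administrator ignores every channel overwrite
    for target in ("@everyone", role.name):
        for ow in channel.overwrites:
            if ow.role == target:
                perms = (perms & ~ow.deny) | ow.allow
    return perms


def posting_roles(server, channel_name):
    """Set of role names that can send messages in the named channel."""
    channel = next(c for c in server.channels if c.name == channel_name)
    return {r.name for r in server.roles
            if effective_permissions(server, r, channel) & SEND_MESSAGES}


def audit(server):
    """Return (severity, description) findings for the snapshot."""
    findings = []
    if server.mfa_level == 0:
        findings.append(("high", "server does not require 2FA for moderator actions"))
    for role in server.roles:
        if role.permissions & ADMINISTRATOR:
            findings.append(("high", f"role '{role.name}' grants Administrator "
                                     f"to {role.members} account(s)"))
        elif role.permissions & (MANAGE_ROLES | MANAGE_WEBHOOKS | MANAGE_GUILD):
            findings.append(("medium", f"role '{role.name}' can manage roles, "
                                       f"webhooks or server settings ({role.members} account(s))"))
    for ch in server.channels:
        if not ch.is_announcement:
            continue
        for role in server.roles:
            eff = effective_permissions(server, role, ch)
            if eff & SEND_MESSAGES:
                sev = "high" if eff & MENTION_EVERYONE else "review"
                findings.append((sev, f"role '{role.name}' can post in announcement channel #{ch.name}"))
    return findings


# Constructed snapshot: an "Administrator" role hiding behind the name "pleb",
# an announcement channel called #shouts, and moderators who can ping everyone.
SAMPLE_SERVER = Server(
    mfa_level=0,
    roles=[
        Role("@everyone", SEND_MESSAGES, members=5000),
        Role("Verified", 0, members=4200),
        Role("Moderator", SEND_MESSAGES | MENTION_EVERYONE | MANAGE_WEBHOOKS, members=8),
        Role("Core Team", ADMINISTRATOR, members=3),
        Role("pleb", ADMINISTRATOR, members=1),
    ],
    channels=[
        Channel("general", is_announcement=False),
        Channel("shouts", is_announcement=True, overwrites=[
            Overwrite("@everyone", deny=SEND_MESSAGES),
            Overwrite("Moderator", allow=SEND_MESSAGES),
        ]),
    ],
)

if __name__ == "__main__":
    for severity, text in audit(SAMPLE_SERVER):
        print(f"[{severity}] {text}")
```

Run as-is, the script reports seven findings for the constructed server: the missing 2FA requirement, the two Administrator roles, the moderator role's webhook permission, and three roles that can post in #shouts. The `is_announcement` flag is set by the auditor rather than guessed from the channel name, which is exactly the context a fully automated bot lacks.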
Hey there @Rust Syndicate, thank you for the support. I wanted to point out that Jon does have a Youtube video and Discord template that you can use to build a hardened Discord server https://www.youtube.com/watch?v=BSDPYIfcoXk -- The template link is in the video description. We're happy to explore getting this added to the Wiki.
Follow-up: I will not vote on this personally as all of my $DOT is delegated to ChaosDAO. I am also recusing myself internally from the ChaosDAO vote on this referendum.