The world of web3 is filled with hackers, scammers and tricky data attacks. This isn’t meant to intimidate you, but rather to inform you of the best ways to protect your assets. It’s important to make sure you have the best security process implemented, and that your larger ecosystem does as well. Below are a few high-level access control security best practices that we recommend as a start.
Use TweetDeck to delegate access to your Twitter account for those who should not have custody of authentication keys. TweetDeck also allows for multiparty approval checks for tweets, and admins can delegate or revoke member access at will
Utilize multi-factor authentication and consider purchasing a YubiKey if managing an account that may be targeted
Discord
Disable webhooks.
Carefully vet bots and consult others on the legitimacy of the bot. Just because a bot is used by millions of servers does not guarantee its security. Be sparing with the number of bots you invite to your server
Enforce that all members with moderator or admin privileges are using two-factor authentication or multi-factor authentication
Censor all links on your Discord. Only 1–3 core members of the team should be able to post links
Create a strict and rigid verification process to disallow bots from entering your server
Members with moderator or admin privileges should disable DMs from server members and use a ticketing service to handle special cases
Announcements channel should regularly announce that moderators will never DM you first, and that the only channels with links are 'announcements' and a 'links' channel
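The link policy above (only a handful of core members may post links, and only in the 'announcements' and 'links' channels) is easy to state but easy to get wrong in a bot, because scammers routinely obfuscate URLs to slip past naive filters. The following is an added example, not code from the original post, and not part of any Discord library: a pure decision function that a server bot could call from its message handler. The message shape (`content`, `channel`, `authorRoles`), the role name `core-team`, and the sample messages are all assumptions constructed for the example.

```javascript
// Added example (not from the original post). Implements the policy
// "only core members may post links, and only in the link channels".
// The message/policy shapes below are assumptions, not the Discord API.

// Zero-width characters are stripped first so "exa\u200Bmple.com" is not missed.
const INVISIBLE_CHARS = /[\u200B-\u200D\uFEFF\u2060]/g;

// Matches plain URLs plus common obfuscations: "hxxps://", "site[.]xyz",
// "site (dot) com", and bare domains such as "discord.gg/invite".
const URL_PATTERN =
  /\b(?:h[xt]{2}ps?:\/\/|www\.)\S+|\b[\w-]+(?:\s?(?:\[\.\]|\(dot\)|\(\.\)|\{dot\})\s?|\.)(?:com|net|org|io|xyz|gg|app|finance|link|art)\b(?:\/\S*)?/i;

function containsLink(text) {
  return URL_PATTERN.test(text.replace(INVISIBLE_CHARS, ""));
}

// Policy: which channels may carry links, and which roles may post them there.
// Keep linkRoles to the 1-3 core team members the post recommends.
const DEFAULT_POLICY = {
  linkChannels: new Set(["announcements", "links"]),
  linkRoles: new Set(["core-team"]),
};

// Returns { action: "allow" } or { action: "delete", reason }.
// Links from untrusted authors are removed anywhere; links from trusted
// authors are removed outside the designated link channels.
function evaluateMessage(message, policy = DEFAULT_POLICY) {
  if (!containsLink(message.content)) return { action: "allow" };

  const trustedAuthor = message.authorRoles.some((r) => policy.linkRoles.has(r));
  if (!trustedAuthor) {
    return { action: "delete", reason: "author may not post links" };
  }
  if (!policy.linkChannels.has(message.channel)) {
    const allowed = [...policy.linkChannels].join(", ");
    return { action: "delete", reason: `links only allowed in ${allowed}` };
  }
  return { action: "allow" };
}

// Constructed sample traffic (not real messages) to show the filter at work.
const SAMPLE_MESSAGES = [
  { content: "gm everyone!", channel: "general", authorRoles: ["member"] },
  { content: "Free mint: hxxps://nft-drop[.]xyz/claim", channel: "general", authorRoles: ["member"] },
  { content: "see mint\u200Bsite (dot) com for the drop", channel: "general", authorRoles: ["member"] },
  { content: "Mint here: https://example.com/mint", channel: "announcements", authorRoles: ["core-team"] },
  { content: "https://example.com/mint", channel: "general", authorRoles: ["core-team"] },
];

// Runs the policy over a batch and returns one decision per message.
function runPolicy(messages, policy = DEFAULT_POLICY) {
  return messages.map((m) => evaluateMessage(m, policy));
}

for (const [i, decision] of runPolicy(SAMPLE_MESSAGES).entries()) {
  console.log(`message ${i + 1}: ${decision.action}${decision.reason ? " (" + decision.reason + ")" : ""}`);
}
```

The filter is deliberately conservative: anything that looks like a link from a non-core member is removed regardless of channel, so the bot never has to judge whether a particular domain is safe. Wire it in as a first pass and let the moderators' ticketing process handle the rare legitimate exception.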
Communications
Advise your community on a regular basis that moderators will not DM community members first on Discord or Twitter
Advise your community on a regular basis that the only platforms for relevant links will be on Twitter, announcement/link channels on Discord, and email. Limit the sources of links and important announcements to your community through as few channels as possible
Instagram is rumored to have password leaks. Advise your community that mint websites will not be posted from this platform
Securing your Keys
Use a hardware key for your crypto wallets. Buy at least two
Use YubiKey for your accounts. Buy at least two
Use a password manager such as LastPass for keys that must be shared across teams
Have any questions about security best practices? DM us on Twitter and we’ll be happy to help. Stay safe and LFG!