Important PSA: Do you run a @discord server? Your private channels are probably not as private as you think. A thread. 👇 1/15
I recently discovered you can glean insights into the internal workings of any project that's using @discord because the Discord API leaks the name, description, members list, and activity data for every private channel on every server. 2/15
Lots of crypto projects use private channels in @discord to collaborate on not-yet-announced partnerships, upcoming product launches, exchange listings, and coordinate multi-sig signers. 3/15
I've always assumed that @discord's "private channels" were actually private. They have the little 🔒 icon next to them! It's obvious that other teams have made the same (incorrect) assumption: 4/15
The internal Discord channel for @binance is called "👔┃binance-staff". The description states that it's "hidden from all roles except for Binance staffs". Except it's not. 5/15
Not that it was ever a well-kept secret, but @opensea have a private Discord channel called "◎solana-launch-partners". 6/15
Similarly, @compoundfinance has a private channel called "💙coinbase". While their relationship with @coinbase is well known at this point, this could have been significant alpha when it was first created. 7/15
Multiple teams have "private groups" for their multi-sig signers with a publicly visible list of the specific individuals who are members of that channel. Some teams have even posted sensitive directions & wallet addresses in the publicly visible description field. 😬 8/15
An anonymous member of a DAO multi-sig could be outed and their physical safety put at risk due to public doxxing. Anonymous whistleblowers or others with a high need for privacy could have their cover blown due to their identities leaking. 9/15
You can also monitor how active a private channel is on @discord. It's not hard to imagine being able to find tradable insights using this data. For example, there may be a flurry of activity right before a big launch. 10/15
When I responsibly disclosed this issue to the team at @discord via @Hacker0x01, they quickly closed it as a "duplicate issue" with the following explanation: 11/15
Since we cannot expect @discord to prevent this data from leaking anytime soon, it's best that everyone is aware of the issue so they can take the appropriate precautions. 12/15
It's worth acknowledging that @discord was originally designed for gamers who have different privacy needs than the high-stakes world of crypto. @OriginProtocol was one of the very first teams to switch over from using @SlackHQ and it was 100% the right decision. 13/15
I'm an enormous fan of @discord and the product they have built. Their product is still the best I've seen for large communities who don't necessarily know or trust each other. 14/15
Please share this thread with anyone you know who is responsible for managing a @discord server.
If we're going to keep the cameras in the showers, people should at least know they are there. 15/15
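One concrete precaution the thread implies is to audit your own server's channel names and descriptions as if they were already public. The script below is an added example, not code from this thread, from Discord, or from any of the projects named in it. It runs entirely offline over a constructed channel list (modelled on the `name` and `topic` fields of a Discord channel object, with the member list simplified to a count; all values are invented) and flags wallet addresses and keywords that tend to reveal deals, launches, or who holds signing power. It deliberately ignores the private flag, since the point of the thread is that the flag does not hide this metadata.

```python
import re

# Constructed sample modelled on the fields a Discord channel object carries
# (`name`, `topic`; the member list is reduced to a count). Every value here is
# invented for this example; none of it comes from the thread or from Discord.
SAMPLE_CHANNELS = [
    {"name": "general", "topic": "Welcome!", "private": False, "members": 1200},
    {"name": "binance-staff", "topic": "hidden from all roles except staff",
     "private": True, "members": 14},
    {"name": "solana-launch-partners", "topic": "", "private": True, "members": 6},
    {"name": "multisig-signers",
     # placeholder 20-byte address, not a real wallet
     "topic": "send approvals to " + "0x" + "0" * 39 + "1",
     "private": True, "members": 5},
    {"name": "coinbase", "topic": "", "private": True, "members": 3},
]

# 20-byte hex address as used on Ethereum-style chains.
ETH_ADDRESS = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

# Words that, in a channel name or description, tend to reveal partnerships,
# launches, listings, or signing arrangements. Extend for your own project.
SENSITIVE_WORDS = ("multisig", "multi-sig", "signer", "launch", "partner",
                   "listing", "staff")


def audit_channel(channel):
    """Return a list of human-readable findings for one channel.

    The `private` flag is deliberately not consulted: the name, description
    and member list are readable whether or not the channel is locked, so
    every channel is held to the same standard.
    """
    findings = []
    for field in ("name", "topic"):
        text = channel.get(field) or ""
        if ETH_ADDRESS.search(text):
            findings.append(f"{field}: contains a wallet address")
        lowered = text.lower()
        hits = [w for w in SENSITIVE_WORDS if w in lowered]
        if hits:
            findings.append(f"{field}: mentions {', '.join(hits)}")
    return findings


def exposure_report(channels):
    """Describe what an outsider could learn from each channel's metadata."""
    report = []
    for c in channels:
        report.append({
            "name": c["name"],
            "topic": c.get("topic") or "",
            "members": c.get("members", 0),
            "findings": audit_channel(c),
        })
    return report


if __name__ == "__main__":
    for entry in exposure_report(SAMPLE_CHANNELS):
        status = "REVIEW" if entry["findings"] else "ok"
        print(f"[{status}] #{entry['name']} ({entry['members']} members)")
        for finding in entry["findings"]:
            print(f"    - {finding}")
```

The keyword list is only a heuristic: the constructed "coinbase" channel produces no findings, which is exactly the thread's point that a bare partner name is itself the leak. The report is therefore most useful read in full, as a list of what every channel's name, description and member count reveal, rather than as a pass/fail check.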