In the crypto world, attacks, hacks, and scams are unfortunately all too common. Phishing links can be found everywhere - on Twitter, in seemingly harmless blog posts, and in personal emails. We’ve not been immune to them either! As a popular tool for decentralized decision-making, Snapshot.org is an attractive target for scammers looking to manipulate governance proposals for their own gain.
Ok, so how can you minimize the risk of scam proposals on your space? Read on!
Each space has the possibility to fully customize its voting process.
Unfortunately, many spaces stop at selecting the Voting Strategies and do not implement any further settings, including proposal validation.
This means anyone is able to create a new proposal.
While casting a vote on Snapshot does not pose any threat to a user’s funds, we cannot fully control the content of the proposal itself. Hackers have mastered the art of hiding malicious links behind legit-looking URLs, images or even checkboxes, and it’s getting incredibly difficult to block the scam content without blocking the actual valid proposals.
Currently, Snapshot does not allow using short URLs, which are an easy way to hide a dangerous link.
More often than not, scammers take the easy way and attack spaces which don’t have any validation for proposal creation in place. This way they can create scam proposals without holding any funds in their wallet.
Moreover, spaces which have very low requirements for proposal creation, for example requiring a user to hold $5 worth of a token, are also an easy target, as the barrier to entry is very low.
Some of the most effective anti-scam solutions are:
Roles management - set moderators who can archive or hide proposals, or authors who can always create proposals regardless of other settings.
Enable Authors only mode - don’t allow anyone else apart from whitelisted addresses to create new proposals.
Snapshot's Discord Bot - get notified by Discord or other bots to monitor new proposals.
Validation strategies - use the logic of existing voting strategies to set a higher threshold (~$100 worth of the token) or a more complex requirement for the user like Gitcoin Passport Validation to create a proposal.
Let’s have a look at all of them in more detail.
Before we dive into the Validation Strategies, let’s first understand the different permissions of the roles defined in the Members tab of the space settings:
Controller - in full control of the space, the only role able to change the Controller of the space.
Admin - able to modify the space settings (apart from the list of Admins), manage the space’s proposals and create proposals.
Moderator - able to manage the space’s proposals and create proposals.
Author - able to create proposals without having to go through proposal validation.
Even though we provide several automated mechanisms to minimise the risk of harmful proposals, it is still important for an actual person to be able to review the created proposals.
The Moderator role enables just that - without having access to the space settings, moderators can hide proposals. It is a great way to have more organisation members involved in keeping the governance safe without requiring Admins to be available at all times.
A great addition to the Moderators is a notification system which will inform you and your community about newly created proposals. If your organisation uses Discord, you can easily activate our Discord Bot on your server.
To do so, invite the bot with this link.
/ to see the commands (require administrator role):
Voilà! Now you and your Moderators can keep an eye on the notifications and react much quicker when a scam proposal has hit your space.
It is also possible to whitelist accounts which will be allowed to create new proposals regardless of the chosen Validation Strategy (more on the strategies in the next section).
Once added as Authors in the Members tab in the space settings, they will bypass the validation process and will be able to create new proposals in the space.
If you wish to limit proposal creators to Admins, Moderators and Authors only, you can do so by enabling the Authors only setting in the Proposal tab in the space settings. Make sure to give the Author role to the users you trust!
false) for the connected account to define if someone is eligible to create a new proposal.
Each space can use one Proposal Validation for all of its proposals at a time.
A validation strategy can check both monetary and non-financial assets of the user, such as POAPs or Gitcoin Passport stamps.
The Basic Validation Strategy allows you to specify multiple Voting Strategies to determine if a user is eligible to create a proposal.
Voting Strategy is a set of conditions used to calculate user's voting power. Strategies enable Snapshot to calculate the final result of voting on a given proposal.
When setting the Validation Strategy up it’s important to keep in mind that it is meant to make it difficult for users outside of your community to post scam proposals.
Therefore make sure to use a high threshold, for example $100 worth of your organization’s token. A good idea would be to check the holdings of previous proposal creators, both legitimate and scammers, to assess a reasonable value.
In case the threshold you’ve set is too high for some of your community members, don’t forget that you can always add the trusted addresses as Authors, which lets them bypass the Proposal Validation stage.
Below you can see an example of the Basic Proposal Validation using Voting Strategies set for the space:
If you want to set up a more complex validation, you can use custom strategies as shown on the screenshot below:
While Basic Validation focuses on monetary assets, this validation allows you to set requirements protecting your space against Sybil attacks by checking the Gitcoin Passport stamps, which serve as validation of a user’s identity and online reputation.
You can select individual or multiple stamps that matter for your space. You can also decide if they need to meet all of these criteria or only one. The more criteria you select, the more Sybil-resistant your space is.
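The sketch below is an added example, not Snapshot's own code: it models how the roles, the Authors only setting and a Basic Validation threshold described above combine into a proposal-creation decision, and audits a space for the weak settings this post warns about. The field names (`authors`, `authorsOnly`, `validation.minUsd`, `notifications`) and the sample addresses are illustrative assumptions, not Snapshot's real settings schema.

```javascript
// Added example: field names are illustrative, not Snapshot's settings schema.
const RECOMMENDED_MIN_USD = 100; // the post's suggested threshold (~$100 of the token)

// Decide whether `account` may create a proposal, in the order the post describes.
// `holdingsUsd` stands for the value a validation strategy computed for the account.
function canCreateProposal(space, account, holdingsUsd) {
  const addr = account.toLowerCase();
  const inRole = (list) => (list || []).some((a) => a.toLowerCase() === addr);
  // Admins, Moderators and Authors can create proposals without validation.
  if (inRole(space.admins) || inRole(space.moderators) || inRole(space.authors)) return true;
  // Authors only mode: nobody outside those roles may create proposals.
  if (space.authorsOnly) return false;
  // No validation configured: anyone is able to create a proposal.
  if (!space.validation) return true;
  // Basic validation: holdings must reach the configured threshold.
  return holdingsUsd >= space.validation.minUsd;
}

// Report the weak settings the post warns about as a list of finding codes.
function auditSpace(space) {
  const findings = [];
  if (!space.authorsOnly) {
    if (!space.validation) findings.push("no-validation");
    else if (space.validation.minUsd < RECOMMENDED_MIN_USD) findings.push("low-threshold");
  }
  if (!(space.moderators || []).length) findings.push("no-moderators");
  if (!space.notifications) findings.push("no-notifications");
  return findings;
}

// Constructed sample spaces and addresses.
const openSpace = { admins: ["0xAdmin"], moderators: [], authors: [] };
const lowBarSpace = { admins: ["0xAdmin"], moderators: ["0xMod"], validation: { minUsd: 5 }, notifications: true };
const hardenedSpace = {
  admins: ["0xAdmin"], moderators: ["0xMod"], authors: ["0xAuthor"],
  validation: { minUsd: 100 }, notifications: true,
};

console.log(auditSpace(openSpace));
console.log(auditSpace(lowBarSpace));
console.log(canCreateProposal(hardenedSpace, "0xStranger", 5));
```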
To prevent scam proposals from being created, Snapshot spaces should proactively adjust their settings and define how they would like to validate users eligible to create new proposals, and implement additional solutions to manage proposals effectively.
There are several solutions that can be implemented. Spaces can adjust their settings by defining specific roles, such as moderators and authors, and using Validation Strategies. They can also utilise Snapshot's Discord Bot to monitor new proposals and react
If you have any additional feedback or ideas on how to increase the barrier of entry for scammers on Snapshot, do not hesitate to contact us on Discord!