Launching Your Web3 Community Safely
KEY TAKEAWAYS:
- Launching and running a secure web3 community involves more than just releasing a token, coin, or platform.
- You must have security measures in place to protect your community members and securely manage treasuries.
- In this module, Ledger Academy and Boring Security will dive into everything there is to know about launching a crypto project securely.
Ever thought about launching your own web3 community? Join Ledger Academy and Boring Security in this series of articles exploring all the things you need to know to launch a token, platform, or DAO securely. Make sure you take the Ledger Quest to prove your knowledge at the end of the module!
Not everyone plans a formal launch of a web3 community. Sometimes it starts as a group of a few mission-driven people in a group chat, and before you know it, you’ve launched a full-on DAO (speaking from experience!). Whatever your path, there are certain things to consider when it comes to creating and protecting wallet addresses, social media, and your brand.
Whether you are launching a project, starting a DAO, or just creating art for a (for now) small group of collectors, you owe it to your community, and to yourself, not to let either of you become victims of your mistakes. Sleepless nights spent in a panic while your Twitter/Discord/wallet remains compromised are not something you want on your bucket list, trust me!
Throughout this module, we’re going to focus on 5 key areas:
- Fostering a Culture of Security in Your Community
- How to Protect Your X Account
- Protecting and Launching Your Discord Server
- How to Manage Project Wallets and Treasuries
- What to Do if Your Project Gets Hacked
Foster a Culture of Security in Your Community
Security, as much as it is technical, is a value, and a cultural practice as well. Fostering a culture of security doesn’t just stop at having a boring Web3 Security seminar once a year for your holders/collectors/members, but rather baking it into the cultural cake that is your community fabric. So what does this mean? Well, it is hard to define, but here’s some advice.
Be Mindful of Creating Time Pressure for Your Community
Although Boring Security did a lot of analysis on the factors contributing to people being scammed/phished in the past, we didn’t include FOMO (Fear of Missing Out) in our report, despite it probably being the underlying cause of a good many of the wallet drains that occur in Web3. Creating these “Go to this link and mint this faster than others” scenarios not only creates an adversarial environment, but often means you are inadvertently prioritizing the wrong kind of community members.
What you want are creative, passionate, and loyal community members. But with an open mint that incentivizes people to “mint first”, what you tend to get are bots, experienced flippers, and those who know how to interact directly with your smart contract to bypass hurdles or website issues that might occur during a hyped mint.
Reduce the Need to Connect Wallets Containing Value
Did you launch a successful NFT or token? Want to reward holders of other successful NFTs or tokens? Of course, you’ll want those folks to prove ownership of said assets, but the answer might not always require them to sign or make a transaction on that wallet. Many people are wary about signing with their “vault wallets”, and with good reason. Signatures can be dangerous, and it is hard for someone who isn’t formally educated to have real confidence about the safety of what they are signing. Some practical suggestions on how to do this are:
- Utilize wallet delegation primitives such as Warm.xyz & Delegate.xyz, which allow holders to prove ownership of valuable assets in their vault without ever having to connect it past the setup process. Boring Security has an in-depth article on this here.
- Consider using tools like Vulcan and Collabland to grant Discord roles to holders of certain tokens/NFTs (whether they are yours or your partners’). In addition to supporting the above primitives, they also allow you to give whitelists on platforms like Heymint and Subber where users can be vetted by Discord roles.
- Hosting some kind of event, or wanting to give discounts to holders of your token? Consider implementing Tokenproof. They have a Shopify extension and a suite of tools to handle IRL events, website connections, etc.
Building on top of the aforementioned primitives might be imperfect, but Web3 is still in its infancy. The idea behind utilizing these tools is that many users have already been onboarded to them safely, and leveraging those pre-existing wallet connections reduces both friction and risk for your users. The industry is attacking the problem of dangerous signatures from all angles, including here at Ledger by committing to reducing the prevalence of blind signing in the space.
Create Opportunities for Security Learning for Your Community
Just like in the Web2 world, where companies run annual and continuous Security Awareness Training, Web3 has its version of that. In the Web2 world, the ROI (return on investment) of an average Security Awareness Training program is 37x according to the Ponemon Institute, an independent research arm.
Conservative estimates by Boring Security suggest that over 2% of each popular NFT collection’s assets have been stolen at one time or another. Aside from the financial damage that creates, it is painful emotionally for both you and your community. Luckily, in Web3 there are an ever-increasing number of opportunities and outlets to offer educational experiences to your community, such as:
1) Ledger Academy: Ledger Academy allows community members to go through a wide variety of topics related to crypto onboarding, security, and how to survive and thrive in the web3 world!
2) Boring Security DAO: Boring Security’s approach is all about live classes, and experiences, as well as fostering a gathering place to ask questions. The DAO posts content and provides services specifically focused on web3 security.
Before starting a community of any kind, we highly recommend baking in security mindfulness as a core value in your community. The button that means success for you and the one that means total loss for them are one and the same, so be mindful to protect your community and reduce the likelihood of an all-too-common event. Stay safe!
This article was written by Feld from Boring Security. Follow him on X here, and check out Boring Security’s X account, Discord server, and official website for more information.
Finally, don’t miss the next article in the series where JonHQ dives into how to launch and manage a secure X Account. And, of course, test your knowledge via Ledger Quest!