Note to Issuers: Website Security and Troubleshooting

Hey everyone!

In the wake of ETHDenver, I wanted to address a few issues we’ve been seeing with websites, and some common approaches to troubleshooting.

On Security
For those who aren’t aware, POAP Websites trade off ease of use for data integrity. We’ve historically seen bot attacks that drain POAP Websites that are discovered, which place a tremendous load on the system (in addition to not doing much for issuers). As a result, we tend to review Websites carefully for factors including how the website is shared, how easy the URL is to guess, issuer history, and the size of the drop overall.

Sharing your website
Great: Printed QR code at a location
Not great: People taking a photo with said QR code to post on Twitter
Really bad: Dropping the link to the website directly in Discord or on Twitter

URL difficulty
Great: Adding a hash somewhere in the URL
Not great: URLs that someone can brute force by scrambling the words in the title and description
Really bad: URLs that are just the name of the event in lower case

Issuer history
Great: A slow build up of experience starting with small, low-key events with more manual POAP issuance, and expanding to larger and/or more ambitious distributions.
Not great: Requesting 200 mint links and configuring a POAP website for 200 POAPs due to lack of familiarity with distribution methods.
Really bad: Requesting 20000 mint links and configuring a POAP website for 20000 POAPs “just incase”, due to lack of familiarity with distribution methods, about an hour before your event is supposed to start. This will generally not get through.

For distributions involving check-in like logistics, please consider using the Magic Dispenser as an alternative that is substantially more secure.

On Troubleshooting
The most common reason for a website “not working” after its been approved by far is some version of mis-configuring the minting window. For optimal results:

  1. Set the window as open from the time you’re configuring it, to the end time of your event (when you might feasibly want minting to stop.
  2. Test the website by visiting the URL (or scanning the QR code generated) and minting a POAP.
  3. Deactive your website until you want it to go live. You can do this from the admin section on the “Websites” page.
  4. After your drop: Deactivate your website if your mint window was longer than anticipated.
1 Like