SOTER-GUARD

monitor.soter.fun

Real-time community monitoring. Detects wallet drainers, phishing, and suspicious links.

Features

Live Feed Monitoring: scans community posts as they come in.
Heuristic Risk Scoring: each message gets a risk score based on multiple signals (not just keywords).
Combination Detection: scores increase when multiple risk factors combine (e.g., vulgar language + unknown link + URL shortener).
Audit Queue: flagged items route into a clean queue for human review.
Resolved Memory: already-handled items don't reappear in the feed.
Moderator Invites: invite teammates via X handle — they see pending invites on login and can accept/decline.

Risk Categories

Risk Scoring Engine

The risk engine analyzes each message and returns a score (0–100) with categorized reasons:

type RiskCategory =
  | "PHISHING_LINK"
  | "WALLET_DRAINER"
  | "FAKE_SOCIAL"
  | "SUSPICIOUS_DOMAIN"
  | "SHORTENER_LINK"
  | "OFFENSIVE_LANGUAGE"
  | "EXTERNAL_INVITE";

interface RiskResult {
  score: number;           // 0-100
  reasons: string[];       // Human-readable explanations
  categories: RiskCategory[];
  isHighRisk: boolean;     // score >= 60
}

function assessRisk(text: string, urls: string[]): RiskResult {
  let score = 0;
  const reasons: string[] = [];
  const categories: Set<RiskCategory> = new Set();

  // Check for offensive language
  if (hasOffensiveLanguage(text)) {
    score += 25;
    reasons.push("Contains offensive or abusive language");
    categories.add("OFFENSIVE_LANGUAGE");
  }

  // Analyze each URL
  for (const url of urls) {
    if (isKnownPhishing(url)) {
      score += 40;
      reasons.push(`Known phishing domain: ${extractDomain(url)}`);
      categories.add("PHISHING_LINK");
    }

    if (isWalletDrainer(url)) {
      score += 50;
      reasons.push("Link associated with wallet drainer");
      categories.add("WALLET_DRAINER");
    }

    if (isUrlShortener(url)) {
      score += 15;
      reasons.push("Contains URL shortener (potential redirect)");
      categories.add("SHORTENER_LINK");
    }

    if (looksSuspiciousDomain(url)) {
      score += 20;
      reasons.push(`Suspicious/unknown domain: ${extractDomain(url)}`);
      categories.add("SUSPICIOUS_DOMAIN");
    }
  }

  // Combination bonus: multiple categories = higher risk
  if (categories.size >= 2) {
    const bonus = (categories.size - 1) * 10;
    score += bonus;
    reasons.push(`Multiple risk factors detected (+${bonus})`);
  }

  return {
    score: Math.min(score, 100),
    reasons,
    categories: Array.from(categories),
    isHighRisk: score >= 60
  };
}

Offensive Language Detection

Pattern-based detection for common abuse vectors:

const offensivePatterns = [
  /\b(scam|rug(ged)?|drainer)\b/i,
  /\b(f+u+c+k+|sh+i+t+|a+ss+)\b/i,
  /\b(kill|die|threat)\b/i,
  /rug\s*(you|me|us)/i,
  /dm\s*(me|for)\s*(airdrop|whitelist)/i,
  // ... extended pattern list
];

function hasOffensiveLanguage(text: string): boolean {
  return offensivePatterns.some(pattern => pattern.test(text));
}

URL Analysis

Multi-layer URL inspection:

// Known shortener domains
const URL_SHORTENERS = [
  "bit.ly", "t.co", "tinyurl.com", "goo.gl",
  "ow.ly", "is.gd", "buff.ly", "shorturl.at"
];

// Fake social patterns (typosquatting)
const FAKE_PATTERNS = {
  discord: [/disc[o0]rd[^.]*\./i, /d[i1]sc[o0]rd/i],
  twitter: [/tw[i1]tt[e3]r/i, /x\.c[o0]m(?!$)/i]
};

function analyzeUrl(url: string): UrlAnalysis {
  const domain = extractDomain(url);
  
  return {
    isShortener: URL_SHORTENERS.includes(domain),
    isFakeSocial: checkFakePatterns(url),
    isKnownSafe: WHITELIST.includes(domain),
    suspicionScore: calculateDomainSuspicion(domain)
  };
}

Scan API

The monitor endpoint scans recent community posts:

// POST /api/monitor/scan
interface ScanRequest {
  communityId: string;
  minRiskScore?: number;  // default: 25
  windowMinutes?: number; // default: 1440 (24h)
}

interface ScanResponse {
  scanned: number;
  detected: number;
  escalated: number;
  items: {
    postId: string;
    author: string;
    text: string;
    risk: RiskResult;
    timestamp: string;
  }[];
}

Case Management

Flagged items become "Cases" in the audit queue:

// Database schema (Prisma)
model Case {
  id          String   @id @default(cuid())
  communityId String
  xPostId     String   @unique
  contentText String
  sourceUrl   String?
  riskScore   Int
  riskReasons Json     // string[]
  status      CaseStatus @default(OPEN)
  resolvedBy  String?
  resolvedAt  DateTime?
  createdAt   DateTime @default(now())
  
  community   Community @relation(fields: [communityId], references: [id])
}

enum CaseStatus {
  OPEN
  RESOLVED
  IGNORED
}

How It Works

Scan: SOTER monitors the community feed.
Score: Each post gets a risk score (0–100) with reasons.
Queue: High-risk items auto-escalate to the Audit Queue.
Decide: Mods review, resolve, or escalate.
Learn: Resolved items are excluded from future scans.

PreviousSoter Ecosystem NextSOTER-BOUNTY

Last updated 1 day ago

Good night