ModarBot

What it does

ModarBot is a real-time anomaly detector for Reddit communities, built entirely on Devvit. It watches a subreddit's live event stream — posts, comments, reports, mod actions, and vote patterns — and alerts the mod team the moment something unusual is happening.

Six independent statistical detectors run continuously:

• Account-age anomaly — detects sudden floods of new accounts (<30 days) posting in the sub
• Report storm — catches when ≥5 distinct users report the same person within 15 minutes
• Comment cascade — flags threads where comment velocity spikes ≥5× the prior pace
• New-account cluster — identifies ≥4 accounts created within 14 days of each other posting in the same thread
• Cross-post influx — spots bursts of inbound posts referencing external subreddits
• Vote-pattern anomaly — monitors per-post upvote ratio drops between scheduled snapshots every 2 minutes

The Watchtower is a custom post that lives in the sub's mod area. It displays a status orb (green/yellow/red) at a glance, a live anomaly feed with severity bars and time-ago labels, and a drill-down modal where mods can inspect offending accounts and take bulk actions (ban, remove, lock) — always with an explicit confirmation step. Dismissed anomalies can be re-investigated if needed.

When severity crosses the sub's configured threshold, ModarBot sends a throttled modmail alert (one per anomaly type per 10 minutes) so mods who aren't watching the Watchtower still get notified.

No AI. No external APIs. No publisher API key. $0 ongoing cost.

How we built it

• Frontend: Devvit Web with React 19, Tailwind CSS 4, and Vite — the Watchtower UI runs as a webview inside Reddit posts
• Backend: Hono server with tRPC v11 running on Devvit's serverless Node 22 environment
• Storage: Devvit Redis for the 24-hour rolling event log, EWMA rolling baselines, per-sub settings, anomaly records, and vote snapshots
• Real-time updates: Devvit Realtime pub/sub pushes anomalies to the Watchtower instantly; 15-second polling serves as a fallback
• Scheduled jobs: Devvit Scheduler runs a cron task every 2 minutes to capture vote-pattern snapshots (since Devvit triggers don't fire on votes)
• Detection engine: Pure statistical/heuristic detectors using EWMA (Exponentially Weighted Moving Average) with 3-sigma thresholds — no machine learning, no external models

The entire signal pipeline — ingestion → detection → deduplication → publish → alert — runs in a single cycle() function triggered on every Reddit event.

Challenges we ran into

• Devvit Realtime channel naming: Channel names only allow letters, numbers, and underscores. Our original colon-separated naming (modarbot:subname) broke at runtime — we had to switch to underscore separators and sanitize all sub names.
• Vote-pattern detection without triggers: Devvit doesn't fire triggers on vote changes. We solved this with a Scheduler cron job that polls reddit.getNewPosts() every 2 minutes and compares upvote ratios between snapshots.
• Webview security gap: We discovered that forUserType: "moderator" in devvit.json only gates the menu button — it does NOT gate the webview's API endpoints. Any user viewing the Watchtower post could have called /api/anomaly/:id/bulk and used the app's mod credentials to ban users. We built a requireMod middleware that verifies the caller via reddit.getModerators() on every mutating route.
• Bulk action tampering: The drill-down modal sends entity IDs from the client side. A malicious mod could have forged IDs to ban users not related to any anomaly. We added an entity allowlist intersection — only entities the anomaly actually detected can be acted on.
• Splash vs expanded mode: Devvit's dev simulator opens in expanded mode by default, which caused requestExpandedMode() to throw. We added a try/catch with a fallback redirect to handle both inline and expanded contexts gracefully.

Accomplishments that we're proud of

• Zero-cost architecture: The entire app runs on Devvit's built-in infrastructure with no external dependencies. When judges ask "how does this stay running after the hackathon?" the answer is: it already does — there's nothing to pay for.
• Sub-minute detection: In testing, ModarBot detects a simulated brigade within 15 seconds of the first anomalous event. Current tools take hours.
• Explainable alerts: Every alarm has a deterministic, human-readable reason: "5 accounts under 30 days old posted in this thread in 8 minutes." No black box. Mods can verify, push back, or tune thresholds.
• Security-first design: Server-side mod verification on every mutating endpoint, atomic dedupe locks (Redis SET NX), entity allowlists on bulk actions, rate-limited demo triggers, and no auto-actions without explicit confirmation.
• Six independent detectors shipped in under 48 hours, each with its own statistical model, deduplication, and severity scoring.

What we learned

• Statistical anomaly detection (EWMA + sigma thresholds) is surprisingly effective for brigade detection — you don't need AI to catch coordinated behavior patterns.
• Devvit Web's webview model requires careful handling of splash-to-expanded transitions, especially in the dev simulator vs production Reddit.
• The "no AI, $0 cost" constraint actually forced a better architecture — more explainable, more sustainable, and faster (statistical checks run in milliseconds vs API latency).
• Security review before submission is essential — we caught two HIGH-severity authorization bypasses that would have been exploitable in production.

What's next for ModarBot

• Mute schedules — time-based alert suppression so mods can silence specific signals during known-busy periods
• Historical analytics dashboard — trends beyond the current 24-hour rolling window to help teams understand their sub's long-term health
• Community-sourced threshold presets — pre-configured sensitivity profiles for small, medium, and large subs
• AutoMod integration — when ModarBot detects a recurring pattern, suggest an AutoMod rule the team can install with one click
• Reddit Developer Funds — apply for ongoing funding to support feature development and reach more communities

Built With

• devvit
• devvit-realtime
• devvit-redis
• devvit-scheduler
• devvit-web
• hono
• node.js
• react-19
• tailwind-css-4
• trpc
• typescript
• vite