As of today, we're sharing monthly public updates on what we've been doing, what we're up to, and what's to come. This will help us stay accountable and committed to our work, while we experiment with a new way of opening ourselves to the community.

Today's update includes our work on ENS and Account Abstraction, our latest educational content (workshops and interviews), and our plans for the next month.

Ready? Let's start with the main highlight: our disclosure of a critical bug on ENS. Then we'll move on to the next target we've chosen to explore.

Security spotchecks

ENS

Last month's highlight was our disclosure of a critical bug on ENS.

How to almost take over any DNSSEC name on ENS
Nick from ENS has just announced that ENS received a report of a critical bug that “would have been catastrophic if deployed”. I’m recommending the @ENS_DAO ecosystem stewards pay out a bounty of $100k - our largest ever - for a vulnerability found in an undeployed version of our

We published the technical article along with a Twitter thread to explain the details of the vulnerability.

In the meantime, we also provided feedback to the ENS team on the fix.

After the entire disclosure process, we still didn't feel we were done with ENS yet. So we started digging into one of the latest features of ENS, related to the Name Wrapper contract and fuses. After spending a few days exploring those contracts, we cut the exploration short as we started feeling diminishing returns.

Account Abstraction (ERC4337)

We've started a spotcheck on one implementation of ERC4337 for Account Abstraction. The review is in progress right now (well not really because we're writing this thing but you get the point).

There are two big components we want to look at: the smart contracts and the off-chain bundler. We began by reviewing the smart contracts. These have been audited multiple times by OpenZeppelin, which lowers the probability of finding severe security vulnerabilities. It's still worth spending our time on them, if only to double-check.

We're getting more and more familiar with the core contract of the system (the EntryPoint), although we're moving rather slowly: the code is not as well documented as we would have liked, and the spec is quite complex. Luckily, other resources have made our onboarding to account abstraction more pleasant.

As we make progress with the EntryPoint, we are also beginning to realize how important the off-chain bundler code is. So we find ourselves going back and forth between on-chain and off-chain code to understand how they interact.

Education and advocacy

We prepared and delivered a workshop for Hack ITBA. It's a 2-hour intro to security-oriented testing with Foundry. And it's 100% in Spanish 🇪🇸.

GitHub - theredguild/workshop-hackitba-2023: Repository for the workshop "Intro to smart contract testing and security with Foundry", delivered on March 30, 2023 for HackIT/BA.

Speaking of publishing...

Have you watched our videos with Patrick Collins? 🔥 We talked about smart contract security, the process for a security review, and much more. Full interview below 👇


Two more things!

First, we're creating and delivering at least one talk for the DeFi Security Summit. Looking forward to seeing you all at the event.

And second, we're already working on some in-person events in LATAM, starting with Argentina, in collaboration with some major companies and institutions there. Make sure to subscribe to receive more updates on this!

Identity

We're paying more and more attention to crafting a public identity for the guild. One that genuinely represents and conveys our values and ideas.

We started by releasing a brief article summarizing the guild's vision and activities. Of course, Twitter thread included.

The Red Guild is born
A group of dedicated security experts, educators, and advocates committed to safeguarding Ethereum applications.

Meanwhile, we've kickstarted our work with the coolest designer ever to help us produce delightful visual assets for the guild. Oh boy you'll love the stuff.

What's next?

We're gonna be heads down working on the ERC4337 spotcheck: not only continuing with the actual code review, but also thinking about what kind of educational content is best for sharing what we learn about this promising project.

If you have anything in mind you'd like us to publish related to the ongoing security spotcheck or other educational content, let us know in the comments.

Oh, and for those asking how to support our work: we submitted a grant application for the current Gitcoin round in the "Web3 Community and Education" category. We were really hoping it would get through, so that once the round started you could express all your love and support us. The sad news is that we were rejected, and we still don't know why. Perhaps we'll be accepted in the next one.

We'll continue to keep you posted on the guild's quests!