As of today, we're sharing monthly public updates on what we've been doing, what we're up to, and what's to come. This will help us stay accountable and committed to our work, while we experiment with a new way of opening ourselves to the community.

Today's update includes our work on ENS and Account Abstraction, our latest educational content (workshops and interviews), and our plans for the next month

Ready ? Let's start with the main highlight: our disclosure of a critical bug on ENS. And then move on to the next target we've chosen to explore.

Security spotchecks


Last month's highlight was our disclosure of a critical bug on ENS.

How to almost take over any DNSSEC name on ENS
Nick from ENS has just announced that ENS received a report of a critical bug that “would have been catastrophic if deployed”. I’m recommending the @ENS_DAO ecosystem stewards pay out a bounty of $100k - our largest ever - for a vulnerability found in an undeployed version of our

We published the technical article along with a Twitter thread to explain the details of the vulnerability.

In the meantime, we also provided feedback to the ENS team on the fix.

After the entire disclosure process, we still didn't feel we were done with ENS yet. So we started digging into one of the latest features of ENS, related to the Name Wrapper contract and fuses. After spending a few days exploring those contracts, we cut the exploration short as we started feeling diminishing returns.

Account Abstraction (ERC4337)

We've started a spotcheck on one implementation of ERC4337 for Account Abstraction. The review is in progress right now (well not really because we're writing this thing but you get the point).

There are two big components we want to look at: the smart contracts and the off-chain bundler. We began by reviewing the smart contracts. These have been audited multiple times by OpenZeppelin, which lowers the probability of finding severe security vulnerabilities. Still worth spending our time on it, if only to double check.

We're getting more and more familiar with the core contract of the system (the EntryPoint). Although we're moving rather slowly. The code is not as documented as we would've liked, and the spec is quite complex. Luckily there are other resources that have made our onboarding to account abstraction more pleasant.

As we make progress with the EntryPoint, we are also beginning to realize the importance of the off-chain bundler code. So we're finding ourselves coming and going from on-chain to off-chain code to understand how they interact.

Education and advocacy

We prepared and delivered a workshop for Hack ITBA. It's a 2-hour intro to security-oriented testing with Foundry. And its 100% in Spanish 🇪🇸.

GitHub - theredguild/workshop-hackitba-2023: Repositorio del taller “Intro a testing y seguridad de smart contracts con Foundry” dictado el 30 de Marzo del 2023 para HackIT/BA>.
Repositorio del taller "Intro a testing y seguridad de smart contracts con Foundry" dictado el 30 de Marzo del 2023 para HackIT/BA>. - GitHub - theredguild/workshop-hackitba-2023: Repo…

Speaking of publishing...

Have you watched our videos with Patrick Collins ? 🔥 We talked about smart contract security, the process for a security review, and much more. Full interview below 👇

Two more things!

First, we're creating and delivering at least one talk for the DeFi Security Summit. Looking forward to seeing you all there in the event.

And second, we're already working to do some in-person events in LATAM, starting with Argentina. Collaborating with some huge companies and institutions there. Make sure to subscribe to receive more updates on this!


We're paying more and more attention to crafting a public identity for the guild. One that genuinely represents and conveys our values and ideas.

We started by releasing a brief article summarizing the guild's vision and activities. Of course, Twitter thread included.

The Red Guild is born
A group of dedicated security experts, educators, and advocates committed to safeguarding Ethereum applications.

Meanwhile, we've kickstarted our work with the coolest designer ever to help us produce delightful visual assets for the guild. Oh boy you'll love the stuff.

What's next ?

We're gonna be heads down working on the ERC4337 spotcheck. Not only continuing with the actual code review, but also thinking on what kind of educational content is best to share our learning of this promising project.

If you have anything in mind you'd like us publishing related to the ongoing security spotcheck or other educational content, let us know in the comments.

Oh, and for those asking how to support our work: we had submitted a grant for the current Gitcoin round on the "Web3 Community and Education" category. We were really hoping it to get through, so that once the round started you could express all your love and support us. But the sad news is we got rejected and still don't know why. Perhaps we'll be accepted in the next one.

We'll continue to keep you posted on the guild's quests!