First time? Go read The Truth of The Red Guild so you are more in tune with what follows next.

At The Red Guild, we share periodic public updates on what we've done, what we're up to, and what's to come. This helps us stay accountable and committed to our work, while we open ourselves to the community.

If you haven't read it, here's the previous update:

  • The state of The Red Guild #10: what we've been up to during April, and what's next.
  • updates - The Red Guild: all updates from The Red Guild in a single place.

In today's menu we've got:

  • Participation in security contests
  • New features in our public devcontainer (+ a new article!)
  • Experience attending the Spearbit X Euler HackerHaus
  • New content for... ETHCC?

Security work

May found us heads-down participating in security contests. Not that we're so keen on the competition. We see contests as an opportunity to collaborate in reviewing projects we care about, earn some bucks for the guild, and later produce educational content from what we learned.

Optimism

This time we participated in the Optimism contest in Cantina, reviewing the Safe-related contracts and modules. The scope was narrow and the contracts straightforward. There were some interesting behaviors we explored, but it seemed clear from the contest's rules that the team was only interested in specific types of attacks.

We didn't uncover anything of relevant severity to report, though we learned some things about ownership management in Safe contracts! Article in the making ✍️

As usual, many """issues""" seem to have been reported during the contest. These were then misjudged, and then escalations popped up everywhere. Nothing new – players keep playing the game 🤷

Arbitrum

Once done with the Optimism contest in Cantina, we joined the Arbitrum BOLD review in Code4rena. A safe and sound challenge mechanism is fundamental for this type of rollup to continue evolving toward full decentralization, so we wanted to help raise any security concerns before BOLD goes to prod.

This was the first time any of us reviewed this type of challenge mechanism for a rollup. Tough codebase! We probably spent more than 50% of the time just getting familiar with the system: reading whitepapers and documentation, understanding the terminology, and trying to map all this novel knowledge to the actual Solidity implementation. Bumpy ride for sure.

In any case, the Arbitrum developers were always available. We appreciated their quick and thoughtful replies during the two weeks.

The contest has come to an end, and we didn't have anything too relevant to report. Looking forward to seeing the community's reports and learning from them.

Devcontainers

During May we continued improving our devcontainer focused on web3 tooling for security reviews.

GitHub - theredguild/devcontainer: The Red Guild's devcontainer focused on web3 and security.

The setup feels cleaner now. We also fixed some bugs and added more features. It uses things like zsh, asdf, nvm, latest versions of a few libraries, and other niceties 💞

Make sure to check it out and reach out with feedback.

In our previous update, we wrote a piece about our experience in muBuenos, where we delivered a workshop on devcontainers. A few days ago we published an article based on that experience, where we walk you through the importance of devcontainers and how to build (and use) one that best suits your needs.

Where do you run your code? - an intro to devcontainers
An introduction to devcontainers. Isolating your environment is one step closer to being more secure than before.

If you don't want to miss future publications like these, subscribe to be among the first to read them! 🙌

Finally, we're building a more comprehensive hands-on workshop to show the importance of sandboxed environments. We'll walk you through tips, techniques, and must-have defenses to prevent attack vectors that leverage misconfigurations in repositories, polluted dependencies and extensions, etc. We want you to start hardening your dev environments now!

Events

ETHCC

Bad news first. The ETHCC organizers rejected our workshop on hardening dev environments. We wanted to share with you many of these tips and techniques IRL at the conference, but sadly the organizers weren't interested in it.

But don't be sad! Some of us will still be at ETHCC hanging around, attending talks and just chatting with other security nerds.

Will you be there? If so, come say hi!

The Spearbit X Euler HackerHaus

At the end of May, we attended the HackerHaus organized by Spearbit and the Euler team. It was a great experience to connect and chat with security folks in the space.

Spearbit X Euler | HackerHaus · Luma
Welcome to the first-ever Spearbit X Euler Hackerhouse. The mission is simple: get the world’s best web3 security talent under one roof and hack away at the…

The event featured several talks by the Euler development team, as well as another talk on fuzzing Euler's codebase.

Although we're not sure whether we'll participate in the contest, we do appreciate the teams for organizing this meetup and opening themselves to live questions and comments. Hopefully, this was just the first of many similar events in the future.

What's next

  • Going back to developing Damn Vulnerable DeFi v4.
  • Deciding our next target for a spotcheck or research project.
  • Continuing to discuss a new iteration of a support framework we're planning for the guild.
  • ETHCC plans, any recommendations?