At The Red Guild, we share periodic public updates on what we've done, what we're up to, and what's to come. This helps us stay accountable and committed to our work, while we open ourselves to the community.
In case you missed the last one, you can find all our updates here:
A couple of conferences, foot massages, and flights later, we're wrapping up this year. As usual, we've been getting our hands dirty these past few months!
In today's update, we cover:
- DeFi Security Summit participation
- DevCon participation
- The Rekt Games launch
- DevSecOps toolkit
- Damn Vulnerable DeFi v.4.0.1
- Solidity Hikes
- Videos from Aleph's Security Day
Get ready, because this edition comes with a lot of media content!
Conferences
If you have seen any of our talks, we've been speaking a little bit more about the time and energy that we have poured into community-related events lately. So let's begin with that, shall we?
Aleph
Not a conference! But a pop-up city from the movement Crecimiento in Argentina. We've written a little about this in the past, and now we're bearers of great news.
If you want to read more about what we did there, refer to our previous update, where we shared it all.
The news is that all the videos of the content we had on Security Day have now been uploaded to Aleph's YouTube channel 😄.
Security Day
Here's the full list (Spanish only, for now, CC may work):
First, we had Nico Rey from Muun virtually speak about cloud security's first steps for startups. Steps that leave your organization in a position where many common hiccups can be avoided.
To re-introduce us to the decentralized realm, another Nico, this one from Balmy, posed the question: Can we fight back against hacks?
nvcho and his team won significant attention at Ethereum Argentina's hackathon while trying to wrap their heads around new approaches to access control. We decided to invite them to tell us more about it; it appears they found something worth exploring: Consumables.
piña, an independent security researcher, taught us how to navigate from web2 to web3 with his essential tips!
Have you ever wondered how you could circumvent attacks that modify a protocol's original website? Maybe because the site was vulnerable or because they momentarily lost access to their domain. Well, Agus, a technical lead at POAP, explains how SCI can serve as a proactive measure.
Do you know what the future of security audits would be like? Have you ever thought that an auditor is more similar to a Business Analyst? And what about the future of AI? Well, for this kind of thought, go check out Cristiano Silva's talk from Nethermind.
Almost at the end, matta and Pablo updated the talk they had already given at Ethereum Uruguay, where they shared some anecdotes and a strong comparison between different hacks and where attackers struck. As you will see, infra-related attacks are the #1 cause of most rekts.
In the end, we left Pablo to share some of his knowledge related to operational security, although he had little time for the amount of content he brought. How do you think he did?
Public goods week
A week entirely dedicated to discussing public goods was also held during that month. matta participated, representing everything we believe in and explaining why the approach we have taken is important to us.
Present
This December, some of us arrived in Argentina, directly to the second edition of Crecimiento's Aleph pop-up city.
Many colleagues and friends did not make it to Bangkok, so it was pretty obvious to us what we could provide as content when the organization reached out. We opted to give the same workshop we gave at Devcon since it wasn't recorded.
It was a different experience: we were only 16 people. But having this intimate space made for much better engagement between everyone!
We would like to thank Aleph once again, and the usual suspects and followers that we have inside the community of Crecimiento, for backing us and taking an interest in everything we do, one step at a time.
Unfortunately, we did not stay long enough to meet Vitalik, but there will be time in the future! Great things are coming to Argentina, maybe Devconnect 2025?
Going back to Bangkok, let us continue with our trip!
DeFi Security Summit
When we arrived in Bangkok, the first event that we participated in was DSS. We had the privilege to start this year's 101 with tincho hosting a workshop on smart contract security with the recently released version of Damn Vulnerable DeFi.
Thanks to all the jet-lagged early birds who were there from the beginning!
In the main conference, we gave a workshop on hardening development environments against repository backdoors, based on Ethereum Argentina's previous workshop and inspired by the spike in malicious use or deliberate misuse of the technologies every developer uses daily.
Note that there's no recording for this session. We leave you with two memorable pictures we took during its course!
During DSS, we hosted two karaoke sessions! The first, held in a hotel room, was organized with the help of SEAL's supporters and focused on creating a space for SEAL's friends to meet and relax with a specific purpose in mind. For the second, we chose a local venue, and well... it did not disappoint!
In case you didn’t know, karaoke holds a special place in many Asian cultures—not just as entertainment but perhaps even as a form of therapy.
We had a blast. Thanks to everyone who continues to cope with our silly yet fun and deconstructing ideas 😊.
DevCon
Our first Impact Team booth!
Impact booths are basically what you'd expect from a typical conference space where organizations (usually sponsors) tell you more about their doings and evangelize attendees with their ethos. Only this time, the space was intended for teams that had made a positive impact on the ecosystem and committed to continuing to do so in the future, in our case particularly through public goods.
It was an honor to have been invited to participate and receive this type of recognition. Quite an experience.
We had fun, but it was as intense as a toddler on a sugar rush. Most of the communication and dynamics of the booth process weren't aimed at an organization like ours (really small, non-profit), so there were a lot of interesting but strange interactions that made for a memorable experience.
We gave away some spare conference tickets, which we had because of the amount of content we were providing. Also, since we had to leave the fort unattended while presenting that content, we got some more to invite "the rest of the team" to cover for us, as if that was going to change the fact that we were only two at that time 😅. Nevertheless, we're thankful that the organizers did try to help us out!
Hopefully by the next edition we'll have enough experience to understand how to empower ourselves with the help of some of the amazing collaborators we've had in the past, and of those we'll have throughout the two years ahead of us before the next Devcon.
Don’t get rekt: practical threat detection for users and devs
In this workshop, we extended the one we presented at DSS by adding a practical part and the release of our Phishing Dojo!
In this session, we taught how to identify and defend against security threats in Web3. Attendees learned practical ways to spot dangerous websites, protect their wallets, and analyze suspicious interactions. We also showed how to find hidden threats in code that could harm developers and users.
We also presented a proof of concept of something we call the DevSecOps toolkit, and with it, the DevSecOoops handbook (currently a work in progress).
Security Frameworks by SEAL
We have written about SEAL's Security Frameworks before, but now we have spoken about them publicly for the first time. Starting in an unusual way, join us to understand why they matter and how you can help us get to a better state of security.
Finding Bugs: 42 Tips from 4 Security Researchers
A shared presentation where four security researchers (including tincho) shared their combined wisdom on smart contract bug hunting, teaching practical approaches to find vulnerabilities in protocols that handle billions in assets.
Here we highlighted the importance of patience! Everything takes time, so if you're here for the long run... embrace it.
That's all we have to share regarding events for now! Let's move on to explain in a little more detail some of the things we released these past months.
Educational platforms
If you're a follower of the guild, you've seen we kinda pivoted from mainly doing hard security research to more education-focused content. Having an organization that gets shaped by the needs of the community also means having an open mind and a lot of flexibility.
We started The Red Guild with an idea in mind. As time goes by and we expose ourselves even more to the ecosystem, we process the feedback and reinvent ourselves or redirect our energy to where it is needed. And you have spoken, so here we show you some of our latest initiatives driven by community feedback.
The Rekt Games
This DevCon we released therektgames.com, the educational, gamified platform that encompasses:
- Phishing dojo
- CTF & Scavenger hunt
- Damn Vulnerable DeFi
Damn Vulnerable DeFi
We understand how important DVD is to the field; it has even become a standard requirement when hiring auditors these days. That's why we've merged all proposed modifications and released a minor version update with these fixes.
We will think of new ways to add value through it. Feel free to reach out with ideas or participate directly in the discussions in the GitHub repository.
Phishing dojo
If you haven't tried this already, well... this is the sign you were waiting for!
Having worked in the security field for many years, we decided to create a product that tries to be the opposite of what actual boring phishing awareness training tends to be. If you know what we mean by this, just give it a try and let us know what you think about it.
CTF & Scavenger hunt
An awareness campaign required too much work for this year's edition. We dedicated CPU cycles to understanding how to provide a fun yet insightful experience, and we came up with different challenges.
The CTF has now been disabled, but don't worry if you missed it: a snapshot of its current status has been saved for future deployments!
The overall experience involved helping organizations find secret key leaks and bugs, doing on-chain analysis, and some other activities such as trying to exploit some infra vulnerabilities and spoofing a transaction.
If you are into this type of challenge, hit us up so you can feature your own challenges inside our platform in the next iteration.
Proof of concepts
At a less developed stage, we have a few more things to showcase.
DevSecOops
The project initially began as an experiment, primarily aimed at enhancing the DevSecOps toolkit. It currently offers a hands-on tutorial or walkthrough for a select set of tools, providing practical guidance on their usage. The response has been rather positive! Although there are no definitive plans for future development at this time, the expressed interest in its continuation suggests that this may not be the end of it.
Solidity Hikes
Are you more on the visual side of things? Do you enjoy walkthroughs? Then maybe this is for you. Solidity Hikes are Solidity contract implementations (and, in the future, exploitations too) that you interact with by scrolling and watching literal code assemble and disassemble, with comments, as you progress through the content.
Though this isn't strictly new from these past few months, it was an experiment we made for this year's GEERS: Blockchain that many found interesting. We're actually looking for volunteers to contribute to this, or even to send us requests.
Design
We explored new designs and released a new t-shirt as swag for the brave souls who actively participated in our activities at Devcon.
We did not catch a typo in time, so a great percentage of the stickers that we hoped to distribute were saved for another purpose. We will continue to explore this field, since we want to make things people feel proud to use and avoid generating unnecessary waste.
Funding
In the last update, we shared that we were going to apply for a new ESP grant with the EF, for a longer period of time. In this post, we're proud to announce that it has been approved! We couldn't be happier about it 🎉.
This will allow us to focus more on doing the actual work rather than constantly worrying about making ends meet.
Until next year
Bangkok was an incredible city, packed with countless activities. We wrapped up our visit by joining a local ceremony, which coincidentally took place right at the conclusion of the conference.
You know how much we like flowers; even Devcon's theme included a lotus flower, so this was a very special ending.
Several things will remain untold, including our work with SEAL and the more social activities we were involved in. However, this post has become longer than expected, and we also decided to take December lightly to reorganize our future.
We anticipate that 2025 will focus more on education and developing products that address the needs of both end users and security professionals. Wish us luck!
Is there anything specific you'd like to see more of from us? Feel free to share your thoughts in the comments.
Wishing you a happy new year! 🎄🥳