At The Red Guild, we share periodic public updates on what we've done, what we're up to, and what's to come. This helps us stay accountable and committed to our work while we open ourselves to the community.
In case you missed the last one, you can find all our updates here:
The menu for today:
- Working on ETHRangers proposals
- Ongoing overhaul of the Phishing Dojo
- Making progress with SEAL Frameworks
- Security research on (i) EIP-7702 threats and (ii) VSCode extensions
- Improving our web3 security devcontainer
- Participating in the Remedy CTF
- Upcoming talks and workshops for ETHCC
ETHRangers
We've been spending lots of our time reviewing your proposals for ETHRangers - a joint effort between the Ethereum Foundation, The Red Guild, and Secureum to incentivize public goods security work in the Ethereum ecosystem.
Those who submitted their applications must have heard from us already. Having chosen the most promising ones, we're now following up with their authors to outline more concrete plans for each one. The goal is to achieve the largest impact possible in the security space with this first wave of ETHRangers.
Thanks to all applicants for their time and interest in ETHRangers. For sure, it wasn't easy to pick the most valuable projects. We'll keep you posted on progress!
Overhaul of the Phishing Dojo
At the end of last year, we released the Phishing Dojo:
tincho
We're glad to see how much the community loved it. It's proven to be an outstanding public good for the crypto community.
Everyone in crypto:
— Patrick Collins (@PatrickAlphaC) December 26, 2024
- developer
- security researcher
- degenerate
- financial product enjoyooorrr
- etc
Should pass the @theredguild phishing test/game with at least 85%.
Otherwise, you are at risk of being rekt 👇
today with @theredguild we're shipping a new security public good for you all.
— tincho 🪷 (@tinchoabbate) November 12, 2024
Say hello to: The Phishing Dojo.https://t.co/0IorYHQJDR
After all the feedback we gathered on this first version, we're now onboarding a dedicated developer to The Red Guild that's owning the Phishing Dojo.
For the short term, the goal is to improve usability, add new challenges as well as collect usage metrics. For the mid-to-long-term, we'll make a product out of the Phishing Dojo so that we can cater to those who wish to have an exclusive version for their teams.
SEAL Frameworks
We continue leading the SEAL Frameworks initiative. On top of organizing content, discussing future ideas, and gathering community support, we've worked on new practices for the Community Management framework.
In a few weeks, we will do an official launch of the initiative, but in the meanwhile, we will keep working under the GitHub repository and start releasing frameworks while experimenting with the .org and .dev domain.
The Community Management frameworks features recommended practices for Telegram, Discord, X, and Google.
If you'd like to contribute to this or any other category of SEAL Frameworks, check out the issues in the repository - many are perfect for first-time contributors!
security-alliance
Beyond the content itself, we're also exploring alternatives to freshen up the look and feel of the Frameworks. Right now, we're using some common mdBook templates. We'd rather have something more unique for it. If you have suggestions, please drop an issue in the repository.
Security Research
VSCode extensions
As we were iterating on a new version of our devcontainer, we got sidetracked by VSCode extensions. How could we easily tell whether the ones we wanted to include in the container were OK?
Chasing down that question, we explored different heuristics to detect malicious VSCode extensions in the public marketplace. Find out our results in the blog post we published 👇
matta
Every time you download a VSCode extension, you put your workspace at risk, and even if you do use containers, data exfiltration is still something possible.
— ᴍatías Λereal Λeón ⚡🪷 (@mattaereal) February 4, 2025
So, how do you protect yourself? How do you choose whom to trust? (cont.)
EIP-7702 accounts
With EIP-7702 rolling out soon to Ethereum's mainnet, we felt like joining the party. The goal, as always, was to understand and raise awareness about the security risks involved for users and developers. That almost nobody is talking about.
The result? A +1 hour video breaking down the whole thing for you. We want you to learn Ethereum 7702 accounts the right way. Security threats, footguns, risks, real testing, and ideas to build safer programmable accounts.
Find the video in our latest blog post and X announcement 👇
tincho
after a weeks-long rabbit-hole into Ethereum 7702 accounts, here's a +1 hour deep dive breaking it down.
— tincho 🪷 (@tinchoabbate) February 10, 2025
I go over the EIP with diagrams, explaining security risks, footguns and lots of testing of broken code of smart accounts.https://t.co/ADja4hiliL
Devcontainers
Following up on our initial work on devcontainers for web3 developers and security researchers, we spent some time revamping the devcontainer setup to reduce its attack surface.
Along with releasing the new version in our public GitHub repository, we published a blog post explaining the new hardening configuration step-by-step, setup of the Dockerfile and devcontainer.json files.
matta
You'll learn how we:
- Install as few packages as possible
- Use the principle of the least privilege
- Use efficient and isolated package managers
- Set pre-built binaries
- Isolate your host from the container
And more protections for mount isolation, filesystem configs, multi-stage builds, etc.
In the meantime, more people are spreading the container ethos in the web3 space! Although not authored by us, here's an outstanding piece of content by @PatrickAlphaC sharing his view and approach to containers:
You WILL get hacked by malicious scripts if you do not run your code in isolated environments.
— Patrick Collins (@PatrickAlphaC) January 14, 2025
- New Developers
- Security Researchers
- Anyone
Smart contract security researchers especially, I'm looking at YOU.
Here is how you can help protect yourself from random scripts 👇 pic.twitter.com/sQ9j4qAgmU
Remedy CTF
During January we participated in the Remedy CTF. Wouldn't say competed, because we only had time to play one challenge.
Still, it was an interesting learning experience. We published our writeup of the Diamond Heist challenge 👇
tincho
new writeup of one challenge in the @xyz_remedy CTFhttps://t.co/BxFZ9jZwD7
— tincho 🪷 (@tinchoabbate) January 30, 2025
Talks and workshops at ETHCC
ETHCC is happening in some months. Although the location isn't exactly what we'd hoped for, we might attend if we land a few talks and workshops there.
For now we've already submitted a talk on SEAL Frameworks and a security-oriented workshop to share the latest updates on our Phishing Dojo.
What's next
Here are a few things happening at The Red Guild in the upcoming weeks:
- Preparing for Aleph Buenos Aires! We're not only attending but also participating in many of the planned activities and likely contributing with fresh content to continue strengthening our dear LATAM community.
- Advancing ETHRangers proposals, as we continue to detail projects better.
- Further developing the Phishing Dojo. Heavy development and rework to be happening behind the scenes. Particularly on backend stuff. It should result in an overall better experience for all players.
- Improving design and visuals of all public assets. During February, we're starting to work with an awesome designer who will bring fresh magic to The Red Guild 🎨 🪷
And remember folks, always follow Patrick's advice 👇
If you don't follow @theredguild and read every post they put out, you are robbing yourself of some of the best security advice to level up.
— Patrick Collins (@PatrickAlphaC) January 29, 2025
See you on the next one! 👋