We're sharing monthly public updates on what we've been doing, what we're up to, and what's to come. This help us stay accountable and committed to our work, while we experiment with a new way of opening ourselves to the community.
If you haven't read it, here's the update from last month:
Today's update includes our work on Account Abstraction, our latest educational articles, and our plans for the next month.
Security spotchecks
Account Abstraction (ERC4337)
The last month we ran a security spotcheck on the implementation of ERC4337 for Account Abstraction. While we mainly focused on the smart contracts, we also explored parts of the off-chain bundler code.
We didn't uncover any significant security vulnerabilities during the time we reviewed the code. We did report one minor oversight in the reference bundler implementation.
Despite not finding relevant issues, we can use what we learned in future spotchecks to either take a look at updates to the system, or new components, or integrations of other protocols building upon the code base we reviewed.
Not only that, but also use it to craft content! So we've published three different educational articles where we distilled bits and pieces of our explorations.
We've also recorded an hour-and-a-half-long deep dive into the codebase of Account Abstraction. It's currently in editing phase - it's coming!
Next stop: Lido v2
Once we felt diminishing returns in Account Abstraction, we decided to switch targets. And chose our next one.
So for the next weeks we're going to be exploring the latest release of Lido, who’ve recently launched their v2 on mainnet. Lido continues to be one of the most relevant key players in staking pools for Ethereum. So it’s important for us to spend time doing vulnerability research on their latest smart contracts - particularly now that they can handle ETH withdrawals from the beacon chain.
We're also using this spotcheck to try out new approaches to reviewing code - if they work, in the next update we'll tell you more about it!
Education and advocacy
Meetup in Buenos Aires
We sponsored a local meetup of web3 devs in Buenos Aires, Argentina, collaborating with other local communities. Here’s a fun pic of the meetup 😄
Bigger events
Remember those in-person LATAM events we told you about in our last update ? They're taking shape!
Most of the work is behind the scenes right now. It involves deciding venues, confirming awesome speakers and mentors, preparing content, creating coding challenges, setting up landing pages, etc, etc, etc. Dates and more info soon!
Mentorship?
After several people reaching out to us, we started considering offering mentorships for beginners in smart contract security.
It's still an early idea. Although we've already started gathering great feedback from potential mentees. We're working on a more structured form to reach out to the community mode widely.
Subscribe if you want to be the first to receive it.
The Gitcoin Grant
We managed to open a grant in the latest Gitcoin round.
Initially got rejected for unclear reasons, and after some back and forth with the Gitcoin team they finally accepted it. This meant we had little time to promote it.
In any case, we didn’t have high expectations, as this was our first time doing something like this. It's a pity that the process to just be there was so cumbersome. And expensive. Not a good experience overall, but we learned, and we'll do better in future opportunities.
We really thank those of you who supported us, and those who wanted but couldn't afford the crazy gas fees.
What's next ?
Heads down working on the Lido v2 spotcheck. As usual, this not only involves reviewing code. But also crafting educational content that you can learn from!
We have some more content on Account Abstraction that is in final stages - we'll be sharing that as well, once it's ready.
If you have anything in mind you'd like us publishing related to the ongoing spotcheck or other educational content, let us know in the comments.
See you in the next update!