We're sharing monthly public updates on what we've been doing, what we're up to, and what's to come. This help us stay accountable and committed to our work, while we experiment with a new way of opening ourselves to the community.
If you haven't read it, here's the update from last month:
Today's update features:
- The latest security spotcheck on Lido v2, featuring a bug we found in the oracle service.
- Content we're releasing for the community.
- Shout-outs for our new community friends.
- Upcoming events where you can meet us.
- How to support The Red Guild in the clr.fund round.
- What's to come for the next month.
We reviewed parts of the smart contracts and the off-chain services for their oracles. All components had already been audited multiple times by different firms, but it was still worthwhile, given Lido’s role in the Ethereum ecosystem.
We uncovered a flaw in their off-chain oracle that could make the service crash.
The issue isn’t exploitable by an attacker, and could only affect Lido in times on high network congestion, so we decided to report it publicly.
The developers have acknowledged our report, and will fix the problem in the next release.
A 1.5-hour-long walkthrough of Account Abstraction, going in-depth into the smart contracts and bundler’s code. It’s 100% in spanish!
The truth of The Red Guild: insightful article explaining our view of the smart contract security ecosystem and what we can do about it. It's our public go-to resource for anyone that wants to learn about the guild's value proposition for ecosystem.
Auditors: what do you ask developers?: a short article with advise for beginners in smart contract auditing, where we share questions they can ask developers before jumping into the review. Shared on Twitter with a thread. It was featured in Week in Ethereum News, and top 2 in most clicked. Top 2, like France.
What is a security spotcheck at The Red Guild: in this one we open the curtains of security spotchecks. What they are, and how we run them. In a nutshell, our approach, goals, and internal processes to do security work.
On the latest Lido spotcheck, we’re about to publish 2 new articles:
- An article explaining a new question-driven approach we took to review Lido’s codebase, that led us to finding the bug in the oracle.
- An article on how we used a new tool during the Lido spotcheck, which can be particularly useful for bug hunters.
On top of the above, we’re beginning to craft the talks and workshops for the upcoming events!
During the past month we met with lots of amazing creators, builders and influencers of the latinamerican web3 space.
The Red Guild is going live! These are our first introductions to the ecosystem as a guild - hope we meet you there.
- ETHBarcelona: We'll be delivering a 20-min. talk on how we can turn security research as a public good for the Ethereum ecosystem.
- DeFi Security Summit: we'll be speaking 30 min. about how to get started in smart contract security.
- Ethereum Argentina: closing details with the organizers - we'd really love to be there! More info soon.
- GEERS: Blockchain edition: we're co-organizing an Ethereum conference in Tandil, Argentina. Introductory talks, technical content and a hackaton! It's looking pretty awesome already.
We've got a few ideas in mind to integrate AI into our workflow. First one involves creating a bot to participate in the Code4rena bot races once they re-open applications. Interestingly, if we do well it could become a source of funding for the team.
We’re also started entertaining the idea to train our own model to use it as a tool to aid us in exploration of codebases and documentations for security spotchecks.
We thought of applying to the Run a Node grant of the Ethereum Foundation, to run our own nodes and create educational content for the community.
However, we found the requirements of the grant rather strict and limiting to our liking. So we’ve decided to not apply to the grant, and instead take our time to experiment trying to create and maintain our own nodes, without having to worry about uptime, for example.
If there's anything you'd like to know about how to setup a node securely, let us know! We're brainstorming ideas on what kind of content would be best for the community.
We keep entertaining the idea of running mentorships for beginners in smart contract security. Last month was rather deprioritized, but lately we've resurfaced the idea, and hope we can have something concrete to share during next month.
If you'd be interested, reach out to tell us! Shat you'd like the mentorship to include? How long would you like it to last?
Support us in CLR.Fund
We just opened a grant in the latest CLR.Fund round!
Click below to go to our project's page, and show your support! ❤️🔥
Contributions are done in Arbitrum's L2, so don't worry about fees, should be low enough.
What's next ?
We haven’t picked a target for the next security spotcheck. With the one on Lido over, we’ll be re-assessing priorities, wrap up any content related to Lido that we might be missing, and then choose a new target.
However, given we are attending and speaking at multiple events, it’s likely that in the next month we’ll prioritize educational content instead of a specific security work.
See you in the next update!