First time? Go read The Truth of The Red Guild so you are more in tune with what follows next.
At The Red Guild, we share periodic public updates on what we've done, what we're up to, and what's to come. This helps us stay accountable and committed to our work, while we open ourselves to the community.
If you haven't read it, here's the previous update:
This update includes:
- 30 min. talk on operational security + our ongoing participation in muBuenos.
- A lightweight devcontainer for easy and secure code review, with out preferred tooling and extensions.
- Starting a new Ethereum Foundation Ecosystem Support Program grant.
- The latest review of an upcoming version of the Protocol Guild contracts.
- A technical article on cool details you didn't know about Solidity external calls.
- Ongoing work in a crypto safety handbook, with tips and best practices to stay safe while navigating the crypto world.
- Kickstarting the development of Damn Vulnerable DeFi v4.
Events
Ethereum Argentina - Mendoza edition
In our previous update we told you about our participation at the latest edition of Ethereum Argentina.
Today we bring you the recorded talk we delivered there, about Operational and Individual in(Security). Full of insights into the state of opsec in the crypto world, along with recommended practices to stay safe.
Let us know what you think about the English captions (because matta's performances include Argentinian slang and might get lost in translation).
muBuenos
muBuenos is a dev-focused 6-week popup city happening in Buenos Aires, Argentina.
This event by the mu is a kind of Zuzalu. If this is the first time you read about Zuzalu, follow up by reading Vitalik's post.
We are already hanging out in muBuenos, coordinating multiple social events:
- Bouldering sessions for puzzle solvers.
- Slack line sessions for people seeking balance.
- Movie theater for the cinephiles.
- Asados (our kind of ceremonial bbq).
- Walking tours around San Telmo, karaoke and more!
As well as some security-related activities:
- A talk, mostly based on the one we delivered at Ethereum Argentina.
- A hardening space & workshop, to share and discuss how to secure assets, hardware devices, appliances and more.
- A hackathon to contribute contents for our upcoming crypto safety handbook.
Pretty much involved, aren't we? Living the mu!
Ethereum Uruguay
The Ethereum Uruguay community confirmed a conference, probably around August. It'll include a hackathon too. We might be helping with some coordination and content curation if needed to make it happen.
Of course, we'll also be sharing new educational content there!
Tooling
As part of the spotchecks we perform, we have to download and execute untrusted code into our machines. Because that's too risky, we've decided to start experimenting with different forms of virtualization in secure and isolated development environments.
We've developed and published a first version of a devcontainer that we're testing out.
It's super lean, lightweight and simple. It only comes with the essential tooling and extesions we use. Although, it should be fairly easy for you to extend!
Grants
Big news: we've started a new Ethereum Foundation Ecosystem Support Program grant 🎉
The Ethereum Foundation has been supporting The Red Guild since its inception and its security work for the public benefit.
We're thankful to their whole team who reviewed and provided comments on our grant proposal, and are glad to continue having their support for this next stage of The Red Guild 🚀
Security work
Protocol Guild contracts
In the last month we provided security-related feedback on the V2 of the weighting calculations of the Protocol Guild contracts.
We reviewed the codebase and the integrations with different protocols, such as Connext and 0xSplits, looking for potential threats and security risks that could negatively impact the system if deployed to production.
Quite an interesting project! We learned a lot about the on-chain mechanisms that support the Protocol Guild's operations, which we weren't familiar with.
There are some cool cross-chain interactions worth digging into if you feel like contributing to this project's security. Here's a quick diagram we put together to get you started:
We also built some fuzzing tests the that we've passed to their team, which we used to validate some properties of the library that calculates weighted allocations.
Content
Based on our learnings during a recent competition in Cantina, we published a new article sharing insights into how external calls actually work in Solidity.
We realized that Solidity's documentation could be improved on this topic, so we've published a PR to improve them:
Hopefully with these changes we'll help raise awareness in developers and security researchers on the intricacies of external calls in Solidity.
Ethereum Protocol Fellowship Study Group
The Ethereum Protocol Fellowship Study Group (EPFsg) is a learning community formed to gather knowledge and educate itself about the Ethereum protocol.
We're participating async in the study group, watching the recorded videos to learn more about the inner workings of the protocol.
We hope that by learning we can then contribute to the protocol's security, or at least have a more detailed understanding of the base layer that supports the apps that we usually target in our spotchecks.
We highly recommend you to join the study group! Lots of alpha from top developers and researchers of Ethereum's core. And for free. It doesn't get better than this!
Safety handbook
As we shared in our latest talk at Ethereum Argentina, we're working on a comprehensive safety handbook with best practices to stay safe in crypto.
You'll find safety tips in categories like wallets, private keys, data encryption, development-related security, hardware hardening, and much more.
This is a work in progress, and week by week we continue pouring down more content and new sections with summaries, action points and real examples.
Soon it'll be accessible online, so subscribe and stay tuned!
Damn Vulnerable DeFi V4
Yes, it's happening! 🎉
We've began planning the next long awaited release of Damn Vulnerable DeFi. We envision many new changes and features to the best wargame to learn DeFi security.
We don't want to spoil any surprises, but here's a snippet of some of our epics:
We'll keep you posted on progress and release dates. In the meantime, if you still haven't, go play V3 before it's too late!
What's next?
- Participating and contributing in muBuenos, where we're helping coordinate social events, workshops, and more to connect with mind-alike web3 contributors, developers and researchers.
- Iterating on our published devcontainer. As we keep reviewing Solidity apps, we'll determine what's the best configuration. We'll also be producing educational content on how to use it and extend it with your own tooling of choice.
- Continue working on Damn Vulnerable DeFi V4, planning sprints and actually coding broken stuff. We're also trying to understand if and how Damn Vulnerable DeFi could become a platform for the community to train and evaluate security auditors, hopefully catering for the needs of some big players in the security space.
- Continue learning about Ethereum's base layer in the EF's study group, sharpening our knowledge on the inner workings of the protocol. This should be helpful for future spotchecks on nodes (or similar base layer infrastructure) that we want to review.
- Continue researching and digesting best practices to stay safe in crypto, and dumping more and more content into the safety handbook.