In our first article we introduce ourselves as The Red Guild, a collective of security researchers, educators and advocates committed to protect web3 applications in the Ethereum ecosystem.
But we know you. You don't want the short shallow version. You want the truth behind The Red Guild.
Here it is.
Ethereum features a robust base layer, built with a strong security-first mindset. It supports the smart-contract-based application layer, one that’s been growing in size, complexity and TVL over the years. The app layer, however, hasn’t become as secure as the base layer.
The security landscape has evolved, though we continue to see – almost on a weekly basis – multi-million-dollar hacks on Ethereum-based applications. From the simplest to the most sophisticated ones, these attacks damage the credibility and legitimacy of Ethereum as the platform to build and use web3 apps.
If we want the Ethereum ecosystem to last long into the future, we have to protect its applications. We must strive for a more resilient application layer.
What's happened so far?
Historically, most significant efforts to secure the app layer have come from profit-driven entities. The smart contract security industry grew from lone-wolf reviewers in the early days, to a handful of firms offering manual reviews. Then some started providing semi-automated reviews, sometimes with hardcore techniques like formal verification. Meanwhile, bug-hunting platforms for web3 showed up, attracting security researchers with their big payouts. And DAO-like companies too - spearheading different forms of competitive and crowdsourced security reviews.
All their work is necessary, yet not sufficient. In The Red Guild we've realized that we must complement their efforts.
To begin with, not all projects can afford high-quality security reviews. And even those who can may benefit from another set of eyes. These reviews provide strong security guarantees, but they’re not bullet-proof.
You might say that's where bug bounty programs and contests play a role. Well, to a certain extent: they incentivize bug hunters to work on the highest-paying projects.
Bug hunters who're trying to make a living out of it are likely to be driven by money. They prioritize finding and reporting specific types of vulnerabilities that can yield the highest rewards on in-scope parts of the system. This leaves out relevant flaws that, from a financial standpoint, are just not worth the time and effort to disclose.
On top of it, it’s not uncommon to see UIs, key management practices, oracles, deployment settings, off-chain services, web2 infrastructure and social engineering vectors being left out of scope. This applies both to security reviews (either crowdsourced or from consulting firms) and to bug bounty programs.
Meanwhile, less profitable but equally important areas seem deprioritized:
- Reviewing projects akin to public goods that cannot afford a high-quality security review or an attractive bug bounty program / contest.
- Disclosing weaknesses, flaws and security concerns that are not yet exploitable and/or out of scope.
- Disclosing MEV opportunities that may be harmful for users, even if not strictly stemming from security flaws.
- Onboarding, training and sharing guidelines and best practices to educate developers and new security researchers joining the space.
- Helping users understand security risks in renowned projects.
- Identifying and raising awareness of scam projects that undermine the credibility of the Ethereum ecosystem.
It's hard to see how many of these points can be fully covered by strictly profit-seeking entities. And we really don't say that in a demeaning tone. There are things that people (us included) just won't do without getting something in return.
Most professionals securing Ethereum’s application layer work for security consulting firms and VCs. These orgs provide them with financial stability and a career path, as well as exposure to reputable clients and the opportunity to collaborate with and learn from peers. However, the environment can become limiting for those who want to pursue more open-ended vulnerability research. Also, the timing, priorities, financial incentives and values of the employers may not necessarily align with those of their own security researchers, let alone those of the broader Ethereum ecosystem.
That’s why some security researchers work as lone wolves. They freely determine priorities following their own motivation, values and interests, all while being fully rewarded for their contributions, usually via bounty-hunting payouts and public recognition. What's the downside?
They lose the financial stability and safety of a regular full-time job at a company. Thus, to make a living, they’re prone to sell their in-demand skills to the highest-paying customers, in the form of private audits, private education, private support and coaching, and so on. Oftentimes they may pass over projects that matter for Ethereum’s future but cannot afford to attract them.
We don’t think application security should be solely driven in this way. We all share a responsibility to make this layer more secure. But it does feel like, for many, the instant gratification of likes, retweets, leaderboards and big checks is more relevant than a genuine long-term commitment to make the ecosystem a safer place.
So what can we do about it?
The Red Guild's approach
We don't start from a blank slate. In spite of any shortcomings, there have been many people around who've put their heart, sweat and countless hours into keeping important Ethereum applications safe. We appreciate and thank them.
So The Red Guild is not here to replace, or even compete with, your favorite consulting firm or award-winning hacker. In The Red Guild we just play another kind of game.
A game where security research has a public-good-like role for Ethereum, prioritizing its long-term sustainability over financial interests. We're here to help foster and protect the infinite garden.
Our vision is that of an autonomous guild that carries out applied security research, education and advocacy for the common good.
The guild is to be funded by community members and orgs that believe application security is fundamental for the future of Ethereum. Right now we're solely funded by the Ethereum Foundation, who has strongly believed in and funded all our work since inception.
With a stable source of income - from grants and similar sources - guild members can focus on what matters to make Ethereum’s application layer more resilient, without necessarily having to pursue strictly lucrative work to be sustainable.
What do we do?
At The Red Guild we have two main focus areas: (1) application security research and (2) education and awareness. For now we’re limiting our scope to the application layer. That is, smart contracts and the off-chain infrastructure and services that support their operation.
Our daily activities are driven by security spotchecks.
But a spotcheck on its own would be rather pointless. It'd be just us reviewing some codebase we found.
The real magic comes when we materialize insights from spotchecks into concrete results, such as:
- Responsibly disclosing security vulnerabilities (like this one).
- Reaching out privately to developers to share weaknesses, flaws or security concerns.
- Opening public GitHub issues for non-exploitable bugs or to suggest best practices (like this, this, this, this or this).
- Distilling lessons learned to create educational content. Like videos, articles, threads, talks, mentorship programs, and even in-person events.
- Incorporating learnings into wargames (ever heard of Damn Vulnerable DeFi?).
- Raising user awareness on security risks and considerations when interacting with a project.
- Exploring and sharing techniques to reverse engineer obfuscated code that may be harmful for users, or worth studying and sharing with fellow security researchers.
We share all of these with the community in our monthly updates:
We also participate actively in Spanish-speaking communities in Latin America, where we share content, advice and support with our friends of the patria grande.
How are we organized?
We're neither a DAO, nor launching a token, nor a consulting firm.
Some have labeled us as a think tank, others as a grassroots research lab, others as a guild. Guild sounds nice. Time will tell.
We do know that the tough problems of smart contract security we face are too mentally draining to always be working alone. You've been in those shoes - you know it. That's why we gather around The Red Guild's fire.
We tell stories of our past, we show each other our magic tricks, and go on some adventures together. We strive to create a shared sense of achievement and identity out of everything we do. This keeps us motivated, focused and accountable.
If we want our message to spread, we cannot do that on our own. In the future we may have new researchers join us, partner with other organizations in the security space, or empower fellows in the Ethereum community to carry the message to their own circles.
In any case, the journey of The Red Guild has just begun. We'll continue traveling the road towards a more resilient application layer in Ethereum. And when we look to the sides, we hope to see you walking with us!