theredguild · mattaereal · Aug 27, 2025 · Mar 12, 2025 · Aug 26, 2025 · Aug 26, 2025
diff --git a/.devcontainer/auditor/Dockerfile b/.devcontainer/auditor/Dockerfile
@@ -0,0 +1,143 @@
+# syntax=docker/dockerfile:1.10.0
+# check=error=true
+# 
+# AUDITOR TRG DevContainer Dockerfile
+# This Dockerfile creates a specialized development environment for smart contract auditing
+# with focused tooling, Docker-in-Docker support, and comprehensive security analysis tools.
+# 
+# Key features:
+# - Multi-stage build for Echidna binary
+# - Specialized audit tools (slither, mythril, crytic-compile)
+# - Foundry framework for testing and interaction
+# - Hardhat for development workflows
+# - Docker-in-Docker support for containerized tools
+
+# Pull latest Echidna prebuilt image from Crytic
+# Echidna is a fuzzing tool for Ethereum smart contracts
+FROM --platform=linux/amd64 ghcr.io/crytic/echidna/echidna AS echidna
+
+# Base image: Debian 12 (Bookworm) with VS Code DevContainer support
+# This provides a stable, development-focused base for auditing work
+FROM mcr.microsoft.com/vscode/devcontainers/base:bookworm
+
+# Switch to root user temporarily for system package installation
+USER root
+
+# Install essential system packages for development
+# These are the minimal packages needed for Web3 development tools
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+    bash-completion       # Shell completion support \
+    build-essential       # Compilation tools (gcc, make, etc.) \
+    curl                  # HTTP client for downloading tools \
+    git                   # Version control system \
+    jq                    # JSON processor for tool outputs \
+    pkg-config            # Package configuration helper \
+    sudo                  # Privilege escalation (needed for some tools) \
+    unzip                 # Archive extraction \
+    vim                   # Text editor \
+    wget                  # Alternative HTTP client \
+    zsh                   # Advanced shell \
+    && rm -rf /var/lib/apt/lists/*
+
+
+
+# Install Python development dependencies
+# Required for Python-based security tools and package management
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+    python3-pip          # Python package installer \
+    libpython3-dev       # Python development headers \
+    python3-dev          # Python development tools \
+    python3-venv         # Python virtual environment support \
+    && rm -rf /var/lib/apt/lists/*
+
+# Switch to vscode user for security (drop privileges)
+# This ensures all subsequent operations run as non-root user
+USER vscode
+WORKDIR /home/vscode
+ENV HOME=/home/vscode
+
+# Install uv
+RUN curl -LsSf https://astral.sh/uv/install.sh | sh
+
+# Update PATH environment for tool access
+# Configure paths for Python, Node.js, and other tools
+ENV UV_LOCAL_BIN=$HOME/.cargo/bin
+ENV USR_LOCAL_BIN=/usr/local/bin
+ENV LOCAL_BIN=${HOME}/.local/bin
+ENV PNPM_HOME=${HOME}/.local/share/pnpm
+ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME}:${UV_LOCAL_BIN}
+
+# Install Python 3.12 with uv
+RUN uv python install 3.12
+
+# Set the default shell to zsh for better development experience
+ENV SHELL=/usr/bin/zsh
+
+# Running everything under zsh for consistency and features
+SHELL ["/usr/bin/zsh", "-ic"]
+
+# Install Go programming language through asdf version manager
+# asdf provides consistent version management across different tools
+# Go is required for various Web3 tools and Foundry framework
+RUN git clone https://github.com/asdf-vm/asdf.git $HOME/.asdf --branch v0.15.0  && \
+    echo '. $HOME/.asdf/asdf.sh' >> $HOME/.zshrc && \
+    echo 'fpath=(${ASDF_DIR}/completions $fpath)' >> $HOME/.zshrc && \
+    echo 'autoload -Uz compinit && compinit' >> $HOME/.zshrc && \
+    . $HOME/.asdf/asdf.sh && \
+    asdf plugin add golang && \
+    asdf install golang latest && \
+    asdf global golang latest
+
+# Install Rust programming language
+# Required for various Web3 security tools and Foundry framework
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && source $HOME/.cargo/env
+
+# Switch to root user temporarily for Node.js installation
+USER root
+
+# Install Node.js, npm, yarn, and pnpm through devcontainer features
+# These are essential for JavaScript/TypeScript Web3 development and Hardhat
+RUN curl -o- https://raw.githubusercontent.com/devcontainers/features/main/src/node/install.sh | bash
+RUN chown -R vscode:vscode ${HOME}/.npm
+
+# Switch back to vscode user for security
+USER vscode 
+
+# Install Foundry framework for Ethereum development and testing
+# Foundry provides Forge (testing), Cast (interaction), and Anvil (local blockchain)
+# Essential for smart contract development and testing during audits
+RUN curl -L https://foundry.paradigm.xyz | zsh
+RUN foundryup
+
+# Install Python-based security analysis tools for auditing
+# These tools provide comprehensive smart contract security analysis
+# Focused on core auditing tools: slither, mythril, crytic-compile
+RUN uv tool install slither-analyzer && \
+    uv tool install mythril && \
+    uv tool install crytic-compile 
+
+# Install Hardhat and Solhint for Ethereum development
+# Hardhat is a popular development environment, Solhint provides linting
+RUN pnpm install -g hardhat solhint
+
+# Copy prebuilt Echidna binary from echidna stage to final image
+# This provides the prebuilt Echidna tool without rebuilding
+COPY --chown=vscode:vscode --from=echidna /usr/local/bin/echidna ${HOME}/.local/bin/echidna
+RUN chmod 755 ${HOME}/.local/bin/echidna
+
+# Switch to non-root user for final setup
+USER vscode
+
+# Set up user environment with Foundry path
+# Ensure Foundry tools are available in the user's shell
+RUN echo 'export PATH="/usr/local/foundry/bin:$PATH"' >> /home/vscode/.zshrc
+
+# Switch to root for system cleanup
+USER root
+
+# Clean up package cache and temporary files
+# This reduces image size and improves security
+RUN apt-get autoremove -y && apt-get clean -y
+
+# Final switch to vscode user for development
+USER vscode
diff --git a/.devcontainer/auditor/devcontainer.json b/.devcontainer/auditor/devcontainer.json
@@ -0,0 +1,94 @@
+{
+    // For format details, see https://aka.ms/devcontainer.json.
+    // This is the AUDITOR version of TRG's DevContainer - specialized for smart contract auditing
+    // with Docker-in-Docker support, specialized audit extensions, and focused tooling for
+    // comprehensive security analysis and code review.
+    "name": "Auditor TRG's DevContainer",
+
+    // Build configuration - uses the local Dockerfile in this directory
+    "build": {
+        "dockerfile": "./Dockerfile"
+    },
+
+    // Features to add to the dev container. More info: https://containers.dev/features.
+    // Specialized features for auditing and development workflows
+    "features": {
+        "ghcr.io/devcontainers/features/git:1": {},           // Git version control support
+        "ghcr.io/devcontainers/features/github-cli:1": {},    // GitHub CLI for repository management
+        "ghcr.io/devcontainers/features/docker-in-docker:2.12.2": {  // Docker-in-Docker for containerized tools
+            "version": "latest",                              // Use latest stable version
+            "enableNonRootDocker": "true"                     // Enable non-root Docker for security
+        }
+    },
+
+    // Configure tool-specific properties for VS Code
+    "customizations": {
+        "vscode": {
+            // Specialized extensions for smart contract auditing and development
+            "extensions": [ 
+                // check out https://marketplace.visualstudio.com/items?itemName=tintinweb.ethereum-security-bundle for more information
+                "tintinweb.ethereum-security-bundle", // includes what is listed above ^
+                "tintinweb.vscode-ethover",
+                "trailofbits.weaudit",
+                "tintinweb.vscode-inline-bookmarks", 
+                "tintinweb.vscode-solidity-language",
+                "tintinweb.graphviz-interactive-preview",
+                "NomicFoundation.hardhat-solidity",
+                "Olympixai.olympix",
+                "trailofbits.contract-explorer",
+                "tintinweb.chonky"                            // Chonky Agent
+            ],
+            // VS Code settings optimized for auditing workflows
+            "settings": {
+                    // Security settings - killswitch for automated tasks
+                    "task.autoDetect": "off",                    // Disable automatic task detection
+                    "task.problemMatchers.autoDetect": "off",    // Disable automatic problem matchers
+
+                    // Trust and security configuration
+                    "security.workspace.trust.enabled": false,   // Trust no one by default
+
+                    // Privacy settings - killswitch for telemetry
+                    "telemetry.telemetryLevel": "off",           // Disable all telemetry collection
+
+                    // Terminal configuration
+                    "terminal.integrated.defaultProfile.linux": "zsh",  // Use zsh by default
+                    "terminal.integrated.profiles.linux": { "zsh": { "path": "/usr/bin/zsh" } }
+                    // Using bash might be more safe and stable, but zsh provides better features
+                    },
+        }
+    },
+
+    // Mount isolation configuration for security and development workflow
+    // If you need to extract something from within the container, you can use docker cp, but use it at your own risk. 
+    // If you want to develop your devcontainer, you should comment this things, otherwise your changes inside the live container won't persist.
+    // Disables mounting the host workspace into the container for isolation.
+    "workspaceMount": "type=tmpfs,destination=/workspace",
+    // Sets a workspace path entirely isolated within the container
+    "workspaceFolder": "/workspace",
+
+    // Docker run arguments for security hardening and resource management
+    "runArgs": [
+
+      // IPv6 security - disable IPv6 to reduce attack surface
+      "--sysctl=net.ipv6.conf.all.disable_ipv6=1",    // Disable IPv6 globally
+      "--sysctl=net.ipv6.conf.default.disable_ipv6=1", // Disable IPv6 by default
+
+      // Network capability restrictions
+      "--cap-drop=NET_RAW",                            // Disable raw packet access
+      "--network=bridge",                              // Use bridge networking
+
+      // DNS configuration for security and reliability
+      "--dns=1.1.1.1",                                // Primary DNS (Cloudflare)
+      "--dns=1.0.0.1",                                // Secondary DNS (Cloudflare)
+
+      // Resource limits for container performance and security
+      // Play a little bit with resources to prevent resource exhaustion
+      // "--memory=512m",                              // Memory limit (commented out)
+      // "--cpus=2"                                    // CPU limit (commented out)
+    ],
+
+    // Writable mounts in case you want to set --read-only above.
+    // Currently no additional mounts are configured
+    "mounts": [
+      ]
+}
diff --git a/.devcontainer/hardened/Dockerfile b/.devcontainer/hardened/Dockerfile
@@ -0,0 +1,155 @@
+# syntax=docker/dockerfile:1.8
+# check=error=true
+# 
+# HARDENED TRG DevContainer Dockerfile
+# This Dockerfile creates a security-hardened development environment for Web3 security research
+# with enhanced security features, capability dropping, and minimal attack surface.
+# 
+# Key security features:
+# - Multi-stage build for Echidna binary
+# - Non-root user execution
+# - Minimal package installation
+# - Security-hardened toolchain
+# - Reduced tool set for security focus
+
+## Multi-stage build for Echidna
+# Pull latest prebuilt Echidna binary from Crytic's official image
+# Echidna is a fuzzing tool for Ethereum smart contracts
+FROM --platform=linux/amd64 ghcr.io/crytic/echidna/echidna:latest AS echidna
+
+# Base image: Latest Debian with VS Code DevContainer support
+# This provides a stable, security-focused base for development
+FROM mcr.microsoft.com/devcontainers/base:bookworm
+
+# Install essential system packages for development
+# These are the minimal packages needed for Web3 development tools
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+    bash-completion       # Shell completion support \
+    build-essential       # Compilation tools (gcc, make, etc.) \
+    curl                  # HTTP client for downloading tools \
+    git                   # Version control system \
+    jq                    # JSON processor for tool outputs \
+    pkg-config            # Package configuration helper \
+    sudo                  # Privilege escalation (needed for some tools) \
+    unzip                 # Archive extraction \
+    vim                   # Text editor \
+    wget                  # Alternative HTTP client \
+    zsh                   # Advanced shell \
+    && rm -rf /var/lib/apt/lists/*
+
+
+
+# Install Python development dependencies
+# Required for Python-based security tools and package management
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+    python3-pip          # Python package installer \
+    libpython3-dev       # Python development headers \
+    python3-dev          # Python development tools \
+    python3-venv         # Python virtual environment support \
+    && rm -rf /var/lib/apt/lists/*
+
+# Switch to vscode user for security (drop privileges)
+# This ensures all subsequent operations run as non-root user
+USER vscode
+WORKDIR /home/vscode
+ENV HOME=/home/vscode
+
+# Install uv
+RUN curl -LsSf https://astral.sh/uv/install.sh | sh
+
+# Update PATH environment for tool access
+# Configure paths for Python, Node.js, and other tools
+ENV UV_LOCAL_BIN=$HOME/.cargo/bin
+ENV USR_LOCAL_BIN=/usr/local/bin
+ENV LOCAL_BIN=${HOME}/.local/bin
+ENV PNPM_HOME=${HOME}/.local/share/pnpm
+ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME}:${UV_LOCAL_BIN}
+
+# Install Python 3.12 with uv
+RUN uv python install 3.12
+
+# Set the default shell execution for subsequent RUN commands
+# Use zsh for better shell features and compatibility
+ENV SHELL=/usr/bin/zsh
+SHELL ["/bin/zsh", "-ic"]
+
+# Install Rust programming language
+# Required for various Web3 security tools and Foundry framework
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+ENV PATH="$HOME/.cargo/bin:$PATH"
+
+# Install Go programming language through asdf version manager
+# asdf provides consistent version management across different tools
+# Set asdf manager version for reproducibility
+RUN git clone https://github.com/asdf-vm/asdf.git $HOME/.asdf --branch v0.15.0 && \
+    echo '. $HOME/.asdf/asdf.sh' >> $HOME/.zshrc && \
+    echo 'fpath=(${ASDF_DIR}/completions $fpath)' >> $HOME/.zshrc && \
+    echo 'autoload -Uz compinit && compinit' >> $HOME/.zshrc && \
+    . $HOME/.asdf/asdf.sh && \
+    asdf plugin add golang && \
+    asdf install golang latest && \
+    asdf global golang latest
+
+# Switch to root user temporarily for Node.js installation
+# Some tools require root access for system-wide installation
+USER root
+
+# Install Node.js, npm, yarn, and pnpm through devcontainer features
+# These are essential for JavaScript/TypeScript Web3 development
+RUN curl -o- https://raw.githubusercontent.com/devcontainers/features/main/src/node/install.sh | bash
+RUN chown -R vscode:vscode ${HOME}/.npm
+
+# Switch back to vscode user for security
+USER vscode
+ENV PNPM_HOME=${HOME}/.local/share/pnpm
+ENV PATH=${PATH}:${PNPM_HOME}
+
+# Install Foundry framework for Ethereum development
+# Foundry provides Forge (testing), Cast (interaction), and Anvil (local blockchain)
+RUN curl -fsSL https://foundry.paradigm.xyz | zsh && \
+    echo 'export PATH="$HOME/.foundry/bin:$PATH"' >> ~/.zshrc && \
+    export PATH="$HOME/.foundry/bin:$PATH" && \
+    ~/.foundry/bin/foundryup
+
+# Install Hardhat globally for Ethereum development framework
+# Hardhat is a popular development environment for Ethereum
+RUN pnpm install hardhat -g
+
+# Build and install Medusa fuzzing tool
+# Medusa is a fuzzing tool for smart contracts, similar to Echidna
+WORKDIR $HOME/medusa
+RUN git clone https://github.com/crytic/medusa $HOME/medusa && \
+    export LATEST_TAG="$(git describe --tags | sed 's/-[0-9]+-gw+$//')" && \
+    git checkout "$LATEST_TAG" && \
+    go build -trimpath -o=$HOME/.local/bin/medusa -ldflags="-s -w" && \
+    chmod 755 $HOME/.local/bin/medusa
+
+# Return to home directory and clean up build artifacts
+WORKDIR $HOME
+RUN rm -rf medusa/
+
+# Install Python-based security analysis tools (reduced set for security focus)
+# These tools provide essential smart contract security analysis
+# Focused on core tools: slither, mythril, crytic-compile, halmos, solc-select
+RUN uv tool install slither-analyzer && \ 
+    uv tool install crytic-compile && \ 
+    uv tool install slither-lsp && \ 
+    uv tool install mythril && \ 
+    uv tool install halmos && \ 
+    uv tool install solc-select && \
+    solc-select install 0.4.26 0.5.17 0.6.12 0.7.6 0.8.10 latest && solc-select use latest
+
+# Copy Echidna binary from echidna stage to final image
+# This provides the prebuilt Echidna tool without rebuilding
+USER root
+COPY --from=echidna /usr/local/bin/echidna /usr/local/bin/echidna
+RUN chmod 755 /usr/local/bin/echidna
+
+# Final setup and verification
+USER vscode
+RUN echo 'Development environment ready!' && \
+echo 'Tools installed:' && \
+    ls -la $HOME/.local/bin/ || true
+
+# Set working directory to workspace for development
+WORKDIR /workspace