Railguard

Getting Started

Install Railguard and run your first protected transaction in minutes.

Installation

From Source (Rust)

# Clone the repository
git clone https://github.com/LatitudeVentures/railguard.git
cd railguard
 
# Build release binary
cargo build --release
 
# The binary is at ./target/release/rg

Homebrew (coming soon)

brew install railguard/tap/rg

Cargo (coming soon)

cargo install railguard

Quick Start

1. Create a Configuration File

Create railguard.toml in your project directory:

[server]
port = 8545
 
[upstream]
url = "https://eth-mainnet.g.alchemy.com/v2/${ALCHEMY_KEY}"
 
[firewall]
mode = "strict"
 
[firewall.global_limits]
max_value = "10000000000000000000"  # 10 ETH max per tx
 
[[firewall.rules]]
name = "Allow USDC"
contract = "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48"
allow_methods = [
    "approve(address,uint256)",
    "transfer(address,uint256)"
]

2. Run Your Script Through Railguard

# Run a Foundry script through the proxy
rg run -- forge script script/Deploy.s.sol
 
# Railguard automatically sets RPC_URL and ETH_RPC_URL
# pointing to the local proxy

3. Watch the TUI

Railguard displays a live feed of transaction attempts:

┌─ Railguard ──────────────────────────────────────────────┐
│ Status: Running on http://127.0.0.1:8545                 │
├──────────────────────────────────────────────────────────┤
│ [PASS] eth_sendTransaction -> 0xa0b8...eb48 (0x1a2b...)  │
│ [BLOCK] eth_sendTransaction -> 0xdead...beef             │
│         Reason: Contract not in allowlist                │
└──────────────────────────────────────────────────────────┘

Environment Variables

Railguard supports environment variable expansion in your config:

[upstream]
url = "https://eth-mainnet.g.alchemy.com/v2/${ALCHEMY_KEY}"

When running via rg run, Railguard automatically injects:

  • RPC_URL — Points to http://127.0.0.1:<port>
  • ETH_RPC_URL — Same (for Foundry compatibility)

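Your scripts don't need any modification: they'll automatically use the Railguard proxy, as long as they read the RPC endpoint from these variables. An RPC URL hard-coded in a script or passed explicitly on the command line is not redirected, so those requests bypass the firewall.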

Proxy-Only Mode

If you don't want Railguard to manage your script's lifecycle:

# Start the proxy in the background
rg proxy &
 
# Run your script manually with the proxy URL
ETH_RPC_URL=http://127.0.0.1:8545 forge script Deploy.s.sol

Testing with Anvil

For local development, point Railguard at Anvil:

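# Terminal 1: Start Anvil
# (Anvil listens on 127.0.0.1:8545 by default; if [server] port in
# railguard.toml is also 8545, move one of the two to another port)
anvil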
 
# Terminal 2: Configure Railguard
# In railguard.toml:
# [upstream]
# url = "http://127.0.0.1:8545"
 
# Run through Railguard
rg run -- forge script script/Test.s.sol --broadcast

Common Patterns

Deploy Script Protection

# Allow deployer to create contracts and initialize them
[[firewall.rules]]
name = "Deployer"
contract = "0x0000000000000000000000000000000000000000"  # Contract creation
allow_methods = []  # Empty = allow any data
 
[[firewall.rules]]
name = "Initialize"
contract = "0xYourNewContract"
allow_methods = ["initialize(address,uint256)"]

Keeper Bot Limits

[firewall.global_limits]
max_value = "0"  # No ETH transfers
max_gas_price = "50000000000"  # 50 gwei cap
 
[[firewall.rules]]
name = "Liquidate"
contract = "0xLendingProtocol"
allow_methods = ["liquidate(address,address,uint256)"]
arg_constraints = [
    { index = 2, max = "1000000000000000000000" }  # Max 1000 tokens
]
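
How rules like the ones above apply to a raw transaction, as an added example (not Railguard's own code). It models the checks this page describes, assuming allow_methods entries match on the 4-byte selector and arg_constraints index into the 32-byte ABI words after it. The policy dict, the 1000 USDC constraint, the check order and all reason strings except "Contract not in allowlist" are constructed for illustration.

```python
# Added example: a model of the checks this page describes, not Railguard's code.
# Assumptions: a method entry matches on the 4-byte selector; arg_constraints
# index N is the Nth 32-byte ABI word after the selector; checks run in this order.

# Well-known ERC-20 selectors (first 4 bytes of keccak256 of the signature).
SELECTORS = {
    "approve(address,uint256)": bytes.fromhex("095ea7b3"),
    "transfer(address,uint256)": bytes.fromhex("a9059cbb"),
}
ZERO = "0x" + "0" * 40  # the page's convention for contract creation

# Constructed policy: the Quick Start USDC rule plus a hypothetical arg constraint.
POLICY = {
    "max_value": "10000000000000000000",  # 10 ETH, as in [firewall.global_limits]
    "rules": [{
        "contract": "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48",
        "allow_methods": ["approve(address,uint256)", "transfer(address,uint256)"],
        "arg_constraints": [{"index": 1, "max": "1000000000"}],  # 1000 USDC (6 decimals)
    }],
}

def evaluate(tx, policy=POLICY):
    """Return (allowed, reason) for a tx dict with hex 'to', 'value', 'data'."""
    if int(tx.get("value", "0x0"), 16) > int(policy["max_value"]):
        return False, "Value exceeds max_value"
    to = (tx.get("to") or ZERO).lower()
    rule = next((r for r in policy["rules"] if r["contract"].lower() == to), None)
    if rule is None:
        return False, "Contract not in allowlist"
    data = bytes.fromhex(tx.get("data", "0x")[2:])
    if rule["allow_methods"]:  # per the page, an empty list allows any data
        if data[:4] not in {SELECTORS[m] for m in rule["allow_methods"]}:
            return False, "Method not in allow_methods"
    for c in rule.get("arg_constraints", []):
        word = data[4 + 32 * c["index"]:][:32]
        if len(word) != 32:  # truncated calldata: fail closed
            return False, "Calldata too short"
        if int.from_bytes(word, "big") > int(c["max"]):
            return False, f"Argument {c['index']} exceeds max"
    return True, "ok"

def transfer_calldata(to_addr, amount):
    """Build transfer(address,uint256) calldata (hex) for constructed test input."""
    body = bytes.fromhex(to_addr[2:]).rjust(32, b"\0") + amount.to_bytes(32, "big")
    return "0x" + (SELECTORS["transfer(address,uint256)"] + body).hex()
```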
