Home

Awesome

Publications from Trail of Bits

Academic Papers

Paper TitleVenuePublication Date
A Broad Comparative Evaluation of Software Debloating ToolsUSENIX Security 20242024
PolyTracker: Whole-Input Dynamic Information Flow TracingISSTA 20242024
Endokernel: A Thread Safe Monitor for Lightweight Subprocess IsolationUsenix Security 20242024
Design and Implementation of a Coverage-Guided Ruby FuzzerCSET 242024
Test Harness MutilationMutation 20242024
VAST: MLIR compiler for C/C++EuroLLVM Devs' Meeting 20242024
PoTATo: Points-to analysis via domain specific MLIR dialectEuroLLVM Devs' Meeting 20242024
Careful with MAc-then-SIGn: A Computational Analysis of the EDHOC Lightweight Authenticated Key Exchange ProtocolEuro S&P 20232023
Weak Fiat-Shamir Attacks on Modern Proof SystemsIEEE S&P 20232023
Endoprocess: Programmable and Extensible Subprocess IsolationNSPW 20232023
CIVSCOPE: Analyzing Potential Memory Corruption Bugs in Compartment InterfacesSOSP KISV 20232023
Detecting variability bugs through hybrid control and data flow analysisLangSec 20232023
Blind Spots: Automatically detecting ignored program inputsLangSec 20232023
Efficient Proofs of Software Exploitability for Real-world ProcessorsPETS 20232023
Toward Comprehensive Risk Assessments and Assurance of AI SystemsarXiv2023
A Broad Comparative Evaluation of x86-64 Binary RewritersCSET 222022
On the Optimization of Equivalent Concurrent ComputationsPLDI EGRAPHS 20222022
Evaluating Static Analysis Tools via Differential MutationQRS 20212021
echidna-parade: Diverse multicore smart contract fuzzingISSTA 20212021
Differential analysis of x86-64 instruction decodersLangSec 20212021
Echidna: effective, usable, and fast fuzzing for smart contractsISSTA 20202020
ICARUS: Understanding De Facto Formats By Way of Feathers and WaxLangSec 20202020
Toward Automated Grammar Extraction via Semantic Labeling of Parser ImplementationsLangSec 20202020
What are the Actual Flaws in Important Smart Contracts?FC 20202020
Echidna: A Practical Smart Contract FuzzerFC 20202020
RSA GTFOPoC||GTFO 0x202020
Manticore: Symbolic Execution for Binaries and Smart ContractsASE 20192019
Slither: A Static Analysis Framework For Smart ContractsWETSEB 20192019
Toward Smarter Vulnerability Discovery Using Machine LearningAISec 20182018
The Past, Present, and Future of CyberdyneIEEE S&P2018
DeepState - Symbolic Unit Testing for C and C++BAR 20182018
Cyber-Deception and Attribution in Capture-the-Flag ExercisesFOSINT-SI 20152015

Conference Presentations

Automated bug finding and exploitation

Presentation TitleAuthor(s)Year
Your Mitigations are My OpportunitiesYarden Shafir2023
Detecting variability bugs with hybrid control and data flowKelly Kaoudis, Henrik Brodin, Evan Sultanik2023
Blind Spots: Identifying Exploitable Program InputsHenrik Brodin, Evan Sultanik, and Marek Surovič2023
MLIR is the future of program analysisPeter Goodman2023
A Sermon on the Indulgences of Computational Sacrifice; or, The Superabundant Benedictions of Programming an Absurd NES GameEvan Sultanik2021
Differential analysis of x86-64 instruction decodersWilliam Woodruff, Niki Carroll, Sebastiaan Peters2021
How to find bugs when (ground) truth isn't realWilliam Woodruff2020
The Treachery of Files and Two New Tools that Tame ItEvan Sultanik2019
Symbolically Executing a Fuzzy TyrantStefan Edwards2019
Kernel space fault injection with KRFWilliam Woodruff2019
Binary Symbolic Execution With KLEE-NativeSai Vegasena2019
Going sicko mode on the Linux KernelWilliam Woodruff2019
Vulnerability Modeling with Binary NinjaJosh Watson2018
File Polyglottery; or, This PoC is also a picture of catsEvan Sultanik2017
Be a binary rockstarSophia D'Antoine2017
Symbolic Execution for HumansMark Mossberg2017
The spirit of the 90s is still alive in BrooklynRyan Stortz, Sophia D'Antoine2017
The dream of a static and dynamic analysis shootoutRyan Stortz2016
Binary constraint solving for automatic exploit generationSophia D'Antoine2016
The Smart Fuzzer RevolutionDan Guido2016
Making a scaleable automated hacking systemArtem Dinaburg2016
Cyberdyne - Automatic bug-finding at scalePeter Goodman2016
McSema: Static translation of x86 to LLVM IRAndrew Ruef, Artem Dinaburg2014

Blockchain

Presentation TitleAuthor(s)Year
Test your tests: the do's and don'ts of testingKurt Willis2023
Slither: a static analysis tool for Vyper and SolidityTroy Sargent2023
Roundme: rounding analysis made simplerJosselin Feist2023
Smart Contracts: The BetaNat Chin2023
Fuzzing like a security engineerNat Chin2023
Write better smart contracts with Slither's Python APITroy Sargent2022
Building Secure CairoFilipe Casal, Simone Monica2022
How to fuzz like a proJosselin Feist, Nat Chin2022
Demystifying FuzzingNat Chin2022
Building a Practical Static Analyzer for Smart ContractsJosselin Feist2021
Testing and Verifying Smart Contracts: From Theory to PracticeJosselin Feist2021
Safely integrating with ERC20 tokensJosselin Feist2021
Detecting transaction replacement attacks with ManticoreSam Moelius2020
Fantastic Bugs and How to Squash Them; or, the Crimes of SolidityEvan Sultanik2019
SlithIR: High-Precision Security Analysis with an IR for SolidityJosselin Feist2019
Slither: A Static Analysis Framework for Smart ContractsJosselin Feist2019
What blockchain got rightDan Guido2019
Property-testing of smart contractsJP Smith2018
Anatomy of an unsafe programming languageEvan Sultanik2018
Contract upgrade risks and recommendationsJosselin Feist2018
Blackhat EthereumRyan Stortz, Jay Little2018
Blockchain Autopsies - Analyzing Smart Contract DeathsJay Little2018
Rattle - an Ethereum EVM binary analysis frameworkRyan Stortz2018
Securing value on the Ethereum blockchainDan Guido2018
Binary analysis, meet the blockchainMark Mossberg2018
Automatic bug finding for the blockchainFelipe Manzano, Josselin Feist2017

Compilers

Presentation TitleAuthor(s)Year
A Broad Comparative Evaluation of Software Debloating ToolsMichael D. Brown, Adam Meily, Eric Kilmer, Ronald Eytchison2024
Repurposing LLVM analyses in MLIR: Also there and back again across the tower of IRsHenrich Lauko2024
VAST: MLIR for program analysis of C/C++Henrich Lauko2022
A Broad Comparative Evaluation of x86-64 Binary RewritersMichael D. Brown2022
On the Optimization of Equivalent Concurrent ComputationsHenrich Lauko, Lukáš Korenčik, Peter Goodman2022

Cryptography

Presentation TitleAuthor(s)Year
Weak Fiat-Shamir attacks on modern proof systemsJim Miller2024
Building a Rusty path validation library for PyCA CryptographyWilliam Woodruff2024
Implementing X.509 path validation for PythonWilliam Woodruff2024
Careful with MAc-then-SIGnMarc Ilunga 2023
Ergonomic codesigning for the Python ecosystem with SigstoreWilliam Woodruff2023
Sigstore for Python Packaging: Next Steps for AdoptionWilliam Woodruff2022
die, PGP, dieWilliam Woodruff2022
Seriously, stop using RSABen Perez2019
Best Practices for Cryptography in PythonPaul Kehrer2019
Analyzing the MD5 collision in FlameAlex Sotirov2012

Engineering

Presentation TitleAuthor(s)Year
Linux Security Event Monitoring with osqueryAlessandro Gario2019
osql: The community oriented osquery forkStefano Bonicatti, Mark Mossberg2019
Getting started with osqueryLauren Pearl, Andy Ying2018
osquery Super FeaturesLauren Pearl2018
osquery Extension SkunkworksMike Myers2018
Build it Break it Fix itAndrew Ruef2014

Education

Presentation TitleAuthor(s)Year
Introduction to Semgrep and<br /> Semgrep Practice ExercisesMaciej Domański, Matt Schwager, Spencer Michaels2024
A mostly gentle introduction to LLVMWilliam Woodruff2022
JWTs, and why they suckRory M2021
The Joy of PwningSophia D'Antoine2017
How to CTF - Getting and using Other People's Computers (OPC)Jay Little2014
Low-level SecurityAndrew Ruef2014
Security and Your BusinessAndrew Ruef2014
Bringing nothing to the partyVincenzo Iozzo2013
From One Ivory Tower to AnotherVincenzo Iozzo2012

Infrastructure

Presentation TitleAuthor(s)Year
Return to the 100 Acre WoodsStefan Edwards2019
Swimming with the kubectl fishStefan Edwards2019

Machine Learning

Presentation TitleAuthor(s)Year
Incubated Machine Learning Exploits: Backdooring ML Pipelines Using Input-Handling BugsSuha Sabi Hussain2024
Holistic ML Threat ModelsAdelin Travers2024
Using Graph-Based Machine Learning Algorithms for Software AnalysisMichael D. Brown2023
Exploiting Machine Learning Pickle FilesCarson Harmon, Evan Sultanik, Jim Miller, Suha Sabi Hussain2021
PrivacyRaven: Comprehensive Privacy Testing for Deep LearningSuha Sabi Hussain2020

Mobile security

Presentation TitleAuthor(s)Year
Swift ReversingRyan Stortz2016
Modern iOS Application SecuritySophia D'Antoine, Dan Guido2016
The Mobile Exploit Intelligence ProjectDan Guido2012
A Tale of Mobile ThreatsVincenzo Iozzo2012

Programming

Presentation TitleAuthor(s)Year
Python internals - let's talk about dictsDominik Czarnota2019
Low-level debugging with PwndbgDominik Czarnota2018
Insecure Things to Avoid in PythonDominik Czarnota2018

Side channels

Presentation TitleAuthor(s)Year
Hardware side channels in virtualized environmentsSophia D'Antoine2015
Exploiting Out-of-Order ExecutionSophia D'Antoine2015

Supply chain

Presentation TitleAuthor(s)Year
Build Provenance: Lessons (so far) from HomebrewJoe Sweeney2024
What does it look like to code-sign for an entire packaging ecosystem?William Woodruff2023
Securing your Package Ecosystem with Trusted PublishingWilliam Woodruff2023
Trusted Publishing: Lessons from PyPIWilliam Woodruff2023
Python Packaging Mystery MeatWilliam Woodruff2022
Automated Tools for Securing the Software Supply ChainMichael D. Brown2022
Improving PyPI's security with Two Factor AuthenticationWilliam Woodruff2019

Threat analysis & malware

Presentation TitleAuthor(s)Year
Peeling back the 'Shlayers' of macOS MalwareJosh Watson, Erika Noerenberg2019
The Exploit Intelligence Project RevisitedDan Guido2013

Guides and Handbooks

We publish much of our subject matter expertise in the form of guides and handbooks.

LinkRepositoryDescription
Trail of Bits Testing Handbooktrailofbits/testing-handbookThe automated testing handbook is a resource that guides developers and security professionals in configuring, optimizing, and automating many of the static and dynamic analysis tools we use.
ZKDocstrailofbits/zkdocsZKDocs provides comprehensive, detailed, and interactive documentation on zero-knowledge proof systems and related primitives.
Building Secure Smart Contractscrytic/building-secure-contractsGuidelines and best practices for developing secure smart contracts.
CTF Field Guidetrailofbits/ctfOur field guide to winning at Capture The Flag (CTF).
Ruby Security Field Guidetrailofbits/rubysecOur field guide for practical Ruby security.

Datasets

DatasetDate
Smart Contract Audit FindingsAug 2019

Podcasts

We host our own podcast: Trail of Bits. You can download episodes from your favorite podcast app.

PodcastGuestDateTopic(s)
MLSecOps March 20William WoodruffMarch 2024Supply chain security
Risky Biz 707Dan GuidoMay 2023ML security
ASW 229Nick SelbyFeb 2023Threat modeling, cloud-native audits
Risky Biz 690Dan GuidoJan 2023Vuln disclosure
Risky Biz 672Dan GuidoJul 2022Blockchain security
Cloud Security ReinventedNick SelbyJun 2022Cloud security
Skiff Office HoursDan GuidoMar 2022Privacy technology
Risky Biz 652Dan GuidoJan 2022Zero-knowledge proofs
Secureum Safecast #3Josselin FeistNov 2021Blockchain security
Secureum Safecast #2Dan GuidoOct 2021Blockchain security
Press Freedom FoundationDan GuidoJul 2021Mobile security and iVerify
Employee CycleHannah HanksMar 2021First PeopleOps hire
Risky Biz 614Dan GuidoFeb 2021iVerify
Building Better Systems 6Dan GuidoJan 2021What blockchain got right
WCBS 880Dan GuidoSep 2020Gap years and intern hiring
Risky Biz 594Dan GuidoAug 2020Apple security
Epicenter 346Dan GuidoJun 2020Smart contract security
Absolute AppSec 97Stefan EdwardsMay 2020Threat modeling
Unchained 170Dan GuidoMay 2020DeFi security
Risky Biz 580Dan GuidoApr 2020Mobile voting
Absolute AppSec 91Stefan EdwardsApr 2020Mobile voting
Zero Knowledge 122Ben PerezMar 2020Cryptography reviews, ZKPs
ChangelogDan GuidoJan 2020AlgoVPN
Risky Business 559Stefan EdwardsOct 2019Kubernetes
FOSS Weekly 545William WoodruffSep 2019PyPI security improvements
Podcast.__init__ 225William WoodruffAug 2019PyPI security, UX, and sustainability
Absolute AppSec 68Stefan Edwards, Bobby TonicAug 2019Kubernetes
Hashing it Out 53Dan GuidoJul 2019Smart contract testing
Absolute AppSec 60Stefan EdwardsMay 2019Android, programming languages
Absolute AppSec 55Stefan EdwardsApr 2019Security testing
Hashing it Out 35Dan Guido, Josselin FeistJan 2019Ethereum's failed EIP-1283
Risky Biz 526JP SmithJan 2019Post-quantum crypto in CTFs
Absolute AppSec 37Stefan EdwardsNov 2018Programming languages, symbex
Risky Biz 510Lauren PearlAug 2018Open source security engineering
Absolute AppSec 34Stefan EdwardsOct 2018Security testing, blockchain
Zero Knowledge 16JP SmithMar 2018Smart contract security
Risky Biz 488JP SmithFeb 2018Smart contract testing w/ Manticore
Risky Biz 474Dan GuidoOct 2017How to engineer secure software
Georgian Partners 47Dan GuidoMay 2017AlgoVPN and Tor
VUC 643Dan GuidoApr 2017AlgoVPN
Risky Biz 449Dan GuidoMar 2017Control Flow Integrity
Risky Biz 425Dan GuidoSep 2016Recap the week's news
Risky Biz 421Dan GuidoAug 2016Car hacking and the week's news
Risky Biz 416Dan GuidoJul 2016DARPA Cyber Grand Challenge
Risky Biz 399Dan GuidoFeb 2016Apple vs the FBI
Risky Biz 370Dan GuidoFeb 2015DARPA Cyber Grand Challenge
Risky Biz 348Dan GuidoJun 2015DARPA Cyber Grand Challenge

Public Comments

TopicAgencyDate
Automated Artifical Intelligence Bill Of Materials for AI/ML OpsU.S. Army PEO IEW&SDec 2023
Open-Source Software Security: Areas of Long-Term Focus and PrioritizationONCD, CISA, NSF, DARPA, OMBNov 2023
Understanding the National Security Implications of AIWhitehouse OTSPJul 2023
AI Accountability, Regulation, and AuditsNTIAJun 2023
A Comprehensive Risk Assessment Framework for AI Assurance in Ethical, Legal, and Societal DomainsDARPAJun 2023
Understanding Crypto Markets SecurityCFTCMar 2023
Regulation of Intrusion and Surveillance SoftwareCommerce DeptJul 2015

Security Reviews

Companies that have allowed us to speak about our work can be found here. Many more remain confidential.

ML/AI Reviews

ProductDateLevel of <br />EffortAnnouncementReport
YOLOv7 Threat Model and Code ReviewOctober 20234📄
EleutherAI, Hugging Face, <br />& Stability AI SafeTensors LibraryMar 20232📄

Cryptography Reviews

ProductDateLevel of <br />EffortAnnouncementReport
Discord DAVE Protocol Code ReviewSeptember 20245📄✅
Discord DAVE Protocol Design ReviewNovember 20234📄✅
Scroll zstd CompressionJune 202412📄✅
Iron Fish FishHashApril 20241📄✅
Scroll ZkEVM 4844 BlobApril 20246📄✅
OckamNov 202311Cryptographic design review of Ockam📄
Aleo snarkVM, snarkOS, BullsharkBFTOct 202318📄✅
Scroll ZkEVM Wave 3Sept 20239📄✅
Scroll ZkEVM Wave 2August 20236📄✅
Scroll ZkEVM Wave 1April 202323📄✅
Dfinity CandidNov 20233📄✅
Scroll zkTrieJuly 20234📄✅
Dfinity ckBTC and BTC IntegrationJune 20232.5Third-party assessment by Trail of Bits, Taking security seriously
Dfinity SNS Phase 2June 20232.5Third-party assessment by Trail of Bits, Taking security seriously📄
Thesis tss-lib BitForgeJune 2023.2📄✅
ChainflipApril 202312📄✅
Practical Stealth AddressesFeb 20232📄✅
Succinct Labs ZK Ethereum Light ClientFeb 20238Introducing Telepathy📄✅
noble-curves LibraryJan 20232📄✅
ParaSpaceDec 20221📄
Phantom WalletNov 20222
ParaSpaceNov 20227📄
SimpleX ChatOct 20221Security assessment by Trail of Bits📄
DfinitySep 20224Third-party assessment by Trail of Bits, Taking security seriously📄✅
Aleo snarkVMSep 202212📄✅
Microsoft/Verasion Go-COSEJul 20224📄✅
BLS Signature SchemeJul 20221
MobileCoinJul 20222📄
Binance CGGMP21 and FROSTMay 20228
snarkVM and snarkOSApr 202212
Aleo snarkVM & snarkOSApr 202212
Phantom WalletApr 20224
Parallel FinanceMar 20226📄
PolkadexFeb 202210
Linux KernelApr 20212Linux Kernel Release Signing and Management📄
MobileCoin BFTOct 20204📄
MobileCoinAug 20204📄
Western Digital Sweet BJan 20204Western Digital📄
Standard NotesMar 20201Standard Notes Completes Crypto Audit📄
SanDisk X600May 20196Multiple vulnerabilities in SanDisk X600📄
Project CallistoAug 20185

Technology Product Reviews

ProductDateLevel of <br />EffortAnnouncementReport
Eclipse TemurinDecember 20234Eclipse Temurin Response, OSTIF Announcement, Eclipse Foundation Announcement📄✅
Arch Linux PacmanDecember 20232OTF Announcement📄✅
cURL HTTP3December 20234OSTIF, Daniel Stenberg📄
Lisk SDK 6.1 Sapphire, NFT and PoA modulesSept 20234📄✅
OpenSSLSeptember 20239OSTIF Blog, OpenSSL Blog📄✅
PyPI WarehouseSeptember 202310PyPI, Trail of Bits📄✅
wasmCloudSeptember 20236📄✅
WorldcoinAugust 20236📄✅
HomebrewAugust 20236📄
DigitalOcean OIDCAugust 20234📄
FluxAugust 20234OSTIF, Flux📄✅
Lisk SDKJuly 202330📄✅
DragonFly2July 20234Dragonfly, OSTIF📄✅
Eclipse JKubeMay 20235OSTIF, Eclipse📄✅
FraxGovMay 20234📄✅
ChainflipApril 202312📄✅
Eclipse MosquittoMarch 20234OSTIF, Eclipse📛📄✅
Eclipse JettyMarch 20236Jetty, Eclipse📄✅
Spool PlatformMarch 20238📄✅
Fraxlend and veFPISJan 20234
Redpanda Core, Console, and Console EnterpriseJan 20234
Injective Labs Options MarketJan 20234
OpenVPN3Jan 20236
OpenVPN2Dec 20224OpenVPN Blog📄✅
OpenArchive Save (Android)Dec 20221OpenArchive Save📄✅
Enclave Markets Trading PlatformNov 20229
Fiat RampsNov 20224
cURLOct 20229.5OSTIF, Daniel Stenberg. Trail of Bits📄✅📛
CloudEventsOct 20224CloudEvents Security Assessment📄
OpenArchive Save (iOS)Oct 20221.2OpenArchive Save📄✅
Fraxlend and FraxFerryOct 20224📄
AlphaSOC APISep 20221📄✅
Consul EnterpriseSep 20226
snarkVMSep 202212📄✅
Hashicorp BoundaryJul 20226
SkiffJul 20226
Terraform CloudJun 20226
DatadogMay 20226
DatadogMay 20226
MATTRMay 20224
ArmorLockApr 20226
DigitalOcean FunctionApr 20224
Auvik CollectorApr 20228
Fuchsia PlatformMar 20228
Optimus ROMJan 20224
BitcoinBeachMar 20224📄
osqueryJan 20226📄
RedjackDec 20212
DigitalOcean CloudNov 202112
SpruceIDOct 202112📄
DopplerSept 20214
Datadog AgentAug 20218
AppianJun 20214
Cashero-2.0Jun 20214
OrbitApr 20211
VGS ProxyApr 20214
SkiffFeb 20214
CircleCI Server 3.0Jan 20216Penetration testing at CircleCI
BitMEXJan 20214
SecureDropDec 202082nd audit of SecureDrop Workstation📄
Citizen BrowserDec 20200.43How We Built a Facebook Inspector
RenAug 20204August Development Update📄
Hey.comJun 20201Serious Security📄
Azure SphereJun 202012Azure Sphere 20.07 Security Enhancements
ZoomMay 2020990 Days Done, What’s Next for Zoom
Secure TransportApr 20204
ZeroTier 2.0Mar 20202ZeroTier📄
VoatzFeb 202012Voatz, Tusk📄📛
VaultFeb 202012
VoiceJan 20204
Azure SphereJun 201912
zlibSep 20161📄

Cloud-Native Reviews

ProductDateLevel of <br />EffortAnnouncementReport
KEDADec 20226Audit of Kubernetes Event Driven Autoscaling (KEDA)📄
Terraform EnterpriseNov 20226
Nomad EnterpriseNov 20226
HashiCorp CloudJun 20229
TektonMar 20224Tekton Security Review Completed📄
LinkerdFeb 20224📛📄
CoreDNSJan 20224📄
Terraform EnterpriseNov 20216
Nomad EnterpriseNov 20216
Consul EnterpriseOct 20216
Vault EnterpriseOct 20216
HashiCorp CloudJun 20218
ArgoMar 20214📛📄
Terraform CloudJan 20216
ConsulOct 202010
NomadAug 20206
HelmAug 20204Helm 2nd Security Audit📄
TerraformMar 20206
OPAMar 20202Open Policy Agent (OPA) Graduation Proposal📄
etcdJan 20204CNCF📄
RookDec 20192CNCF📄
KubernetesMay 201912Google, CNCF📛📄📰

Invariant Testing and Development Engagements

ProductDateLevel of <br />EffortAnnouncementReportPublic Suite
PanopticMay 20249📄
CurvanceMarch 20245📄Public invariants

Blockchain Reviews

Wallet Reviews

ProductDateLevel of <br />EffortAnnouncementReport
Uniswap Browser ExtensionFeb 20246📄✅
UniswapSep 20234📄✅
dappOS v2 virtual walletJul 20233📄✅
WalletConnect v2.0Mar 20234WalletConnect📄✅
Uniswap Mobile WalletAug 20224📄
Phantom WalletNov 20222
GameStop iOS Web WalletNov 20221
Phantom WalletApr 20224
GameStop WalletMar 20222GameStop wallet
RAILGUNFeb 20224
Casper Web WalletJul 20214📄
ArgentAug 20204
MagmaJun 20201📄
Dharma WalletOct 20194📄
ZecWalletApr 20192📄
Web3Mar 20182W3F and TOB hardware wallet guidance💬

Algorand

ProductDateLevel of <br />EffortAnnouncementReport
Folks Finance ProtocolNov 20226📄✅
wXTZNov 20204📄
wALGONov 20204📄
Meld GoldJul 20202
AlgorandMar 201914Success and momentum of Algorand
PixelDec 20194

Avalanche

ProductDateLevel of <br />EffortAnnouncementReport
Alkimiya Silica V2Jun 20226
Ava LabsApr 20228
Flare NetworkMar 20218

Bitcoin & Derivatives

ProductDateLevel of <br />EffortAnnouncementReport
STAS SDKOct 20214
STAS-JS SDKSept 20214
Bitcoin SVJan 20216
ZcoinJul 20202Lelantus Cryptographic Library Audit Results📄
ZcashApr 20203Heartwood security assessment results📄
ZcashNov 20196NU3, Blossom, and Sapling security reviews📄
ZcashNov 20196📄
Paymail ProtocolNov 20197
Bitcoin SVNov 201812
Simple LedgerOct 20193
RSKjNov 20176RSK security audit results📄

Ethereum/EVM

ProductDateLevel of <br />EffortAnnouncementReport
Pyth EntropyDecember 20234📄
Onchain Pass App ContractsAugust 20241📄✅
Uniswap v4 CoreJuly 20246📄✅
Taraxa Ficus Root Bridge Smart ContractsJuly 20241.6📄✅
IntuitionMarch 20242📄
Offchain Labs BoLD and DAC Rewards UpdatesJune 20243📄
Offchain Labs Custom Fee TokenSeptember 20233📄
Offchain Labs Arbitrum Token Bridge CreatorDecember 20236📄
Offchain Labs L1-L3 TeleporterApril 20242📄
Offchain Labs ArbOS 31April 20242📄
Offchain Labs ArbOS 30 Nitro UpgradeApril 20246📄
Ethereum Foundation Devcon Auction RaffleJune 20241📄✅
Aladdin f(x) OracleJune 20242📄✅
AiLayer Labs 6079 Smart ContractsMay 20243📄✅
Offchain Labs Arbitrum StylusMay 202447📄
Hydrogen Labs Rover ProtocolMay 2024.45📄
Lisk Smart ContractsMay 20244📄✅
Offchain Labs BoLDApril 20245📄
SEDA Chain Token MigrationMarch 20241📄✅
Lisk Smart ContractsMarch 20244.6📄✅
Bondex Ecosystem Ltd. Smart ContractsMarch 20240.6📄
Aladdin f(x) ProtocolMarch 20244📄✅
Puffer Finance ContractsMarch 20241.2📄✅
Helios GlobalFeb 20241📄✅
ScopeLift Stealth Address ContractsFeb 20241📄✅
Offchain Labs ArbOSFeb 20244📄
MetaLayer BlastJan 20244📄✅
Offchain ArbitrumJan 20242📄
Unibot RouterDec 20231.6📄✅
Salty.IO ProtocolOct 20236📄✅
Immutable ZKEVM Bridge ContractsNov 20232📄✅
Spiko Smart ContractsOct 20231📄✅
Hyperlane v3Sept 20232📄✅
Elixir Vertex & Injective ContractsSept 20232📄✅
Easy Crypto NZDD tokenAug 20230.6📄✅
Scroll l2geth [diff] Aug 20232📄
Scroll l2geth [initial]Aug 20232📄
ImmutableAug 20234📄✅
SandclockJul 20238📄✅
ArcadeJul 20238📄✅
Nested Finance Tetris & HyVMJune 20231📄✅
Franklin TempletonMay 20234📄✅
PrysmApr 20238📄✅
Ajna ProtocolApr 202312📄✅
RaftApr 20232📄✅
MYSO v2Apr 20232Security review of our v2 contracts📄✅
Smardex AMMApr 20232SmarDex protocol Security is confirmed📄✅
WaymontMar 20231
Atlendis Smart ContractsMar 20236Atlendis V2 Audit📄✅
Primitive HyperMar 20238📄✅
Succinct Labs Ethereum Light ClientFeb 20238Introducing Telepathy📄✅
Nested Finance Smart ContractsFeb 20234📄✅
Polygon EdgeJan 20236
OptimismDec 20228
Paxos PayPal PYUSDDec 20221📄✅
GSquaredOct 20226📄
Meson ProtocolOct 20226📄
Managed pool smart contractsOct 20224📄
OndoOct 20224📄
Maple Protocol v2Sep 20228📄✅
Increment ProtocolSep 20224📄
Subspace Network Desktop FarmerSep 20222📄
OptimismSep 202216📄
NaymsSep 20226
AggregatorAug 20222
The FranchiserAug 20223
Meson ProtocolJul 20220.6📄
ChainPortJuly 20228📄
RelayJul 20221
BeanstalkJul 20228Audit of Beanstalk📄
Purpose for ProfitJul 20223
Reserve ProtocolJul 20228
SolonJul 20226
RollJul 20222
Ante ProtocolMay 20222📄
SherlockJun 20224
FlareFinanceJun 20224
TBTv2Jun 20226
MorphoJun 20224@trailofbits security audit of Morpho📄
Relayer ContractsJun 20222
AuctionRaffleMay 20222
Seaport ProtocolMay 20224Introducing Seaport Protocol📄
Shell Protocol v2May 20224📄
OptimismApr 20226
NFTXApr 20224Trail of Bits Audit📄
FraxMay 20224📄
ReserveLending+Apr 20224Security Audit for ReserveLending+
FireflyApr 20224
Maple Finance Smart ContractsMar 20221📄✅
GyroscopeMar 20226
LooksRareMar 20224📄
SymbiosisMar 20222
RAILWAYFeb 20224
Persistence ETH2.0Feb 20224
Advanced BlockchainFeb 20226📄
Perpetual Protocol V2Feb 20224📄
Futureswap V4.1Feb 20224
FireflyFeb 20228
API3Feb 20228📄
Beethoven XFeb 20221📄
Minterest FinanceJan 20226
pSTAKEJan 20226
PrimitiveJan 20228Primitive RMM smart contracts audit by @trailofbits📄
Strips FinanceJan 20228
CardstackDec 20214
FraxDec 20214📄
Sherlock Protocol V2Dec 20214📄
MapleNov 20214Maple Loans Audit Reports📄
Advanced BlockchainNov 20216📄
OpynNov 20216📄
Aave V3Nov 202112
TokemakOct 20213
Fuji FinanceOct 20216📄
V2 VaultOct 20214
Yield V2Sept 20216📄
Gro protocolSept 20212
Futureswap V4Sept 20216
RocketPoolAug 20215📄
AlphaXAug 20216
Bug Bounty PlatformAug 20218
88mph V3Aug 20216📄
TimeswapJul 20212
CompliFiJul 20216📄
OpticsJul 20212
FlareFinanceJun 20214
Uniswap V3 StakerJun 20212
Abyss LockupJun 20212
Futureswap V3Jun 20216
CompliFiJun 20216
SyndicateMay 20214
Opyn GammaMay 20216📄
FraxMay 20214📄
Yearn v2 VaultsApr 20216📄
Balancer v2Apr 20214📄
DFX FinanceApr 20216
TokemakApr 20211
Warp ContractsApr 20216Completion of Trail of Bits’ Audit📄
FlareFinanceApr 20213
MC DaiMar 20216
Uniswap V3Mar 202110Introducing Uniswap V3📄
dForce LendingMar 20216
Liquity Proxy ContractFeb 20210.57📄
Liquity ProtocolFeb 20218📄
RAY-DAOFeb 20214
FutureswapJan 20212
Balancer V2Jan 20216
C.R.E.A.M.Jan 20211📄
LUSDDec 20208📄
Origin DollarNov 20204Origin Dollar Relaunches📄
Zerion SDKNov 20204
Teller ProtocolNov 20204
HermezNov 20204Hermez Second Audit, by Trail of Bits📄
Graph ProtocolOct 20203
OVMOct 20206
PrysmSep 20206
DODOSep 20203📄
Yield ProtocolAug 20206📄
Smart PoolAug 20201
DeFinerAug 20201
ETH2.0 Deposit CLIAug 20204📄
CurveDAOJul 20206📄
AmpJul 20203📄
Federated BridgeJul 20201
dForce dTokenJul 20202📄
MaticJun 20204
LighthouseJun 20204
tBTCMay 20206📄
QTUMApr 20200.43📄
HegicApr 20200.43📄
Golem NetworkMar 20202
RedditMar 20201A New Frontier
ChaiFeb 20200.28📄
CompoundFeb 20202📄
WorkLockJan 20202WorkLock Security Audit📄
BalancerJan 20204📄
Curve.fiJan 20201📄
LivepeerOct 20193
Topo FinanceOct 20194
0x ProtocolOct 201910📄
FlexaSep 20192Announcing Flexa Capacity📄
AZTEC ProtocolSep 201910📄
Oasis LabsSep 201913
Aave ProtocolSep 20194📄
MC DaiAug 201913MCD Security Roadmap Update: Oct 2019📄
StakedAug 20194
CompoundAug 20192📄
ComputableJul 20198Computable Contract Audit📄
NumeraiMay 20193NMR 2.0 is now live!📄
MerkleXMay 20194
TokenCardMay 20195📄
Unity CoinApr 20191
CompoundApr 20198Compound v2 is Live📄
Ocean ProtocolMar 20194One Protocol. One Network. One Community
UMA ProjectMar 20193
CentrifugeMar 20195
NomismaMar 20191
Reserve ProtocolMar 20191📄
Set ProtocolMar 20195The Road to MainNet📄
NuCypherFeb 20194Security Audits (Round 2)📄
AMP StableWireJan 20191
EIP-1283Jan 20191Constantinople Security Update📄
AmpleforthNov 20184Security Audits with Trail of Bits📄
Origin ProtocolNov 20184How We Approach Security at Origin📄
Paxos StandardOct 20184📄
BasecoinOct 201812📄
PantheonOct 20188What we learned auditing our ETH client📄
CompoundSep 201812Compound launches money markets
NuCypherAug 201812Security audits: round 1📄
CENTREJul 20184Designing an upgradeable Ethereum contract
BloomJul 20181Bloom development update
Gemini DollarJun 20188Stablecoins: Understanding Counterparty Risk📄
DharmaMay 20181Dharma protocol v1 is live on mainnet
GolemApr 20184Smart contracts: audit report📄
LivePeerMar 20184Livepeer security audit results📄
DappHubDec 20178📄
MakerDAO SaiOct 20178Single-collateral Dai security reviews📄
Omega OneAug 20176

NervOS

ProductDateLevel of <br />EffortAnnouncementReport
xUDTJun 20212
Nervos -RSAMar 20214
Nervos SUDTOct 20206📄
Cheque Cell & ORUFeb 20218
Force Bridge - SolidityFeb 20214
Force Bridge - RustFeb 20213

Starknet

ProductDateLevel of <br />EffortAnnouncementReport
OpusDecember 20238📄✅
AuraAugust 20238📄✅
NostraDec 20228
StarkGateDec 20222
StarkExOct 20221
StarkNet tokenJul 20221
StarkPerpetualJan 20228
StarkExNov 20218

Solana

ProductDateLevel of <br />EffortAnnouncementReport
Squads V4Oct 20232Announcement📄✅
Token-2022 ProgramFeb 20231📄✅
Drift ProtocolDec 20226Announcement (Tweet)📄✅
SolanaApr 202212

Substrate

ProductDateLevel of <br />EffortAnnouncementReport
ParaSpaceDec 20221📄
ParaSpaceNov 20227📄
Parallel FinanceMar 20226📄
PolkadexFeb 202210
PolkadexDec 20214
PINTSept 20214
PolkaswapJul 20216
AlephBFTJun 20214📄
Acala NetworkJun 20214
Compound ChainMay 20216
Acala NetworkJan 20216📄
Parity FetherAug 20194
ParityJul 201812Parity completes Trail of Bits security review📄

Tendermint/Cosmos

ProductDateLevel of <br />EffortAnnouncementReport
Berachain Polaris API polaris-gethAug 20238
Berachain berachainJun 20236
UmeeFeb 20228📄
Columbus-5Jan 20222
IBC ProtocolDec 20214
THORChainAug 202112
TendermintMar 201912
ndauNov 20188ndau Holders Elect Inaugural Policy Council

Tezos

ProductDateLevel of <br />EffortAnnouncementReport
KolibriApr 20224
Tezori (T2)Dec 20204📄
TezoriJul 20182Thanks to @trailofbits for their security review
DexterJun 20204📄

Other/Multi-Chain

ProductDateLevel of <br />EffortAnnouncementReport
Wormhole Governors and WatchersMarch 20238📄✅
DFINITY Canister SandboxSept 20222📄
DFINITY Threshold ECDSA <br>& BTC CanistersSept 20224📄
MobileCoinJul 20222📄
CAT StandardJun 20228
FROST BLS ProtocolsJul 202212
SORA Trustless BridgeJul 20228
DFINITY Threshold ECDSAMay 20228
Arbitrum NitroMar 202216
DeGateFeb 20224📄
ShardXDec 20212
DeGateDec 20214
Threshold-DSANov 20216
DFINITY ConsensusNov 20212Internet Computer Consensus: Security<br /> Assessment📄
PolySign HSMOct 20216
Hop Protocol V2Sept 20214
Golden Gate LibrarySept 20211
PolySignSept 20216
Qredo BlockchainSept 20216
ArbitrumSept 202116
go-schnorrkelAug 20214
ShardXAug 20214
AElfJul 20214
CrossChain-BridgeJul 20218
Open OracleApr 20212
DFINITYMay 202124📄
Arbitrum V2Feb 20218
Fog ProtocolJan 20214📄
eFILJan 20212
MobileCoin BFTOct 20204📄
Highway ConsensusNov 20204ToB Audit of the Casper Highway Protocol📄
Stacks V2Sep 20206
MobileCoinAug 20204📄
VRFsAug 20202
Celo OracleJul 20202📄
ArbitrumJul 20206
MYKEYJul 20204
SymbolJul 20204Symbol from NEM completes Trail of Bits<br /> Security Audit📄
Ledger FilecoinJul 20202📄
ChainlinkJun 20208
Chainlink FluxMay 20204
ElrondMar 20206
EOSIO SDKJan 20204
NEAR ProtocolNov 20198
EOSIO 2.0Oct 20198
Status-goOct 20199
CeloSep 20198
Blockchain.comAug 20194
RandomXJun 20192Monero and Arweave to Validate RandomX📄
Interest TokenMay 20190.28
LoomMay 201910Loom SDK Q1 2019 Security Audit
Building BlocksAug 20187UN WFP uses Ethereum to aid 100k refugees

Disclosures

NameProductDiscovererYearIDBlog
Rust crates "stable" and "nightly" might be installed instead of the corresponding toolchainsCrates.ioMax Ammann2024
num-bigint disclosurenum-bigintSamuel Moelius2024💬
Memory corruption during X.509 validation in GnuTLSGnuTLSWilliam Woodruff2024CVE-2024-28835
Linux kernel modules kASLR bypassLinuxDominik Czarnota2024💬
Pedersen DKG vulnerability disclosureMultipleFredrik Dahlgren2024None💬
LeftoverLocals disclosuremultiple GPUsTyler Sorensen2024CVE-2023-4969💬
Billion hashes attack against Go JOSE librarieshttps://github.com/go-jose/go-joseMatt Schwager2023GO-2023-2334, GO-2023-2409💬
Expo Secure Store: Shortening AES GCM Authentication Tagsexpo-secure-storeJoop van de Pol2023💬
YOLOv7 disclosureYOLOv7Alvin Crighton, Anusha Ghosh, Suha Sabi Hussain, Heidy Khlaaf, Jim Miller2023💬
Numbers turned weapons: DoS in Osmosis’ math libraryOsmosisSam Alws2023💬
The issue with ATS in Apple’s macOS and iOSiOS, iPadOS, tvOS, macOS, and watchOSWill Brattain2023CVE-2023-38596💬
Eth ABI DoS disclosureethabi, eth_abi, etheriumjs-abi, alloy-rsMax Ammann2023
Security flaws in an SSO plugin for Caddycaddy-securityMaciej Domanski, Travis Peters, David Pokora2023[CVE-2024-21500 CVE-2024-21499 CVE-2024-2149 CVE-2024-21497 CVE-2024-21496 CVE-2024-21493 CVE-2024-21495 CVE-2024-21494 CVE-2024-21492 CVE-2023-52430](https://www.cve.org/cverecord?id=[CVE-2024-21500](https://www.cve.org/CVERecord?id=CVE-2024-21500) CVE-2024-21499 CVE-2024-2149 CVE-2024-21497 CVE-2024-21496 CVE-2024-21493 CVE-2024-21495 CVE-2024-21494 CVE-2024-21492 CVE-2023-52430)💬
ktor Path TraversalktorVasco Franco2023CVE-2022-48476
Specialized Zero-Knowledge Proof failuresBinance's tss-lib; All forks of tss-lib: Joltify, SwipeChain, and ThorChain; Coinbase's kryptologyOpal Wright2022💬
Forgery in Amis' Alice libraryAmis' aliceFilipe Casal2022
Keeping the wolves out of wolfSSLwolfSSLMax Ammann2022CVE-2022-38152 CVE-2022-38153 CVE-2022-39173 CVE-2022-42905💬
Escaping misconfigured VSCode extensions - Live Preview XSSLive Preview VSCode extensionVasco Franco2022MS-VULN-073448💬
Escaping misconfigured VSCode extensions - Live Preview Path TraversalLive Preview VSCode extensionVasco Franco2022MS-VULN-073447💬
Escaping well-configured VSCode extensions (for profit) - VSCode localResourceRoots BypassVSCodeVasco Franco2022CVE-2022-41042💬
Escaping misconfigured VSCode extensions - Sarif Viewer XSSSarif Viewer VSCode extensionVasco Franco2022MS-VULN-071828💬
Stranger Strings: An exploitable flaw in SQLiteSQLiteAndreas Kellas2022💬
json-viewer XSSjquery.json-viewerVasco Franco2022CVE-2022-30241
Shamir’s Secret Sharing vulnerabilitiesBinance’s tss-lib; Clover Network’s threshold-crypto; Keep Network’s keep-ecdsa; Swingby’s tss-lib; THORchain’s tss-lib; ZenGo X’s curvFilipe Casal2021💬
OSX slack:// protocol handler javascript injectionSlackJay Little2016💬
Double free in VLC's 3GP file formatVLCLoren Maggiore2015CVE-2015-5949💬

Workshops

Workshop TitleVenueDate
Smart Contract Security Automation WorkshopTruffleCon 2019Oct 2019
Manticore EVM WorkshopDevcon4 2018Nov 2018
Introduction to Smart Contract ExploitationGreHack 2018Nov 2018
DeepState: Bringing Vulnerability Detection Tools into the Dev CycleSecDev 2018Oct 2018
Smart Contract Security Automation WorkshopTruffleCon 2018Oct 2018
Smart Contract Security Automation WorkshopETH Berlin 2018Sep 2018
Manticore EVM WorkshopEthCC 2018Mar 2018
Manticore WorkshopGreHack 2017Oct 2017

Service Overviews

Service TitleType of Document
AI Safety & Security TrainingOne-page service overview

Research Reports

Report TitleDescription
Cedar, Rego, and OpenFGA Policy Languages: Comparative Language Security AssessmentComparative assessment of the security properties of selected policy languages.

Legend

IconDefinition
💬Blog post or other social media
📄Security Assessment report
Fix review report
📛Threat Model report
📰Whitepaper
HeaderDefinition
Level of EffortDefined in person-weeks for the project