Skip to content

trailofbits/publications

Repository files navigation

Publications from Trail of Bits

Academic Papers

Paper Title Venue Publication Date
A Broad Comparative Evaluation of Software Debloating Tools USENIX Security 2024 2024
PolyTracker: Whole-Input Dynamic Information Flow Tracing ISSTA 2024 2024
Endokernel: A Thread Safe Monitor for Lightweight Subprocess Isolation Usenix Security 2024 2024
Design and Implementation of a Coverage-Guided Ruby Fuzzer CSET 24 2024
Test Harness Mutilation Mutation 2024 2024
VAST: MLIR compiler for C/C++ EuroLLVM Devs' Meeting 2024 2024
PoTATo: Points-to analysis via domain specific MLIR dialect EuroLLVM Devs' Meeting 2024 2024
Careful with MAc-then-SIGn: A Computational Analysis of the EDHOC Lightweight Authenticated Key Exchange Protocol Euro S&P 2023 2023
Weak Fiat-Shamir Attacks on Modern Proof Systems IEEE S&P 2023 2023
Endoprocess: Programmable and Extensible Subprocess Isolation NSPW 2023 2023
CIVSCOPE: Analyzing Potential Memory Corruption Bugs in Compartment Interfaces SOSP KISV 2023 2023
Detecting variability bugs through hybrid control and data flow analysis LangSec 2023 2023
Blind Spots: Automatically detecting ignored program inputs LangSec 2023 2023
Efficient Proofs of Software Exploitability for Real-world Processors PETS 2023 2023
Toward Comprehensive Risk Assessments and Assurance of AI Systems arXiv 2023
A Broad Comparative Evaluation of x86-64 Binary Rewriters CSET 22 2022
On the Optimization of Equivalent Concurrent Computations PLDI EGRAPHS 2022 2022
Evaluating Static Analysis Tools via Differential Mutation QRS 2021 2021
echidna-parade: Diverse multicore smart contract fuzzing ISSTA 2021 2021
Differential analysis of x86-64 instruction decoders LangSec 2021 2021
Echidna: effective, usable, and fast fuzzing for smart contracts ISSTA 2020 2020
ICARUS: Understanding De Facto Formats By Way of Feathers and Wax LangSec 2020 2020
Toward Automated Grammar Extraction via Semantic Labeling of Parser Implementations LangSec 2020 2020
What are the Actual Flaws in Important Smart Contracts? FC 2020 2020
Echidna: A Practical Smart Contract Fuzzer FC 2020 2020
RSA GTFO PoC||GTFO 0x20 2020
Manticore: Symbolic Execution for Binaries and Smart Contracts ASE 2019 2019
Slither: A Static Analysis Framework For Smart Contracts WETSEB 2019 2019
Toward Smarter Vulnerability Discovery Using Machine Learning AISec 2018 2018
The Past, Present, and Future of Cyberdyne IEEE S&P 2018
DeepState - Symbolic Unit Testing for C and C++ BAR 2018 2018
Cyber-Deception and Attribution in Capture-the-Flag Exercises FOSINT-SI 2015 2015

Conference Presentations

Automated bug finding and exploitation

Presentation Title Author(s) Year
Your Mitigations are My Opportunities Yarden Shafir 2023
Detecting variability bugs with hybrid control and data flow Kelly Kaoudis, Henrik Brodin, Evan Sultanik 2023
Blind Spots: Identifying Exploitable Program Inputs Henrik Brodin, Evan Sultanik, and Marek Surovič 2023
MLIR is the future of program analysis Peter Goodman 2023
A Sermon on the Indulgences of Computational Sacrifice; or, The Superabundant Benedictions of Programming an Absurd NES Game Evan Sultanik 2021
Differential analysis of x86-64 instruction decoders William Woodruff, Niki Carroll, Sebastiaan Peters 2021
How to find bugs when (ground) truth isn't real William Woodruff 2020
The Treachery of Files and Two New Tools that Tame It Evan Sultanik 2019
Symbolically Executing a Fuzzy Tyrant Stefan Edwards 2019
Kernel space fault injection with KRF William Woodruff 2019
Binary Symbolic Execution With KLEE-Native Sai Vegasena 2019
Going sicko mode on the Linux Kernel William Woodruff 2019
Vulnerability Modeling with Binary Ninja Josh Watson 2018
File Polyglottery; or, This PoC is also a picture of cats Evan Sultanik 2017
Be a binary rockstar Sophia D'Antoine 2017
Symbolic Execution for Humans Mark Mossberg 2017
The spirit of the 90s is still alive in Brooklyn Ryan Stortz, Sophia D'Antoine 2017
The dream of a static and dynamic analysis shootout Ryan Stortz 2016
Binary constraint solving for automatic exploit generation Sophia D'Antoine 2016
The Smart Fuzzer Revolution Dan Guido 2016
Making a scaleable automated hacking system Artem Dinaburg 2016
Cyberdyne - Automatic bug-finding at scale Peter Goodman 2016
McSema: Static translation of x86 to LLVM IR Andrew Ruef, Artem Dinaburg 2014

Blockchain

Presentation Title Author(s) Year
Test your tests: the do's and don'ts of testing Kurt Willis 2023
Slither: a static analysis tool for Vyper and Solidity Troy Sargent 2023
Roundme: rounding analysis made simpler Josselin Feist 2023
Smart Contracts: The Beta Nat Chin 2023
Fuzzing like a security engineer Nat Chin 2023
Write better smart contracts with Slither's Python API Troy Sargent 2022
Building Secure Cairo Filipe Casal, Simone Monica 2022
How to fuzz like a pro Josselin Feist, Nat Chin 2022
Demystifying Fuzzing Nat Chin 2022
Building a Practical Static Analyzer for Smart Contracts Josselin Feist 2021
Testing and Verifying Smart Contracts: From Theory to Practice Josselin Feist 2021
Safely integrating with ERC20 tokens Josselin Feist 2021
Detecting transaction replacement attacks with Manticore Sam Moelius 2020
Fantastic Bugs and How to Squash Them; or, the Crimes of Solidity Evan Sultanik 2019
SlithIR: High-Precision Security Analysis with an IR for Solidity Josselin Feist 2019
Slither: A Static Analysis Framework for Smart Contracts Josselin Feist 2019
What blockchain got right Dan Guido 2019
Property-testing of smart contracts JP Smith 2018
Anatomy of an unsafe programming language Evan Sultanik 2018
Contract upgrade risks and recommendations Josselin Feist 2018
Blackhat Ethereum Ryan Stortz, Jay Little 2018
Blockchain Autopsies - Analyzing Smart Contract Deaths Jay Little 2018
Rattle - an Ethereum EVM binary analysis framework Ryan Stortz 2018
Securing value on the Ethereum blockchain Dan Guido 2018
Binary analysis, meet the blockchain Mark Mossberg 2018
Automatic bug finding for the blockchain Felipe Manzano, Josselin Feist 2017

Compilers

Presentation Title Author(s) Year
A Broad Comparative Evaluation of Software Debloating Tools Michael D. Brown, Adam Meily, Eric Kilmer, Ronald Eytchison 2024
Repurposing LLVM analyses in MLIR: Also there and back again across the tower of IRs Henrich Lauko 2024
VAST: MLIR for program analysis of C/C++ Henrich Lauko 2022
A Broad Comparative Evaluation of x86-64 Binary Rewriters Michael D. Brown 2022
On the Optimization of Equivalent Concurrent Computations Henrich Lauko, LukÑő Korenčik, Peter Goodman 2022

Cryptography

Presentation Title Author(s) Year
Weak Fiat-Shamir attacks on modern proof systems Jim Miller 2024
Building a Rusty path validation library for PyCA Cryptography William Woodruff 2024
Implementing X.509 path validation for Python William Woodruff 2024
Careful with MAc-then-SIGn Marc Ilunga Β 2023
Ergonomic codesigning for the Python ecosystem with Sigstore William Woodruff 2023
Sigstore for Python Packaging: Next Steps for Adoption William Woodruff 2022
die, PGP, die William Woodruff 2022
Seriously, stop using RSA Ben Perez 2019
Best Practices for Cryptography in Python Paul Kehrer 2019
Analyzing the MD5 collision in Flame Alex Sotirov 2012

Engineering

Presentation Title Author(s) Year
Linux Security Event Monitoring with osquery Alessandro Gario 2019
osql: The community oriented osquery fork Stefano Bonicatti, Mark Mossberg 2019
Getting started with osquery Lauren Pearl, Andy Ying 2018
osquery Super Features Lauren Pearl 2018
osquery Extension Skunkworks Mike Myers 2018
Build it Break it Fix it Andrew Ruef 2014

Education

Presentation Title Author(s) Year
Introduction to Semgrep and
Semgrep Practice Exercises
Maciej DomaΕ„ski, Matt Schwager, Spencer Michaels 2024
A mostly gentle introduction to LLVM William Woodruff 2022
JWTs, and why they suck Rory M 2021
The Joy of Pwning Sophia D'Antoine 2017
How to CTF - Getting and using Other People's Computers (OPC) Jay Little 2014
Low-level Security Andrew Ruef 2014
Security and Your Business Andrew Ruef 2014
Bringing nothing to the party Vincenzo Iozzo 2013
From One Ivory Tower to Another Vincenzo Iozzo 2012

Infrastructure

Presentation Title Author(s) Year
Return to the 100 Acre Woods Stefan Edwards 2019
Swimming with the kubectl fish Stefan Edwards 2019

Machine Learning

Presentation Title Author(s) Year
Incubated Machine Learning Exploits: Backdooring ML Pipelines Using Input-Handling Bugs Suha Sabi Hussain 2024
Holistic ML Threat Models Adelin Travers 2024
Using Graph-Based Machine Learning Algorithms for Software Analysis Michael D. Brown 2023
Exploiting Machine Learning Pickle Files Carson Harmon, Evan Sultanik, Jim Miller, Suha Sabi Hussain 2021
PrivacyRaven: Comprehensive Privacy Testing for Deep Learning Suha Sabi Hussain 2020

Mobile security

Presentation Title Author(s) Year
Swift Reversing Ryan Stortz 2016
Modern iOS Application Security Sophia D'Antoine, Dan Guido 2016
The Mobile Exploit Intelligence Project Dan Guido 2012
A Tale of Mobile Threats Vincenzo Iozzo 2012

Programming

Presentation Title Author(s) Year
Python internals - let's talk about dicts Dominik Czarnota 2019
Low-level debugging with Pwndbg Dominik Czarnota 2018
Insecure Things to Avoid in Python Dominik Czarnota 2018

Side channels

Presentation Title Author(s) Year
Hardware side channels in virtualized environments Sophia D'Antoine 2015
Exploiting Out-of-Order Execution Sophia D'Antoine 2015

Supply chain

Presentation Title Author(s) Year
The Next 5 Years of Supply Chain Security on PyPI William Woodruff 2024
PEP 740 and PyPI: Bootstrapping Provenance for the Python Ecosystem William Woodruff 2024
Imagining a zero-trust future for PyPI William Woodruff 2024
Build Provenance: Lessons (so far) from Homebrew Joe Sweeney 2024
What does it look like to code-sign for an entire packaging ecosystem? William Woodruff 2023
Securing your Package Ecosystem with Trusted Publishing William Woodruff 2023
Trusted Publishing: Lessons from PyPI William Woodruff 2023
Python Packaging Mystery Meat William Woodruff 2022
Automated Tools for Securing the Software Supply Chain Michael D. Brown 2022
Improving PyPI's security with Two Factor Authentication William Woodruff 2019

Threat analysis & malware

Presentation Title Author(s) Year
Peeling back the 'Shlayers' of macOS Malware Josh Watson, Erika Noerenberg 2019
The Exploit Intelligence Project Revisited Dan Guido 2013

Guides and Handbooks

We publish much of our subject matter expertise in the form of guides and handbooks.

Link Repository Description
Trail of Bits Testing Handbook trailofbits/testing-handbook The automated testing handbook is a resource that guides developers and security professionals in configuring, optimizing, and automating many of the static and dynamic analysis tools we use.
ZKDocs trailofbits/zkdocs ZKDocs provides comprehensive, detailed, and interactive documentation on zero-knowledge proof systems and related primitives.
Building Secure Smart Contracts crytic/building-secure-contracts Guidelines and best practices for developing secure smart contracts.
CTF Field Guide trailofbits/ctf Our field guide to winning at Capture The Flag (CTF).
Ruby Security Field Guide trailofbits/rubysec Our field guide for practical Ruby security.

Datasets

Dataset Date
Smart Contract Audit Findings Aug 2019

Podcasts

We host our own podcast: Trail of Bits. You can download episodes from your favorite podcast app.

Podcast Guest Date Topic(s)
MLSecOps March 20 William Woodruff March 2024 Supply chain security
Risky Biz 707 Dan Guido May 2023 ML security
ASW 229 Nick Selby Feb 2023 Threat modeling, cloud-native audits
Risky Biz 690 Dan Guido Jan 2023 Vuln disclosure
Risky Biz 672 Dan Guido Jul 2022 Blockchain security
Cloud Security Reinvented Nick Selby Jun 2022 Cloud security
Skiff Office Hours Dan Guido Mar 2022 Privacy technology
Risky Biz 652 Dan Guido Jan 2022 Zero-knowledge proofs
Secureum Safecast #3 Josselin Feist Nov 2021 Blockchain security
Secureum Safecast #2 Dan Guido Oct 2021 Blockchain security
Press Freedom Foundation Dan Guido Jul 2021 Mobile security and iVerify
Employee Cycle Hannah Hanks Mar 2021 First PeopleOps hire
Risky Biz 614 Dan Guido Feb 2021 iVerify
Building Better Systems 6 Dan Guido Jan 2021 What blockchain got right
WCBS 880 Dan Guido Sep 2020 Gap years and intern hiring
Risky Biz 594 Dan Guido Aug 2020 Apple security
Epicenter 346 Dan Guido Jun 2020 Smart contract security
Absolute AppSec 97 Stefan Edwards May 2020 Threat modeling
Unchained 170 Dan Guido May 2020 DeFi security
Risky Biz 580 Dan Guido Apr 2020 Mobile voting
Absolute AppSec 91 Stefan Edwards Apr 2020 Mobile voting
Zero Knowledge 122 Ben Perez Mar 2020 Cryptography reviews, ZKPs
Changelog Dan Guido Jan 2020 AlgoVPN
Risky Business 559 Stefan Edwards Oct 2019 Kubernetes
FOSS Weekly 545 William Woodruff Sep 2019 PyPI security improvements
Podcast.__init__ 225 William Woodruff Aug 2019 PyPI security, UX, and sustainability
Absolute AppSec 68 Stefan Edwards, Bobby Tonic Aug 2019 Kubernetes
Hashing it Out 53 Dan Guido Jul 2019 Smart contract testing
Absolute AppSec 60 Stefan Edwards May 2019 Android, programming languages
Absolute AppSec 55 Stefan Edwards Apr 2019 Security testing
Hashing it Out 35 Dan Guido, Josselin Feist Jan 2019 Ethereum's failed EIP-1283
Risky Biz 526 JP Smith Jan 2019 Post-quantum crypto in CTFs
Absolute AppSec 37 Stefan Edwards Nov 2018 Programming languages, symbex
Risky Biz 510 Lauren Pearl Aug 2018 Open source security engineering
Absolute AppSec 34 Stefan Edwards Oct 2018 Security testing, blockchain
Zero Knowledge 16 JP Smith Mar 2018 Smart contract security
Risky Biz 488 JP Smith Feb 2018 Smart contract testing w/ Manticore
Risky Biz 474 Dan Guido Oct 2017 How to engineer secure software
Georgian Partners 47 Dan Guido May 2017 AlgoVPN and Tor
VUC 643 Dan Guido Apr 2017 AlgoVPN
Risky Biz 449 Dan Guido Mar 2017 Control Flow Integrity
Risky Biz 425 Dan Guido Sep 2016 Recap the week's news
Risky Biz 421 Dan Guido Aug 2016 Car hacking and the week's news
Risky Biz 416 Dan Guido Jul 2016 DARPA Cyber Grand Challenge
Risky Biz 399 Dan Guido Feb 2016 Apple vs the FBI
Risky Biz 370 Dan Guido Feb 2015 DARPA Cyber Grand Challenge
Risky Biz 348 Dan Guido Jun 2015 DARPA Cyber Grand Challenge

Public Comments

Topic Agency Date
Automated Artifical Intelligence Bill Of Materials for AI/ML Ops U.S. Army PEO IEW&S Dec 2023
Open-Source Software Security: Areas of Long-Term Focus and Prioritization ONCD, CISA, NSF, DARPA, OMB Nov 2023
Understanding the National Security Implications of AI Whitehouse OTSP Jul 2023
AI Accountability, Regulation, and Audits NTIA Jun 2023
A Comprehensive Risk Assessment Framework for AI Assurance in Ethical, Legal, and Societal Domains DARPA Jun 2023
Understanding Crypto Markets Security CFTC Mar 2023
Regulation of Intrusion and Surveillance Software Commerce Dept Jul 2015

Security Reviews

Companies that have allowed us to speak about our work can be found here. Many more remain confidential.

ML/AI Reviews

Product Date Level of
Effort
Announcement Report
YOLOv7 Threat Model and Code Review October 2023 4 πŸ“„
EleutherAI, Hugging Face,
& Stability AI SafeTensors Library
Mar 2023 2 πŸ“„

Cryptography Reviews

Product Date Level of
Effort
Announcement Report
Lit Protocol Cait-Sith June 2024 10 πŸ“„βœ…
Discord DAVE Protocol Code Review September 2024 5 πŸ“„βœ…
Discord DAVE Protocol Design Review November 2023 4 πŸ“„βœ…
Scroll zstd Compression June 2024 12 πŸ“„βœ…
Iron Fish FishHash April 2024 1 πŸ“„βœ…
Scroll ZkEVM 4844 Blob April 2024 6 πŸ“„βœ…
Ockam Nov 2023 11 Cryptographic design review of Ockam πŸ“„
Aleo snarkVM, snarkOS, BullsharkBFT Oct 2023 18 πŸ“„βœ…
Scroll ZkEVM Wave 3 Sept 2023 9 πŸ“„βœ…
Scroll ZkEVM Wave 2 August 2023 6 πŸ“„βœ…
Scroll ZkEVM Wave 1 April 2023 23 πŸ“„βœ…
Dfinity Candid Nov 2023 3 πŸ“„βœ…
Scroll zkTrie July 2023 4 πŸ“„βœ…
Dfinity ckBTC and BTC Integration June 2023 2.5 Third-party assessment by Trail of Bits, Taking security seriously
Dfinity SNS Phase 2 June 2023 2.5 Third-party assessment by Trail of Bits, Taking security seriously πŸ“„
Thesis tss-lib BitForge June 2023 .2 πŸ“„βœ…
Chainflip April 2023 12 πŸ“„βœ…
Practical Stealth Addresses Feb 2023 2 πŸ“„βœ…
Succinct Labs ZK Ethereum Light Client Feb 2023 8 Introducing Telepathy πŸ“„βœ…
noble-curves Library Jan 2023 2 πŸ“„βœ…
ParaSpace Dec 2022 1 πŸ“„
Phantom Wallet Nov 2022 2
ParaSpace Nov 2022 7 πŸ“„βœ…
SimpleX Chat Oct 2022 1 Security assessment by Trail of Bits πŸ“„
Dfinity Sep 2022 4 Third-party assessment by Trail of Bits, Taking security seriously πŸ“„βœ…
Aleo snarkVM Sep 2022 12 πŸ“„βœ…
Microsoft/Verasion Go-COSE Jul 2022 4 πŸ“„βœ…
BLS Signature Scheme Jul 2022 1
MobileCoin Jul 2022 2 πŸ“„
Binance CGGMP21 and FROST May 2022 8
snarkVM and snarkOS Apr 2022 12
Aleo snarkVM & snarkOS Apr 2022 12
Phantom Wallet Apr 2022 4
Parallel Finance Mar 2022 6 πŸ“„
Polkadex Feb 2022 10
Linux Kernel Apr 2021 2 Linux Kernel Release Signing and Management πŸ“„
MobileCoin BFT Oct 2020 4 πŸ“„
MobileCoin Aug 2020 4 πŸ“„
Western Digital Sweet B Jan 2020 4 Western Digital πŸ“„
Standard Notes Mar 2020 1 Standard Notes Completes Crypto Audit πŸ“„
SanDisk X600 May 2019 6 Multiple vulnerabilities in SanDisk X600 πŸ“„
Project Callisto Aug 2018 5

Technology Product Reviews

Product Date Level of
Effort
Announcement Report
Kraken Mobile Wallet iCloud Backup September 2024 2 πŸ“„βœ…
Hugging Face Gradio July 2024 4 Hugging Face Blog, Trail of Bits Blog πŸ“„βœ…
Eclipse Temurin December 2023 4 Eclipse Temurin Response, OSTIF Announcement, Eclipse Foundation Announcement πŸ“„βœ…
Arch Linux Pacman December 2023 2 OTF Announcement πŸ“„βœ…
cURL HTTP3 December 2023 4 OSTIF, Daniel Stenberg πŸ“„
Lisk SDK 6.1 Sapphire, NFT and PoA modules Sept 2023 4 πŸ“„βœ…
OpenSSL September 2023 9 OSTIF Blog, OpenSSL Blog πŸ“„βœ…
PyPI Warehouse September 2023 10 PyPI, Trail of Bits πŸ“„βœ…
wasmCloud September 2023 6 πŸ“„βœ…
Worldcoin August 2023 6 πŸ“„βœ…
Homebrew August 2023 6 πŸ“„
DigitalOcean OIDC August 2023 4 πŸ“„
Flux August 2023 4 OSTIF, Flux πŸ“„βœ…
Lisk SDK July 2023 30 πŸ“„βœ…
DragonFly2 July 2023 4 Dragonfly, OSTIF πŸ“„βœ…
Eclipse JKube May 2023 5 OSTIF, Eclipse πŸ“„βœ…
FraxGov May 2023 4 πŸ“„βœ…
Chainflip April 2023 12 πŸ“„βœ…
Eclipse Mosquitto March 2023 4 OSTIF, Eclipse πŸ“›πŸ“„βœ…
Eclipse Jetty March 2023 6 Jetty, Eclipse πŸ“„βœ…
Spool Platform March 2023 8 πŸ“„βœ…
Fraxlend and veFPIS Jan 2023 4
Redpanda Core, Console, and Console Enterprise Jan 2023 4
Injective Labs Options Market Jan 2023 4
OpenVPN3 Jan 2023 6
OpenVPN2 Dec 2022 4 OpenVPN Blog πŸ“„βœ…
OpenArchive Save (Android) Dec 2022 1 OpenArchive Save πŸ“„βœ…
Enclave Markets Trading Platform Nov 2022 9
Fiat Ramps Nov 2022 4
cURL Oct 2022 9.5 OSTIF, Daniel Stenberg. Trail of Bits πŸ“„βœ…πŸ“›
CloudEvents Oct 2022 4 CloudEvents Security Assessment πŸ“„
OpenArchive Save (iOS) Oct 2022 1.2 OpenArchive Save πŸ“„βœ…
Fraxlend and FraxFerry Oct 2022 4 πŸ“„
AlphaSOC API Sep 2022 1 πŸ“„βœ…
Consul Enterprise Sep 2022 6
snarkVM Sep 2022 12 πŸ“„βœ…
Hashicorp Boundary Jul 2022 6
Skiff Jul 2022 6
Terraform Cloud Jun 2022 6
Datadog May 2022 6
Datadog May 2022 6
MATTR May 2022 4
ArmorLock Apr 2022 6
DigitalOcean Function Apr 2022 4
Auvik Collector Apr 2022 8
Fuchsia Platform Mar 2022 8
Optimus ROM Jan 2022 4
BitcoinBeach Mar 2022 4 πŸ“„
osquery Jan 2022 6 πŸ“„
Redjack Dec 2021 2
DigitalOcean Cloud Nov 2021 12
SpruceID Oct 2021 12 πŸ“„
Doppler Sept 2021 4
Datadog Agent Aug 2021 8
Appian Jun 2021 4
Cashero-2.0 Jun 2021 4
Orbit Apr 2021 1
VGS Proxy Apr 2021 4
Skiff Feb 2021 4
CircleCI Server 3.0 Jan 2021 6 Penetration testing at CircleCI
BitMEX Jan 2021 4
SecureDrop Dec 2020 8 2nd audit of SecureDrop Workstation πŸ“„
Citizen Browser Dec 2020 0.43 How We Built a Facebook Inspector
Ren Aug 2020 4 August Development Update πŸ“„
Hey.com Jun 2020 1 Serious Security πŸ“„
Azure Sphere Jun 2020 12 Azure Sphere 20.07 Security Enhancements
Zoom May 2020 9 90 Days Done, What’s Next for Zoom
Secure Transport Apr 2020 4
ZeroTier 2.0 Mar 2020 2 ZeroTier πŸ“„
Voatz Feb 2020 12 Voatz, Tusk πŸ“„πŸ“›
Vault Feb 2020 12
Voice Jan 2020 4
Azure Sphere Jun 2019 12
zlib Sep 2016 1 πŸ“„

Cloud-Native Reviews

Product Date Level of
Effort
Announcement Report
KEDA Dec 2022 6 Audit of Kubernetes Event Driven Autoscaling (KEDA) πŸ“„
Terraform Enterprise Nov 2022 6
Nomad Enterprise Nov 2022 6
HashiCorp Cloud Jun 2022 9
Tekton Mar 2022 4 Tekton Security Review Completed πŸ“„
Linkerd Feb 2022 4 πŸ“›πŸ“„βœ…
CoreDNS Jan 2022 4 πŸ“„
Terraform Enterprise Nov 2021 6
Nomad Enterprise Nov 2021 6
Consul Enterprise Oct 2021 6
Vault Enterprise Oct 2021 6
HashiCorp Cloud Jun 2021 8
Argo Mar 2021 4 πŸ“›πŸ“„
Terraform Cloud Jan 2021 6
Consul Oct 2020 10
Nomad Aug 2020 6
Helm Aug 2020 4 Helm 2nd Security Audit πŸ“„
Terraform Mar 2020 6
OPA Mar 2020 2 Open Policy Agent (OPA) Graduation Proposal πŸ“„
etcd Jan 2020 4 CNCF πŸ“„
Rook Dec 2019 2 CNCF πŸ“„
Kubernetes May 2019 12 Google, CNCF πŸ“›πŸ“„πŸ“°

Invariant Testing and Development Engagements

Product Date Level of
Effort
Announcement Report Public Suite
Panoptic May 2024 9 πŸ“„
Curvance March 2024 5 πŸ“„ Public invariants

Blockchain Reviews

Wallet Reviews

Product Date Level of
Effort
Announcement Report
Uniswap Browser Extension Feb 2024 6 πŸ“„βœ…
Uniswap Sep 2023 4 πŸ“„βœ…
dappOS v2 virtual wallet Jul 2023 3 πŸ“„βœ…
WalletConnect v2.0 Mar 2023 4 WalletConnect πŸ“„βœ…
Uniswap Mobile Wallet Aug 2022 4 πŸ“„βœ…
Phantom Wallet Nov 2022 2
GameStop iOS Web Wallet Nov 2022 1
Phantom Wallet Apr 2022 4
GameStop Wallet Mar 2022 2 GameStop wallet
RAILGUN Feb 2022 4
Casper Web Wallet Jul 2021 4 πŸ“„
Argent Aug 2020 4
Magma Jun 2020 1 πŸ“„
Dharma Wallet Oct 2019 4 πŸ“„
ZecWallet Apr 2019 2 πŸ“„
Web3 Mar 2018 2 W3F and TOB hardware wallet guidance πŸ’¬

Algorand

Product Date Level of
Effort
Announcement Report
Folks Finance Protocol Nov 2022 6 πŸ“„βœ…
wXTZ Nov 2020 4 πŸ“„
wALGO Nov 2020 4 πŸ“„
Meld Gold Jul 2020 2
Algorand Mar 2019 14 Success and momentum of Algorand
Pixel Dec 2019 4

Avalanche

Product Date Level of
Effort
Announcement Report
Alkimiya Silica V2 Jun 2022 6
Ava Labs Apr 2022 8
Flare Network Mar 2021 8

Bitcoin & Derivatives

Product Date Level of
Effort
Announcement Report
Nomic Nov 2024 10 Nomic Completes Security Audit by Trail of Bits πŸ“„βœ…
STAS SDK Oct 2021 4
STAS-JS SDK Sept 2021 4
Bitcoin SV Jan 2021 6
Zcoin Jul 2020 2 Lelantus Cryptographic Library Audit Results πŸ“„
Zcash Apr 2020 3 Heartwood security assessment results πŸ“„
Zcash Nov 2019 6 NU3, Blossom, and Sapling security reviews πŸ“„
Zcash Nov 2019 6 πŸ“„
Paymail Protocol Nov 2019 7
Bitcoin SV Nov 2018 12
Simple Ledger Oct 2019 3
RSKj Nov 2017 6 RSK security audit results πŸ“„

Ethereum/EVM

Product Date Level of
Effort
Announcement Report
Offchain Nitro Contracts with BoLD October 2024 2.6 πŸ“„
Wonderland Prophet May 2024 4 πŸ“„βœ…
Offchain Stylus September 2024 2 πŸ“„βœ…
Elixir Protocol August 2024 4 πŸ“„βœ…
Offchain RARI August 2024 .6 πŸ“„
Offchain Office Hours Governance Action August 2024 .6 πŸ“„
Offchain Timeboost Auction August 2024 3 πŸ“„
Offchain Orbit Actions August 2024 1 πŸ“„
Offchain USDC Custom Gateway July 2024 2 πŸ“„
Treehouse tETH Protocol September 2024 4 πŸ“„βœ…
Acronym Foundation December 2023 4 πŸ“„βœ…
Pyth Entropy December 2023 4 πŸ“„
Onchain Pass App Contracts August 2024 1 πŸ“„βœ…
Uniswap v4 Core July 2024 6 πŸ“„βœ…
Taraxa Ficus Root Bridge Smart Contracts July 2024 1.6 πŸ“„βœ…
Intuition March 2024 2 πŸ“„
Offchain Labs BoLD and DAC Rewards Updates June 2024 3 πŸ“„
Offchain Labs Custom Fee Token September 2023 3 πŸ“„
Offchain Labs Arbitrum Token Bridge Creator December 2023 6 πŸ“„
Offchain Labs L1-L3 Teleporter April 2024 2 πŸ“„
Offchain Labs ArbOS 31 April 2024 2 πŸ“„
Offchain Labs ArbOS 30 Nitro Upgrade April 2024 6 πŸ“„
Ethereum Foundation Devcon Auction Raffle June 2024 1 πŸ“„βœ…
Aladdin f(x) Oracle June 2024 2 πŸ“„βœ…
AiLayer Labs 6079 Smart Contracts May 2024 3 πŸ“„βœ…
Offchain Labs Arbitrum Stylus May 2024 47 πŸ“„
Hydrogen Labs Rover Protocol May 2024 .45 πŸ“„
Lisk Smart Contracts May 2024 4 πŸ“„βœ…
Offchain Labs BoLD April 2024 5 πŸ“„
SEDA Chain Token Migration March 2024 1 πŸ“„βœ…
Lisk Smart Contracts March 2024 4.6 πŸ“„βœ…
Bondex Ecosystem Ltd. Smart Contracts March 2024 0.6 πŸ“„
Aladdin f(x) Protocol March 2024 4 πŸ“„βœ…
Puffer Finance Contracts March 2024 1.2 πŸ“„βœ…
Helios Global Feb 2024 1 πŸ“„βœ…
ScopeLift Stealth Address Contracts Feb 2024 1 πŸ“„βœ…
Offchain Labs ArbOS Feb 2024 4 πŸ“„
MetaLayer Blast Jan 2024 4 πŸ“„βœ…
Offchain Arbitrum Jan 2024 2 πŸ“„
Unibot Router Dec 2023 1.6 πŸ“„βœ…
Salty.IO Protocol Oct 2023 6 πŸ“„βœ…
Immutable ZKEVM Bridge Contracts Nov 2023 2 πŸ“„βœ…
Spiko Smart Contracts Oct 2023 1 πŸ“„βœ…
Hyperlane v3 Sept 2023 2 πŸ“„βœ…
Elixir Vertex & Injective Contracts Sept 2023 2 πŸ“„βœ…
Easy Crypto NZDD token Aug 2023 0.6 πŸ“„βœ…
Scroll l2geth [diff] Aug 2023 2 πŸ“„
Scroll l2geth [initial] Aug 2023 2 πŸ“„
Immutable Aug 2023 4 πŸ“„βœ…
Sandclock Jul 2023 8 πŸ“„βœ…
Arcade Jul 2023 8 πŸ“„βœ…
Nested Finance Tetris & HyVM June 2023 1 πŸ“„βœ…
Franklin Templeton May 2023 4 πŸ“„βœ…
Prysm Apr 2023 8 πŸ“„βœ…
Ajna Protocol Apr 2023 12 πŸ“„βœ…
Raft Apr 2023 2 πŸ“„βœ…
MYSO v2 Apr 2023 2 Security review of our v2 contracts πŸ“„βœ…
Smardex AMM Apr 2023 2 SmarDex protocol Security is confirmed πŸ“„βœ…
Waymont Mar 2023 1
Atlendis Smart Contracts Mar 2023 6 Atlendis V2 Audit πŸ“„βœ…
Primitive Hyper Mar 2023 8 πŸ“„βœ…
Succinct Labs Ethereum Light Client Feb 2023 8 Introducing Telepathy πŸ“„βœ…
Nested Finance Smart Contracts Feb 2023 4 πŸ“„βœ…
Polygon Edge Jan 2023 6
Optimism Dec 2022 8
Paxos PayPal PYUSD Dec 2022 1 πŸ“„βœ…
GSquared Oct 2022 6 πŸ“„βœ…
Meson Protocol Oct 2022 6 πŸ“„βœ…
Managed pool smart contracts Oct 2022 4 πŸ“„
Ondo Oct 2022 4 πŸ“„βœ…
Maple Protocol v2 Sep 2022 8 πŸ“„βœ…
Increment Protocol Sep 2022 4 πŸ“„βœ…
Subspace Network Desktop Farmer Sep 2022 2 πŸ“„βœ…
Optimism Sep 2022 16 πŸ“„
Nayms Sep 2022 6
Aggregator Aug 2022 2
The Franchiser Aug 2022 3
Meson Protocol Jul 2022 0.6 πŸ“„
ChainPort July 2022 8 πŸ“„βœ…
Relay Jul 2022 1
Beanstalk Jul 2022 8 Audit of Beanstalk πŸ“„βœ…
Purpose for Profit Jul 2022 3
Reserve Protocol Jul 2022 8
Solon Jul 2022 6
Roll Jul 2022 2
Ante Protocol May 2022 2 πŸ“„βœ…
Sherlock Jun 2022 4
FlareFinance Jun 2022 4
TBTv2 Jun 2022 6
Morpho Jun 2022 4 @trailofbits security audit of Morpho πŸ“„
Relayer Contracts Jun 2022 2
AuctionRaffle May 2022 2
Seaport Protocol May 2022 4 Introducing Seaport Protocol πŸ“„
Shell Protocol v2 May 2022 4 πŸ“„
Optimism Apr 2022 6
NFTX Apr 2022 4 Trail of Bits Audit πŸ“„
Frax May 2022 4 πŸ“„
ReserveLending+ Apr 2022 4 Security Audit for ReserveLending+
Firefly Apr 2022 4
Maple Finance Smart Contracts Mar 2022 1 πŸ“„βœ…
Gyroscope Mar 2022 6
LooksRare Mar 2022 4 πŸ“„
Symbiosis Mar 2022 2
RAILWAY Feb 2022 4
Persistence ETH2.0 Feb 2022 4
Advanced Blockchain Feb 2022 6 πŸ“„
Perpetual Protocol V2 Feb 2022 4 πŸ“„
Futureswap V4.1 Feb 2022 4
Firefly Feb 2022 8
API3 Feb 2022 8 πŸ“„
Beethoven X Feb 2022 1 πŸ“„
Minterest Finance Jan 2022 6
pSTAKE Jan 2022 6
Primitive Jan 2022 8 Primitive RMM smart contracts audit by @trailofbits πŸ“„
Strips Finance Jan 2022 8
Cardstack Dec 2021 4
Frax Dec 2021 4 πŸ“„
Sherlock Protocol V2 Dec 2021 4 πŸ“„
Maple Nov 2021 4 Maple Loans Audit Reports πŸ“„
Advanced Blockchain Nov 2021 6 πŸ“„
Opyn Nov 2021 6 πŸ“„
Aave V3 Nov 2021 12
Tokemak Oct 2021 3
Fuji Finance Oct 2021 6 πŸ“„
V2 Vault Oct 2021 4
Yield V2 Sept 2021 6 πŸ“„
Gro protocol Sept 2021 2
Futureswap V4 Sept 2021 6
RocketPool Aug 2021 5 πŸ“„
AlphaX Aug 2021 6
Bug Bounty Platform Aug 2021 8
88mph V3 Aug 2021 6 πŸ“„
Timeswap Jul 2021 2
CompliFi Jul 2021 6 πŸ“„
Optics Jul 2021 2
FlareFinance Jun 2021 4
Uniswap V3 Staker Jun 2021 2
Abyss Lockup Jun 2021 2
Futureswap V3 Jun 2021 6
CompliFi Jun 2021 6
Syndicate May 2021 4
Opyn Gamma May 2021 6 πŸ“„
Frax May 2021 4 πŸ“„
Yearn v2 Vaults Apr 2021 6 πŸ“„
Balancer v2 Apr 2021 4 πŸ“„
DFX Finance Apr 2021 6
Tokemak Apr 2021 1
Warp Contracts Apr 2021 6 Completion of Trail of Bits’ Audit πŸ“„
FlareFinance Apr 2021 3
MC Dai Mar 2021 6
Uniswap V3 Mar 2021 10 Introducing Uniswap V3 πŸ“„
dForce Lending Mar 2021 6
Liquity Proxy Contract Feb 2021 0.57 πŸ“„
Liquity Protocol Feb 2021 8 πŸ“„
RAY-DAO Feb 2021 4
Futureswap Jan 2021 2
Balancer V2 Jan 2021 6
C.R.E.A.M. Jan 2021 1 πŸ“„
LUSD Dec 2020 8 πŸ“„
Origin Dollar Nov 2020 4 Origin Dollar Relaunches πŸ“„
Zerion SDK Nov 2020 4
Teller Protocol Nov 2020 4
Hermez Nov 2020 4 Hermez Second Audit, by Trail of Bits πŸ“„
Graph Protocol Oct 2020 3
OVM Oct 2020 6
Prysm Sep 2020 6
DODO Sep 2020 3 πŸ“„
Yield Protocol Aug 2020 6 πŸ“„
Smart Pool Aug 2020 1
DeFiner Aug 2020 1
ETH2.0 Deposit CLI Aug 2020 4 πŸ“„
CurveDAO Jul 2020 6 πŸ“„
Amp Jul 2020 3 πŸ“„
Federated Bridge Jul 2020 1
dForce dToken Jul 2020 2 πŸ“„
Matic Jun 2020 4
Lighthouse Jun 2020 4
tBTC May 2020 6 πŸ“„
QTUM Apr 2020 0.43 πŸ“„
Hegic Apr 2020 0.43 πŸ“„
Golem Network Mar 2020 2
Reddit Mar 2020 1 A New Frontier
Chai Feb 2020 0.28 πŸ“„
Compound Feb 2020 2 πŸ“„
WorkLock Jan 2020 2 WorkLock Security Audit πŸ“„
Balancer Jan 2020 4 πŸ“„
Curve.fi Jan 2020 1 πŸ“„
Livepeer Oct 2019 3
Topo Finance Oct 2019 4
0x Protocol Oct 2019 10 πŸ“„
Flexa Sep 2019 2 Announcing Flexa Capacity πŸ“„
AZTEC Protocol Sep 2019 10 πŸ“„
Oasis Labs Sep 2019 13
Aave Protocol Sep 2019 4 πŸ“„
MC Dai Aug 2019 13 MCD Security Roadmap Update: Oct 2019 πŸ“„
Staked Aug 2019 4
Compound Aug 2019 2 πŸ“„
Computable Jul 2019 8 Computable Contract Audit πŸ“„
Numerai May 2019 3 NMR 2.0 is now live! πŸ“„
MerkleX May 2019 4
TokenCard May 2019 5 πŸ“„
Unity Coin Apr 2019 1
Compound Apr 2019 8 Compound v2 is Live πŸ“„
Ocean Protocol Mar 2019 4 One Protocol. One Network. One Community
UMA Project Mar 2019 3
Centrifuge Mar 2019 5
Nomisma Mar 2019 1
Reserve Protocol Mar 2019 1 πŸ“„
Set Protocol Mar 2019 5 The Road to MainNet πŸ“„
NuCypher Feb 2019 4 Security Audits (Round 2) πŸ“„
AMP StableWire Jan 2019 1
EIP-1283 Jan 2019 1 Constantinople Security Update πŸ“„
Ampleforth Nov 2018 4 Security Audits with Trail of Bits πŸ“„
Origin Protocol Nov 2018 4 How We Approach Security at Origin πŸ“„
Paxos Standard Oct 2018 4 πŸ“„
Basecoin Oct 2018 12 πŸ“„
Pantheon Oct 2018 8 What we learned auditing our ETH client πŸ“„
Compound Sep 2018 12 Compound launches money markets
NuCypher Aug 2018 12 Security audits: round 1 πŸ“„
CENTRE Jul 2018 4 Designing an upgradeable Ethereum contract
Bloom Jul 2018 1 Bloom development update
Gemini Dollar Jun 2018 8 Stablecoins: Understanding Counterparty Risk πŸ“„
Dharma May 2018 1 Dharma protocol v1 is live on mainnet
Golem Apr 2018 4 Smart contracts: audit report πŸ“„
LivePeer Mar 2018 4 Livepeer security audit results πŸ“„
DappHub Dec 2017 8 πŸ“„
MakerDAO Sai Oct 2017 8 Single-collateral Dai security reviews πŸ“„
Omega One Aug 2017 6

NervOS

Product Date Level of
Effort
Announcement Report
xUDT Jun 2021 2
Nervos -RSA Mar 2021 4
Nervos SUDT Oct 2020 6 πŸ“„
Cheque Cell & ORU Feb 2021 8
Force Bridge - Solidity Feb 2021 4
Force Bridge - Rust Feb 2021 3

Starknet

Product Date Level of
Effort
Announcement Report
Opus December 2023 8 πŸ“„βœ…
Aura August 2023 8 πŸ“„βœ…
Nostra Dec 2022 8
StarkGate Dec 2022 2
StarkEx Oct 2022 1
StarkNet token Jul 2022 1
StarkPerpetual Jan 2022 8
StarkEx Nov 2021 8

Solana

Product Date Level of
Effort
Announcement Report
Squads V4 Oct 2023 2 Announcement πŸ“„βœ…
Token-2022 Program Feb 2023 1 πŸ“„βœ…
Drift Protocol Dec 2022 6 Announcement (Tweet) πŸ“„βœ…
Solana Apr 2022 12

Substrate

Product Date Level of
Effort
Announcement Report
ParaSpace Dec 2022 1 πŸ“„
ParaSpace Nov 2022 7 πŸ“„βœ…
Parallel Finance Mar 2022 6 πŸ“„
Polkadex Feb 2022 10
Polkadex Dec 2021 4
PINT Sept 2021 4
Polkaswap Jul 2021 6
AlephBFT Jun 2021 4 πŸ“„
Acala Network Jun 2021 4
Compound Chain May 2021 6
Acala Network Jan 2021 6 πŸ“„
Parity Fether Aug 2019 4
Parity Jul 2018 12 Parity completes Trail of Bits security review πŸ“„

Tendermint/Cosmos

Product Date Level of
Effort
Announcement Report
Orga and Merk Nov 2024 10 Orga & Merk Trail of Bits Security Audit πŸ“„βœ…
Berachain Polaris API polaris-geth Aug 2023 8
Berachain berachain Jun 2023 6
Umee Feb 2022 8 πŸ“„
Columbus-5 Jan 2022 2
IBC Protocol Dec 2021 4
THORChain Aug 2021 12
Tendermint Mar 2019 12
ndau Nov 2018 8 ndau Holders Elect Inaugural Policy Council

Tezos

Product Date Level of
Effort
Announcement Report
Kolibri Apr 2022 4
Tezori (T2) Dec 2020 4 πŸ“„
Tezori Jul 2018 2 Thanks to @trailofbits for their security review
Dexter Jun 2020 4 πŸ“„

Other/Multi-Chain

Product Date Level of
Effort
Announcement Report
Wormhole Governors and Watchers March 2023 8 πŸ“„βœ…
DFINITY Canister Sandbox Sept 2022 2 πŸ“„βœ…
DFINITY Threshold ECDSA
& BTC Canisters
Sept 2022 4 πŸ“„βœ…
MobileCoin Jul 2022 2 πŸ“„
CAT Standard Jun 2022 8
FROST BLS Protocols Jul 2022 12
SORA Trustless Bridge Jul 2022 8
DFINITY Threshold ECDSA May 2022 8
Arbitrum Nitro Mar 2022 16
DeGate Feb 2022 4 πŸ“„
ShardX Dec 2021 2
DeGate Dec 2021 4
Threshold-DSA Nov 2021 6
DFINITY Consensus Nov 2021 2 Internet Computer Consensus: Security
Assessment
πŸ“„
PolySign HSM Oct 2021 6
Hop Protocol V2 Sept 2021 4
Golden Gate Library Sept 2021 1
PolySign Sept 2021 6
Qredo Blockchain Sept 2021 6
Arbitrum Sept 2021 16
go-schnorrkel Aug 2021 4
ShardX Aug 2021 4
AElf Jul 2021 4
CrossChain-Bridge Jul 2021 8
Open Oracle Apr 2021 2
DFINITY May 2021 24 πŸ“„
Arbitrum V2 Feb 2021 8
Fog Protocol Jan 2021 4 πŸ“„
eFIL Jan 2021 2
MobileCoin BFT Oct 2020 4 πŸ“„
Highway Consensus Nov 2020 4 ToB Audit of the Casper Highway Protocol πŸ“„
Stacks V2 Sep 2020 6
MobileCoin Aug 2020 4 πŸ“„
VRFs Aug 2020 2
Celo Oracle Jul 2020 2 πŸ“„
Arbitrum Jul 2020 6
MYKEY Jul 2020 4
Symbol Jul 2020 4 Symbol from NEM completes Trail of Bits
Security Audit
πŸ“„
Ledger Filecoin Jul 2020 2 πŸ“„
Chainlink Jun 2020 8
Chainlink Flux May 2020 4
Elrond Mar 2020 6
EOSIO SDK Jan 2020 4
NEAR Protocol Nov 2019 8
EOSIO 2.0 Oct 2019 8
Status-go Oct 2019 9
Celo Sep 2019 8
Blockchain.com Aug 2019 4
RandomX Jun 2019 2 Monero and Arweave to Validate RandomX πŸ“„
Interest Token May 2019 0.28
Loom May 2019 10 Loom SDK Q1 2019 Security Audit
Building Blocks Aug 2018 7 UN WFP uses Ethereum to aid 100k refugees

Disclosures

Name Product Discoverer Year ID Blog
Rust crates "stable" and "nightly" might be installed instead of the corresponding toolchains Crates.io Max Ammann 2024 ❌
num-bigint disclosure num-bigint Samuel Moelius 2024 ❌ πŸ’¬
Memory corruption during X.509 validation in GnuTLS GnuTLS William Woodruff 2024 CVE-2024-28835
Linux kernel modules kASLR bypass Linux Dominik Czarnota 2024 ❌ πŸ’¬
Pedersen DKG vulnerability disclosure Multiple Fredrik Dahlgren 2024 None πŸ’¬
LeftoverLocals disclosure multiple GPUs Tyler Sorensen 2024 CVE-2023-4969 πŸ’¬
Billion hashes attack against Go JOSE libraries https://github.com/go-jose/go-jose Matt Schwager 2023 GO-2023-2334, GO-2023-2409 πŸ’¬
Expo Secure Store: Shortening AES GCM Authentication Tags expo-secure-store Joop van de Pol 2023 ❌ πŸ’¬
YOLOv7 disclosure YOLOv7 Alvin Crighton, Anusha Ghosh, Suha Sabi Hussain, Heidy Khlaaf, Jim Miller 2023 ❌ πŸ’¬
Numbers turned weapons: DoS in Osmosis’ math library Osmosis Sam Alws 2023 ❌ πŸ’¬
The issue with ATS in Apple’s macOS and iOS iOS, iPadOS, tvOS, macOS, and watchOS Will Brattain 2023 CVE-2023-38596 πŸ’¬
Eth ABI DoS disclosure ethabi, eth_abi, etheriumjs-abi, alloy-rs Max Ammann 2023 ❌
Security flaws in an SSO plugin for Caddy caddy-security Maciej Domanski, Travis Peters, David Pokora 2023 [CVE-2024-21500 CVE-2024-21499 CVE-2024-2149 CVE-2024-21497 CVE-2024-21496 CVE-2024-21493 CVE-2024-21495 CVE-2024-21494 CVE-2024-21492 CVE-2023-52430](https://www.cve.org/cverecord?id=[CVE-2024-21500](https://www.cve.org/CVERecord?id=CVE-2024-21500) CVE-2024-21499 CVE-2024-2149 CVE-2024-21497 CVE-2024-21496 CVE-2024-21493 CVE-2024-21495 CVE-2024-21494 CVE-2024-21492 CVE-2023-52430) πŸ’¬
ktor Path Traversal ktor Vasco Franco 2023 CVE-2022-48476
Specialized Zero-Knowledge Proof failures Binance's tss-lib; All forks of tss-lib: Joltify, SwipeChain, and ThorChain; Coinbase's kryptology Opal Wright 2022 ❌ πŸ’¬
Forgery in Amis' Alice library Amis' alice Filipe Casal 2022 ❌
Keeping the wolves out of wolfSSL wolfSSL Max Ammann 2022 CVE-2022-38152 CVE-2022-38153 CVE-2022-39173 CVE-2022-42905 πŸ’¬
Escaping misconfigured VSCode extensions - Live Preview XSS Live Preview VSCode extension Vasco Franco 2022 MS-VULN-073448 πŸ’¬
Escaping misconfigured VSCode extensions - Live Preview Path Traversal Live Preview VSCode extension Vasco Franco 2022 MS-VULN-073447 πŸ’¬
Escaping well-configured VSCode extensions (for profit) - VSCode localResourceRoots Bypass VSCode Vasco Franco 2022 CVE-2022-41042 πŸ’¬
Escaping misconfigured VSCode extensions - Sarif Viewer XSS Sarif Viewer VSCode extension Vasco Franco 2022 MS-VULN-071828 πŸ’¬
Stranger Strings: An exploitable flaw in SQLite SQLite Andreas Kellas 2022 ❌ πŸ’¬
json-viewer XSS jquery.json-viewer Vasco Franco 2022 CVE-2022-30241
Shamir’s Secret Sharing vulnerabilities Binance’s tss-lib; Clover Network’s threshold-crypto; Keep Network’s keep-ecdsa; Swingby’s tss-lib; THORchain’s tss-lib; ZenGo X’s curv Filipe Casal 2021 ❌ πŸ’¬
OSX slack:// protocol handler javascript injection Slack Jay Little 2016 ❌ πŸ’¬
Double free in VLC's 3GP file format VLC Loren Maggiore 2015 CVE-2015-5949 πŸ’¬

Workshops

Workshop Title Venue Date
Smart Contract Security Automation Workshop TruffleCon 2019 Oct 2019
Manticore EVM Workshop Devcon4 2018 Nov 2018
Introduction to Smart Contract Exploitation GreHack 2018 Nov 2018
DeepState: Bringing Vulnerability Detection Tools into the Dev Cycle SecDev 2018 Oct 2018
Smart Contract Security Automation Workshop TruffleCon 2018 Oct 2018
Smart Contract Security Automation Workshop ETH Berlin 2018 Sep 2018
Manticore EVM Workshop EthCC 2018 Mar 2018
Manticore Workshop GreHack 2017 Oct 2017

Service Overviews

Service Title Type of Document
AI Safety & Security Training One-page service overview

Research Reports

Report Title Description
Cedar, Rego, and OpenFGA Policy Languages: Comparative Language Security Assessment Comparative assessment of the security properties of selected policy languages.

Legend

Icon Definition
πŸ’¬ Blog post or other social media
πŸ“„ Security Assessment report
βœ… Fix review report
πŸ“› Threat Model report
πŸ“° Whitepaper
Header Definition
Level of Effort Defined in person-weeks for the project