• Stars
    star
    1,232
  • Rank 38,102 (Top 0.8 %)
  • Language
    Python
  • License
    Creative Commons ...
  • Created over 9 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Publications from Trail of Bits

Publications from Trail of Bits

Academic Papers

Paper Title Venue Publication Date
Automatically detecting variability bugs through hybrid control and data flow analysis LangSec 2023 2023
Efficient Proofs of Software Exploitability for Real-world Processors PETS 2023 2023
Toward Comprehensive Risk Assessments and Assurance of AI-Based Systems arXiv 2023
A Broad Comparative Evaluation of x86-64 Binary Rewriters CSET 22 2022
On the Optimization of Equivalent Concurrent Computations PLDI EGRAPHS 2022 2022
Evaluating Static Analysis Tools via Differential Mutation QRS 2021 2021
echidna-parade: Diverse multicore smart contract fuzzing ISSTA 2021 2021
Differential analysis of x86-64 instruction decoders LangSec 2021 2021
Echidna: effective, usable, and fast fuzzing for smart contracts ISSTA 2020 2020
Automated Grammar Extraction via Semantic Labeling of Parsers LangSec 2020 2020
What are the Actual Flaws in Important Smart Contracts? FC 2020 2020
Echidna: A Practical Smart Contract Fuzzer FC 2020 2020
RSA GTFO PoC||GTFO 0x20 2020
Manticore: Symbolic Execution for Binaries and Smart Contracts ASE 2019 2019
Slither: A Static Analysis Framework For Smart Contracts WETSEB 2019 2019
Toward Smarter Vulnerability Discovery Using Machine Learning AISec 2018 2018
The Past, Present, and Future of Cyberdyne IEEE S&P 2018
DeepState - Symbolic Unit Testing for C and C++ BAR 2018 2018
Cyber-Deception and Attribution in Capture-the-Flag Exercises FOSINT-SI 2015 2015

Conference Presentations

Automated bug finding and exploitation

Presentation Title Author(s) Year
Automatically detecting variability bugs through hybrid control and data flow analysis (LangSec23 paper presentation) Kelly Kaoudis, Henrik Brodin, Evan Sultanik 2023
MLIR is the future of program analysis Peter Goodman 2023
Differential analysis of x86-64 instruction decoders William Woodruff, Niki Carroll, Sebastiaan Peters 2021
How to find bugs when (ground) truth isn't real William Woodruff 2020
The Treachery of Files and Two New Tools that Tame It Evan Sultanik 2019
Symbolically Executing a Fuzzy Tyrant Stefan Edwards 2019
Kernel space fault injection with KRF William Woodruff 2019
Binary Symbolic Execution With KLEE-Native Sai Vegasena 2019
Going sicko mode on the Linux Kernel William Woodruff 2019
Vulnerability Modeling with Binary Ninja Josh Watson 2018
File Polyglottery; or, This PoC is also a picture of cats Evan Sultanik 2017
Be a binary rockstar Sophia D'Antoine 2017
Symbolic Execution for Humans Mark Mossberg 2017
The spirit of the 90s is still alive in Brooklyn Ryan Stortz, Sophia D'Antoine 2017
The dream of a static and dynamic analysis shootout Ryan Stortz 2016
Binary constraint solving for automatic exploit generation Sophia D'Antoine 2016
The Smart Fuzzer Revolution Dan Guido 2016
Making a scaleable automated hacking system Artem Dinaburg 2016
Cyberdyne - Automatic bug-finding at scale Peter Goodman 2016
McSema: Static translation of x86 to LLVM IR Andrew Ruef, Artem Dinaburg 2014

Blockchain

Presentation Title Author(s) Year
Write Better Smart Contracts By Checking Them With Slither's Python API Troy Sargent 2022
Building Secure Cairo Filipe Casal, Simone Monica 2022
How to fuzz like a pro Josselin Feist, Nat Chin 2022
Demystifying Fuzzing Nat Chin 2022
Building a Practical Static Analyzer for Smart Contracts Josselin Feist 2021
Testing and Verifying Smart Contracts: From Theory to Practice Josselin Feist 2021
Safely integrating with ERC20 tokens Josselin Feist 2021
Detecting transaction replacement attacks with Manticore Sam Moelius 2020
Fantastic Bugs and How to Squash Them; or, the Crimes of Solidity Evan Sultanik 2019
SlithIR: High-Precision Security Analysis with an IR for Solidity Josselin Feist 2019
Slither: A Static Analysis Framework for Smart Contracts Josselin Feist 2019
What blockchain got right Dan Guido 2019
Property-testing of smart contracts JP Smith 2018
Anatomy of an unsafe programming language Evan Sultanik 2018
Contract upgrade risks and recommendations Josselin Feist 2018
Blackhat Ethereum Ryan Stortz, Jay Little 2018
Blockchain Autopsies - Analyzing Smart Contract Deaths Jay Little 2018
Rattle - an Ethereum EVM binary analysis framework Ryan Stortz 2018
Securing value on the Ethereum blockchain Dan Guido 2018
Binary analysis, meet the blockchain Mark Mossberg 2018
Automatic bug finding for the blockchain Felipe Manzano, Josselin Feist 2017

Cryptography

Presentation Title Author(s) Year
Ergonomic codesigning for the Python ecosystem with Sigstore William Woodruff 2023
Sigstore for Python Packaging: Next Steps for Adoption William Woodruff 2022
die, PGP, die William Woodruff 2022
Seriously, stop using RSA Ben Perez 2019
Best Practices for Cryptography in Python Paul Kehrer 2019
Analyzing the MD5 collision in Flame Alex Sotirov 2012

Engineering

Presentation Title Author(s) Year
Python Packaging Mystery Meat William Woodruff 2022
Improving PyPI's security with Two Factor Authentication William Woodruff 2019
Linux Security Event Monitoring with osquery Alessandro Gario 2019
osql: The community oriented osquery fork Stefano Bonicatti, Mark Mossberg 2019
Getting started with osquery Lauren Pearl, Andy Ying 2018
osquery Super Features Lauren Pearl 2018
osquery Extension Skunkworks Mike Myers 2018
Build it Break it Fix it Andrew Ruef 2014

Education

Presentation Title Author(s) Year
A mostly gentle introduction to LLVM William Woodruff 2022
JWTs, and why they suck Rory M 2021
The Joy of Pwning Sophia D'Antoine 2017
How to CTF - Getting and using Other People's Computers (OPC) Jay Little 2014
Low-level Security Andrew Ruef 2014
Security and Your Business Andrew Ruef 2014
Bringing nothing to the party Vincenzo Iozzo 2013
From One Ivory Tower to Another Vincenzo Iozzo 2012

Infrastructure

Presentation Title Author(s) Year
Return to the 100 Acre Woods Stefan Edwards 2019
Swimming with the kubectl fish Stefan Edwards 2019

Machine Learning

Presentation Title Author(s) Year
Exploiting Machine Learning Pickle Files Carson Harmon, Evan Sultanik, Jim Miller, Suha Hussain 2021
PrivacyRaven: Comprehensive Privacy Testing for Deep Learning Suha Hussain 2020

Mobile security

Presentation Title Author(s) Year
Swift Reversing Ryan Stortz 2016
Modern iOS Application Security Sophia D'Antoine, Dan Guido 2016
The Mobile Exploit Intelligence Project Dan Guido 2012
A Tale of Mobile Threats Vincenzo Iozzo 2012

Programming

Presentation Title Author(s) Year
Python internals - let's talk about dicts Dominik Czarnota 2019
Low-level debugging with Pwndbg Dominik Czarnota 2018
Insecure Things to Avoid in Python Dominik Czarnota 2018

Program Transformation

Presentation Title Author(s) Year
A Broad Comparative Evaluation of x86-64 Binary Rewriters Eric Schulte, Michael D. Brown, Vlad Folts 2022
On the Optimization of Equivalent Concurrent Computations Henrich Lauko, LukÑő Korenčik, Peter Goodman 2022

Side channels

Presentation Title Author(s) Year
Hardware side channels in virtualized environments Sophia D'Antoine 2015
Exploiting Out-of-Order Execution Sophia D'Antoine 2015

Supply chain

Presentation Title Author(s) Year
Automated Tools for Securing the Software Supply Chain Michael D. Brown 2022

Threat analysis & malware

Presentation Title Author(s) Year
Peeling back the 'Shlayers' of macOS Malware Josh Watson, Erika Noerenberg 2019
The Exploit Intelligence Project Revisited Dan Guido 2013

Datasets

Dataset Date
Smart Contract Audit Findings Aug 2019

Podcasts

We host our own podcast: Trail of Bits. You can download episodes from your favorite podcast app.

Podcast Guest Date Topic(s)
Risky Biz 707 Dan Guido May 2023 ML security
ASW 229 Nick Selby Feb 2023 Threat modeling, cloud-native audits
Risky Biz 690 Dan Guido Jan 2023 Vuln disclosure
Risky Biz 672 Dan Guido Jul 2022 Blockchain security
Cloud Security Reinvented Nick Selby Jun 2022 Cloud security
Skiff Office Hours Dan Guido Mar 2022 Privacy technology
Risky Biz 652 Dan Guido Jan 2022 Zero-knowledge proofs
Secureum Safecast #3 Josselin Feist Nov 2021 Blockchain security
Secureum Safecast #2 Dan Guido Oct 2021 Blockchain security
Press Freedom Foundation Dan Guido Jul 2021 Mobile security and iVerify
Employee Cycle Hannah Hanks Mar 2021 First PeopleOps hire
Risky Biz 614 Dan Guido Feb 2021 iVerify
Building Better Systems 6 Dan Guido Jan 2021 What blockchain got right
WCBS 880 Dan Guido Sep 2020 Gap years and intern hiring
Risky Biz 594 Dan Guido Aug 2020 Apple security
Epicenter 346 Dan Guido Jun 2020 Smart contract security
Absolute AppSec 97 Stefan Edwards May 2020 Threat modeling
Unchained 170 Dan Guido May 2020 DeFi security
Risky Biz 580 Dan Guido Apr 2020 Mobile voting
Absolute AppSec 91 Stefan Edwards Apr 2020 Mobile voting
Zero Knowledge 122 Ben Perez Mar 2020 Cryptography reviews, ZKPs
Changelog Dan Guido Jan 2020 AlgoVPN
Risky Business 559 Stefan Edwards Oct 2019 Kubernetes
FOSS Weekly 545 William Woodruff Sep 2019 PyPI security improvements
Podcast.__init__ 225 William Woodruff Aug 2019 PyPI security, UX, and sustainability
Absolute AppSec 68 Stefan Edwards, Bobby Tonic Aug 2019 Kubernetes
Hashing it Out 53 Dan Guido Jul 2019 Smart contract testing
Absolute AppSec 60 Stefan Edwards May 2019 Android, programming languages
Absolute AppSec 55 Stefan Edwards Apr 2019 Security testing
Hashing it Out 35 Dan Guido, Josselin Feist Jan 2019 Ethereum's failed EIP-1283
Risky Biz 526 JP Smith Jan 2019 Post-quantum crypto in CTFs
Absolute AppSec 37 Stefan Edwards Nov 2018 Programming languages, symbex
Risky Biz 510 Lauren Pearl Aug 2018 Open source security engineering
Absolute AppSec 34 Stefan Edwards Oct 2018 Security testing, blockchain
Zero Knowledge 16 JP Smith Mar 2018 Smart contract security
Risky Biz 488 JP Smith Feb 2018 Smart contract testing w/ Manticore
Risky Biz 474 Dan Guido Oct 2017 How to engineer secure software
Georgian Partners 47 Dan Guido May 2017 AlgoVPN and Tor
VUC 643 Dan Guido Apr 2017 AlgoVPN
Risky Biz 449 Dan Guido Mar 2017 Control Flow Integrity
Risky Biz 425 Dan Guido Sep 2016 Recap the week's news
Risky Biz 421 Dan Guido Aug 2016 Car hacking and the week's news
Risky Biz 416 Dan Guido Jul 2016 DARPA Cyber Grand Challenge
Risky Biz 399 Dan Guido Feb 2016 Apple vs the FBI
Risky Biz 370 Dan Guido Feb 2015 DARPA Cyber Grand Challenge
Risky Biz 348 Dan Guido Jun 2015 DARPA Cyber Grand Challenge

Public Comments

Title Agency Date
Understanding Crypto Markets Security CFTC Mar 2023

Security Reviews

Companies that have allowed us to speak about our work can be found here. Many more remain confidential.

Technology Product Reviews

Product Date Level of
Effort
Announcement Report
Atlendis Smart Contracts Mar 2023 6 πŸ“„βœ…
Practical Stealth Addresses Feb 2023 2 πŸ“„βœ…
noble-curves Library Jan 2023 2 πŸ“„βœ…
OpenVPN3 Jan 2023 6
Fraxlend and veFPIS Jan 2023 4
Redpanda Core, Console, and Console Enterprise Jan 2023 4
Injective Labs Options Market Jan 2023 4
OpenArchive (Android) Dec 2022 1
Enclave Markets Trading Platform Nov 2022 9
Phantom Nov 2022 2
Fiat Ramps Nov 2022 4
cURL Oct 2022 9.5 OSTIF, Daniel Stenberg. Trail of Bits πŸ“„βœ…πŸ“›
CloudEvents Oct 2022 4 CloudEvents Security Assessment πŸ“„
OpenArchive Save (iOS) Oct 2022 1.2
Fraxlend and FraxFerry Oct 2022 4 πŸ“„
SimpleX Chat Oct 2022 1 Security assessment by Trail of Bits πŸ“„
AlphaSOC API Sep 2022 1 πŸ“„βœ…
Consul Enterprise Sep 2022 6
snarkVM Sep 2022 12 πŸ“„βœ…
Uniswap Mobile Wallet Aug 2022 4 πŸ“„βœ…
Hashicorp Boundary Jul 2022 6
BLS Signature Scheme Jul 2022 1
Skiff Jul 2022 6
Terraform Cloud Jun 2022 6
CGGMP21 and FROST May 2022 8
Datadog May 2022 6
Phantom Wallet Apr 2022 4
Datadog May 2022 6
MATTR May 2022 4
ArmorLock Apr 2022 6
DigitalOcean Function Apr 2022 4
Auvik Collector Apr 2022 8
snarkVM and snarkOS Apr 2022 12
Fuchsia Platform Mar 2022 8
Optimus ROM Jan 2022 4
BitcoinBeach Mar 2022 4 πŸ“„
osquery Jan 2022 6 πŸ“„
Redjack Dec 2021 2
DigitalOcean Cloud Nov 2021 12
SpruceID Oct 2021 12 πŸ“„
Doppler Sept 2021 4
Datadog Agent Aug 2021 8
Appian Jun 2021 4
Cashero-2.0 Jun 2021 4
Orbit Apr 2021 1
Linux Kernel Apr 2021 2 Linux Kernel Release Signing and Management πŸ“„
VGS Proxy Apr 2021 4
Skiff Feb 2021 4
CircleCI Server 3.0 Jan 2021 6 Penetration testing at CircleCI
BitMEX Jan 2021 4
SecureDrop Dec 2020 8 2nd audit of SecureDrop Workstation πŸ“„
Citizen Browser Dec 2020 0.43 How We Built a Facebook Inspector
Ren Aug 2020 4 August Development Update πŸ“„
Hey.com Jun 2020 1 Serious Security πŸ“„
Azure Sphere Jun 2020 12 Azure Sphere 20.07 Security Enhancements
Zoom May 2020 9 90 Days Done, What’s Next for Zoom
Secure Transport Apr 2020 4
ZeroTier 2.0 Mar 2020 2 ZeroTier πŸ“„
Standard Notes Mar 2020 1 Standard Notes Completes Crypto Audit πŸ“„
Voatz Feb 2020 12 Voatz, Tusk πŸ“„πŸ“›
Vault Feb 2020 12
Voice Jan 2020 4
Sweet B Jan 2020 4 Western Digital πŸ“„
SanDisk X600 May 2019 6 Multiple vulnerabilities in SanDisk X600 πŸ“„
Azure Sphere Jun 2019 12
Project Callisto Aug 2018 5
zlib Sep 2016 1 πŸ“„

Cloud-Native Reviews

Product Date Level of
Effort
Announcement Report
KEDA Dec 2022 6 Audit of Kubernetes Event Driven Autoscaling (KEDA) πŸ“„
Terraform Enterprise Nov 2022 6
Nomad Enterprise Nov 2022 6
HashiCorp Cloud Jun 2022 9
Tekton Mar 2022 4 Tekton Security Review Completed πŸ“„
Linkerd Feb 2022 4 πŸ“›πŸ“„βœ…
CoreDNS Jan 2022 4 πŸ“„
Terraform Enterprise Nov 2021 6
Nomad Enterprise Nov 2021 6
Consul Enterprise Oct 2021 6
Vault Enterprise Oct 2021 6
HashiCorp Cloud Jun 2021 8
Argo Mar 2021 4 πŸ“›πŸ“„
Terraform Cloud Jan 2021 6
Consul Oct 2020 10
Nomad Aug 2020 6
Helm Aug 2020 4 Helm 2nd Security Audit πŸ“„
Terraform Mar 2020 6
OPA Mar 2020 2 Open Policy Agent (OPA) Graduation Proposal πŸ“„
etcd Jan 2020 4 CNCF πŸ“„
Rook Dec 2019 2 CNCF πŸ“„
Kubernetes May 2019 12 Google, CNCF πŸ“›πŸ“„πŸ“°

Blockchain Reviews

Algorand

Product Date Level of
Effort
Announcement Report
Folks Finance Protocol Nov 2022 6
wXTZ Nov 2020 4 πŸ“„
wALGO Nov 2020 4 πŸ“„
Meld Gold Jul 2020 2
Algorand Mar 2019 14 Success and momentum of Algorand
Pixel Dec 2019 4

Avalanche

Product Date Level of
Effort
Announcement Report
Alkimiya Silica V2 Jun 2022 6
Ava Labs Apr 2022 8
Flare Network Mar 2021 8

Bitcoin & Derivatives

Product Date Level of
Effort
Announcement Report
STAS SDK Oct 2021 4
STAS-JS SDK Sept 2021 4
Bitcoin SV Jan 2021 6
Zcoin Jul 2020 2 Lelantus Cryptographic Library Audit Results πŸ“„
Zcash Apr 2020 3 Heartwood security assessment results πŸ“„
Zcash Nov 2019 6 NU3, Blossom, and Sapling security reviews πŸ“„
Zcash Nov 2019 6 πŸ“„
Paymail Protocol Nov 2019 7
Bitcoin SV Nov 2018 12
Simple Ledger Oct 2019 3
ZecWallet Apr 2019 2 πŸ“„
RSKj Nov 2017 6 RSK security audit results πŸ“„

Ethereum/EVM

Product Date Level of
Effort
Announcement Report
Raft Apr 2023 2 πŸ“„βœ…
MYSO v2 Apr 2023 2 Security review of our v2 contracts πŸ“„βœ…
Waymont Mar 2023 1
Primitive Hyper Jan 2023 8
Polygon Edge Jan 2023 6
Optimism Dec 2022 8
Paxos Dec 2022 1
GameStop iOS Web Wallet Nov 2022 1
GSquared Oct 2022 6 πŸ“„βœ…
Meson Protocol Oct 2022 6 πŸ“„βœ…
Managed pool smart contracts Oct 2022 4 πŸ“„
Ondo Oct 2022 4 πŸ“„βœ…
Maple Protocol v2 Sep 2022 8 πŸ“„βœ…
Increment Protocol Sep 2022 4 πŸ“„βœ…
Subspace Network Desktop Farmer Sep 2022 2 πŸ“„βœ…
Optimism Sep 2022 16 πŸ“„
Nayms Sep 2022 6
Aggregator Aug 2022 2
The Franchiser Aug 2022 3
Meson Protocol Jul 2022 0.6 πŸ“„
ChainPort July 2022 8 πŸ“„βœ…
Relay Jul 2022 1
Beanstalk Jul 2022 8
Purpose for Profit Jul 2022 3
Reserve Protocol Jul 2022 8
Solon Jul 2022 6
Roll Jul 2022 2
Ante Protocol May 2022 2 πŸ“„βœ…
Sherlock Jun 2022 4
FlareFinance Jun 2022 4
TBTv2 Jun 2022 6
Morpho Jun 2022 4 @trailofbits security audit of Morpho πŸ“„
Relayer Contracts Jun 2022 2
AuctionRaffle May 2022 2
Seaport Protocol May 2022 4 Introducing Seaport Protocol πŸ“„
Shell Protocol v2 May 2022 4 πŸ“„
Optimism Apr 2022 6
NFTX Apr 2022 4 Trail of Bits Audit πŸ“„
Frax May 2022 4 πŸ“„
ReserveLending+ Apr 2022 4 Security Audit for ReserveLending+
Firefly Apr 2022 4
GameStop Wallet Mar 2022 2 GameStop wallet
Gyroscope Mar 2022 6
LooksRare Mar 2022 4 πŸ“„
Symbiosis Mar 2022 2
RAILGUN Feb 2022 4
RAILWAY Feb 2022 4
Persistence ETH2.0 Feb 2022 4
Advanced Blockchain Feb 2022 6 πŸ“„
Perpetual Protocol V2 Feb 2022 4 πŸ“„
Futureswap V4.1 Feb 2022 4
Firefly Feb 2022 8
API3 Feb 2022 8 πŸ“„
Beethoven X Feb 2022 1 πŸ“„
Minterest Finance Jan 2022 6
pSTAKE Jan 2022 6
Primitive Jan 2022 8 Primitive RMM smart contracts audit by @trailofbits πŸ“„
Strips Finance Jan 2022 8
Cardstack Dec 2021 4
Frax Dec 2021 4 πŸ“„
Sherlock Protocol V2 Dec 2021 4 πŸ“„
Maple Nov 2021 4 Maple Loans Audit Reports πŸ“„
Advanced Blockchain Nov 2021 6 πŸ“„
Opyn Nov 2021 6 πŸ“„
Aave V3 Nov 2021 12
Tokemak Oct 2021 3
Fuji Finance Oct 2021 6 πŸ“„
V2 Vault Oct 2021 4
Yield V2 Sept 2021 6 πŸ“„
Gro protocol Sept 2021 2
Futureswap V4 Sept 2021 6
RocketPool Aug 2021 5 πŸ“„
AlphaX Aug 2021 6
Bug Bounty Platform Aug 2021 8
88mph V3 Aug 2021 6 πŸ“„
Timeswap Jul 2021 2
CompliFi Jul 2021 6 πŸ“„
Optics Jul 2021 2
FlareFinance Jun 2021 4
Uniswap V3 Staker Jun 2021 2
Abyss Lockup Jun 2021 2
Futureswap V3 Jun 2021 6
CompliFi Jun 2021 6
Syndicate May 2021 4
Opyn Gamma May 2021 6 πŸ“„
Frax May 2021 4 πŸ“„
Yearn v2 Vaults Apr 2021 6 πŸ“„
Balancer v2 Apr 2021 4 πŸ“„
DFX Finance Apr 2021 6
Tokemak Apr 2021 1
Warp Contracts Apr 2021 6 Completion of Trail of Bits’ Audit πŸ“„
FlareFinance Apr 2021 3
MC Dai Mar 2021 6
Uniswap V3 Mar 2021 10 Introducing Uniswap V3 πŸ“„
dForce Lending Mar 2021 6
Liquity Proxy Contract Feb 2021 0.57 πŸ“„
Liquity Protocol Feb 2021 8 πŸ“„
RAY-DAO Feb 2021 4
Futureswap Jan 2021 2
Balancer V2 Jan 2021 6
C.R.E.A.M. Jan 2021 1 πŸ“„
LUSD Dec 2020 8 πŸ“„
Origin Dollar Nov 2020 4 Origin Dollar Relaunches πŸ“„
Zerion SDK Nov 2020 4
Teller Protocol Nov 2020 4
Hermez Nov 2020 4 Hermez Second Audit, by Trail of Bits πŸ“„
Graph Protocol Oct 2020 3
OVM Oct 2020 6
Prysm Sep 2020 6
DODO Sep 2020 3 πŸ“„
Yield Protocol Aug 2020 6 πŸ“„
Smart Pool Aug 2020 1
DeFiner Aug 2020 1
ETH2.0 Deposit CLI Aug 2020 4 πŸ“„
Argent Aug 2020 4
CurveDAO Jul 2020 6 πŸ“„
Amp Jul 2020 3 πŸ“„
Federated Bridge Jul 2020 1
dForce dToken Jul 2020 2 πŸ“„
Matic Jun 2020 4
Lighthouse Jun 2020 4
tBTC May 2020 6 πŸ“„
QTUM Apr 2020 0.43 πŸ“„
Hegic Apr 2020 0.43 πŸ“„
Golem Network Mar 2020 2
Reddit Mar 2020 1 A New Frontier
Chai Feb 2020 0.28 πŸ“„
Compound Feb 2020 2 πŸ“„
WorkLock Jan 2020 2 WorkLock Security Audit πŸ“„
Balancer Jan 2020 4 πŸ“„
Curve.fi Jan 2020 1 πŸ“„
Livepeer Oct 2019 3
Topo Finance Oct 2019 4
0x Protocol Oct 2019 10 πŸ“„
Dharma Wallet Oct 2019 4 πŸ“„
Flexa Sep 2019 2 Announcing Flexa Capacity πŸ“„
AZTEC Protocol Sep 2019 10 πŸ“„
Oasis Labs Sep 2019 13
Aave Protocol Sep 2019 4 πŸ“„
MC Dai Aug 2019 13 MCD Security Roadmap Update: Oct 2019 πŸ“„
Staked Aug 2019 4
Compound Aug 2019 2 πŸ“„
Computable Jul 2019 8 Computable Contract Audit πŸ“„
Numerai May 2019 3 NMR 2.0 is now live! πŸ“„
MerkleX May 2019 4
TokenCard May 2019 5 πŸ“„
Unity Coin Apr 2019 1
Compound Apr 2019 8 Compound v2 is Live πŸ“„
Ocean Protocol Mar 2019 4 One Protocol. One Network. One Community
UMA Project Mar 2019 3
Centrifuge Mar 2019 5
Nomisma Mar 2019 1
Reserve Protocol Mar 2019 1 πŸ“„
Set Protocol Mar 2019 5 The Road to MainNet πŸ“„
NuCypher Feb 2019 4 Security Audits (Round 2) πŸ“„
AMP StableWire Jan 2019 1
EIP-1283 Jan 2019 1 Constantinople Security Update πŸ“„
Ampleforth Nov 2018 4 Security Audits with Trail of Bits πŸ“„
Origin Protocol Nov 2018 4 How We Approach Security at Origin πŸ“„
Paxos Standard Oct 2018 4 πŸ“„
Basecoin Oct 2018 12 πŸ“„
Pantheon Oct 2018 8 What we learned auditing our ETH client πŸ“„
Compound Sep 2018 12 Compound launches money markets
NuCypher Aug 2018 12 Security audits: round 1 πŸ“„
CENTRE Jul 2018 4 Designing an upgradeable Ethereum contract
Bloom Jul 2018 1 Bloom development update
Gemini Dollar Jun 2018 8 Stablecoins: Understanding Counterparty Risk πŸ“„
Dharma May 2018 1 Dharma protocol v1 is live on mainnet
Golem Apr 2018 4 Smart contracts: audit report πŸ“„
LivePeer Mar 2018 4 Livepeer security audit results πŸ“„
DappHub Dec 2017 8 πŸ“„
MakerDAO Sai Oct 2017 8 Single-collateral Dai security reviews πŸ“„
Omega One Aug 2017 6

NervOS

Product Date Level of
Effort
Announcement Report
xUDT Jun 2021 2
Nervos -RSA Mar 2021 4
Nervos SUDT Oct 2020 6 πŸ“„
Cheque Cell & ORU Feb 2021 8
Force Bridge - Solidity Feb 2021 4
Force Bridge - Rust Feb 2021 3

StarkWare

Product Date Level of
Effort
Announcement Report
Nostra Dec 2022 8
StarkGate Dec 2022 2
StarkEx Oct 2022 1
StarkNet token Jul 2022 1
StarkPerpetual Jan 2022 8
StarkEx Nov 2021 8

Solana

Product Date Level of
Effort
Announcement Report
Token-2022 Program Feb 2023 1 πŸ“„βœ…
Drift Protocol Dec 2022 6 Announcement (Tweet) πŸ“„βœ…
Solana Apr 2022 12

Substrate

Product Date Level of
Effort
Announcement Report
ParaSpace Dec 2022 1 πŸ“„
ParaSpace Nov 2022 7 πŸ“„βœ…
Parallel Finance Mar 2022 6 πŸ“„
Polkadex Feb 2022 10
Polkadex Dec 2021 4
PINT Sept 2021 4
Polkaswap Jul 2021 6
AlephBFT Jun 2021 4 πŸ“„
Acala Network Jun 2021 4
Compound Chain May 2021 6
Acala Network Jan 2021 6 πŸ“„
Parity Fether Aug 2019 4
Parity Jul 2018 12 Parity completes Trail of Bits security review πŸ“„

Tendermint/Cosmos

Product Date Level of
Effort
Announcement Report
Umee Feb 2022 8 πŸ“„
Columbus-5 Jan 2022 2
IBC Protocol Dec 2021 4
THORChain Aug 2021 12
Tendermint Mar 2019 12
ndau Nov 2018 8 ndau Holders Elect Inaugural Policy Council

Tezos

Product Date Level of
Effort
Announcement Report
Kolibri Apr 2022 4
Tezori (T2) Dec 2020 4 πŸ“„
Tezori Jul 2018 2 Thanks to @trailofbits for their security review
Magma Jun 2020 1 πŸ“„
Dexter Jun 2020 4 πŸ“„

Other/Multi-Chain

Product Date Level of
Effort
Announcement Report
DFINITY Canister Sandbox Sept 2022 2 πŸ“„βœ…
DFINITY Threshold ECDSA
& BTC Canisters
Sept 2022 4 πŸ“„βœ…
MobileCoin Jul 2022 2 πŸ“„
CAT Standard Jun 2022 8
FROST BLS Protocols Jul 2022 12
SORA Trustless Bridge Jul 2022 8
DFINITY Threshold ECDSA May 2022 8
Arbitrum Nitro Mar 2022 16
DeGate Feb 2022 4 πŸ“„
ShardX Dec 2021 2
DeGate Dec 2021 4
Threshold-DSA Nov 2021 6
DFINITY Consensus Nov 2021 2 Internet Computer Consensus: Security
Assessment
πŸ“„
PolySign HSM Oct 2021 6
Hop Protocol V2 Sept 2021 4
Golden Gate Library Sept 2021 1
PolySign Sept 2021 6
Qredo Blockchain Sept 2021 6
Arbitrum Sept 2021 16
go-schnorrkel Aug 2021 4
ShardX Aug 2021 4
Casper Web Wallet Jul 2021 4 πŸ“„
AElf Jul 2021 4
CrossChain-Bridge Jul 2021 8
Open Oracle Apr 2021 2
DFINITY May 2021 24 πŸ“„
Arbitrum V2 Feb 2021 8
Fog Protocol Jan 2021 4 πŸ“„
eFIL Jan 2021 2
MobileCoin BFT Oct 2020 4 πŸ“„
Highway Consensus Nov 2020 4 ToB Audit of the Casper Highway Protocol πŸ“„
Stacks V2 Sep 2020 6
MobileCoin Aug 2020 4 πŸ“„
VRFs Aug 2020 2
Arbitrum Jul 2020 6
MYKEY Jul 2020 4
Symbol Jul 2020 4 Symbol from NEM completes Trail of Bits
Security Audit
πŸ“„
Ledger Filecoin Jul 2020 2 πŸ“„
Chainlink Jun 2020 8
Chainlink Flux May 2020 4
Elrond Mar 2020 6
EOSIO SDK Jan 2020 4
NEAR Protocol Nov 2019 8
EOSIO 2.0 Oct 2019 8
Status-go Oct 2019 9
Celo Sep 2019 8
Blockchain.com Aug 2019 4
RandomX Jun 2019 2 Monero and Arweave to Validate RandomX πŸ“„
Interest Token May 2019 0.28
Loom May 2019 10 Loom SDK Q1 2019 Security Audit
Building Blocks Aug 2018 7 UN WFP uses Ethereum to aid 100k refugees
Web3 Mar 2018 2 W3F and TOB hardware wallet guidance πŸ’¬

ML/AI Reviews

Product Date Level of
Effort
Announcement Report
EleutherAI, Hugging Face,
& Stability AI SafeTensors Library
Mar 2023 2 πŸ“„

Disclosures

Product Date CVE CVSS Exploits Report
SQLite Jul 2022 CVE-2022-35737 7.5 Crash
Live lock
Code execution
πŸ’¬

Workshops

Workshop Title Venue Date
Smart Contract Security Automation Workshop TruffleCon 2019 Oct 2019
Manticore EVM Workshop Devcon4 2018 Nov 2018
Introduction to Smart Contract Exploitation GreHack 2018 Nov 2018
DeepState: Bringing Vulnerability Detection Tools into the Dev Cycle SecDev 2018 Oct 2018
Smart Contract Security Automation Workshop TruffleCon 2018 Oct 2018
Smart Contract Security Automation Workshop ETH Berlin 2018 Sep 2018
Manticore EVM Workshop EthCC 2018 Mar 2018
Manticore Workshop GreHack 2017 Oct 2017

Legend

Icon Definition
πŸ’¬ Blog post or other social media
πŸ“„ Security Assessment report
βœ… Fix review report
πŸ“› Threat Model report
πŸ“° Whitepaper
Header Definition
Level of Effort Defined in person-weeks for the project

More Repositories

1

algo

Set up a personal VPN in the cloud
Jinja
27,779
star
2

manticore

Symbolic execution tool
Python
3,536
star
3

graphtage

A semantic diff utility and library for tree-like files such as JSON, JSON5, XML, HTML, YAML, and CSV.
Python
2,354
star
4

ctf

CTF Field Guide
C
1,273
star
5

deepstate

A unit test-like interface for fuzzing and symbolic execution
Python
818
star
6

pe-parse

Principled, lightweight C/C++ PE parser
C++
691
star
7

eth-security-toolbox

A Docker container preconfigured with all of the Trail of Bits Ethereum security tools.
Dockerfile
670
star
8

maat

Open-source symbolic execution framework: https://maat.re
C++
612
star
9

twa

A tiny web auditor with strong opinions.
Shell
579
star
10

winchecksec

Checksec, but for Windows: static detection of security mitigations in executables
C++
523
star
11

polytracker

An LLVM-based instrumentation tool for universal taint tracking, dataflow analysis, and tracing.
C++
514
star
12

cb-multios

DARPA Challenges Sets for Linux, Windows, and macOS
C
498
star
13

multiplier

Code auditing productivity multiplier.
C++
434
star
14

onesixtyone

Fast SNMP Scanner
C
411
star
15

fickling

A Python pickling decompiler and static analyzer
Python
407
star
16

vast

VAST is an experimental compiler pipeline designed for program analysis of C and C++. It provides a tower of IRs as MLIR dialects to choose the best fit representations for a program analysis or further program abstraction.
C++
381
star
17

tubertc

Peer-to-Peer Video Chat for Corporate LANs
JavaScript
361
star
18

krf

A kernelspace syscall interceptor and randomized faulter
C
348
star
19

polyfile

A pure Python cleanroom implementation of libmagic, with instrumented parsing from Kaitai struct and an interactive hex viewer
Python
338
star
20

it-depends

A tool to automatically build a dependency graph and Software Bill of Materials (SBOM) for packages and arbitrary source code repositories.
Python
328
star
21

sinter

A user-mode application authorization system for MacOS written in Swift
Swift
301
star
22

SecureEnclaveCrypto

Demonstration library for using the Secure Enclave on iOS
Swift
276
star
23

protofuzz

Google Protocol Buffers message generator
Python
267
star
24

osquery-extensions

osquery extensions by Trail of Bits
C
262
star
25

dylint

A tool for running Rust lints from dynamic libraries
Rust
259
star
26

RpcInvestigator

Exploring RPC interfaces on Windows
C#
245
star
27

constexpr-everything

Rewrite C++ code to automatically apply `constexpr` where possible
C++
245
star
28

binjascripts

Scripts for Binary Ninja
Python
241
star
29

audit-kubernetes

k8s audit repo
Go
226
star
30

mishegos

A differential fuzzer for x86 decoders
C++
226
star
31

semgrep-rules

Semgrep queries developed by Trail of Bits.
Go
197
star
32

circomspect

A static analyzer and linter for the Circom zero-knowledge DSL
Rust
186
star
33

PrivacyRaven

Privacy Testing for Deep Learning
Python
183
star
34

llvm-sanitizer-tutorial

An LLVM sanitizer tutorial
C++
177
star
35

siderophile

Find the ideal fuzz targets in a Rust codebase
Rust
171
star
36

flying-sandbox-monster

Sandboxed, Rust-based, Windows Defender Client
Rust
170
star
37

not-going-anywhere

A set of vulnerable Golang programs
Go
163
star
38

AppJailLauncher

CTF Challenge Framework for Windows 8 and above
C++
141
star
39

BTIGhidra

Binary Type Inference Ghidra Plugin
Java
138
star
40

uthenticode

A cross-platform library for verifying Authenticode signatures
C++
136
star
41

zkdocs

Interactive documentation on zero-knowledge proof systems and related primitives.
HTML
133
star
42

sienna-locomotive

A user-friendly fuzzing and crash triage tool for Windows
C++
132
star
43

Honeybee

An experimental high performance, fuzzing oriented Intel Processor Trace capture and analysis suite
C
127
star
44

ObjCGraphView

A graph view plugin for Binary Ninja to visualize Objective-C
Python
127
star
45

pasta

Peter's Amazing Syntax Tree Analyzer
C++
124
star
46

sqlite_wrapper

An easy-to-use, extensible and lightweight C++17 wrapper for SQLite
C++
117
star
47

ebpfpub

ebpfpub is a generic function tracing library for Linux that supports tracepoints, kprobes and uprobes.
C++
113
star
48

ctf-challenges

CTF Challenges
Python
112
star
49

binrec-tob

BinRec: Dynamic Binary Lifting and Recompilation
C++
110
star
50

appjaillauncher-rs

AppJailLauncher in Rust
Rust
103
star
51

vscode-weaudit

Create code bookmarks and code highlights with a click.
TypeScript
103
star
52

test-fuzz

To make fuzzing Rust easy
Rust
100
star
53

on-edge

A library for detecting certain improper uses of the "Defer, Panic, and Recover" pattern in Go programs
Go
97
star
54

ios-integrity-validator

Integrity validator for iOS devices
Shell
97
star
55

abi3audit

Scans Python packages for abi3 violations and inconsistencies
Python
97
star
56

ebpfault

A BPF-based syscall fault injector
C++
94
star
57

clang-cfi-showcase

Sample programs that illustrate how to use control flow integrity with the clang compiler
C++
92
star
58

awesome-ml-security

85
star
59

blight

A framework for instrumenting build tools
Python
83
star
60

ruzzy

A coverage-guided fuzzer for pure Ruby code and Ruby C extensions
Ruby
74
star
61

ManticoreUI

The Manticore User Interface with plugins for Binary Ninja and Ghidra
Python
73
star
62

bisc

Borrowed Instructions Synthetic Computation
Ruby
70
star
63

manticore-examples

Example Manticore scripts
Python
69
star
64

algo-ng

Experimental version of Algo built on Terraform
HCL
68
star
65

differ

Detecting Inconsistencies in Feature or Function Evaluations of Requirements
Python
67
star
66

deceptiveidn

Use computer vision to determine if an IDN can be interpreted as something it's not
Python
63
star
67

LeftoverLocalsRelease

The public release of LeftoverLocals code
C++
60
star
68

necessist

A tool for finding bugs in tests
Rust
59
star
69

reverie

An efficient and generalized implementation of the IKOS-style KKW proof system (https://eprint.iacr.org/2018/475) for arbitrary rings.
Rust
59
star
70

Codex-Decompiler

Python
57
star
71

testing-handbook

Trail of Bits Testing Handbook
C++
57
star
72

magnifier

C++
56
star
73

sixtyfour

How fast can we brute force a 64-bit comparison?
C
52
star
74

DomTreSat

Dominator Tree LLVM Pass to Test Satisfiability
C++
47
star
75

HVCI-loldrivers-check

PowerShell
45
star
76

nyc-infosec

Mapping the NYC Infosec Community
CSS
43
star
77

cfg-showcase

Sample programs that illustrate how to use Control Flow Guard, VS2015's control flow integrity implementation
C++
40
star
78

tsc_freq_khz

Linux kernel driver to export the TSC frequency via sysfs
C
40
star
79

rubysec

RubySec Field Guide
Ruby
40
star
80

macroni

C and C++ compiler frontend using PASTA to parse code, and VAST to represent the code as MLIR.
C
39
star
81

indurative

Easily create authenticated data structures
Haskell
37
star
82

http-security

Parse HTTP Security Headers
Ruby
36
star
83

trailofphish

Phishing e-mail repository
Ruby
36
star
84

KRFAnalysis

Collection of LLVM passes and triage tools for use with the KRF fuzzer
LLVM
35
star
85

ebpf-verifier

Harness for the Linux kernel eBPF verifier
C
32
star
86

ml-file-formats

List of ML file formats
31
star
87

umberto

poststructural fuzzing
Haskell
30
star
88

spf-query

Ruby SPF Parser
Ruby
29
star
89

ebpf-common

Various utilities useful for developers writing BPF tools
C++
29
star
90

clang-tidy-audit

Rewrite C/C++/Obj-C to Annotate Points of Interest
C++
27
star
91

eatmynetwork

A small script for running programs with (minimal) network sandboxing
Shell
26
star
92

btfparse

A C++ library that parses debug information encoded in BTF format
C++
25
star
93

anselm

Detect patterns of bad behavior in function calls
C++
25
star
94

dmarc

Ruby DMARC Parser
Ruby
25
star
95

linuxevents

A sample PoC for container-aware exec events for osquery
C++
23
star
96

mpc-learning

Perform multi-party computation on machine learning applications
Python
21
star
97

WinDbg-JS

JavaScript
21
star
98

go-mutexasserts

A small library that allows to check if Go mutexes are locked
Go
21
star
99

screen

Measure branching along code paths
C
20
star
100

itergator

CodeQL library and queries for iterator invalidation
CodeQL
19
star