We help secure the world’s most targeted organizations and products. We combine security research with an attacker mentality to reduce risk and fortify code.
We launched Patch the Planet with OpenAI, factored hundreds of weak RSA keys with a new polynomial technique, and bypassed every AI skill scanner we tested. Plus 10 new public reviews, gosentry, and more. June Tribune: mailchi.mp/trailofbits/june-…
Today, we are disclosing LeftoverLocals, a vulnerability that allows listening to LLM responses through leaked GPU local memory created by another process on Apple, Qualcomm, AMD, and Imagination GPUs (CVE-2023-4969) buff.ly/48RDP68
Today we’re releasing weAudit, the VSCode extension we use during secure code reviews to collaboratively take notes and highlight code regions. blog.trailofbits.com/2024/03…
Today, we are releasing RPC Investigator, made for exploring RPC clients and servers on Windows. This .NET application builds on the NtApiDotNet platform, adding features that offer a new way to explore RPC blog.trailofbits.com/2023/01…
Your code might be vulnerable! Our cryptography team has discovered a number of Fiat-Shamir vulnerabilities affecting proof systems such as Bulletproofs and PlonK. Check out this blog series for details and contact us if you think your codebase might be… blog.trailofbits.com/2022/04…
Event Tracing for Windows (ETW) is crucial for modern EDR solutions. But what do you really know about its internal workings? Dive into ETW to discover useful attack targets and forensic information.
blog.trailofbits.com/2023/11…
We’re thrilled to announce our new Testing Handbook, which gathers insights we gained over years of experience using static and dynamic analysis tools. It goes beyond standard documentation, focusing on giving the right answers rather than all the answers. blog.trailofbits.com/2023/07…
Earlier this year, one of our interns found a vulnerability that affects applications using the SQLite library API. We are publicly disclosing that vuln today. blog.trailofbits.com/2022/10…
It's easy to find bugs when you know how to build the right tools. Check out our blog to learn how to model vulnerabilities with Binary Ninja's MLIL and SSA form. blog.trailofbits.com/2018/04…
Check out our _accessible_ Meltdown and Spectre explainer, made for developers without a background in computer architecture. No awkward analogies, we stick to the real details. blog.trailofbits.com/2018/01…
We’re releasing a Ghidra extension, BTIGhidra, that automatically recovers types with inter-procedural analysis and enhances decompilation for improved reverse engineering comprehension.
buff.ly/3uheYdl
We've just released secure-contracts.com, a revamp of our guide to building secure contracts! It contains security guidelines, best practices, tool tutorials, and many other resources.
Over the years, we have accumulated advanced knowledge and guidance for writing better smart contracts. We are sharing this knowledge in the first release of building-secure-contracts:
github.com/crytic/building-s…
Check out the repo to learn about best practices and tooling!
The $1.5B Bybit hack marks a new era in cryptocurrency security. Attackers have moved beyond technical exploits to sophisticated operational attacks. Read our initial analysis of this historic breach and its industry-wide implications: blog.trailofbits.com/2025/02…
The Linux kernel 6.10 introduces the mseal syscall for memory protection. Discover its unique features, how it differs from prior schemes, its kernel implementation, and the userspace exploits it prevents.
hubs.la/Q02VNW-30
Shoutout to @1Password, @signalapp, and @SlackHQ for patching this vulnerability before our public disclosure, demonstrating how responsible disclosure makes the entire ecosystem safer.
We audited the @golang standard cryptographic library, used by thousands of libraries and millions of users.
Here's what we found and some key takeaways 🧵
Today we released Echidna, our next generation EVM smart fuzzer at #EthCC. It's the first-ever fuzzer to target smart contracts! blog.trailofbits.com/2018/03…
Since the Balancer hack on Monday, we've been working around the clock to help the Balancer team understand the bug and its implications. We've verified the bug's cause and have independently verified that the exploit does not work on Balancer V3.
Once the dust settles, we plan on doing a retrospective and sharing more information including long-term, strategic guidance on how to avoid similar bugs.
Our software engineer Boyan Milanov introduces Maat, a low-level symbolic execution framework based on Ghidra's IR language p-code. blog.trailofbits.com/2022/02…
Process reparenting is a Windows technique used by malicious actors, but it can also be a benign, legitimate event. @yarden_shafir has insights on how to investigate this behavior blog.trailofbits.com/2022/12…
As smart contract security evolves, property-based fuzzing has become a go-to technique for developers and security engineers. To help the community define properties, we are releasing a set of 168 pre-built properties that can be used to guide Echidna. blog.trailofbits.com/2023/02…
Most border crossings depend on cryptographic protocols most people have never heard of. You should know the technology and security risks behind your passport.
We’re launching a new service: invariant development. We’ll identify, implement, and test security-critical invariants to prevent bugs & secure your codebase over the long term. Plus, we’ll upskill your team to write their own invariants! buff.ly/3PIbjM7
We've discovered yet another MCP attack technique!
Attackers can hide malicious payloads using ANSI terminal escape codes. When your AI agent processes these invisible instructions, it can leak data or compromise your supply chain without you seeing anything suspicious.
We found critical flaws in common TSS libraries, a cryptographic protocol for distributed key generation and signing. We’ve released ZKDocs.com to help secure the rapidly advancing field of ZKPs, TSS, and similar schemes. blog.trailofbits.com/2021/12…
Warning: @lfgexchange is falsely claiming to have worked with us on an audit. The report on their page is fake. If you want to verify the authenticity of a @trailofbits report, find it on our publications repo, the authoritative source straight from us. github.com/trailofbits/publi…
A new release of Slither is available, which now uses OpenAI's Codex to auto-generate solidity documentation and leverages GPT-3 to find vulnerabilities. github.com/crytic/slither/re…
During research that led to our discovery of a vuln in SQLite, we found something we call "divergent representations." Once we started looking for them, we found them everywhere blog.trailofbits.com/2022/11…
There's a dark side to compiler optimizations that can inadvertently cause information leaks or remove code critical to security. Read about the research being done to mitigate this risk and reduce the exposure to code-reuse attacks in software. blog.trailofbits.com/2022/03…
We published a technical summary of the "AMD Flaws" so they can be of use to the security community without the distraction of the surrounding disclosure issues. blog.trailofbits.com/2018/03…
The @raft_fi issue is complex and we're actively investigating it. We've offered to help their team however we can. Here's some of what we know so far:
The attack: override JavaScript builtins in v8_context_snapshot.bin. When apps use these builtins during normal operation, malicious code executes. Code integrity checks miss this, since snapshots are not considered executable.
blog.trailofbits.com/2025/09…
Today's release of our Echidna smart contract fuzzer is more than 20x faster, thanks to multicore support and optimized coverage collection.
github.com/crytic/echidna/re…
If you missed our @BurpSuite webinar ft @albinowax, you can watch the recording now on Youtube.
buff.ly/4ds1dd7
We cover:
• Advanced web research techniques using Burp Suite
• How to discover ideas and targets
• Optimize your setup
• & utilize Burp tools in various scenarios
++ Q&A with @albinowax
Amarna, our new static analyzer for the Cairo programming language and StarkNet contracts, is here! Try it out and let us know what you think blog.trailofbits.com/2022/04…
The #RektTest is a simple way for blockchain teams to assess their security posture. Created by top security experts, it includes 12 key questions.
Can you pass the Rekt Test?
blog.trailofbits.com/2023/08…
Why should you care about the security of VSCode extensions? How does compromising a local machine, stealing all local files from that machine, or even swiping your SSH keys sound? blog.trailofbits.com/2023/02…
Is your centralized exchange, bridge, or L2 client using block delays to determine transaction finality? If so, it may be vulnerable to re-orgs, double-spend attacks, and stolen funds. Our new guide to blockchain finality helps you avoid these attacks. blog.trailofbits.com/2023/08…
Before its prod launch, we used every crowbar in our toolbox to break into @WhatsApp’s Private Processing TEEs, and starting from a compromised hypervisor gave plenty of leverage. The enclaves yielded to injected ACPI tables, environment variables and evil file names; but now the system is stronger for it.
How Threat Modeling Could Have Prevented the $1.5B Bybit Hack. Our blog explores one of our most popular but rarely published report types, and how adding threat modeling to your organization can save you from becoming the next billion-dollar headline.
blog.trailofbits.com/2025/02…
As a summer intern, Jason An upgraded Pwndbg with Binary Ninja integration and Go structure dumping, bringing an IDE-like experience to stripped binary analysis.
buff.ly/3Xvcgwy
Buttercup won the $3M second prize at DARPA's AIxCC. We found 28 vulnerabilities across 20 CWEs with 90% accuracy at just $181/point, achieving this with exclusively non-reasoning LLMs.
Today we're releasing Attacknet, a new tool in the blockchain security arsenal. Built in collaboration with the @Ethereum Foundation, it uses Chaos Engineering to test the most challenging network conditions imaginable for fault tolerance blog.trailofbits.com/2024/03…
Three unexpected attack scenarios:
1. Marshaling private data with misconfigured tags
2. Parser differentials in a microservices architecture
3. Cross-format confusion attacks (JSON→XML)
blog.trailofbits.com/2025/06…
Data from @Hacker0x01 and @facebook proves that bug bounties only benefit a small elite group. Is this model meeting researchers' interests? Read our review of "New Solutions for Cybersecurity" by @mitpress. blog.trailofbits.com/2019/01…
We are now accepting applications for our annual summer internship in the following areas:
• AI/ML
• Application security
• Blockchain
• Cryptography
• Operations
Learn more in 🧵
We have a working proof-of-concept exploit for ‘Whose Curve is it Anyway?’ — NSA’s bug in Microsoft’s Crypto API.
Read on for our explainer:
blog.trailofbits.com/2020/01…
Upgrading smart contracts can introduce new bugs, risking millions of dollars. We've developed Diffusc, a differential fuzzer that compares two smart contracts to uncover unexpected differences in behavior before an upgrade is deployed. buff.ly/3rq00zW
Fuzzing is preferred over formal verification because proving the absence of bugs is usually unattainable, and fuzzing identifies the same bugs with less effort. blog.trailofbits.com/2024/03…
Earlier this week, @UncipheredLLC disclosed that BitcoinJS, the most widely used JavaScript library for bitcoin wallets, relied on weak randomness until 2014. This issue puts millions of wallets at risk. Here’s what we know:
Experts discover flaw leaving $1 billion in bitcoin and other cryptocurrencies exposed for stealing from early software wallets. Free link to my story in The Post: wapo.st/478Av5W #bitcoin #doge #infosec
Async-unsafe signal handlers are at the core of the recent regreSSHion vulnerability (CVE-2024-6387). We published a new CodeQL query that searches for this often overlooked class of bugs.
github.com/trailofbits/codeq…
If you're fuzzing C/C++ code and need more customizability, our new Testing Handbook chapter shows you exactly how to set up and use LibAFL as a libFuzzer drop-in and a Rust library. (More in 🧵)
We’ve built many high-impact tools that we use for security reviews. But mastering them can take time. So we're bringing the mastery to you: we're going to be livestreaming tool workshops on our Twitch and YouTube channels! blog.trailofbits.com/2022/11…
Clang isn't a toolsmith's compiler. PASTA tries to fix this by providing safe-to-use C++ and Python wrappers to the Clang AST. PASTA also answers questions that Clang can't, like how parsed tokens relate back to macro expansions and files. Learn more: blog.trailofbits.com/2023/07…
Manticore now has a GUI that works with Binary Ninja! Our intern, @tcode2k16, explains how his summer project made symbolic execution easier to use and more intuitive. blog.trailofbits.com/2021/11…
Magnifier is a UI that helps reverse engineers explore decompiled programs interactively without all the manual note-taking. Read about this excellent work from our intern, @tcode2k16! blog.trailofbits.com/2022/08…
Our stellar winter intern @ezhes_ built our newest open-source tool named Honeybee. It speeds up the Intel Processor Trace and uses it for fast coverage-guided fuzzing. blog.trailofbits.com/2021/03…
Two days ago, @NIST finalized three post-quantum cryptography standards. Today, we are announcing an open-source Rust implementation of one of these standards, SLH-DSA, now available in RustCrypto!
blog.trailofbits.com/2024/08…
We are now accepting applicants for our summer internship program! We will be hiring approximately 10-15 interns across our research, engineering, and assurance practices boards.greenhouse.io/trailof…
Today we're releasing Caracal, our new static analysis tool for Starknet smart contracts. It has 10 detectors that detect reentrancies and other vulnerabilities, two printers, and more! github.com/crytic/caracal
With Echidna 2.1.0 and later, you can retrieve on-chain data to fuzz deployed contracts and test how new code integrates with existing contracts. You can also use it to recreate real-world hacks! blog.trailofbits.com/2023/07…
Today, we are releasing a maintained repository of @osquery extensions. Our first extension uses the @duo_labs EFIgy API to determine if the EFI firmware on your Mac fleet is up to date. blog.trailofbits.com/2017/12…
DARPA's AIxCC finals: 7 autonomous AI systems are competing RIGHT NOW to find and patch vulnerabilities in critical open-source programs like the Linux kernel, SQLite, and cURL. 🧵