trailofbits/publications

# Trail of Bits 出版物 - [Trail of Bits 出版物](#publications-from-trail-of-bits) - [学术论文](#academic-papers) - [白皮书](#white-papers) - [指南与手册](#guides-and-handbooks) - [会议演讲](#conference-presentations) - [自动化漏洞发现与利用](#automated-bug-finding-and-exploitation) - [区块链](#blockchain) - [编译器](#compilers) - [密码学](#cryptography) - [工程](#engineering) - [教育](#education) - [基础设施](#infrastructure) - [机器学习](#machine-learning) - [移动安全](#mobile-security) - [编程](#programming) - [侧信道](#side-channels) - [供应链](#supply-chain) - [威胁分析与恶意软件](#threat-analysis--malware) - [播客](#podcasts) - [网络研讨会](#webinars) - [公开评论](#public-comments) - [安全审计](#security-reviews) - [主要客户](#major-clients) - [Frax Finance](#frax-finance) - [MobileCoin](#mobilecoin) - [Offchain Labs](#offchain-labs) - [Reserve Protocol](#reserve-protocol) - [Scroll](#scroll) - [Uniswap](#uniswap) - [Western Digital](#western-digital) - [AI/ML 审计](#aiml-reviews) - [密码学审计](#cryptography-reviews) - [技术产品审计](#technology-product-reviews) - [云原生审计](#cloud-native-reviews) - [不变式测试与开发合作](#invariant-testing-and-development-engagements) - [区块链审计](#blockchain-reviews) - [钱包审计](#wallet-reviews) - [Algorand](#algorand) - [Avalanche](#avalanche) - [Bitcoin 及其衍生品](#bitcoin--derivatives) - [Ethereum/EVM](#ethereumevm) - [NervOS](#nervos) - [Starknet](#starknet) - [Solana](#solana) - [Substrate](#substrate) - [Tendermint/Cosmos](#tendermintcosmos) - [Tezos](#tezos) - [TON](#ton) - [其他/多链](#othermulti-chain) - [披露与漏洞利用](#disclosures-and-exploits) - [研讨会](#workshops) - [数据集](#datasets) - [服务概述](#service-overviews) - [图例](#legend) ## 学术论文 | 论文标题 | 发表会议/期刊 | 发布日期 | | --- | --- | --- | | [A Broad Comparative Evaluation of Software Debloating Tools](papers/debloater-eval.pdf) | [USENIX Security 2024](https://www.usenix.org/conference/usenixsecurity24) | 2024 | | [PolyTracker: Whole-Input Dynamic Information Flow Tracing](papers/issta24-polytracker.pdf) | [ISSTA 2024](https://conf.researchr.org/details/issta-ecoop-2024/issta-ecoop-2024-tool-demonstrations/7/PolyTracker-Whole-Input-Dynamic-Information-Flow-Tracing) | 2024 | | [Endokernel: A Thread Safe Monitor for Lightweight Subprocess Isolation](papers/usenixsecurity24-endokernel.pdf) | [Usenix Security 2024](https://www.usenix.org/conference/usenixsecurity24/presentation/yang-fangfei) | 2024 | | [Design and Implementation of a Coverage-Guided Ruby Fuzzer](papers/ruzzy-ruby-fuzzer.pdf) | [CSET 24](https://cset24.isi.edu/) | 2024 | | [Test Harness Mutilation](papers/test_harness_mutilation.pdf) | [Mutation 2024](https://conf.researchr.org/home/icst-2024/mutation-2024) | 2024 | | [VAST: MLIR compiler for C/C++](papers/vast-eurollvm-poster.pdf) | [EuroLLVM Devs' Meeting 2024](https://llvm.swoogo.com/2024eurollvm) | 2024 | | [PoTATo: Points-to analysis via domain specific MLIR dialect](papers/potato-eurollvm-poster.pdf) | [EuroLLVM Devs' Meeting 2024](https://llvm.swoogo.com/2024eurollvm) | 2024 | | [Careful with MAc-then-SIGn: A Computational Analysis of the EDHOC Lightweight Authenticated Key Exchange Protocol](papers/edhoc-euros&P-2023.pdf) | [Euro S&P 2023](https://www.ieee-security.org/TC/EuroSP2023/index.html) | 2023 | | [Weak Fiat-Shamir Attacks on Modern Proof Systems](papers/weakfs_ieee_s&p_2023.pdf) | [IEEE S&P 2023](https://eprint.iacr.org/2023/691) | 2023 | | [Endoprocess: Programmable and Extensible Subprocess Isolation](https://dl.acm.org/doi/10.1145/3633500.3633507) | [NSPW 2023](https://www.nspw.org/2023/program) | 2023 | | [CIVSCOPE: Analyzing Potential Memory Corruption Bugs in Compartment Interfaces](papers/civscope.pdf) | SOSP [KISV 2023](https://dl.acm.org/doi/abs/10.1145/3625275.3625399) | 2023 | | [Detecting variability bugs through hybrid control and data flow analysis](papers/ubet_langsec_2023.pdf) | [LangSec 2023](https://langsec.org/spw23/papers.html#variability) | 2023 | | [Blind Spots: Automatically detecting ignored program inputs](https://arxiv.org/abs/2301.08700) | [LangSec 2023](https://langsec.org/spw23/papers.html) | 2023 | | [Efficient Proofs of Software Exploitability for Real-world Processors](papers/sieve-msp430-pets2023.pdf) | [PETS 2023](https://petsymposium.org/2023/index.php) | 2023 | | [Toward Comprehensive Risk Assessments and Assurance of AI Systems](https://github.com/trailofbits/publications/blob/master/papers/toward_comprehensive_risk_assessments.pdf) | arXiv | 2023 | | [A Broad Comparative Evaluation of x86-64 Binary Rewriters](papers/cset22.pdf) | [CSET 22](https://cset22.isi.edu/index.html) | 2022 | | [On the Optimization of Equivalent Concurrent Computations](papers/eqsat-pldi-egraphs2022.pdf) | [PLDI EGRAPHS 2022](https://pldi22.sigplan.org/program/program-egraphs-2022/) | 2022 | | [Evaluating Static Analysis Tools via Differential Mutation](papers/qrs21.pdf) | [QRS 2021](https://qrs21.techconf.org/) | 2021 | | [echidna-parade: Diverse multicore smart contract fuzzing](papers/echidna-parade_issta21.pdf) | [ISSTA 2021](https://conf.researchr.org/home/issta-2021) | 2021 | | [Differential analysis of x86-64 instruction decoders](papers/mishegos-langsec2021.pdf) | [LangSec 2021](https://langsec.org/spw21/) | 2021 | | [Echidna: effective, usable, and fast fuzzing for smart contracts](papers/echidna_issta2020.pdf) | [ISSTA 2020](https://conf.researchr.org/home/issta-2020) | 2020 | | [ICARUS: Understanding De Facto Formats By Way of Feathers and Wax](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9283834) | [LangSec 2020](http://spw20.langsec.org/) | 2020 | | [Toward Automated Grammar Extraction via Semantic Labeling of Parser Implementations](papers/semantic_labeling_langsec2020.pdf) | [LangSec 2020](http://spw20.langsec.org/) | 2020 | | [What are the Actual Flaws in Important Smart Contracts?](papers/smart_contract_flaws_fc2020.pdf) | [FC 2020](https://fc20.ifca.ai/program.html) | 2020 | | [Echidna: A Practical Smart Contract Fuzzer](papers/echidna_fc_poster.pdf) | [FC 2020](https://fc20.ifca.ai/program.html) | 2020 | | [RSA GTFO](papers/rsagtfo.pdf) | [PoC\|\|GTFO 0x20](https://www.sultanik.com/pocorgtfo/#0x20) | 2020 | | [Manticore: Symbolic Execution for Binaries and Smart Contracts](papers/manticore.pdf) | [ASE 2019](https://2019.ase-conferences.org/) | 2019 | | [Slither: A Static Analysis Framework For Smart Contracts](papers/wetseb19.pdf) | [WETSEB 2019](http://www.agilegroup.eu/wetseb2019/) | 2019 | | [Toward Smarter Vulnerability Discovery Using Machine Learning](papers/ceo.pdf) | [AISec 2018](http://aisec2018.icsi.berkeley.edu/aisec2018/index.html) | 2018 | | [The Past, Present, and Future of Cyberdyne](papers/cyberdyne.pdf) | [IEEE S&P](https://ieeexplore.ieee.org/xpl/tocresult.jsp?isnumber=8328963) | 2018 | | [DeepState - Symbolic Unit Testing for C and C++](papers/deepstate-bar18.pdf) | [BAR 2018](https://www.ndss-symposium.org/ndss2018/cfp-ndss2018-bar/) | 2018 | | [Cyber-Deception and Attribution in Capture-the-Flag Exercises](papers/deception_attribution_ctf.pdf) | [FOSINT-SI 2015](http://fosint-si.cpsc.ucalgary.ca/2015/) | 2015 | ## 白皮书 | 论文标题 | 作者 | 发布日期 | | --- | --- | --- | | [Detecting Implicit Conversions in OpenVPN2 Using CodeQL](reports/detecting-implicit-conversions-in-openvpn2-using-codeql-casestudy.pdf) | Paweł Płatek | Sep 2025 | | [Preventing Account Takeovers on Centralized Cryptocurrency Exchanges Recommended Practices](papers/account-takeover-recommended-practices.pdf) | Shaun Mirani, Kelly Kaoudis, and Evan Sultanik | Feb 2025 | | [Input-Driven Recursion: Ongoing Security Risks](papers/trailofbits-20241218-recursion-whitepaper.pdf) | Alexis Challande and Brad Swain | Dec 2024 | | [OpenSearch Benchmark Assessment](reports/OpenSearch-Benchmarking.pdf) | Evan Downing, Riccardo Schirone, Francesco Bertolaccini, and Ronald Eytchison | Aug 2024 | | [Cedar, Rego, and OpenFGA Policy Languages: Comparative Language Security Assessment](reports/Policy_Language_Security_Comparison_and_TM.pdf) | Ian Smith and Kelly Kaoudis | Aug 2024 | | [Toward Comprehensive Risk Assessments and Assurance of AI-Based Systems](papers/trailofbits-20230307-ai-risk-assessments-whitepaper.pdf) | Heidy Khlaaf | Mar 2023 | | [Are Blockchains Decentralized? Unintended Centralities in Distributed Ledgers](papers/trailofbits-20220601-are-blockchain-decentralized-whitepaper.pdf) | Evan Sultanik et al. | Jun 2022 | | [Do You Really Need a Blockchain? An Operational Risk Assessment](papers/trailofbits-20220601-do-you-really-need-a-blockchain-whitepaper.pdf) | Evan Sultanik and Mike Myers | Jun 2022 | ## 指南与手册 | 链接 | 描述 | | ---- | ----------- | | [Testing Handbook](https://appsec.guide/) | 配置和自动化静态及动态分析工具的指南 | | [ZKDocs](https://www.zkdocs.com/) | 关于零知识证明系统的交互式文档 | | [Building Secure Smart Contracts](https://secure-contracts.com/) | 开发安全智能合约的最佳实践 | | [CTF Field Guide](https://trailofbits.github.io/ctf/) | 夺旗赛 (CTF) 获胜指南 | | [Ruby Security Field Guide](https://trailofbits.github.io/rubysec/) | 实用 Ruby 安全指南 | ## 会议演讲 ### 自动化漏洞发现与利用 | 演讲标题 | 作者 | 年份 | | --- |---------------------------------------------------| --- | | [Buttercup: Autonomously Finding and Fixing Bugs at Scale in Open-Source Software](presentations/Buttercup:%20Autonomously%20Finding%20and%20Fixing%20Bugs%20at%20Scale%20in%20Open-Source%20Software/buttercup-cucyber.pdf) | Ronald Eytchison | 2025 | | [Buttercup: The Future of Trail of Bits' Solution to DARPA's AI Cyber Challenge](presentations/Buttercup:%20The%20Future%20of%20Trail%20of%20Bits'%20Solution%20to%20DARPA's%20AI%20Cyber%20Challenge) | Trent Brunson | 2025 | | [Buttercup and DARPA's AI Cyber Challenge, Ringzer0](presentations/Buttercup%20and%20DARPA's%20AI%20Cyber%20Challenge,%20Henrik%20Brodin%20and%20Ronald%20Eytchison) | Henrik Brodin, Ronald Eytchison | 2025 | | [Our experience competing in the AI Cyber Challenge](presentations/Our%20experience%20competing%20in%20the%20AI%20Cyber%20Challenge/Our_experience_competing_in_the_AI_Cyber_Challenge.pdf) | Michael Brown et al. | 2025 | | [Buttercup and DARPA's AI Cyber Challenge, CSAW](presentations/Buttercup%20and%20DARPA's%20AI%20Cyber%20Challenge,%20Ronald%20Eytchison) | Ronald Eytchison | 2024 | | [Your Mitigations are My Opportunities](presentations/Your%20Mitigations%20are%20My%20Opportunities) | Yarden Shafir | 2023 | | [Detecting variability bugs with hybrid control and data flow](presentations/Automatically%20Detecting%20Variability%20Bugs%20Through%20Hybrid%20Control%20and%20Data%20Flow%20Analysis) | Kelly Kaoudis, Henrik Brodin, Evan Sultanik | 2023 | | Blind Spots: Identifying Exploitable Program Inputs | Henrik Brodin, Evan Sultanik, and Marek Surovič | 2023 | | [MLIR is the future of program analysis](presentations/MLIR%20is%20the%20future%20of%20program%20analysis) | Peter Goodman | 2023 | | [A Sermon on the Indulgences of Computational Sacrifice; or, The Superabundant Benedictions of Programming an Absurd NES Game](https://www.youtube.com/watch?v=RTjP3fnQ5d8) | Evan Sultanik | 2021 | | [Differential analysis of x86-64 instruction decoders](presentations/Differential%20analysis%20of%20x86-64%20decoders) | William Woodruff, Niki Carroll, Sebastiaan Peters | 2021 | | [How to find bugs when (ground) truth isn't real](presentations/Differential%20fuzzing,%20or%20how%20to%20find%20bugs%20when%20%28ground%29%20truth%20isn't%20real) | William Woodruff | 2020 | | [Toward Automated Grammar Extraction via Semantic Labeling of Parser Implementations](presentations/Semantic%20Labeling%20of%20Parsers) | Carson Harmon, Brad Larsen, Evan Sultanik | 2020 | | [The Treachery of Files and Two New Tools that Tame It](presentations/The%20Treachery%20of%20Files) | Evan Sultanik |2019 | | [Symbolically Executing a Fuzzy Tyrant](presentations/Symbolically%20Executing%20a%20Fuzzy%20Tyrant) | Stefan Edwards | 2019 | | [Kernel space fault injection with KRF](presentations/Kernel%20space%20fault%20injection%20with%20KRF) | William Woodruff | 2019 | | [Binary Symbolic Execution With KLEE-Native](presentations/Binary%20Symbolic%20Execution%20With%20KLEE-Native) | Sai Vegasena | 2019 | | [Going sicko mode on the Linux Kernel](presentations/Going%20sicko%20mode%20on%20the%20Linux%20Kernel) | William Woodruff | 2019 | | [Vulnerability Modeling with Binary Ninja](presentations/Vulnerability%20Modeling%20with%20Binary%20Ninja) | Josh Watson | 2018 | | [File Polyglottery; or, This PoC is also a picture of cats](presentations/The%20Treachery%20of%20Files) | Evan Sultanik | 2017 | | [Be a binary rockstar](https://vimeo.com/215511922#t=27m33s) | Sophia D'Antoine | 2017 | | [Symbolic Execution for Humans](presentations/Symbolic%20Execution%20for%20Humans) | Mark Mossberg | 2017 | | [The spirit of the 90s is still alive in Brooklyn](presentations/The%20spirit%20of%20the%2090s%20is%20alive%20in%20Brooklyn) | Ryan Stortz, Sophia D'Antoine | 2017 | | [The dream of a static and dynamic analysis shootout](presentations/The%20dream%20of%20a%20static%20and%20dynamic%20analysis%20shootout) | Ryan Stortz | 2016 | | [Binary constraint solving for automatic exploit generation](presentations/Binary%20constraint%20solving%20for%20automatic%20exploit%20generation) | Sophia D'Antoine | 2016 | | [The Smart Fuzzer Revolution](presentations/The%20Smart%20Fuzzer%20Revolution) | Dan Guido | 2016 | | [Making a scaleable automated hacking system](presentations/Cyber%20Grand%20Challenge) | Artem Dinaburg | 2016 | | [Cyberdyne - Automatic bug-finding at scale](presentations/Cyber%20Grand%20Challenge) | Peter Goodman | 2016 | | [McSema: Static translation of x86 to LLVM IR](presentations/McSema%20-%20Static%20Translation%20of%20x86%20instructions%20to%20LLVM%20IR) | Andrew Ruef, Artem Dinaburg | 2014 | ### 区块链 | 演讲标题 | 作者 | 年份 | | --- | --- | --- | | [Mutation Testing with Slither: A New Way to Find High-Severity Issues](presentations/Mutation%20Testing%20with%20Slither%3A%20A%20New%20Way%20to%20Find%20High-Severity%20Issues) | Guillermo Larregay | 2025 | | [Slither's Model Context Protocol: Giving LLMs Ground Truth from Static Analysis](presentations/Slither's%20Model%20Context%20Protocol%3A%20Giving%20LLMs%20Ground%20Truth%20from%20Static%20Analysis) | Ben Samuels | 2025 | | [The $1.5B Problem: How Exchanges Can Build Safer Cold Storage](presentations/The%20%241.5B%20Problem%3A%20How%20Exchanges%20Can%20Build%20Safer%20Cold%20Storage) | Benjamin Samuels | 2025 | | [How to Become a Smart Contract Auditor](presentations/How%20to%20Become%20a%20Smart%20Contract%20Auditor) | nisedo | 2025 | | [Test your tests: the do's and don'ts of testing](presentations/TrustX%202023/Test%20Your%20Tests) | Kurt Willis | 2023 | | [Slither: a static analysis tool for Vyper and Solidity](presentations/TrustX%202023/Slither%20a%20Vyper%20and%20Solidity%20static%20analyzer) | Troy Sargent | 2023 | | [Roundme: rounding analysis made simpler](presentations/TrustX%202023/roundme) | Josselin Feist | 2023 | | [Smart Contracts: The Beta](presentations/Smart%20Contracts:%20The%20Beta/DSS%20101.pdf) | Nat Chin | 2023 | | [Fuzzing like a security engineer](presentations/How%20to%20Fuzz%20Like%20a%20Pro/Eth%20Taipei%20Workshop.pdf) | Nat Chin | 2023 | | [Write better smart contracts with Slither's Python API](presentations/Write%20Better%20Smart%20Contracts%20By%20Checking%20Them%20With%20Slither's%20Python%20API) | Troy Sargent | 2022 | | [Building Secure Cairo](presentations/Building%20Secure%20Cairo) | Filipe Casal, Simone Monica | 2022 | | [How to fuzz like a pro](presentations/How%20to%20Fuzz%20Like%20a%20Pro) | Josselin Feist, Nat Chin | 2022 | | [Demystifying Fuzzing](presentations/Demystifying%20Fuzzing) | Nat Chin | 2022 | | [Building a Practical Static Analyzer for Smart Contracts](presentations/Building%20a%20Practical%20Static%20Analyzer%20for%20Smart%20Contracts) | Josselin Feist | 2021 | | [Testing and Verifying Smart Contracts: From Theory to Practice](presentations/Testing%20and%20Verifying%20Smart%20Contracts:%20From%20Theory%20to%20Practice) | Josselin Feist | 2021 | | [Safely integrating with ERC20 tokens](presentations/Safely%20integrating%20with%20ERC20%20tokens) | Josselin Feist | 2021 | | [Detecting transaction replacement attacks with Manticore](presentations/Detecting%20transaction%20replacement%20attacks%20with%20Manticore) | Sam Moelius | 2020 | | [DeFi Hacks and Future Threats: The Role of Economics in Secure Protocol Design](presentations/DeFi%20Hacks%20and%20Future%20Threats) | Dan Guido | 2020 | | [Fantastic Bugs and How to Squash Them; or, the Crimes of Solidity](presentations/Anatomy%20of%20an%20unsafe%20programming%20language) | Evan Sultanik | 2019 | | [SlithIR: High-Precision Security Analysis with an IR for Solidity](presentations/SlithIR%2C%20An%20Intermediate%20Representation%20of%20Solidity%20to%20enable%20High%20Precision%20Security%20Analysis) | Josselin Feist | 2019 | | [Slither: A Static Analysis Framework for Smart Contracts](presentations/Slither:%20A%20Static%20Analysis%20Framework%20for%20Smart%20Contracts) | Josselin Feist | 2019 | | [What blockchain got right](presentations/What%20blockchain%20got%20right) | Dan Guido | 2019 | | [Traditional Infosec for Blockchain Firms](presentations/Traditional%20Infosec%20for%20Blockchain%20Firms) | Dan Guido | 2019 | | [Property-testing of smart contracts](presentations/Property-based%20testing%20of%20smart%20contracts) | JP Smith | 2018 | | [Anatomy of an unsafe programming language](presentations/Anatomy%20of%20an%20unsafe%20programming%20language) | Evan Sultanik | 2018 | | [Contract upgrade risks and recommendations](presentations/Contract%20upgrade%20risks%20and%20recommendations) | Josselin Feist | 2018 | | [Blackhat Ethereum](presentations/Blackhat%20Ethereum) | Ryan Stortz, Jay Little | 2018 | | [Blockchain Autopsies - Analyzing Smart Contract Deaths](presentations/Blockchain%20Autopsies%20-%20Analyzing%20Smart%20Contract%20Deaths) | Jay Little | 2018 | | [Rattle - an Ethereum EVM binary analysis framework](https://www.trailofbits.com/presentations/rattle/) | Ryan Stortz | 2018 | | [Securing value on the Ethereum blockchain](presentations/Securing%20value%20on%20the%20Ethereum%20blockchain) | Dan Guido | 2018 | | [Binary analysis, meet the blockchain](presentations/Binary%20analysis%2C%20meet%20the%20blockchain) | Mark Mossberg | 2018 | | [Automatic bug finding for the blockchain](presentations/Automatic%20bugfinding%20for%20the%20blockchain) | Felipe Manzano, Josselin Feist | 2017 | ### 编译器 | 演讲标题 | 作者 | 年份 | | --- | --- | --- | | [Constant-Time Coding Support in LLVM](presentations/Constant-Time%20Coding%20Support%20in%20LLVM) | Julius Alexandre | 2025 | | [A Broad Comparative Evaluation of Software Debloating Tools](presentations/A%20Broad%20Comparative%20Evaluation%20of%20Software%20Debloating%20Tools/debloater-eval.pdf) | Michael D. Brown, Adam Meily, Eric Kilmer, Ronald Eytchison | 2024 | | [Repurposing LLVM analyses in MLIR: Also there and back again across the tower of IRs](presentations/Repurposing%20LLVM%20analyses%20in%20MLIR:%20Also%20there%20and%20back%20again%20across%20the%20Tower%20of%20IRs) | Henrich Lauko | 2024 | | [VAST: MLIR for program analysis of C/C++](presentations/VAST:%20MLIR%20for%20program%20analysis%20of%20C) | Henrich Lauko | 2022 | | [A Broad Comparative Evaluation of x86-64 Binary Rewriters](presentations/A%20Broad%20Comparative%20Evaluation%20of%20x86-64%20Binary%20Rewriters/A%20Broad%20Comparative%20Evaluation%20of%20x86-64%20Binary%20Rewriters.pdf) | Michael D. Brown | 2022 | | [On the Optimization of Equivalent Concurrent Computations](presentations/On%20the%20Optimization%20of%20Equivalent%20Concurrent%20Computations/PLDI-EGRAPHS-2022.pdf) | Henrich Lauko, Lukáš Korenčik, Peter Goodman | 2022 | ### 密码学 | 演讲标题 | 作者 | 年份 | | --- | --- | --- | | [Cut To The QUIC: Slashing QUIC's Performance With A Hash DoS](presentations/Cut%20To%20The%20QUIC%3A%20Slashing%20QUIC%27s%20Performance%20With%20A%20Hash%20DoS) | Paul Bottinelli | 2025 | | [One, Two, TEE: Trust in Numbers Meets Hardware Security](presentations/One,%20Two,%20TEE:%20Trust%20in%20Numbers%20Meets%20Hardware%20Security) | Paul Bottinelli | 2025 | | [Weak Fiat-Shamir attacks on modern proof systems](presentations/Weak%20Fiat-Shamir%20attacks%20on%20modern%20proof%20systems) | Jim Miller | 2024 | | [Building a Rusty path validation library for PyCA Cryptography](presentations/Building%20a%20Rusty%20path%20validation%20library%20for%20PyCA%20Cryptography) | William Woodruff | 2024 | | [Implementing X.509 path validation for Python](presentations/Implementing%20X.509%20path%20validation%20for%20Python) | William Woodruff | 2024 | | [Careful with MAc-then-SIGn](presentations/Careful%20with%20MAc-then-SIGn/128_Careful_with_MAC_then_SIGn.pdf) | Marc Ilunga | 2023 | | [die, PGP, die](presentations/die%2C%20PGP%2C%20die) | William Woodruff | 2022 | | [Seriously, stop using RSA](presentations/Seriously%2C%20stop%20using%20RSA) | Ben Perez | 2019 | | [Best Practices for Cryptography in Python](presentations/Best%20Practices%20for%20Cryptography%20in%20Python) | Paul Kehrer | 2019 | | [Analyzing the MD5 collision in Flame](presentations/Analyzing%20the%20MD5%20Collision%20in%20Flame) | Alex Sotirov | 2012 | ### 工程 | 演讲标题 | 作者 | 年份 | | --- | --- | --- | | [Repeatable Benchmarking: An Exploration of OpenSearch vs Elasticsearch](presentations/Repeatable%20Benchmarking%3A%20An%20Exploration%20of%20OpenSearch%20vs%20Elasticsearch) | Evan Downing | 2025 | | [Evidence-driven Security Engineering](presentations/Evidence-driven%20Security%20Engineering) | Dan Guido | 2019 | | [Linux Security Event Monitoring with osquery](presentations/osquery%20Linux%20security%20event%20monitoring) | Alessandro Gario | 2019 | | [osql: The community oriented osquery fork](presentations/osql%3A%20The%20community%20oriented%20osquery%20fork) | Stefano Bonicatti, Mark Mossberg | 2019 | | [Getting started with osquery](presentations/Getting%20started%20with%20osquery) | Lauren Pearl, Andy Ying | 2018 | | [osquery Super Features](presentations/osquery%20Super%20Features) | Lauren Pearl | 2018 | | [osquery Extension Skunkworks](presentations/osquery%20Extension%20Skunkworks) | Mike Myers | 2018 | | [Build it Break it Fix it](presentations/Build%20it%20Break%20it%20Fix%20it) | Andrew Ruef | 2014 | ### 教育 | 演讲标题 | 作者 | 年份 | | --- | --- | --- | | [Introduction to Semgrep](presentations/Introduction%20To%20Semgrep/Testing%20Handbook%20-%20Semgrep.pdf) and
[Semgrep Practice Exercises](presentations/Introduction%20To%20Semgrep/TrailofBits_Semgrep_Practice_Exercises.pdf) | Maciej Domański, Matt Schwager, Spencer Michaels | 2024 | | [A mostly gentle introduction to LLVM](presentations/A%20mostly%20gentle%20introduction%20to%20LLVM) | William Woodruff | 2022 | | [JWTs, and why they suck](presentations/JWTs,%20and%20why%20they%20suck) | Rory M | 2021 | | [The Joy of Pwning](presentations/The%20Joy%20of%20Pwning) | Sophia D'Antoine | 2017 | | [How to CTF - Getting and using Other People's Computers (OPC)](presentations/How%20to%20CTF%20-%20Getting%20and%20Using%20OPC) | Jay Little | 2014 | | [Low-level Security](presentations/Low-level%20Security) | Andrew Ruef | 2014 | | [Security and Your Business](presentations/Security%20and%20Your%20Business) | Andrew Ruef | 2014 | | [Bringing nothing to the party](presentations/Bringing%20nothing%20to%20the%20party) | Vincenzo Iozzo | 2013 | | [From One Ivory Tower to Another](presentations/From%20One%20Ivory%20Tower%20to%20Another) | Vincenzo Iozzo | 2012 | ### 基础设施 | 演讲标题 | 作者 | 年份 | | --- | --- | --- | | [Return to the 100 Acre Woods](presentations/Return%20to%20the%20100%20Acre%20Woods) | Stefan Edwards | 2019 | | [Swimming with the kubectl fish](presentations/Swimming%20with%20the%20kubectl%20fish) | Stefan Edwards | 2019 | ### 机器学习 | 演讲标题 | 作者 | 年份 | | --- | --- | --- | | [Weaponizing Image Scaling Against Production AI Systems](presentations/Weaponizing%20Image%20Scaling%20Against%20Production%20AI%20Systems) | Kikimora Morozova, Suha Sabi Hussain | 2025 | | [Indirect Prompt Injection: Architectural Testing Approaches for Real World AI/ML Systems](presentations/Indirect%20Prompt%20Injection%3A%20Architectural%20Testing%20Approaches%20for%20Real%20World%20AI%20ML%20Systems) | Will Vandevanter | 2025 | | [From Polyglots to Prompt Injections: Parsing is Still Execution (And Your LLM Didn't Get the Memo)](presentations/From%20Polyglots%20to%20Prompt%20Injections%3A%20Parsing%20is%20Still%20Execution%20%28And%20Your%20LLM%20Didn%27t%20Get%20the%20Memo%29) | Evan Sultanik | 2025 | | [Frontier AI in Cybersecurity: Risks and Opportunities](presentations/Frontier%20AI%20in%20Cybersecurity%3A%20Risks%20and%20Opportunities) | Dan Guido, Riccardo Schirone | 2025 | | [The Present and Future of AI and Security](presentations/The%20Present%20and%20Future%20of%20AI%20and%20Security) | Evan Downing | 2024 | | [Incubated Machine Learning Exploits: Backdooring ML Pipelines Using Input-Handling Bugs](presentations/Incubated%20Machine%20Learning%20Exploits%3A%20Backdooring%20ML%20Pipelines%20Using%20Input-Handling%20Bugs) | Suha Sabi Hussain | 2024 | | [Holistic ML Threat Models](presentations/Holistic%20ML%20Threat%20Models) | Adelin Travers | 2024 | | [Using Graph-Based Machine Learning Algorithms for Software Analysis](presentations/Using%20Graph-Based%20Machine%20Learning%20Algorithms%20for%20Software%20Analysis) | Michael D. Brown | 2023 | | [Exploiting Machine Learning Pickle Files](presentations/Never%20a%20Dill%20Moment:%20Exploiting%20Machine%20Learning%20Pickle%20Files) | Carson Harmon, Evan Sultanik, Jim Miller, Suha Sabi Hussain | 2021 | | [PrivacyRaven: Comprehensive Privacy Testing for Deep Learning](presentations/PrivacyRaven:%20Comprehensive%20Privacy%20Testing%20for%20Deep%20Learning) | Suha Sabi Hussain | 2020 | ### 移动安全 | 演讲标题 | 作者 | 年份 | | --- | --- | --- | | [macOS Privilege Escalation Via Traceroute6](presentations/macOS%20Privilege%20Escalation%20Via%20Traceroute6) | Paweł Płatek | 2025 | | [Swift Reversing](presentations/Swift%20Reversing) | Ryan Stortz | 2016 | | [ iOS Application Security](presentations/Modern%20iOS%20Application%20Security) | Sophia D'Antoine, Dan Guido | 2016 | | [The Mobile Exploit Intelligence Project](presentations/The%20Mobile%20Exploit%20Intelligence%20Project) | Dan Guido | 2012 | | [A Tale of Mobile Threats](presentations/A%20Tale%20of%20Mobile%20Threats) | Vincenzo Iozzo | 2012 | ### 编程 | 演讲标题 | 作者 | 年份 | | --- | --- | --- | | [Python internals - let's talk about dicts](presentations/Python%20internals%20-%20lets%20talk%20about%20dicts) | Dominik Czarnota | 2019 | | [Low-level debugging with Pwndbg](presentations/Low-level%20debugging%20with%20Pwndbg) | Dominik Czarnota | 2018 | | [Insecure Things to Avoid in Python](presentations/Insecure%20Things%20to%20Avoid%20in%20Python) | Dominik Czarnota | 2018 | ### 侧信道 | 演讲标题 | 作者 | 年份 | | --- | --- | --- | | [Hardware side channels in virtualized environments](presentations/Hardware%20side%20channels%20in%20virtualized%20environments) | Sophia D'Antoine | 2015 | | [Exploiting Out-of-Order Execution](presentations/Exploiting%20Out-of-Order%20Execution) | Sophia D'Antoine | 2015 | ### 供应链 | 演讲标题 | 作者 | 年份 | | --- | --- | --- | | [Attestations: a new generation of signatures on PyPI](presentations/Attestations:%20a%20new%20generation%20of%20signatures%20on%20PyPI) | William Woodruff | 2025 | | [The Next 5 Years of Supply Chain Security on PyPI](presentations/The%20Next%205%20Years%20of%20Supply%20Chain%20Security%20on%20PyPI) | William Woodruff | 2024 | | [PEP 740 and PyPI: Bootstrapping Provenance for the Python Ecosystem](presentations/PEP%20740%20and%20PyPI:%20Bootstrapping%20Provenance%20for%20the%20Python%20Ecosystem) | William Woodruff | 2024 | | [Imagining a zero-trust future for PyPI](presentations/Imagining%20a%20zero-trust%20future%20for%20PyPI) | William Woodruff | 2024 | | [Build Provenance: Lessons (so far) from Homebrew](presentations/Build%20Provenance:%20Lessons%20%28so%20Far%29%20from%20Homebrew) | Joe Sweeney | 2024 | | [What does it look like to code-sign for an entire packaging ecosystem?](presentations/What%20does%20it%20look%20like%20to%20code-sign%20for%20an%20entire%20packaging%20ecosystem) | William Woodruff | 2023 | | [Securing your Package Ecosystem with Trusted Publishing](presentations/Securing%20your%20Package%20Ecosystem%20with%20Trusted%20Publishing) | William Woodruff | 2023 | | [Trusted Publishing: Lessons from PyPI](presentations/Trusted%20Publishing:%20Lessons%20from%20PyPI) | William Woodruff | 2023 | | [Ergonomic codesigning for the Python ecosystem with Sigstore](presentations/Ergonomic%20codesigning%20for%20the%20Python%20ecosystem%20with%20Sigstore) | William Woodruff | 2023 | | [Sigstore for Python Packaging: Next Steps for Adoption](presentations/Sigstore%20for%20Python%20Packaging%3A%20Next%20Steps%20for%20Adoption) | William Woodruff | 2022 | | [Python Packaging Mystery Meat](presentations/Python%20Packaging%20Mystery%20Meat) | William Woodruff | 2022 | | [Automated Tools for Securing the Software Supply Chain](presentations/Automated%20Tools%20for%20Securing%20the%20Software%20Supply%20Chain) | Michael D. Brown | 2022 | | [Improving PyPI's security with Two Factor Authentication](presentations/Improving%20PyPI%27s%20security%20with%20Two%20Factor%20Authentication) | William Woodruff | 2019 | ### 威胁分析与恶意软件 | 演讲标题 | 作者 | 年份 | | --- | --- | --- | | [Peeling back the 'Shlayers' of macOS Malware](presentations/Peeling%20back%20the%20Shlayers%20of%20macOS%20Malware) | Josh Watson, Erika Noerenberg | 2019 | | [The Exploit Intelligence Project Revisited](presentations/The%20Exploit%20Intelligence%20Project) | Dan Guido | 2013 | ## 播客 | 播客 | 嘉宾 | 日期 | 主题 | | --- | --- | --- | --- | | [Risky Biz](https://risky.biz/RBNEWSSI114/) | Dan Guido | Feb 2026 | AI at Trail of Bits | | [What's in the SOSS? 53](https://openssf.org/podcast/2026/02/09/whats-in-the-soss-podcast-53-s3e5-aixcc-part-3-buttercups-hybrid-approach-trail-of-bits-journey-to-second-place-in-aixcc/) | Michael Brown | Feb 2026 | AIxCC & Buttercup | | [Insecure Agents 18](https://insecureagents.com/episodes/18-kiki-morozova) | Kikimora Morozova | Dec 2025 | AI prompt injections | | [Risky Biz](https://risky.biz/RBNEWSS198/) | Keith Hoodlet | Sep 2025 | AI prompt injections | | [Zero Signal](https://www.youtube.com/watch?v=G3pGCEQWJZs&list=PLvtGUUDFmi-aTEsna3wgfMrCH-DpZQJgn&index=2) | Keith Hoodlet | Sep 2025 | AI Security | | [Unsupervised Learning](https://www.youtube.com/watch?v=nvU0GbA9F9Q) | Michael Brown | Aug 2025 | AIxCC | | [Security Weekly 342](https://www.youtube.com/watch?v=C2kSdo7aNzU) | Will Vandevanter | Aug 2025 | NVIDIA vulnerability disclosure | | [CTF Radiooo 01E](https://youtu.be/BmCWryz3dsU?si=4T34d9DIP2MOcuo9) | Michael Brown & Evan Downing | Aug 2025 | AIxCC | | [Click Here Show](https://podcasts.apple.com/us/podcast/mic-drop-the-ego-exploit/id1225077306?i=1000712717394) | Dan Guido | Jun 2025 | Zoom remote control attacks | | [Security Weekly 336](https://youtu.be/1YvQi5Bc9_M?si=j-grngtTaI7Rloq6) | Artur Cygan | Jun 2025 | Fuzzing Barcodes | | [Protect AI](https://youtu.be/saLKE9y4EoU?si=9xqCNiY_Fx3ad9Mu) | Keith Hoodlet | Jun 2025 | MCP Security | | [Open Source Security](https://www.youtube.com/watch?v=EKXV6vxRTHM) | William Woodruff | May 2025 | Zizmor & GitHub Actions security | | [MLSecOps](https://youtu.be/8WsgV0svqPM?si=iB_9rUl33vPIT8sL) | Keith Hoodlet | Apr 2025 | AI/ML security | | [Risky Biz 786](https://youtu.be/DNAOwukOQi4?si=4KPfY2RnPMxVwSJJ&t=2556) | Tjaden Hess | Apr 2025 | Cryptography & blockchain | | [Security Weekly 323](https://youtu.be/zn3LT4BqOJo?si=3zY5YkRU4ArgM-vn) | Keith Hoodlet | Mar 2025 | GenAI in Appsec | | [Xyonix](https://youtu.be/y8TF7MELevg?si=gv60OR2_L86fsL2L) | Keith Hoodlet | Mar 2025 | AI/ML security | | [The Impulsive Thinker](https://theimpulsivethinker.libsyn.com/unlocking-ai-a-tool-not-a-magic-bullet-for-adhd-entrepreneurs) | Dan Guido | Feb 2025 | Neurodivergence | | [Bugcrowd](https://youtu.be/b7EULU_X7fQ?si=DZFenK1x00PaD5yV) | Keith Hoodlet | Oct 2024 | AI/ML Bias | | [Risky Biz](https://risky.biz/RBNEWSSI62/) | Dan Guido | Oct 2024 | Post-quantum cryptography | | [Risky Biz 759](https://youtu.be/4zpPk3Y4CYA?si=Pvd8px1DQHRPsRtM&t=3046) | Dan Guido | Aug 2024 | DARPA's AI Cyber Challenge | | [Resilience Rundown](https://www.youtube.com/watch?v=EB2oV1umU3Y&list=PLciHOL_J7IwpS8Cdl9lMB8Mxqu0as8yPi&index=7) | Josiah Dykstra | May 2024 | Bias in security | | [Risky Biz](https://risky.biz/RBNEWSSI40/) | Dan Guido | Apr 2024 | Open source tooling | | [MLSecOps March 20](https://mlsecops.com/podcast/redos-vulnerability-reports-security-relevance-vs.-noisy-nuisance) | William Woodruff | Mar 2024 | Supply chain security | | [yWhales](https://www.youtube.com/watch?v=LqkH1jYFE2g&list=PLciHOL_J7IwpS8Cdl9lMB8Mxqu0as8yPi&index=6) | Dan Guido | Dec 2023 | Blockchain security | | [Risky Biz 707](https://risky.biz/RB707/) | Dan Guido | May 2023 | ML security | | [ASW 229](https://youtu.be/wHuZzV0Da_s) | Nick Selby | Feb 2023 | Threat modeling, cloud-native audits | | [Risky Biz 690](https://risky.biz/RB690/) | Dan Guido | Jan 2023 | Vuln disclosure | | [Risky Biz 672](https://risky.biz/RB672/) | Dan Guido | Jul 2022 | Blockchain security | | [Cloud Security Reinvented](https://orca.security/resources/podcast/?blaid=3070895&wchannelid=v7ih6xfqse&wmediaid=ll04oa1n8n) | Nick Selby | Jun 2022 | Cloud security | | [Skiff Office Hours](https://twitter.com/i/web/status/1503822822237368321) | Dan Guido | Mar 2022 | Privacy technology | | [Risky Biz 652](https://risky.biz/RB652/) | Dan Guido | Jan 2022 | Zero-knowledge proofs | | [Secureum Safecast #3](https://www.youtube.com/watch?v=Ycj0ZVWof5E) | Josselin Feist | Nov 2021 | Blockchain security | | [Secureum Safecast #2](https://www.youtube.com/watch?v=NSzniIpPYdw) | Dan Guido | Oct 2021 | Blockchain security | | [Press Freedom Foundation](https://www.twitch.tv/videos/1102962356) | Dan Guido | Jul 2021 | Mobile security and iVerify | | [Employee Cycle](https://employeecycle.com/podcast/how-to-onboard-yourself-as-the-first-people-leader-with-hannah-hanks/) | Hannah Hanks | Mar 2021 | First PeopleOps hire | | [Risky Biz 614](https://risky.biz/RB614/) | Dan Guido | Feb 2021 | iVerify | | [Building Better Systems 6](https://www.youtube.com/watch?v=QXF6agsYqV0) | Dan Guido | Jan 2021 | What blockchain got right | | [WCBS 880](https://www.radio.com/podcasts/wcbs-880-small-business-spotlight-32986/pandemic-gap-year-leads-to-career-development-322317063) | Dan Guido | Sep 2020 | Gap years and intern hiring | | [Risky Biz 594](https://risky.biz/RB594/) | Dan Guido | Aug 2020 | Apple security | | [Epicenter 346](https://epicenter.tv/episodes/346) | Dan Guido | Jun 2020 | Smart contract security | | [Absolute AppSec 97](https://www.youtube.com/watch?v=GvNXxOc30lM) | Stefan Edwards | May 2020 | Threat modeling | | [Unchained 170](https://unchainedpodcast.com/defi-security-with-so-many-hacks-will-it-ever-be-safe/) | Dan Guido | May 2020 | DeFi security | | [Risky Biz 580](https://risky.biz/RB580/) | Dan Guido | Apr 2020 | Mobile voting | | [Absolute AppSec 91](https://www.youtube.com/watch?v=HlGcJRhgNG0) | Stefan Edwards | Apr 2020 | Mobile voting | | [Zero Knowledge 122](https://www.zeroknowledge.fm/122) | Ben Perez | Mar 2020 | Cryptography reviews, ZKPs | | [Changelog](https://changelog.com/podcast/377) | Dan Guido | Jan 2020 | AlgoVPN | | [Risky Business 559](https://risky.biz/RB559/) | Stefan Edwards | Oct 2019 | Kubernetes | | [FOSS Weekly 545](https://www.youtube.com/watch?v=mkjoTAdZd3Q) | William Woodruff | Sep 2019 | PyPI security improvements | | [`Podcast.__init__` 225](https://www.pythonpodcast.com/pypi-improvements-episode-225/) | William Woodruff | Aug 2019 | PyPI security, UX, and sustainability | | [Absolute AppSec 68](https://www.youtube.com/watch?v=bOR21l96zz4) | Stefan Edwards, Bobby Tonic | Aug 2019 | Kubernetes | | [Hashing it Out 53](https://thebitcoinpodcast.com/hashing-it-out-53/) | Dan Guido | Jul 2019 | Smart contract testing | | [Absolute AppSec 60](https://www.youtube.com/watch?v=BZ0U7K0IxNQ) | Stefan Edwards | May 2019 | Android, programming languages | | [Absolute AppSec 55](https://www.youtube.com/watch?v=Q0pKAlGLFtY) | Stefan Edwards | Apr 2019 | Security testing | | [Hashing it Out 35](https://thebitcoinpodcast.com/hashing-it-out-35/) | Dan Guido, Josselin Feist | Jan 2019 | Ethereum's failed EIP-1283 | | [Risky Biz 526](https://risky.biz/RB526/) | JP Smith | Jan 2019 | Post-quantum crypto in CTFs | | [Absolute AppSec 37](https://www.youtube.com/watch?v=beGo7l0u5cY) | Stefan Edwards | Nov 2018 | Programming languages, symbex | | [Risky Biz 510](https://risky.biz/RB510/) | Lauren Pearl | Aug 2018 | Open source security engineering | | [Absolute AppSec 34](https://www.youtube.com/watch?v=gtikYoT6vKc) | Stefan Edwards | Oct 2018 | Security testing, blockchain | | [The Smartest Contract 15](https://web.archive.org/web/20181018135712/http://www.thesmartestcontract.com/15) | JP Smith | Aug 2018 | Trail of Bits security tools & auditing | | [Zero Knowledge 16](https://www.zeroknowledge.fm/16) | JP Smith | Mar 2018 | Smart contract security | | [Risky Biz 488](https://risky.biz/RB488/) | JP Smith | Feb 2018 | Smart contract testing w/ Manticore | | [Risky Biz 474](https://risky.biz/RB474/) | Dan Guido | Oct 2017 | How to engineer secure software | | [Georgian Partners 47](https://georgianpartners.com/the-problem-with-the-tor-network-and-commercial-vpns/) | Dan Guido | May 2017 | [AlgoVPN](https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/) and Tor | | [VUC 643](https://www.youtube.com/watch?v=r_FV-uHYDgs) | Dan Guido | Apr 2017 | [AlgoVPN](https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/) | | [Risky Biz 449](https://risky.biz/RB449/) | Dan Guido | Mar 2017 | Control Flow Integrity | | [Risky Biz 425](https://risky.biz/RB425/) | Dan Guido | Sep 2016 | Recap the week's news | | [Risky Biz 421](https://risky.biz/RB421/) | Dan Guido | Aug 2016 | Car hacking and the week's news | | [Risky Biz 416](https://risky.biz/RB416/) | Dan Guido | Jul 2016 | DARPA Cyber Grand Challenge | | [Risky Biz 399](https://risky.biz/RB399/) | Dan Guido | Feb 2016 | [Apple vs the FBI](https://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-order/) | | [Risky Biz 348](https://risky.biz/RB348/) | Dan Guido | Jun 2015 | DARPA Cyber Grand Challenge | [Risky Biz 370](https://risky.biz/RB370/) | Dan Guido | Feb 2015 | DARPA Cyber Grand Challenge | ## 网络研讨会 | 标题 | 演讲者 | 日期 | | --- | --- | --- | | [Top TEE bugs you should fix before your audit](https://watch.getcontrast.io/register/trail-of-bits-top-tee-bugs-you-should-fix-before-your-audit) | Tjaden Hess, Paul Bottinelli, & Jules Drean | Dec 2025 | | [Building secure end-to-end encrypted systems](https://watch.getcontrast.io/register/trail-of-bits-running-effective-threat-models-in-e2ee) | Marc Ilunga & Fredrik Dahlgren | Dec 2025 | | [After Wiretap and Battering RAM: What Changes for TEE-Based Blockchain Infrastructure](https://watch.getcontrast.io/register/trail-of-bits-after-wiretap-and-battering-ram-what-changes-for-tee-based-blockchain-infrastructure) | Tjaden Hess & Andy Campbell | Nov 2025 | | [MCP Security Deep Dive: From Attacks to Defense](https://app.getcontrast.io/register/trail-of-bits-mcp-security-deep-dive-from-vulnerability-to-defense) | Keith Hoodlet, Cliff Smith, Vineeth Sai Narajala, Manish Bhatt | Jul 2025 | | [Security Audits: Best Practices with Trail of Bits](https://workbrew.com/webinars/security-audits) | Chris Dahlheimer, Lindsay Rakowski, & Vanessa Gennarelli | Mar 2025 | | [Mastering Web Research with Burp Suite](https://www.youtube.com/watch?v=0PV5QEQTmPg) | Keith Hoodlet, Cliff Smith, & James Kettle | Jun 2024 | | [Introduction to CodeQL: Examples, Tools and CI Integration](https://www.youtube.com/watch?v=rQRlnUQPXDw) | Filipe Casal & Fredrik Dahlgren | Mar 2024 | | [Introduction to Semgrep](https://www.youtube.com/watch?v=yKQlTbVlf0Q) | Maciej Domanski & Matt Schwager | Jan 2024 | ## 公开评论 | 主题 | 机构 | 日期 | | --- | --- | --- | | [Automated Artifical Intelligence Bill Of Materials for AI/ML Ops](./public-comments/AIBOM-RFI-response.pdf) | U.S. Army PEO IEW&S | Dec 2023 | | [Open-Source Software Security: Areas of Long-Term Focus and Prioritization](./public-comments/tob-response-to-oncd-cisa-rfi-2023.pdf) | ONCD, CISA, NSF, DARPA, OMB | Nov 2023 | | [Understanding the National Security Implications of AI](https://www.trailofbits.com/documents/whitehouse_otsp_national_security_ai.pdf) | Whitehouse OTSP | Jul 2023 | | [AI Accountability, Regulation, and Audits](https://blog.trailofbits.com/2023/06/16/trail-of-bitss-response-to-ntia-ai-accountability-rfc/) | NTIA | Jun 2023 | | [A Comprehensive Risk Assessment Framework for AI Assurance in Ethical, Legal, and Societal Domains](./public-comments/comprehensive-risk-assessment-framework-AI-Assurance-ELS-Domains.pdf) | DARPA | Jun 2023 | | [Understanding Crypto Markets Security](https://github.com/trailofbits/publications/blob/master/presentations/public/CFTC_TAC_presentation_March_2023.pdf) | CFTC | Mar 2023 | | [Regulation of Intrusion and Surveillance Software](https://www.regulations.gov/document/BIS-2015-0011-0209) | Commerce Dept | Jul 2015 | ## 安全审计 允许我们公开讨论其工作的公司可在此处找到。更多项目仍处于保密状态。 ### 主要客户 以下客户已委托 Trail of Bits 进行过 5 次或更多的安全审计： #### Frax Finance | 产品 | 日期 | 投入
精力 | 公告 | 报告 | | --- | --: | :-: | --- | :-: | | [FraxGov](https://frax.finance/) | May 2023 | 4 | | [📄✅](reviews/2023-05-fraxgov-securityreview.pdf) | | [Fraxlend and veFPIS](https://frax.finance/) | Jan 2023 | 4 | | | | [Fraxlend and FraxFerry](https://frax.finance/) | Oct 2022 | 4 | | [📄](reviews/2022-10-fraxfinance-fraxlend-fraxferry-securityreview.pdf) | | [Frax](https://frax.finance/) | May 2022 | 4 | | [📄](reviews/FraxQ22022.pdf) | | [Frax](https://frax.finance/) | Dec 2021 | 4 | | [📄](reviews/FraxQ42021.pdf) | | [Frax](https://frax.finance/) | May 2021 | 4 | | [📄](reviews/FraxFinance.pdf) | #### MobileCoin | 产品 | 日期 | 投入
精力 | 公告 | 报告 | | --- | --: | :-: | --- | :-: | | [MobileCoin](https://mobilecoin.com/homepage) | Jul 2022 | 2 | | [📄](reviews/2022-07-mobilecoin-securityreview.pdf) | | [Fog Protocol](https://www.mobilecoin.com/) | Jan 2021 | 4 | | [📄](reviews/MobilecoinFog.pdf) | | [MobileCoin BFT](https://www.mobilecoin.com/) | Oct 2020 | 4 | | [📄](reviews/MobileCoinBFT.pdf) | | [MobileCoin](https://www.mobilecoin.com/) | Aug 2020 | 4 | | [📄](reviews/Mobilecoin.pdf) | #### Offchain Labs | 产品 | 日期 | 投入
精力 | 公告 | 报告 | | --- | --: | :-: | --- | :-: | | [Offchain Labs Arbitrum Quorum Changes](https://www.offchainlabs.com/) | Feb 2026 | 1.2 | | [📄](reviews/2026-02-offchain-arbitrum-quorum-changes-securityreview.pdf) | | [Offchain Labs Arbitrum Nitro External DA](https://www.offchainlabs.com/) | Jan 2026 | 4 | | [📄✅](reviews/2026-01-offchain-nitro-external-da-securityreview.pdf) | | [Offchain Labs Arbitrum ArbOS 50 and 51 (Fusaka)](https://www.offchainlabs.com/) | Dec 2025 | | | [📄](reviews/2025-12-offchain-arbos50-and-51-securityreview.pdf) | | [Offchain Labs Arbitrum Chains Genesis File Generator](https://www.offchainlabs.com/) | Dec 2025 | 1.6 | | [📄✅](reviews/2025-12-offchain-arbitrum-chains-genesis-generator-securityreview.pdf) | | [Offchain Labs Upgrade Executor](https://www.offchainlabs.com/) | Jul 2025 | 0.2 | | [📄](reviews/2025-07-offchain-upgrade-executor-securityreview.pdf) | | [Offchain SetCoreGovernorQuorumAction](https://www.offchainlabs.com/) | Jun 2025 | 1.2 | | [📄](reviews/2025-06-offchain-setcoregovernorquorumaction-securityreview.pdf) | | [Offchain Arbitrum Mint/Burn Precompile](https://www.offchainlabs.com/) | Jun 2025 | 1.8 | | [📄✅](reviews/2025-06-offchain-arbitrum-mint-burn-precompile-securityreview.pdf) | | [Offchain Arbitrum Block Hash Pusher](https://www.offchainlabs.com/) | Jun 2025 | 1.8 | | [📄](reviews/2025-06-offchain-arbitrum-block-hash-pusher-securityreview.pdf) | | [Offchain ArbOS 40 Nitro](https://www.offchainlabs.com/) | May 2025 | 6 | | [📄](reviews/2025-05-offchainlabs-arbos40nitro-securityreview.pdf) | | [Offchain Reward Distributor Fixes](https://www.offchainlabs.com/) | Apr 2025 | 0.8 | | [📄](reviews/2025-04-offchainlabs-reward-distributor-fixes-securityreview.pdf) | | [Offchain Sequencer Liveness](https://www.offchainlabs.com/) | Mar 2025 | 3 | | [📄](reviews/2025-03-offchain-sequencer-liveness-securityreview.pdf) | | [Offchain Custom Fee Bridge & EIP-7702](https://www.offchainlabs.com/) | Mar 2025 | 1 | | [📄](reviews/2025-03-offchain-custom-fee-erc20-bridge-securityreview.pdf) | | [Offchain Geth 14.4 Pectra](https://www.offchainlabs.com/) | Mar 2025 | 0.8 | | [📄](reviews/2025-03-offchain-geth-14.4-securityreview.pdf) | | [Offchain Custom Fee Exchange Rate](https://www.offchainlabs.com/) | Mar 2025 | 1 | | [📄](reviews/2025-03-offchain-custom-fee-token-exchange-rate-securityreview.pdf) | | [Offchain Security Council Rotation](https://www.offchainlabs.com/) | Mar 2025 | 1.6 | | [📄](reviews/2025-03-offchain-security-council-rotation-securityreview.pdf) | | [Offchain DisableGateway USDT](https://www.offchainlabs.com/) | Mar 2025 | 0.4 | | [📄](reviews/2025-03-offchain-disablegateway-action-securityreview.pdf) | | [Offchain BoLD Fixes](https://www.offchainlabs.com/) | Dec 2024 | 0.8 | | [📄](reviews/2024-12-offchain-boldfixes-securityreview.pdf) | | [Offchain Stylus Emergency Fixes](https://www.offchainlabs.com/) | Oct 2024 | 2 | | [📄](reviews/2024-10-offchain-stylus-emergency-fixes-securityreview.pdf) | | [Offchain BoLD History Commits](https://www.offchainlabs.com/) | Oct 2024 | 2 | | [📄](reviews/2024-10-offchain-bold-optimized-history-commit-securityreview.pdf) | | [Offchain Nitro with BoLD](https://www.offchainlabs.com/) | Oct 2024 | 2.6 | | [📄](reviews/2024-10-30-Offchain-NitroContractswithBoLD-securityreview.pdf) | | [Offchain Stylus](https://www.offchainlabs.com/) | Sep 2024 | 2 | | [📄✅](reviews/2024-09-offchain-stylus-securityreview.pdf) | | [Offchain RARI](https://www.offchainlabs.com/) | Aug 2024 | 0.6 | | [📄](reviews/2024-08-offchainlabs-register-and-set-arb-custom-gateway-action-governance-action-securityreview.pdf) | | [Offchain Office Hours Action](https://www.offchainlabs.com/) | Aug 2024 | 0.6 | | [📄](reviews/2024-08-offchainlabs-office-hours-governance-action-securityreview.pdf) | | [Offchain Timeboost Auction](https://www.offchainlabs.com/) | Aug 2024 | 3 | | [📄](reviews/2024-08-offchainlabs-timeboost-auction-contracts-securityreview.pdf) | | [Offchain Orbit Actions](https://www.offchainlabs.com/) | Aug 2024 | 1 | | [📄](reviews/2024-08-offchainlabs-orbit-actions-securityreview.pdf) | | [Offchain USDC Gateway](https://www.offchainlabs.com/) | Jul 2024 | 2 | | [📄](reviews/2024-08-offchainlabs-usdc-custom-gateway-securityreview.pdf) | | [Offchain BoLD & DAC Rewards](https://www.offchainlabs.com/) | Jun 2024 | 3 | | [📄](reviews/2024-06-offchain-labs-bold-dac-rewards-updates-securityreview.pdf) | | [Offchain Arbitrum Stylus](https://www.offchainlabs.com/) | May 2024 | 47 | | [📄](reviews/2024-05-offchain-arbitrumstylus-securityreview.pdf) | | [Offchain L1-L3 Teleporter](https://www.offchainlabs.com/) | Apr 2024 | 2 | | [📄](reviews/2024-04-offchain-l1-l3-teleporter-securityreview.pdf) | | [Offchain ArbOS 31](https://www.offchainlabs.com/) | Apr 2024 | 2 | | [📄](reviews/2024-04-offchain-arbos-31-securityreview.pdf) | | [Offchain ArbOS 30 Nitro](https://www.offchainlabs.com/) | Apr 2024 | 6 | | [📄](reviews/2024-04-offchain-arbos-30-nitro-upgrade-securityreview.pdf) | | [Offchain BoLD](https://www.offchainlabs.com/) | Apr 2024 | 5 | | [📄](reviews/2024-04-offchainbold-securityreview.pdf) | | [Offchain ArbOS](https://www.offchainlabs.com/) | Feb 2024 | 4 | | [📄](reviews/2024-02-offchainlabsarbos-securityreview.pdf) | | [Offchain Arbitrum](https://www.offchainlabs.com/) | Jan 2024 | 2 | | [📄](reviews/2024-01-offchainarbitrum-securityreview.pdf) | | [Offchain Token Bridge Creator](https://www.offchainlabs.com/) | Dec 2023 | 6 | | [📄](reviews/2023-12-offchain-labs-arbitrum-token-bridge-creator-securityreview.pdf) | | [Offchain Custom Fee Token](https://www.offchainlabs.com/) | Sep 2023 | 3 | | [📄](reviews/2023-09-offchain-labs-custom-fee-token-securityreview.pdf) | | [Offchain Arbitrum Challenge v2](https://www.offchainlabs.com/) | Aug 2023 | 20 | | [📄✅](reviews/2023-8-offchain-challenge-protocol-V2-securityreview.pdf) | #### Reserve Protocol | 产品 | 日期 | 投入
精力 | 公告 | 报告 | | --- | --: | :-: | --- | :-: | | [Reserve Protocol Solidity 4.0.0](https://reserve.org/) | Jun 2025 | 3.6 | | [📄✅](reviews/2025-06-reserveprotocol-solidity400-securityreview.pdf) | | [Reserve Protocol Solana DTFs](https://reserve.org/) | Apr 2025 | 2 | | [📄✅](reviews/2025-04-reserve-solana-dtfs-securityreview.pdf) | | [Reserve Folio Solidity-Based Contracts](https://reserve.org/) | Apr 2025 | 2 | | [📄✅](reviews/2025-04-reserve-folio-solidity-securityreview.pdf) | | [Reserve Protocol](https://reserve.org/) | Aug 2022 | 8 | | [📄](reviews/2022-08-reserve-protocol-securityreview.pdf), [✅](reviews/2022-08-reserve-protocol-fixreview.pdf) | | [Reserve Protocol](https://reserve.org/) | Mar 2019 | 1 | | [📄](reviews/Reserve_LOA.pdf) | #### Scroll | 产品 | 日期 | 投入
精力 | 公告 | 报告 | | --- | --: | :-: | --- | :-: | | [Scroll Feynman Upgrade Smart Contract Changes](https://scroll.io/) | Jul 2025 | 1 | | [📄](reviews/2025-07-scroll-feynmanupgradesmartcontractchanges-securityreview.pdf) | | [Scroll Euclid Phase 2](https://scroll.io) | Apr 2025 | 4 | [Scroll](https://gov.scroll.io/proposals/81939631158579841171219988954315753236293867421581097385921335841780903893992) | [📄✅](reviews/2025-04-scroll-euclid-phase2-securityreview.pdf)[🔖](reviews/2025-03-scroll-euclidphase2-loa.pdf) | | [Scroll Euclid Phase 1](https://scroll.io) | Apr 2025 | 3 | [](https://gov.scroll.io/proposals/81939631158579841171219988954315753236293867421581097385921335841780903893992) | [📄✅](reviews/2025-04-scroll-euclid-phase1-securityreview.pdf)[🔖](reviews/2025-03-scroll-euclidphase1-loa.pdf) | | [Scroll zstd Compression](https://scroll.io/) | Jun 2024 | 12 | | [📄✅](reviews/2024-06-scroll-zstd-compression-securityreview.pdf) | | [Scroll ZkEVM 4844 Blob](https://scroll.io/) | Apr 2024 | 6 | | [📄✅](reviews/2024-04-scroll-4844-blob-securityreview.pdf) | | [Scroll ZkEVM Wave 3](https://scroll.io/) | Sep 2023 | 9 | | [📄✅](reviews/2023-09-scroll-zkEVM-wave3-securityreview.pdf) | | [Scroll l2geth [diff] ](https://scroll.io/) | Aug 2023 | 2 | | [📄](reviews/2023-08-scrollL2geth-securityreview.pdf) | | [Scroll l2geth [initial]](https://scroll.io/) | Aug 2023 | 2 | | [📄](reviews/2023-08-scrollL2geth-initial-securityreview.pdf) | | [Scroll ZkEVM Wave 2](https://scroll.io/) | Aug 2023 | 6 | | [📄✅](reviews/2023-08-scroll-zkEVM-wave2-securityreview.pdf) | | [Scroll zkTrie](https://scroll.io/) | Jul 2023 | 4 | | [📄✅](reviews/2023-07-scroll-zktrie-securityreview.pdf) | | [Scroll ZkEVM Wave 1](https://scroll.io/) | Apr 2023 | 23 | | [📄✅](reviews/2023-04-scroll-zkEVM-wave1-securityreview.pdf) | #### Uniswap | 产品 | 日期 | 投入
精力 | 公告 | 报告 | | --- | --: | :-: | --- | :-: | | [Uniswap v4 Core](https://docs.uniswap.org/contracts/v4/concepts/intro-to-v4) | Jul 2024 | 6 | | [📄✅](reviews/2024-07-uniswap-v4-core-securityreview.pdf) | | [Uniswap Browser Extension](https://uniswap.org/) | Feb 2024 | 6 | | [📄✅](reviews/2024-02-uniswap-wallet-browserextension-securityreview.pdf) | | [Uniswap](https://uniswap.org/) | Sep 2023 | 4 | | [📄✅](reviews/2023-09-uniswap-wallet-securityreview.pdf) | | [Uniswap Mobile Wallet](https://freewallet.org/uni-wallet) | Aug 2022 | 4 | | [📄](reviews/UniswapMobileWallet-securityreview.pdf)[✅](reviews/UniswapMobileWallet-fixreview.pdf) | | [Uniswap V3 Staker](https://uniswap.org/blog/uniswap-v3/) | Jun 2021 | 2 | | | | [Uniswap V3](https://uniswap.org/) | Mar 2021 | 10 | [Uniswap](https://uniswap.org/blog/uniswap-v3/) | [📄](reviews/UniswapV3Core.pdf) | #### Western Digital | 产品 | 日期 | 投入
精力 | 公告 | 报告 | | --- | --: | :-: | --- | :-: | | [ArmorLock](https://www.westerndigital.com/) | Apr 2022 | 6 | | | | [Optimus ROM](https://www.westerndigital.com/) | Jan 2022 | 4 | | | | [Secure Transport](https://www.westerndigital.com/) | Apr 2020 | 4 | | | [Western Digital Sweet B](https://github.com/westerndigitalcorporation/sweet-b) | Jan 2020 | 4 | [Western Digital](https://www.westerndigital.com/company/newsroom/press-releases/2020/2020-09-03-western-digital-sets-a-new-standard-in-data-protection) | [📄](reviews/SweetB.pdf) | | [SanDisk X600](https://www.westerndigital.com/) | May 2019 | 6 | [Multiple vulnerabilities in SanDisk X600](https://www.westerndigital.com/support/productsecurity/wdc-19006-sandisk-x600-sata-ssd) | [📄](reviews/sandiskx600.pdf) | ### AI/ML 审计 | 产品 | 日期 | 投入
精力 | 公告 | 报告 | | ---| --: | :-: | --- | :-: | | [YOLOv7](https://github.com/WongKinYiu/yolov7/) | Oct 2023 | 4 | | [📄](reviews/2023-10-yolov7-securityreview.pdf) | | [SafeTensors](https://github.com/huggingface/safetensors) | Mar 2023 | 2 | | [📄](reviews/2023-03-eleutherai-huggingface-safetensors-securityreview.pdf) | ### 密码学审计 | 产品 | 日期 | 投入
精力 | 公告 | 报告 | | ---| --: | :-: | --- | :-: | | [Anza Token-2022 Confidential Transfer, Cryptography](https://www.anza.xyz/) | Jan 2026 | 7 | | [📄](reviews/2026-01-anza-token-2022-confidential-transfer-cryptography-securityreview.pdf.pdf) | | [Calyx Institute HSM Provisioning Ceremony Scripts](https://calyxos.org/) | Jan 2026 | 1 | | [📄✅](reviews/2026-01-calyx-hsm-provisioning-ceremony-scripts-securityreview.pdf) | | [BSV Blockchain TS-SDK](https://bsvassociation.org/) | Jan 2026 | 6 | | [📄✅](reviews/2026-01-bsv-association-ts-sdk-securityreview.pdf) | | [Bron Labs MCP Library](https://bron.org/) | Jan 2026 | 8 | | [📄✅](reviews/2026-01-bron-mcp-securityreview.pdf) | | [NEAR One Confidential Key Derivation](https://docs.near.org/chain-abstraction/chain-signatures) | Dec 2025 | 4 | | [📄✅](reviews/2025-12-near-one-confidential-key-derivation-securityreview.pdf) | | [Zama](https://docs.zama.org/protocol/zama-protocol-litepaper) | Oct 2025 | 32.2 | | | | [DFINITY Orbit](https://dfinity.org/) | Sep 2025 | 4 | | [📄✅](reviews/2025-09-dfinity-orbit-securityreview.pdf) | | [DFINITY Oisy](https://oisy.com/) | Sep 2025 | 4 | | [📄✅](reviews/2025-09-dfinity-oisy-securityreview.pdf) | | [Google Longfellow](https://github.com/google/longfellow-zk) | Aug 2025 | 4.6 | | [📄✅](reviews/2025-08-googlelongfellow-securityreview.pdf) | | [Open Quantum Safe liboqs](https://openquantumsafe.org/) | Apr 2025 | 5 | [Open Quantum Safe](https://openquantumsafe.org/liboqs/security.html) | [📄](reviews/2025-04-quantum-open-safe-liboqs-securityreview.pdf) | | [Go Crypto Libraries](https://go.dev) | Mar 2025 | 12 | [Go](https://go.dev/blog/tob-crypto-audit) | [📄✅](reviews/2025-03-google-gocryptographiclibraries-securityreview.pdf) | | [Zkonduit EZKL](https://github.com/zkonduit/ezkl) | Mar 2025 | 11 | [EZKL](https://blog.ezkl.xyz/post/audit/) | [📄✅](reviews/2025-03-zkonduit-ezkl-securityreview.pdf) | | [Scopely Monopoly Go!](https://www.monopolygo.com) | Dec 2024 | 2 | | [🔖](reviews/2025-01-scopely-monopolygo-letterofattestation.pdf) | | [Aligned](https://www.alignedlayer.com/) | Dec 2024 | 3 | | [📄✅](reviews/2024-12-alignedlayer-aligned-securityreview.pdf) | | [Discord DAVE](https://discord.com/) | Sep 2024 | 5 | [Discord](https://discord.com/blog/meet-dave-e2ee-for-audio-video) | [📄✅](reviews/2024-09-discord-dave-protocol-codereview.pdf) | | [Discord DAVE](https://discord.com/) | Aug 2024 | 4 | [Discord](https://discord.com/blog/meet-dave-e2ee-for-audio-video) | [📄✅](reviews/2024-08-discord-dave-protocol-designreview.pdf) | | [Lit Protocol Cait-Sith](https://www.litprotocol.com/) | Jun 2024 | 10 | | [📄✅](reviews/2024-06-lit-protocol-cait-sith-securityreview.pdf) | | [Iron Fish FishHash](https://ironfish.network/) | Apr 2024 | 1 | [Iron Fish](https://ironfish.network/learn/blog/2024-05-14-fish-hash-audit) | [📄✅](reviews/2024-04-ironfish-fishhash-securityreview.pdf) | | [Silence Laboratories Silent Shard](https://www.silencelaboratories.com) | Feb 2024 | 5 | | [📄✅](reviews/2024-02-silencelaboratories-silentshard-securityreview.pdf) | | [Snow](https://github.com/mcginty/snow) | Jan 2024 | 4 | | [📄✅](reviews/2024-01-agilebits-snow-securityreview.pdf) | | [Ockam](https://docs.ockam.io) | Nov 2023 | 11 | [Trail of Bits](https://blog.trailofbits.com/2024/03/05/cryptographic-design-review-of-ockam/) | [📄](reviews/2023-11-ockam-designreview.pdf) | | [Dfinity Candid](https://dfinity.org/) | Nov 2023 | 3 | | [📄✅](reviews/2023-11-dfinity-candid-securityreview.pdf) | | [Axiom Halo2 Library Upgrades](https://www.axiom.xyz/) | Oct 2023 | 6 | [Axiom](https://docs.axiom.xyz/docs/transparency-and-security/security) | [📄✅](reviews/2023-10-axiom-halo2libraryupgrades-securityreview.pdf) | | [Aleo snarkVM, snarkOS, BullsharkBFT](https://aleo.org/) | Oct 2023 | 18 | [Aleo](https://aleo.org/post/aleo-completes-security-audits-of-snarkos-and-snarkvm/) | [📄✅](reviews/2023-10-aleo-securityreview.pdf) | | [Axiom Halo2 Libraries](https://www.axiom.xyz/) | Jun 2023 | 14 | [Axiom](https://docs.axiom.xyz/docs/transparency-and-security/security) | [📄✅](reviews/2023-06-axiom-halo2libraries-securityreview.pdf) | | [Dfinity ckBTC and BTC Integration](https://dfinity.org/) | Jun 2023 | 2.5 | [Forum](https://forum.dfinity.org/t/ckbtc-and-service-nervous-system-sns-third-party-security-assessments-by-trail-of-bits/24380), [Blog](https://medium.com/dfinity/taking-security-seriously-two-top-icp-features-assessed-by-trail-of-bits-4a0023ab1e68) | | | [Dfinity SNS Phase 2](https://dfinity.org/) | Jun 2023 | 2.5 | [Forum](https://forum.dfinity.org/t/ckbtc-and-service-nervous-system-sns-third-party-security-assessments-by-trail-of-bits/24380), [Blog](https://medium.com/dfinity/taking-security-seriously-two-top-icp-features-assessed-by-trail-of-bits-4a0023ab1e68) | [📄](reviews/2023-06-dfinity-sns-securityreview.pdf) | | [Thesis tss-lib BitForge](https://threshold.network/) | Jun 2023 | 0.2 | [Threshold](https://blog.threshold.network/bitforge-and-tsshock/) | [📄✅](reviews/2023-06-thesistsslib-securityreview.pdf) | | [Chainflip](https://chainflip.io/) | Apr 2023 | 12 | [Chainflip](https://blog.chainflip.io/trail-of-bits-security-audit/) | [📄✅](reviews/2023-04-chainflip-securityreview.pdf) | | [Stealth Addresses](https://gist.github.com/shea256/e4a8dccd1e83fa801c7328a0af611798) | Feb 2023 | 2 | | [📄✅](reviews/2023-02-ryanshea-practicalstealthaddresses-securityreview.pdf) | | [Succinct ZK Light Client](https://www.succinct.xyz/) | Feb 2023 | 8 | [Succinct](https://blog.succinct.xyz/blog/telepathy) | [📄✅](reviews/2023-02-succinct-securityreview.pdf) | | [noble-curves Library](https://github.com/paulmillr/noble-curves) | Jan 2023 | 2 | | [📄✅](reviews/2023-01-ryanshea-noblecurveslibrary-securityreview.pdf) | | [ParaSpace](https://para.space/) | Dec 2022 | 1 | | [📄](reviews/ParallelFinance3.pdf) | | [Phantom Wallet](https://phantom.app/) | Nov 2022 | 2 | | | | [ParaSpace](https://para.space/) | Nov 2022 | 7 | | [📄](reviews/ParallelFinance2.pdf)[✅](reviews/ParallelFinance2FixReview.pdf) | | [SimpleX Chat](https://simplex.chat/) | Oct 2022 | 1 | [SimpleX](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) | [📄](reviews/SimpleXChat.pdf) | | [Dfinity](https://dfinity.org/) | Sep 2022 | 4 | [Forum](https://forum.dfinity.org/t/ckbtc-and-service-nervous-system-sns-third-party-security-assessments-by-trail-of-bits/24380), [Blog](https://medium.com/dfinity/taking-security-seriously-two-top-icp-features-assessed-by-trail-of-bits-4a0023ab1e68) | [📄✅](reviews/2022-09-dfinity-sns-securityreview.pdf) | | [Aleo snarkVM](https://www.aleo.org/) | Sep 2022 | 12 | | [📄✅](reviews/2022-09-aleosystems-snarkvm-securityreview.pdf) | | [Microsoft/Verasion Go-COSE](https://github.com/veraison) | Jul 2022 | 4 | | [📄✅](reviews/2022-07-microsoft-go-cose-securityreview.pdf) | | [BLS Signature Scheme](https://www.binance.com/) | Jul 2022 | 1 | | | | [Binance CGGMP21 and FROST](https://www.binance.com/) | May 2022 | 8 | | | | [Aleo snarkVM & snarkOS](https://www.aleo.org/) | Apr 2022 | 12 | | | | [Phantom Wallet](https://phantom.app/) | Apr 2022 | 4 | | | | [Parallel Finance](https://parallel.fi/) | Mar 2022 | 6 | | [📄](reviews/ParallelFinance.pdf) | | [Polkadex](https://www.polkadex.trade/) | Feb 2022 | 10 | | | | [Linux Kernel](https://kernelci.org/about/) | Apr 2021 | 2 | [Release Signing and Management](https://ostif.org/a-review-of-the-linux-kernels-release-signing-and-key-management-policies/) | [📄](reviews/LinuxKernelReleaseSigning.pdf) | | [Standard Notes](https://standardnotes.com/) | Mar 2020 | 1 | [Standard Notes](https://standardnotes.com/blog/standard-notes-security-audits-2021) | [📄](reviews/StandardNotes.pdf) | | [Project Callisto](https://www.projectcallisto.org/) | Aug 2018 | 5 | | | ### 技术产品审计 | 产品 | 日期 | 投入
精力 | 公告 | 报告 | | --- | --: | :-: | --- | :-: | | [X XChat](https://x.com/) | Oct 2025 | 4 | |📄✅](reviews/2025-10-x-xchat-securityreview.pdf) | | [Edera Runtime Container](https://edera.dev/) | Oct 2025 | 4 | | [📄](reviews/2025-11-edera-container-runtime-securityreview.pdf) | | [Meta WhatsApp Private Processing](https://www.meta.com/whatsapp/) | Aug 2025 | 12 | | [📄✅](reviews/2025-08-meta-whatsapp-privateprocessing-securityreview.pdf) | | [Discord E2EE WebAssembly](https://discord.com/) | Jun 2025 | 3 | | [📄](reviews/2025-06-discord-e2eewebassembly-securityreview.pdf) | | [NATS Server](https://nats.io/) | Feb 2025 | 6 | | [📄✅](reviews/2025-04-ostif-nats-securityreview.pdf) | | [Istio Ztunnel](https://istio.io/) | Dec 2024 | 2 | [OSTIF](https://ostif.org/istio-ztunnel-audit-complete/), [Istio](https://istio.io/latest/blog/2025/ztunnel-security-assessment/) | [📄✅](/reviews/2024-12-istio-ztunnel-securityreview.pdf) | | [RubyGems.org](https://www.rubygems.org) | Dec 2024 | 5 | | [📄](reviews/2024-12-rubycentral-rubygemsorg-securityreview.pdf) | | [Kraken Wallet In-App Browser](https://www.kraken.com/wallet) | Nov 2024 | 4 | | [📄✅](reviews/2024-11-kraken-wallet-in-app-browser-securityreview.pdf) | | [Kraken Wallet iCloud Backup](https://www.kraken.com/wallet) | Sep 2024 | 2 | | [📄✅](reviews/2024-09-kraken-mobile-wallet-icloud-backup-securityreview.pdf) | | [Hugging Face Gradio](https://huggingface.co/gradio) | Jul 2024 | 4 | [Hugging Face](https://huggingface.co/blog/gradio-5-security), [Trail of Bits](https://blog.trailofbits.com/2024/10/10/auditing-gradio-5-hugging-faces-ml-gui-framework/) | [📄✅](reviews/2024-10-huggingface-gradio-securityreview.pdf) | | [Zoo KittyCAD](https://zoo.dev/) | Jun 2024 | 4.6 | | [📄✅](reviews/2024-06-zoo-kittycad-securityreview.pdf) | | [Polygon Labs Iden3 Circuits](https://polygon.technology/) | May 2024 | 2 | | [📄✅](reviews/2024-05-polygonlabs-iden3circuits-securityreview.pdf) | | [Kraken Mobile Wallet](https://www.kraken.com/wallet) | Jan 2024 | 7 | [Kraken](https://blog.kraken.com/product/kraken-wallet/kraken-wallet-security)| [📄✅](reviews/2024-1-kraken-mobile-wallet-securityreview.pdf) | | [Eclipse Temurin](https://adoptium.net/temurin/) | Dec 2023 | 4 | [Response](https://adoptium.net/pdf/temurin-audit-response.pdf), [OSTIF](https://ostif.org/temurin-audit-complete/), [Eclipse Foundation](https://adoptium.net/blog/2024/06/external_audit) | [📄✅](reviews/2023-12-eclipse-temurin-securityreview.pdf) | | [Arch Linux Pacman](https://archlinux.org/pacman/) | Dec 2023 | 2 | [OTF](https://www.opentech.fund/security-safety-audits/arch-linuxs-pacman-package-manager-security-audit/) | [📄✅](reviews/2023-12-pacman-securityreview.pdf) | | [cURL HTTP3](https://curl.se/) | Dec 2023 | 4 | [OSTIF](https://ostif.org/curl-audit-complete/), [Daniel Stenberg](https://daniel.haxx.se/blog/2024/02/23/curl-http-3-security-audit/) | [📄](reviews/2023-12-curl-http3-securityreview.pdf) | | [Lisk SDK 6.1 modules](https://lisk.com/) | Sep 2023 | 4 | | [📄✅](reviews/2023-09-lisksdk-securityreview.pdf) | | [OpenSSL](https://www.openssl.org/) | Sep 2023 | 9 | [OSTIF](https://ostif.org/openssl-audit-complete/), [OpenSSL](https://www.openssl.org/blog/blog/2024/05/02/ostif/) | [📄✅](reviews/2023-09-openssl-securityreview.pdf) | | [PyPI Warehouse](https://warehouse.pypa.io/) | Sep 2023 | 10 | [PyPI](https://blog.pypi.org/posts/2023-11-14-1-pypi-completes-first-security-audit/), [Trail of Bits](https://blog.trailofbits.com/2023/11/14/our-audit-of-pypi/) | [📄✅](reviews/2023-09-pypi-warehouse-securityreview.pdf) | | [wasmCloud](https://wasmcloud.com/) | Sep 2023 | 6 | | [📄✅](reviews/2023-09-wasmCloud-securityreview.pdf) | | [Worldcoin](https://worldcoin.org/) | Aug 2023 | 6 | | [📄✅](reviews/2023-08-worldcoin-orb-securityreview.pdf) | | [Homebrew](https://brew.sh) | Aug 2023 | 6 | | [📄](reviews/2023-08-28-homebrew-securityreview.pdf) | | [DigitalOcean OIDC](https://www.digitalocean.com/) | Aug 2023 | 4 | | [📄](reviews/2023-08-digitalocean-oidc-securityreview.pdf) | | [Flux | [Firefly](https://dtrade.org/) | 2022年4月 | 4 | | | | [Maple Finance](https://www.maple.finance/) | 2022年3月 | 1 | | [📄✅](reviews/2022-03-maplefinance-securityreview.pdf) | | [Gyroscope](https://gyro.finance/) | 2022年3月 | 6 | | | | [LooksRare](https://looksrare.org/) | 2022年3月 | 4 | | [📄](reviews/LooksRare.pdf) | | [Symbiosis](https://symbiosis.finance/) | 2022年3月 | 2 | | | | [RAILWAY](https://righttoprivacy.foundation/) | 2022年2月 | 4 | | | | [Persistence ETH2.0](https://persistence.one/) | 2022年2月 | 4 | | | | [Advanced Blockchain](https://www.advancedblockchain.com/) | 2022年2月 | 6 | | [📄](reviews/AdvancedBlockchainQ12022.pdf) | | [Perpetual Protocol V2](https://perp.com/) | 2022年2月 | 4 | | [📄](reviews/PerpetualProtocolV2.pdf) | | [Futureswap V4.1](https://www.futureswap.com/) | 2022年2月 | 4 | | | | [Firefly](https://dtrade.org/) | 2022年2月 | 8 | | | | [API3](https://api3.org/) | 2022年2月 | 8 | | [📄](reviews/API3.pdf) | | [Beethoven X](https://beets.fi/) | 2022年2月 | 1 | | [📄](reviews/BeethovenXSummary.pdf) | | [Minterest Finance](https://minterest.com/) | 2022年1月 | 6 | | | | [pSTAKE](https://persistence.one/) | 2022年1月 | 6 | | | | [Primitive](https://primitive.finance/) | 2022年1月 | 8 | [Primitive](https://twitter.com/PrimitiveFi/status/1518665248756051968) | [📄](reviews/Primitive.pdf) | | [Strips Finance](https://strips.finance/) | 2022年1月 | 8 | | | | [Cardstack](https://cardstack.com/) | 2021年12月 | 4 | | | | [Sherlock Protocol V2](https://www.sherlock.xyz/) | 2021年12月 | 4 | | [📄](reviews/Sherlockv2.pdf) | | [Maple](https://www.maple.finance/) | 2021年11月 | 4 | [Maple](https://github.com/maple-labs/loan#audit-reports) | [📄](reviews/MapleFinance.pdf) | | [Advanced Blockchain](https://www.advancedblockchain.com/) | 2021年11月 | 6 | | [📄](reviews/AdvancedBlockchainQ42021.pdf) | | [Opyn](https://www.opyn.co/) | 2021年11月 | 6 | | [📄](reviews/Opyn.pdf) | | [Aave V3](https://aave.com/) | 2021年11月 | 12 | | [📄✅](reviews/2021-11-aave-v3-securityreview.pdf) | | [Tokemak](https://www.tokemak.xyz/) | 2021年10月 | 3 | | | | [Fuji Finance](https://app.fujidao.org/#/) | 2021年10月 | 6 | | [📄](reviews/FujiProtocol.pdf) | | [V2 Vault](https://www.riskharbor.com/) | 2021年10月 | 4 | | | | [Yield V2](https://yield.is/) | 2021年9月 | 6 | | [📄](reviews/YieldV2.pdf) | | [Gro protocol](https://www.gro.xyz/) | 2021年9月 | 2 | | | | [Futureswap V4](https://www.futureswap.com/) | 2021年9月 | 6 | | | | [RocketPool](https://rocketpool.net/) | 2021年8月 | 5 | | [📄](reviews/RocketPool.pdf) | | [AlphaX](https://alphafinance.io/) | 2021年8月 | 6 | | | | [Bug Bounty Platform](https://solidified.io/) | 2021年8月 | 8 | | | | [88mph V3](https://88mph.app/) | 2021年8月 | 6 | | [📄](reviews/88mph.pdf) | | [Timeswap](https://timeswap.io/) | 2021年7月 | 2 | | | | [CompliFi](https://compli.fi/) | 2021年7月 | 6 | | [📄](reviews/CompliFi.pdf) | | [Optics](https://celo.org/) | 2021年7月 | 2 | | | | [FlareFinance](https://flr.finance/) | 2021年6月 | 4 | | | | [Abyss Lockup](https://www.allnodes.com/) | 2021年6月 | 2 | | | | [Futureswap V3](https://www.futureswap.com/) | 2021年6月 | 6 | | | | [CompliFi](https://compli.fi/) | 2021年6月 | 6 | | | | [Syndicate](https://www.syndicateprotocol.org/) | 2021年5月 | 4 | | | | [Opyn Gamma](https://www.opyn.co/) | 2021年5月 | 6 | | [📄](reviews/Opyn-Gamma-Protocol.pdf) | | [Yearn v2 Vaults](https://yearn.finance/) | 2021年4月 | 6 | | [📄](reviews/YearnV2Vaults.pdf) | | [Balancer v2](https://balancer.fi/) | 2021年4月 | 4 | | [📄](reviews/2021-04-balancer-balancerv2-securityreview.pdf) | | [DFX Finance](https://dfx.finance/) | 2021年4月 | 6 | | | | [Tokemak](https://www.tokemak.xyz/) | 2021年4月 | 1 | | | | [Warp Contracts](https://en.advancedblockchain.com/) | 2021年4月 | 6 |[Composable](https://composablefi.medium.com/composable-announces-the-completion-of-trail-of-bits-audit-c46bd84333de) | [📄](reviews/AdvancedBlockchain.pdf) | | [FlareFinance](https://flr.finance/) | 2021年4月 | 3 | | | | [MC Dai](https://makerdao.com) | 2021年3月 | 6 | | | | [dForce Lending](https://dforce.network/) | 2021年3月 | 6 | | | | [Liquity Proxy Contract](https://www.liquity.org/) | 2021年2月 | 0.57 | | [📄](reviews/LiquityProxyContracts.pdf) | | [Liquity Protocol](https://www.liquity.org/) | 2021年2月 | 8 | | [📄](reviews/LiquityProtocolandStabilityPoolFinalReport.pdf)| | [RAY-DAO](https://staked.us/) | 2021年2月 | 4 | | | | [Futureswap](https://www.futureswap.com/) | 2021年1月 | 2 | | | | [Balancer V2](https://balancer.finance/) | 2021年1月 | 6 | | | | [C.R.E.A.M.](https://app.cream.finance/) | 2021年1月 | 1 | | [📄](reviews/CREAMSummary.pdf) | | [LUSD](https://www.liquity.org/) | 2020年12月 | 8 | | [📄](reviews/Liquity.pdf) | | [Origin Dollar](https://www.ousd.com/) | 2020年11月 | 4 | [Origin Protocol](https://medium.com/originprotocol/origin-dollar-ousd-relaunches-to-offer-hassle-free-defi-returns-b8ee0c601dad) | [📄](reviews/OriginDollar.pdf) | | [Zerion SDK](https://zerion.io/) | 2020年11月 | 4 | | | | [Teller Protocol](https://www.teller.finance/) | 2020年11月 | 4 | | | | [Hermez](https://iden3.io/) | 2020年11月 | 4 | [Hermez](https://blog.hermez.io/hermez-second-audit-by-trail-of-bits/) | [📄](reviews/hermez.pdf) | | [Graph Protocol](https://thegraph.com/) | 2020年10月 | 3 | | | | [OVM](https://optimism.io/) | 2020年10月 | 6 | | | | [Prysm](https://prysmaticlabs.com/) | 2020年9月 | 6 | | | | [DODO](https://dodoex.io/) | 2020年9月 | 3 | | [📄](reviews/dodo.pdf) | | [Yield Protocol](https://yield.is/Yield.pdf) | 2020年8月 | 6 | | [📄](reviews/YieldProtocol.pdf) | | [Smart Pool](https://balancer.finance/) | 2020年8月 | 1 | | | | [DeFiner](https://definer.org/) | 2020年8月 | 1 | | | | [ETH2.0 Deposit CLI](https://ethereum.org/en/) | 2020年8月 | 4 | | [📄](reviews/ETH2DepositCLI.pdf)| | [CurveDAO](https://dao.curve.fi/) | 2020年7月 | 6 | | [📄](reviews/CurveDAO.pdf) | | [Amp](https://amptoken.org/) | 2020年7月 | 3 | | [📄](reviews/amp.pdf) | | [Federated Bridge](https://www.rsk.co/) | 2020年7月 | 1 | | | | [dForce dToken](https://dforce.network/) | 2020年7月 | 2 | | [📄](reviews/dtoken.pdf) | | [Matic](https://matic.network/) | 2020年6月 | 4 | | | | [Lighthouse](https://lighthouse.sigmaprime.io/) | 2020年6月 | 4 | | | | [tBTC](https://thesis.co/) | 2020年5月 | 6 | | [📄](reviews/thesis-summary.pdf) | | [QTUM](https://qtum.org/en) | 2020年4月 | 0.43 | | [📄](reviews/qtum_loa.pdf) | | [Hegic](https://www.hegic.co/) | 2020年4月 | 0.43 | | [📄](reviews/hegic-summary.pdf) | | [Golem Network](https://golem.network/) | 2020年3月 | 2 | | | | [Reddit](https://www.reddit.com/community-points/) | 2020年3月 | 1 | [A New Frontier](https://www.reddit.com/community-points/) | | | [Chai](https://chai.money/) | 2020年2月 | 0.28 | | [📄](reviews/chai-loa.pdf) | | [Compound](https://compound.finance/) | 2020年2月 | 2 | | [📄](reviews/compound-governance.pdf) | | [WorkLock](https://www.nucypher.com/) | 2020年1月 | 2 | [NuCypher](https://blog.nucypher.com/worklock-security-audit/) | [📄](reviews/WorkLock-Summary.pdf) | | [Balancer](https://balancer.finance/) | 2020年1月 | 4 | | [📄](reviews/BalancerCore.pdf) | | [Curve.fi](https://compound.curve.fi/) | 2020年1月 | 1 | | [📄](reviews/curve-summary.pdf) | | [Livepeer](https://livepeer.org/) | 2019年10月 | 3 | | | | [Topo Finance](https://topo.finance/) | 2019年10月 | 4 | | | | [0x Protocol](https://0x.org/) | 2019年10月 | 10 | | [📄](reviews/0x-protocol.pdf) | | [Flexa](https://flexa.network/) | 2019年9月 | 2 | [Flexa](https://medium.com/flexa/announcing-flexa-capacity-35c62ade9522) | [📄](reviews/Flexa.pdf) | | [AZTEC Protocol](https://www.aztecprotocol.com/) | 2019年9月 | 10 | | [📄](reviews/aztec.pdf) | | [Oasis Labs](https://www.oasislabs.com/) | 2019年9月 | 13 | | | | [Aave Protocol](https://aave.com/) | 2019年9月 | 4 | | [📄](reviews/aaveprotocol.pdf) | | [MC Daihttps://makerdao.com) | 2019年8月 | 13 | [MakerDAO](https://blog.makerdao.com/mcd-security-roadmap-update-october-2019/) | [📄](reviews/mc-dai.pdf) | | [Staked](https://staked.us/) | 2019年8月 | 4 | | | | [Compound](https://compound.finance/) | 2019年8月 | 2 | | [📄](reviews/compound-3.pdf) | | [Computable](https://www.computable.io/) | 2019年7月 | 8 | [Computable](https://medium.com/computable-blog/computable-contract-audit-771e3d39ea7) | [📄](reviews/computable.pdf) | | [Numerai](https://numer.ai/homepage) | 2019年5月 | 3 | [Numerai](https://medium.com/numerai/nmr2point0-66a45a9a5e70) | [📄](reviews/numerai.pdf) | | [MerkleX](https://merklex.io/) | 2019年5月 | 4 | | | | [TokenCard](https://tokencard.io/) | 2019年5月 | 5 | | [📄](reviews/TokenCard.pdf) | | Unity Coin | 2019年4月 | 1 | | | | [Compound](https://compound.finance/) | 2019年4月 | 8 | [Compound](https://medium.com/compound-finance/compound-v2-is-live-157db0b7cfc8) | [📄](reviews/compound-2.pdf) | | [Ocean Protocol](https://oceanprotocol.com/) | 2019年3月 | 4 | [Ocean Protocol](https://blog.oceanprotocol.com/one-protocol-one-network-many-stakeholders-8be11a020cff) | | | [UMA Project](https://umaproject.org/) | 2019年3月 | 3 | | | | [Centrifuge](https://centrifuge.io/) | 2019年3月 | 5 | | | | [Nomisma](http://nomisma.org/) | 2019年3月 | 1 | | | | [Set Protocol](https://www.setprotocol.com/) | 2019年3月 | 5 | [Set Protocol](https://medium.com/set-protocol/the-road-to-mainnet-ab4877b73066) | [📄](reviews/setprotocol.pdf) | | [NuCypher](https://www.nucypher.com/) | 2019年2月 | 4 | [NuCypher](https://blog.nucypher.com/security-audits-round-2/) | [📄](reviews/nucypher-2.pdf) | | [AMP StableWire](https://amp.credit/) | 2019年1月 | 1 | | | | [EIP-1283](https://github.com/ethereum/EIPs/pull/1283) | 2019年1月 | 1 | [ChainSecurity](https://medium.com/chainsecurity/constantinople-security-update-3d02017747f2) | [📄](reviews/EIP-1283.pdf) | | [Ampleforth](https://www.ampleforth.org/) | 2018年11月 | 4 | [Ampleforth](https://medium.com/ampleforth/source-code-and-security-audits-with-trail-of-bits-2b1ad4a09a31) | [📄](reviews/ampleforth.pdf) | | [Origin Protocol](https://www.originprotocol.com/en) | 2018年11月 | 4 | [Origin Protocol](https://medium.com/originprotocol/the-results-of-our-smart-contract-audit-with-trail-of-bits-and-how-we-approach-security-at-origin-175cc1646d71) | [📄](reviews/origin.pdf) | | [Paxos Standard](https://www.paxos.com/standard/) | 2018年10月 | 4 | | [📄](reviews/paxos.pdf) | | [Basecoin](https://www.basis.io/) | 2018年10月 | 12 | | [📄](reviews/basis.pdf) | | [Pantheon](https://pegasys.tech/) | 2018年10月 | 8 | [PegaSys](https://pegasys.tech/what-we-learned-from-auditing-our-ethereum-client/) | [📄](reviews/pantheon.pdf) | | [Compound](https://compound.finance/) | 2018年9月 | 12 | [Compound](https://medium.com/compound-finance/compound-launches-money-markets-for-ethereum-assets-f50920f04488) | | | [NuCypher](https://www.nucypher.com/) | 2018年8月 | 12 | [NuCypher](https://blog.nucypher.com/security-audits--round-1--3/) | [📄](reviews/nucypher.pdf) | | [CENTRE](https://www.centre.io/) | 2018年7月 | 4 | [CENTRE](https://medium.com/centre-blog/designing-an-upgradeable-ethereum-contract-3d850f637794) | | [Bloom](https://bloom.co/) | 2018年7月 | 1 | [Bloom](https://blog.hellobloom.io/bloom-development-update-mainnet-launch-blockchain-ux-improvements-open-source-developer-c8ddc194fe83) | | [Gemini Dollar](https://gemini.com/dollar/) | 2018年6月 | 8 | [Gemini](https://medium.com/gemini/stablecoins-understanding-counterparty-risk-241d55f0b392) | [📄](reviews/gemini-dollar.pdf) | | [Dharma](https://dharma.io/) | 2018年5月 | 1 | [Dharma](https://blog.dharma.io/dharma-protocol-v1-is-live-on-mainnet-95f8ef770c2c) | | | [Golem](https://golem.network/) | 2018年4月 | 4 | [Golem](https://medium.com/golem-project/smart-contracts-audit-report-ad41fdd5085b) | [📄](reviews/golem.pdf) | | [LivePeer](https://livepeer.org/) | 2018年3月 | 4 | [Livepeer](https://medium.com/livepeer-blog/livepeer-smart-contract-security-audit-1-results-631c4d7d98a4) | [📄](reviews/livepeer.pdf) | | [DappHub](https://dapphub.com/) | 2017年12月 | 8 | | [📄](reviews/dapphub.pdf) | | [MakerDAO Sai](https://makerdao.com/en/) | 2017年10月 | 8 | [MakerDAO](https://medium.com/makerdao/single-collateral-dai-source-code-and-security-reviews-523e1a01a3c8) | [📄](reviews/sai.pdf) | | [Omega One](https://dark.omega.one/) | 2017年8月 | 6 | | | #### NervOS | 产品 | 日期 | 工作量
级别 | 公告 | 报告 | | ---| --: | :-: | --- | :-: | | [xUDT](https://www.nervos.org/) | 2021年6月 | 2 | | | | [Nervos -RSA](https://www.nervos.org/) | 2021年3月 | 4 | | | | [Cheque Cell & ORU](https://www.nervos.org/) | 2021年2月 | 8 | | | | [Force Bridge - Solidity](https://www.nervos.org/) | 2021年2月 | 4 | | | | [Force Bridge - Rust](https://www.nervos.org/) | 2021年2月 | 3 | | | | [Nervos SUDT](https://www.nervos.org/) | 2020年10月 | 6 | | [📄](reviews/NervosSUDT.pdf) | #### Starknet | 产品 | 日期 | 工作量
级别 | 公告 | 报告 | | ---| --: | :-: | --- | :-: | | [Opus](https://lindylabs.net/opus) | 2023年12月 | 8 | | [📄✅](reviews/2023-12-opus-contracts-securityreview.pdf) | | [Aura](https://lindylabs.net) | 2023年8月 | 8 | | [📄✅](reviews/2023-08-aura-securityreview.pdf) | | [Nostra](https://docs.tempus.finance/products/nostra) | 2022年12月 | 8 | | | | [StarkGate](https://starkgate.starknet.io/) | 2022年12月 | 2 | | | | [StarkEx](https://starkware.co/starkex/) | 2022年10月 | 1 | | | | [StarkNet token](https://starkware.co/starknet/) | 2022年7月 | 1 | | | | [StarkPerpetual](https://docs.starkware.co/starkex-v4/starkex-deep-dive/message-encodings/in-perpetual) | 2022年1月 | 8 | | | | [StarkEx](https://starkware.co/starkex/) | 2021年11月 | 8 | | | #### Solana | 产品 | 日期 | 工作量
级别 | 公告 | 报告 | | ---| --: | :-: | --- | :-: | | [Anza Token-2022 Confidential Transfer, Blockchain](https://www.anza.xyz/) | 2026年1月 | 3 | | [📄](reviews/2026-01-anza-token-2022-confidential-transfer-blockchain-securityreview.pdf) | | [Franklin Templeton Benji Contracts](https://www.franklintempleton.com/about-us/our-teams/specialist-investment-managers/digital-assets/digital-assets-technology) | 2025年2月 | 2 | | [📄✅](reviews/2025-02-franklintempleton-benjicontracts-securityreview.pdf) | | [ZetaChain Solana Gateway](https://www.zetachain.com/) | 2025年1月 | 1 | | [📄✅](reviews/2025-01-zetachain-solana-gateway-security-review.pdf) | | [Solang Code Generation](https://solana.com/) | 2023年11月 | 4 | | [📄](reviews/2023-11-solana-solang-code-generation-securityreview.pdf) | | [Solang Code Generation, Part 1](https://solana.com/) | 2023年11月 | 2 | | [📄](reviews/2023-11-solana-solang-code-generation-part-1-securityreview.pdf) | | [Squads V4](https://squads.so/) | 2023年10月 | 2 | [Squads](https://x.com/SquadsProtocol/status/1725548225804005464?s=20) | [📄✅](reviews/2023-10-squadsv4-securityreview.pdf) | | [Solang Parser and Semantic Analysis](https://solana.com/) | 2023年9月 | 2 | | [📄](reviews/2023-09-solana-solang-parser-semantic-analysis-securityreview.pdf) | | [Solang Solana Library](https://solana.com/) | 2023年7月 | 1 | | [📄](reviews/2023-07-solana-solang-library-securityreview.pdf) | | [Token-2022 Program](https://spl.solana.com/token-2022) | 2023年2月 | 1 | | [📄✅](reviews/2023-02-solana-token-2022-program-securityreview.pdf) | | [Drift Protocol](https://www.drift.trade/) | 2022年12月 | 6 | [Drift](https://twitter.com/driftprotocol/status/1635630624978640899?s=46&t=f8ijViICJAoKBBoQUh58Og) | [📄✅](reviews/2022-12-driftlabs-driftprotocol-securityreview.pdf) | | [Solana](https://solana.com/) | 2022年4月 | 12 | | | #### Substrate | 产品 | 日期 | 工作量
级别 | 公告 | 报告 | | ---| --: | :-: | --- | :-: | | [zkVerify](https://zkverify.io/) | 2025年2月 | 3 | | [📄](reviews/2025-02-zkverify-foundation-blockchain-securityreview.pdf) | | [ParaSpace](https://para.space/) | 2022年12月 | 1 | | [📄](reviews/ParallelFinance3.pdf) | | [ParaSpace](https://para.space/) | 2022年11月 | 7 | | [📄](reviews/ParallelFinance2.pdf)[✅](reviews/ParallelFinance2FixReview.pdf) | | [Parallel Finance](https://parallel.fi/) | 2022年3月 | 6 | | [📄](reviews/ParallelFinance.pdf) | | [Polkadex](https://www.polkadex.trade/) | 2022年2月 | 10 | | | | [Polkadex](https://www.polkadex.trade/) | 2021年12月 | 4 | | | | [PINT](https://pub.finance/) | 2021年9月 | 4 | | | | [Polkaswap](https://soramitsu.co.jp/) | 2021年8月 | 6 | | [📄](reviews/2021-08-soramitsu-polkaswap-securityreview.pdf) | | [AlephBFT](https://alephzero.org/) | 2021年6月 | 4 | | [📄](reviews/AlephBFT.pdf) | | [Acala Network](https://acala.network/) | 2021年6月 | 4 | | | | [Compound Chain](https://compound.finance/) | 2021年5月 | 6 | | | | [Acala Network](https://acala.network/) | 2021年1月 | 6 | | [📄](reviews/AcalaNetwork.pdf) | | [Parity Fether](https://www.parity.io/) | 2019年8月 | 4 | | | | [Parity](https://www.parity.io/) | 2018年7月 | 12 | [Parity completes Trail of Bits security review](https://medium.com/paritytech/parity-completes-trail-of-bits-security-review-bda9d48fd3d4) | [📄](reviews/parity.pdf) | #### Tendermint/Cosmos | 产品 | 日期 | 工作量
级别 | 公告 | 报告 | | ---| --: | :-: | --- | :-: | | [Orga and Merk](https://turbofish.org/) | 2024年11月 | 10 | [Orga & Merk Trail of Bits Security Audit](https://turbofish.org/blog/audit) | [📄✅](reviews/2024-11-orgaandmerk-securityreview.pdf) | | [Berachain polaris-geth](https://www.berachain.com/) | 2023年8月 | 8 | | | | [Berachain berachain](https://www.berachain.com/) | 2023年6月 | 6 | | | | [Umee](https://www.umee.cc/) | 2022年2月 | 8 | | [📄](reviews/Umee.pdf) | | [Columbus-5](https://www.terra.money/) | 2022年1月 | 2 | | | |IBC Protocol](https://www.interchain.berlin/) | 2021年12月 | 4 | | | | [THORChain](https://thorchain.org/) | 2021年8月 | 12 | | | | [Tendermint](https://interchain.io/) | 2019年3月 | 12 | | | | [ndau](https://oneiro.io/) | 2018年11月 | 8 | [Policy Council](https://www.globenewswire.com/news-release/2019/05/22/1840819/0/en/ndau-Holders-Elect-Inaugural-Policy-Council-Votes-to-be-Listed-on-BitMart-Exchange.html) | | #### Tezos | 产品 | 日期 | 工作量
级别 | 公告 | 报告 | | ---| --: | :-: | --- | :-: | | [Kolibri](https://tezos.foundation/) | 2022年4月 | 4 | | | | [Tezori (T2)](https://github.com/Cryptonomic/Tezori) | 2020年12月 | 4 | | [📄](reviews/Tezori.pdf) | | [Dexter](https://dexter.exchange/) | 2020年6月 | 4 | | [📄](reviews/dexter.pdf) | | [Tezori](https://github.com/Cryptonomic/Tezori) | 2018年7月 | 2 | [Thanks to @trailofbits for their security review](https://twitter.com/CryptonomicTech/status/1015686612641042434) | #### TON | 产品 | 日期 | 工作量
级别 | 公告 | 报告 | | ---| --: | :-: | --- | :-: | | [TONCO CLAMM DEX v1.6](https://app.tonco.io/#/swap) | 2026年1月 | 11 | [TONCO v1.6 is live](https://x.com/Tonco_io/status/2020808567419195632) | [📄✅](reviews/2026-02-tonco-clamm-securityreview.pdf) | | [EVAA Finance](https://evaa.finance/) | 2025年8月 | 8.6 | | [📄✅](reviews/2025-08-evaafinance-securityreview.pdf) | | [Swap Coffee TON DEX](https://swap.coffee/dex/) | 2025年7月 | 6 | | [📄✅](reviews/2025-07-swapcoffee-tondex-securityreview.pdf) | | [FIVA Yield Protocol](https://www.thefiva.com/) | 2025年5月 | 6 | | [📄✅](reviews/2025-05-FIVA-yieldtokenizationprotocol-securityreview.pdf) | | [FIVA Evaa Integration](https://www.thefiva.com/) | 2025年5月 | 6 | | [📄✅](reviews/2025-05-FIVA-evaaintegration-securityreview.pdf) | | [Whales Holders](https://whalesdmcc.com/) | 2025年5月 | 4 | | [📄✅](reviews/2025-05-whales-dmcc-holders-contracts-securityreview.pdf) | | [Whales Nominators](https://whalesdmcc.com/) | 2025年5月 | 4 | | [📄✅](reviews/2025-05-whales-dmcc-nominators-contract-securityreview.pdf) | | [STON.fi DEX V2](https://ston.fi/) | 2025年1月 | 8 | | [📄✅](reviews/2025-01-stonfi-ton-amm-dex-v2-securityreview.pdf) | | [Tact Compiler](https://github.com/tact-lang/tact) | 2025年1月 | 8 | | [📄✅](reviews/2025-01-ton-studio-tact-compiler-securityreview.pdf) | | [TON Foundation Multisignature Wallet](https://ton.foundation/en/) | 2024年3月 | 4 | | [📄✅](reviews/2024-03-tonfoundation-multisignaturewallet-securityreview.pdf) | #### 其他/多链 | 产品 | 日期 | 工作量
级别 | 公告 | 报告 | | ---| --: | :-: | --- | :-: | | [Shape Gasback](https://shape.network/) | 2025年1月 | 2 | | [📄✅](reviews/2025-01-shape-gasback-securityreview.pdf) | | [PixelSwap DEX](https://www.pixelswap.io/) | 2024年12月 | 6 | | [📄✅](reviews/2024-12-pixelswap-dex-securityreview.pdf) | | [Arkis Prime](https://www.arkis.xyz/) | 2024年12月 | 5 | | [📄✅](reviews/2024-12-arkis-defi-prime-brokerage-securityreview.pdf) | | [Wormhole Governors and Watchers](https://wormhole.com/) | 2023年3月 | 8 | | [📄✅](reviews/2023-03-wormhole-securityreview.pdf) | | [DFINITY Canister Sandbox](https://dfinity.org/) | 2022年9月 | 2 | | [📄](reviews/DFINITYCanisterSandbox.pdf)[✅](reviews/DFINITYCanisterSandboxFixReview.pdf) | | [DFINITY ECDSA/BTC](https://dfinity.org/) | 2022年9月 | 4 | | [📄](reviews/DFINITYThresholdECDSAandBtcCanisters.pdf)[✅](reviews/DFINITYThresholdECDSAandBtcCanistersFixReview.pdf) | | [FROST BLS Protocols](https://www.polysign.io/) | 2022年7月 | 12 | | | | [SORA Trustless Bridge](https://soramitsu.co.jp/) | 2022年7月 | 8 | | | | [CAT Standard](https://chia.net/) | 2022年6月 | 8 | | | | [DFINITY Threshold ECDSA](https://dfinity.org/) | 2022年5月 | 8 | | | | [Arbitrum Nitro](https://offchainlabs.com/) | 2022年3月 | 16 | | | | [DeGate](https://degate.com/?en-US) | 2022年2月 | 4 | | [📄](reviews/DeGate.pdf) | | [ShardX](https://www.gemini.com/) | 2021年12月 | 2 | | | | [DeGate](https://degate.com/?en-US) | 2021年12月 | 4 | | | | [Threshold-DSA](https://anyswap.exchange/) | 2021年11月 | 6 | | | | [DFINITY Consensus](https://dfinity.org/) | 2021年11月 | 2 | [DFINITY](https://forum.dfinity.org/t/internet-computer-consensus-security-assessment-by-trail-of-bits-third-party-security-audit-2/11453) | [📄](reviews/DFINITYConsensus.pdf) | | [PolySign HSM](https://polysign.io/) | 2021年10月 | 6 | | | | [Hop Protocol V2](https://hop.exchange/) | 2021年9月 | 4 | | | | [Golden Gate Library](https://layerzero.network/) | 2021年9月 | 1 | | | | [PolySign](https://www.polysign.io/) | 2021年9月 | 6 | | | | [Qredo Blockchain](https://www.qredo.com/) | 2021年9月 | 6 | | | | [Arbitrum](https://offchainlabs.com/) | 2021年9月 | 16 | | | | [go-schnorrkel](https://chainsafe.io/) | 2021年8月 | 4 | | | | [ShardX](https://www.gemini.com/) | 2021年8月 | 4 | | | | [AElf](https://aelf.io/) | 2021年7月 | 4 | | | | [CrossChain-Bridge](https://anyswap.exchange/bridge) | 2021年7月 | 8 | | | [DFINITY](https://dfinity.org/) | 2021年5月 | 24 | | [📄](reviews/DFINITY.pdf) | | [Open Oracle](https://chain.link/) | 2021年4月 | 2 | | | | [Arbitrum V2](https://offchainlabs.com/) | 2021年2月 | 8 | | | | [eFIL](https://www.gemini.com/blog/gemini-launches-wrapped-filecoin-efil-building-a-bridge-to-defi) | 2021年1月 | 2 | | | | [Highway Consensus](https://casperlabs.io/en/) | 2020年11月 | 4 | [CasperLabs](https://blog.casperlabs.io/trail-of-bits-security-audit-casper-highway-protocol/) | [📄](reviews/CasperLabsHighwayProtocol.pdf) | | [Stacks V2](https://www.blockstack.org/) | 2020年9月 | 6 | | | | [VRFs](https://chain.link/) | 2020年8月 | 2 | | | | [Celo Oracle](clabs.co) | 2020年7月 | 2 | | [📄](reviews/celo-oracle.pdf) | | [Arbitrum](https://offchainlabs.com/) | 2020年7月 | 6 | | | | [MYKEY](https://mykey.org/en) | 2020年7月 | 4 | | | | [Symbol](https://symbolplatform.com/) | 2020年7月 | 4 | [Symbol](https://symbolplatform.com/latest/symbol-from-nem-completes-trail-of-bits-security-audit/) | [📄](reviews/Symbol.pdf) | | [Ledger Filecoin](https://protocol.ai/) | 2020年7月 | 2 | | [📄](reviews/LedgerFilecoin.pdf) | | [Chainlink](https://chain.link/) | 2020年6月 | 8 | | | | [Chainlink Flux](https://chain.link/) | 2020年5月 | 4 | | | | [Elrond](https://elrond.com/) | 2020年3月 | 6 | | | | [EOSIO SDK](http://block.one/) | 2020年1月 | 4 | | | | [NEAR Protocol](https://nearprotocol.com/) | 2019年11月 | 8 | | | | [EOSIO 2.0](http://block.one/) | 2019年10月 | 8 | | | | [Status-go](https://status.im/) | 2019年10月 | 9 | | | | [Celo](https://celo.org/) | 2019年9月 | 8 | | | | [Blockchain.com](https://www.blockchain.com/) | 2019年8月 | 4 | | | | [RandomX](https://www.arweave.org/) | 2019年6月 | 2 | [Monero and Arweave to Validate RandomX](https://www.prnewswire.com/news-releases/monero-and-arweave-to-validate-the-proof-of-work-algorithm-randomx-300861697.html) | [📄](reviews/arweave-randomx.pdf) | | Interest Token | 2019年5月 | 0.28 | | | | [Loom](https://loomx.io/) | 2019年5月 | 10 | [Loom SDK Q1 2019 Security Audit](https://twitter.com/loomnetwork/status/1126748703530766336) | | | [Building Blocks](https://innovation.wfp.org/project/building-blocks) | 2018年8月 | 7 | [UN WFP uses Ethereum to aid 100k refugees](https://www.parity.io/un-world-food-programme-uses-parity-ethereum-to-aid-100-000-refugees/) | | ## 披露与漏洞利用 另请参阅 [exploits repository](https://github.com/trailofbits/exploits)。 |名称|产品|发现者|年份|ID|博客| |---|---|---|---|---|---| |Denial of Service in protobuf-python|protobuf-python|Alexis Challande|2025|[CVE-2025-4565](https://github.com/advisories/GHSA-8qvm-5x2c-j2w7)|| |Vulnerabilities in LUKS2 disk encryption for confidential VMs|Linux LUKS2|Tjaden Hess|2025|[CVE-2025-59054](https://nvd.nist.gov/vuln/detail/CVE-2025-59054), [CVE-2025-58356](https://nvd.nist.gov/vuln/detail/CVE-2025-58356)|[💬](https://blog.trailofbits.com/2025/10/30/vulnerabilities-in-luks2-disk-encryption-for-confidential-vms/)| |Prompt injection to RCE in AI agents|AI Agents (multiple platforms)|Will Vandevanter|2025|❌|[💬](https://blog.trailofbits.com/2025/10/22/prompt-injection-to-rce-in-ai-agents/)| |Code integrity bypass in Electron applications|Electron Applications (Signal, 1Password, Slack)|Darius Houle|2025|[CVE-2025-55305](https://nvd.nist.gov/vuln/detail/CVE-2025-55305)|[💬](https://blog.trailofbits.com/2025/09/03/subverting-code-integrity-checks-to-locally-backdoor-signal-1password-slack-and-more/)| |Weaponizing image scaling against production AI systems|Google Gemini, Vertex AI, Genspark|Kikimora Morozova, Suha Sabi Hussain|2025|❌|[💬](https://blog.trailofbits.com/2025/08/21/weaponizing-image-scaling-against-production-ai-systems/)| |Prompt injection engineering for attackers: Exploiting GitHub Copilot|GitHub Copilot Agent|Kevin Higgs|2025|❌|[💬](https://blog.trailofbits.com/2025/08/06/prompt-injection-engineering-for-attackers-exploiting-github-copilot/)| |Memory corruption in NVIDIA Triton Inference Server|NVIDIA Triton|Will Vandevanter|2025|[CVE-2025-23310](https://nvd.nist.gov/vuln/detail/CVE-2025-23310), [CVE-2025-23311](https://nvd.nist.gov/vuln/detail/CVE-2025-23311)|[💬](https://blog.trailofbits.com/2025/08/04/uncovering-memory-corruption-in-nvidia-triton-as-a-new-hire/)| |Exploiting zero days in abandoned hardware|Netgear WGR614v9, BitDefender Box V1|Alan Cao, Will Tan|2025|❌|[💬](https://blog.trailofbits.com/2025/07/25/exploiting-zero-days-in-abandoned-hardware/)| |MCP plaintext API key storage|Model Context Protocol|Cliff Smith, Suha Hussain, and Will Vandevanter|2025|❌|[💬](https://blog.trailofbits.com/2025/04/30/insecure-credential-storage-plagues-mcp/)| |MCP ANSI escape sequence attacks|Model Context Protocol|Cliff Smith, Suha Hussain, and Will Vandevanter|2025|❌|[💬](https://blog.trailofbits.com/2025/04/29/deceiving-users-with-ansi-terminal-codes-in-mcp/)| |MCP Line Jumping vulnerability|Model Context Protocol|Cl Smith, Suha Hussain, and Will Vandevanter|2025|❌|[💬](https://blog.trailofbits.com/2025/04/23/how-mcp-servers-can-steal-your-conversation-history/)| |User to root privilege escalation from an integer overflow in libinfo|macOS|Paweł Płatek|2025|[CVE-2025-24195](https://nvd.nist.gov/vuln/detail/CVE-2025-24195), [CVE-2025-31222](https://nvd.nist.gov/vuln/detail/cve-2025-31222), [CVE-2025-30440](https://nvd.nist.gov/vuln/detail/cve-2025-30440)|[💬](https://github.com/trailofbits/exploits/tree/main/obts-2025-macos-lpe)| |Cryptography bugs in elliptic library|elliptic JavaScript library|Markus Schiffermuller|2024|[CVE-2024-48948](https://nvd.nist.gov/vuln/detail/CVE-2024-48948), [CVE-2024-48949](https://nvd.nist.gov/vuln/detail/CVE-2024-48949), [CVE-2024-48950](https://nvd.nist.gov/vuln/detail/CVE-2024-48950), [CVE-2024-48951](https://nvd.nist.gov/vuln/detail/CVE-2024-48951), [CVE-2024-48952](https://nvd.nist.gov/vuln/detail/CVE-2024-48952)|[💬](https://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof/)| |Crash due to uncontrolled recursion in `Well-KnownText`|Elastic|Alexis Challande, Brad Swain|2024|[CVE-2024-52981](https://github.com/advisories/GHSA-5xm9-x7x4-4j5x)|| |Crash due to uncontrolled recursion in `innerForbidCircularReferences`|Elastic|Alexis Challande, Brad Swain|2024|[CVE-2024-52980](https://github.com/advisories/GHSA-ghfh-p92w-j4mg)|| |Crash due to uncontrolled recursion in Wire|Wire|Alexis Challande, Brad Swain|2024|[CVE-2024-58103](https://nvd.nist.gov/vuln/detail/CVE-2024-58103)|| |Crash due to uncontrolled recursion in protobuf crate|rust-protobuf|Alexis Challande, Brad Swain|2024|[RUSTSEC-2024-0437](https://rustsec.org/advisories/RUSTSEC-2024-0437.html)|| |Denial of Service in XStream|XStream|Alexis Challande, Brad Swain|2024|[GHSA-hfq9-hggm-c56q](https://github.com/advisories/GHSA-hfq9-hggm-c56q)|[💬](https://blog.trailofbits.com/2025/02/21/dont-recurse-on-untrusted-input/)| |Denial of Service in protobuf-java|protobuf-java|Alexis Challande, Brad Swain|2024|[GHSA-735f-pc8j-v9w8](https://github.com/advisories/GHSA-735f-pc8j-v9w8)|[💬](https://blog.trailofbits.com/2025/02/21/dont-recurse-on-untrusted-input/)| |Insufficient validation of integration timestamp in sigstore-python|sigstore-python|William Woodruff|2024|[CVE-2024-55655](https://www.cve.org/cverecord?id=CVE-2024-55655)|| |Rust crates "stable" and "nightly" might be installed instead of the corresponding toolchains|Crates.io|Max Ammann|2024|❌|| |num-bigint disclosure|num-bigint|Samuel Moelius|2024|❌|[💬](https://blog.trailofbits.com/2024/04/15/5-reasons-to-strive-for-better-disclosure-processes/)| |Memory corruption during X.509 validation in GnuTLS|GnuTLS|William Woodruff|2024|[CVE-2024-28835](https://www.cve.org/cverecord?id=CVE-2024-28835)|| |Linux kernel modules kASLR bypass|Linux|Dominik Czarnota|2024|❌|[💬](https://blog.trailofbits.com/2024/03/08/out-of-the-kernel-into-the-tokens/)| |Pedersen DKG vulnerability disclosure|Multiple|Fredrik Dahlgren|2024|❌|[💬](https://blog.trailofbits.com/2024/02/20/breaking-the-shared-key-in-threshold-signature-schemes/)| |LeftoverLocals disclosure|multiple GPUs|Tyler Sorensen|2024|[CVE-2023-4969](https://www.cve.org/cverecord?id=CVE-2023-4969)|[💬](https://blog.trailofbits.com/2024/01/16/leftoverlocals-listening-to-llm-responses-through-leaked-gpu-local-memory/)| |Billion hashes attack against Go JOSE libraries|go-jose|Matt Schwager|2023|GO-2023-2334, GO-2023-2409|[💬](https://blog.trailofbits.com/2024/03/08/out-of-the-kernel-into-the-tokens/)| |Expo Secure Store: Shortening AES GCM Authentication Tags|expo-secure-store|Joop van de Pol|2023|❌|[💬](https://blog.trailofbits.com/2024/04/15/5-reasons-to-strive-for-better-disclosure-processes/)| |YOLOv7 disclosure|YOLOv7|Alvin Crighton, Anusha Ghosh, Suha Hussain, Heidy Khlaaf, Jim Miller|2023|❌|[💬](https://blog.trailofbits.com/2023/11/15/assessing-the-security-posture-of-a-widely-used-vision-model-yolov7/)| |Numbers turned weapons: DoS in Osmosis’ math library|Osmosis|Sam Alws|2023|❌|[💬](https://blog.trailofbits.com/2023/10/23/numbers-turned-weapons-dos-in-osmosis-math-library/)| |The issue with ATS in Apple’s macOS and iOS|iOS, iPadOS, tvOS, macOS, and watchOS|Will Brattain|2023|[CVE-2023-38596](https://www.cve.org/cverecord?id=CVE-2023-38596)|[💬](https://blog.trailofbits.com/2023/10/30/the-issue-with-ats-in-apples-macos-and-ios/)| |Eth ABI DoS disclosure|ethabi, eth_abi, etheriumjs-abi, alloy-rs|Max Ammann|2023|❌|| |L2 finality bugs in Juno and Pathfinder|Juno, Pathfinder|Benjamin Samuels|2023|❌|[💬](https://blog.trailofbits.com/2023/08/23/the-engineers-guide-to-blockchain-finality/)| |Security flaws in an SSO plugin for Caddy|caddy-security|Maciej Domanski, Travis Peters, David Pokora|2023|[CVE-2024-21500](https://www.cve.org/cverecord?id=CVE-2024-21500), [CVE-2024-21499](https://www.cve.org/cverecord?id=CVE-2024-21499), [CVE-2024-21498](https://www.cve.org/cverecord?id=CVE-2024-21498), [CVE-2024-21497](https://www.cve.org/cverecord?id=CVE-2024-21497), [CVE-2024-21496](https://www.cve.org/cverecord?id=CVE-2024-21496), [CVE-2024-21493](https://www.cve.org/cverecord?id=CVE-2024-21493), [CVE-2024-21495](https://www.cve.org/cverecord?id=CVE-2024-21495), [CVE-2024-21494](https://www.cve.org/cverecord?id=CVE-2024-21494), [CVE-2024-21492](https://www.cve.org/cverecord?id=CVE-2024-21492), [CVE-2023-52430](https://www.cve.org/cverecord?id=CVE-2023-52430)|[💬](https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/)| |ktor Path Traversal|ktor|Vasco Franco|2023|[CVE-2022-48476](https://www.cve.org/cverecord?id=CVE-2022-48476)|| |Specialized Zero-Knowledge Proof failures|Binance's tss-lib; All forks of tss-lib: Joltify, SwipeChain, and ThorChain; Coinbase's kryptology|Opal Wright|2022|❌|[💬](https://blog.trailofbits.com/2022/11/29/specialized-zero-knowledge-proof-failures/)| |Forgery in Amis' Alice library|[Amis' alice](https://github.com/getamis/alice#acknowledgments)|Filipe Casal|2022|❌|| |Keeping the wolves out of wolfSSL|wolfSSL|Max Ammann|2022|[CVE-2022-38152](https://www.cve.org/cverecord?id=CVE-2022-38152) [CVE-2022-38153](https://www.cve.org/cverecord?id=CVE-2022-38153) [CVE-2022-39173](https://www.cve.org/cverecord?id=CVE-2022-39173) [CVE-2022-42905](https://www.cve.org/cverecord?id=CVE-2022-42905)|[💬](https://blog.trailofbits.com/2023/01/12/wolfssl-vulnerabilities-tlspuffin-fuzzing-ssh/)| |Escaping misconfigured VSCode extensions - Live Preview XSS|Live Preview VSCode extension|Vasco Franco|2022|MS-VULN-073448|[💬](https://blog.trailofbits.com/2023/02/21/vscode-extension-escape-vulnerability/)| |Escaping misconfigured VSCode extensions - Live Preview Path Traversal|Live Preview VSCode extension|Vasco Franco|2022|MS-VULN-073447|[💬](https://blog.trailofbits.com/2023/02/21/vscode-extension-escape-vulnerability/)| |Escaping well-configured VSCode extensions (for profit) - VSCode localResourceRoots Bypass|VSCode|Vasco Franco|2022|[CVE-2022-41042](https://www.cve.org/cverecord?id=CVE-2022-41042)|[💬](https://blog.trailofbits.com/2023/02/23/escaping-well-configured-vscode-extensions-for-profit/)| |Escaping misconfigured VSCode extensions - Sarif Viewer XSS|Sarif Viewer VSCode extension|Vasco Franco|2022|MS-VULN-071828|[💬](https://blog.trailofbits.com/2023/02/21/vscode-extension-escape-vulnerability/)| |Stranger Strings: An exploitable flaw in SQLite|SQLite|Andreas Kellas|2022|❌|[💬](https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/)| |json-viewer XSS|jquery.json-viewer|Vasco Franco|2022|[CVE-2022-30241](https://www.cve.org/cverecord?id=CVE-2022-30241)|| |ERC721 improper token transfer in cairo-contracts|OpenZeppelin cairo-contracts|Simone Monica|2022|❌|[💬](https://github.com/OpenZeppelin/cairo-contracts/issues/148)| |Shamir's Secret Sharing vulnerabilities|Binance’s [tss-lib](https://github.com/binance-chain/tss-lib); Clover Network’s [threshold-crypto](https://github.com/clover-network/threshold-crypto); Keep Network’s [keep-ecdsa](https://github.com/keep-network/keep-ecdsa); Swingby’s [tss-lib](https://github.com/SwingbyProtocol/tss-lib); THORchain’s [tss-lib](https://gitlab.com/thorchain/tss/tss-lib); ZenGo X’s [curv](https://github.com/ZenGo-X/curv)|Filipe Casal|2021|❌|[💬](https://blog.trailofbits.com/2021/12/21/disclosing-shamirs-secret-sharing-vulnerabilities-and-announcing-zkdocs/)| |Breaking Aave Upgradeability|Aave v1/v2|Josselin Feist|2020|❌|[💬](https://blog.trailofbits.com/2020/12/16/breaking-aave-upgradeability/)| |Accidentally stepping on a DeFi lego|yVault (yEarn)|Sam Sun|2020|❌|[💬](https://blog.trailofbits.com/2020/08/05/accidentally-stepping-on-a-defi-lego/)| |Smart contract vulnerabilities due to Tezos message passing architecture|Tezos|Simone Monica|2020|❌|[💬](https://forum.tezosagora.org/t/smart-contract-vulnerabilities-due-to-tezos-message-passing-architecture/2045)| |Bug Hunting with Crytic|E&Y Nightfall, DeFiStrategies, Set Protocol, Computable, Aragon, Balancer|Josselin Feist|2020|❌|[💬](https://blog.trailofbits.com/2020/05/15/bug-hunting-with-crytic/)| |OSX slack:// protocol handler javascript injection|Slack|Jay Little|2016|❌|[💬](https://hackerone.com/reports/79348)| |Double free in VLC's 3GP file format|VLC|Loren Maggiore|2015|[CVE-2015-5949](https://www.cve.org/cverecord?id=CVE-2015-5949)|[💬](https://blog.trailofbits.com/2015/09/10/summer-trail-of-bits/)| ## 研讨会 | 研讨会标题 | 地点 | 日期 | | --- | --- | --: | | [Smart Contract Security Automation](workshops/Automated%20Smart%20Contracts%20Audit%20-%20TruffleCon%202019) | TruffleCon 2019 | 2019年10月 | | [Introduction to Smart Contract Exploitation](workshops/Introduction%20to%20Smart%20Contract%20Exploitation%20-%20GreHack%202018) | GreHack 2018 | 2018年11月 | | [Manticore EVM Workshop](workshops/Using%20Manticore%20and%20Symbolic%20Execution%20to%20Find%20Smart%20Contracts%20Bugs%20-%20Devcon%204) | Devcon4 2018 | 2018年11月 | | [Smart Contract Security Automation](workshops/Automated%20Smart%20Contracts%20Audit%20-%20TruffleCon%202018) | TruffleCon 2018 | 2018年10月 | | [DeepState: Bringing Vulnerability Detection Tools into the Dev Cycle](workshops/DeepState:%20Bringing%20vulnerability%20detection%20tools%20into%20the%20development%20lifecycle%20-%20SecDev%202018) | SecDev 2018 | 2018年10月 | | [Smart Contract Security Automation](workshops/Smart%20Contract%20Security%20Automation%20-%20ETHBerlin%202018) | ETH Berlin 2018 | 2018年9月 | | [Manticore EVM Workshop](workshops/Manticore%20-%20EthCC%202018) | EthCC 2018 | 2018年3月 | | [Manticore Workshop](workshops/Manticore%20-%20GreHack%202017) | GreHack 2017 | 2017年10月 | ## 数据集 | 数据集 | 日期 | | --- |---| | [Smart Contract Audit Findings](datasets/smart_contract_audit_findings) | 2019年8月 | ## 服务概述 | 服务标题 | 文档类型 | | --- | --- | | [AI Safety & Security Training](service-overviews/AI-safety-security-training.pdf) | 单页服务概述 | # 图例 | 图标 | 定义 | | --- | --- | | 💬 | 博客文章或其他社交媒体 | | 📄 | 安全评估报告 | | ✅ | 修复审查报告 | | 🔖 | 证明信 | | 📛 | 威胁模型报告 | | 📰 | 白皮书 | | 表头 | 定义 | | --- | --- | | Level of Effort | 项目的所需工作量（以人周为单位） |

标签：Algorand, Avalanche, Cosmos, DeFi, Scroll, Solana, Tezos, Trail of Bits, Uniswap, ZK-Rollup, 以太坊, 会议演讲, 侧信道攻击, 出版物, 区块链安全, 域名收集, 威胁分析, 学术白皮书, 密码学, 密钥泄露防护, 恶意软件, 手动系统调用, 技术报告, 文档安全, 智能合约审计, 机器学习安全, 比特币, 目录枚举, 移动安全, 编译器安全, 网络安全, 自动化侦查工具, 自动化漏洞利用, 配置审计, 隐私保护