# Publications from Trail of Bits

- [Publications from Trail of Bits](#publications-from-trail-of-bits)
  - [Academic Papers](#academic-papers)
  - [White Papers](#white-papers)
  - [Guides and Handbooks](#guides-and-handbooks)
  - [Conference Presentations](#conference-presentations)
    - [Automated bug finding and exploitation](#automated-bug-finding-and-exploitation)
    - [Blockchain](#blockchain)
    - [Compilers](#compilers)
    - [Cryptography](#cryptography)
    - [Engineering](#engineering)
    - [Education](#education)
    - [Infrastructure](#infrastructure)
    - [Machine Learning](#machine-learning)
    - [Mobile security](#mobile-security)
    - [Programming](#programming)
    - [Side channels](#side-channels)
    - [Supply chain](#supply-chain)
    - [Threat analysis \& malware](#threat-analysis--malware)
  - [Podcasts](#podcasts)
  - [Webinars](#webinars)
  - [Public Comments](#public-comments)
  - [Security Reviews](#security-reviews)
    - [Major Clients](#major-clients)
      - [Frax Finance](#frax-finance)
      - [MobileCoin](#mobilecoin)
      - [Offchain Labs](#offchain-labs)
      - [Reserve Protocol](#reserve-protocol)
      - [Scroll](#scroll)
      - [Uniswap](#uniswap)
      - [Western Digital](#western-digital)
    - [AI/ML Reviews](#aiml-reviews)
    - [Cryptography Reviews](#cryptography-reviews)
    - [Technology Product Reviews](#technology-product-reviews)
    - [Cloud-Native Reviews](#cloud-native-reviews)
    - [Invariant Testing and Development Engagements](#invariant-testing-and-development-engagements)
    - [Blockchain Reviews](#blockchain-reviews)
      - [Wallet Reviews](#wallet-reviews)
      - [Algorand](#algorand)
      - [Avalanche](#avalanche)
      - [Bitcoin \& Derivatives](#bitcoin--derivatives)
      - [Ethereum/EVM](#ethereumevm)
      - [NervOS](#nervos)
      - [Starknet](#starknet)
      - [Solana](#solana)
      - [Substrate](#substrate)
      - [Tendermint/Cosmos](#tendermintcosmos)
      - [Tezos](#tezos)
      - [TON](#ton)
      - [Other/Multi-Chain](#othermulti-chain)
  - [Disclosures and exploits](#disclosures-and-exploits)
  - [Workshops](#workshops)
  - [Datasets](#datasets)
  - [Service Overviews](#service-overviews)
- [Legend](#legend)

## Academic Papers

| Paper Title | Venue | Publication Date |
| --- | --- | --- |
| [A Broad Comparative Evaluation of Software Debloating Tools](papers/debloater-eval.pdf) | [USENIX Security 2024](https://www.usenix.org/conference/usenixsecurity24) | 2024 |
| [PolyTracker: Whole-Input Dynamic Information Flow Tracing](papers/issta24-polytracker.pdf) | [ISSTA 2024](https://conf.researchr.org/details/issta-ecoop-2024/issta-ecoop-2024-tool-demonstrations/7/PolyTracker-Whole-Input-Dynamic-Information-Flow-Tracing) | 2024 |
| [Endokernel: A Thread Safe Monitor for Lightweight Subprocess Isolation](papers/usenixsecurity24-endokernel.pdf) | [Usenix Security 2024](https://www.usenix.org/conference/usenixsecurity24/presentation/yang-fangfei) | 2024 |
| [Design and Implementation of a Coverage-Guided Ruby Fuzzer](papers/ruzzy-ruby-fuzzer.pdf) | [CSET 24](https://cset24.isi.edu/) | 2024 |
| [Test Harness Mutilation](papers/test_harness_mutilation.pdf) | [Mutation 2024](https://conf.researchr.org/home/icst-2024/mutation-2024) | 2024 |
| [VAST: MLIR compiler for C/C++](papers/vast-eurollvm-poster.pdf) | [EuroLLVM Devs' Meeting 2024](https://llvm.swoogo.com/2024eurollvm) | 2024 |
| [PoTATo: Points-to analysis via domain specific MLIR dialect](papers/potato-eurollvm-poster.pdf) | [EuroLLVM Devs' Meeting 2024](https://llvm.swoogo.com/2024eurollvm) | 2024 |
| [Careful with MAc-then-SIGn: A Computational Analysis of the EDHOC Lightweight Authenticated Key Exchange Protocol](papers/edhoc-euros&P-2023.pdf) | [Euro S&P 2023](https://www.ieee-security.org/TC/EuroSP2023/index.html) | 2023 |
| [Weak Fiat-Shamir Attacks on Modern Proof Systems](papers/weakfs_ieee_s&p_2023.pdf) | [IEEE S&P 2023](https://eprint.iacr.org/2023/691) | 2023 |
| [Endoprocess: Programmable and Extensible Subprocess Isolation](https://dl.acm.org/doi/10.1145/3633500.3633507) | [NSPW 2023](https://www.nspw.org/2023/program) | 2023 |
| [CIVSCOPE: Analyzing Potential Memory Corruption Bugs in Compartment Interfaces](papers/civscope.pdf) | SOSP [KISV 2023](https://dl.acm.org/doi/abs/10.1145/3625275.3625399) | 2023 |
| [Detecting variability bugs through hybrid control and data flow analysis](papers/ubet_langsec_2023.pdf) | [LangSec 2023](https://langsec.org/spw23/papers.html#variability) | 2023 |
| [Blind Spots: Automatically detecting ignored program inputs](https://arxiv.org/abs/2301.08700) | [LangSec 2023](https://langsec.org/spw23/papers.html) | 2023 |
| [Efficient Proofs of Software Exploitability for Real-world Processors](papers/sieve-msp430-pets2023.pdf) | [PETS 2023](https://petsymposium.org/2023/index.php) | 2023 |
| [Toward Comprehensive Risk Assessments and Assurance of AI Systems](https://github.com/trailofbits/publications/blob/master/papers/toward_comprehensive_risk_assessments.pdf)  | arXiv | 2023 |
| [A Broad Comparative Evaluation of x86-64 Binary Rewriters](papers/cset22.pdf) | [CSET 22](https://cset22.isi.edu/index.html) | 2022 |
| [On the Optimization of Equivalent Concurrent Computations](papers/eqsat-pldi-egraphs2022.pdf) | [PLDI EGRAPHS 2022](https://pldi22.sigplan.org/program/program-egraphs-2022/) | 2022 |
| [Evaluating Static Analysis Tools via Differential Mutation](papers/qrs21.pdf) |  [QRS 2021](https://qrs21.techconf.org/) | 2021 |
| [echidna-parade: Diverse multicore smart contract fuzzing](papers/echidna-parade_issta21.pdf) | [ISSTA 2021](https://conf.researchr.org/home/issta-2021) | 2021 |
| [Differential analysis of x86-64 instruction decoders](papers/mishegos-langsec2021.pdf) |  [LangSec 2021](https://langsec.org/spw21/) | 2021 |
| [Echidna: effective, usable, and fast fuzzing for smart contracts](papers/echidna_issta2020.pdf) | [ISSTA 2020](https://conf.researchr.org/home/issta-2020) | 2020 |
| [ICARUS: Understanding De Facto Formats By Way of Feathers and Wax](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9283834) | [LangSec 2020](http://spw20.langsec.org/) | 2020 |
| [Toward Automated Grammar Extraction via Semantic Labeling of Parser Implementations](papers/semantic_labeling_langsec2020.pdf) | [LangSec 2020](http://spw20.langsec.org/) | 2020 |
| [What are the Actual Flaws in Important Smart Contracts?](papers/smart_contract_flaws_fc2020.pdf) | [FC 2020](https://fc20.ifca.ai/program.html) | 2020 |
| [Echidna: A Practical Smart Contract Fuzzer](papers/echidna_fc_poster.pdf) | [FC 2020](https://fc20.ifca.ai/program.html) | 2020 |
| [RSA GTFO](papers/rsagtfo.pdf) | [PoC\|\|GTFO 0x20](https://www.sultanik.com/pocorgtfo/#0x20) | 2020 |
| [Manticore: Symbolic Execution for Binaries and Smart Contracts](papers/manticore.pdf) | [ASE 2019](https://2019.ase-conferences.org/) | 2019 |
| [Slither: A Static Analysis Framework For Smart Contracts](papers/wetseb19.pdf) | [WETSEB 2019](http://www.agilegroup.eu/wetseb2019/) | 2019 |
| [Toward Smarter Vulnerability Discovery Using Machine Learning](papers/ceo.pdf) | [AISec 2018](http://aisec2018.icsi.berkeley.edu/aisec2018/index.html) | 2018 |
| [The Past, Present, and Future of Cyberdyne](papers/cyberdyne.pdf) | [IEEE S&P](https://ieeexplore.ieee.org/xpl/tocresult.jsp?isnumber=8328963) | 2018 |
| [DeepState - Symbolic Unit Testing for C and C++](papers/deepstate-bar18.pdf) | [BAR 2018](https://www.ndss-symposium.org/ndss2018/cfp-ndss2018-bar/) | 2018 |
| [Cyber-Deception and Attribution in Capture-the-Flag Exercises](papers/deception_attribution_ctf.pdf) | [FOSINT-SI 2015](http://fosint-si.cpsc.ucalgary.ca/2015/) | 2015 |

## White Papers

| Paper Title | Author(s) | Publication Date |
| --- | --- | --- |
| [Detecting Implicit Conversions in OpenVPN2 Using CodeQL](reports/detecting-implicit-conversions-in-openvpn2-using-codeql-casestudy.pdf) | Paweł Płatek | Sep 2025 |
| [Preventing Account Takeovers on Centralized Cryptocurrency Exchanges Recommended Practices](papers/account-takeover-recommended-practices.pdf) | Shaun Mirani, Kelly Kaoudis, and Evan Sultanik | Feb 2025 |
| [Input-Driven Recursion: Ongoing Security Risks](papers/trailofbits-20241218-recursion-whitepaper.pdf) | Alexis Challande and Brad Swain | Dec 2024 |
| [OpenSearch Benchmark Assessment](reports/OpenSearch-Benchmarking.pdf) | Evan Downing, Riccardo Schirone, Francesco Bertolaccini, and Ronald Eytchison | Aug 2024 |
| [Cedar, Rego, and OpenFGA Policy Languages: Comparative Language Security Assessment](reports/Policy_Language_Security_Comparison_and_TM.pdf) | Ian Smith and Kelly Kaoudis | Aug 2024 |
| [Toward Comprehensive Risk Assessments and Assurance of AI-Based Systems](papers/trailofbits-20230307-ai-risk-assessments-whitepaper.pdf) | Heidy Khlaaf | Mar 2023 |
| [Are Blockchains Decentralized? Unintended Centralities in Distributed Ledgers](papers/trailofbits-20220601-are-blockchain-decentralized-whitepaper.pdf) | Evan Sultanik et al. | Jun 2022 |
| [Do You Really Need a Blockchain? An Operational Risk Assessment](papers/trailofbits-20220601-do-you-really-need-a-blockchain-whitepaper.pdf) | Evan Sultanik and Mike Myers | Jun 2022 |

## Guides and Handbooks

| Link | Description |
| ---- | ----------- |
| [Testing Handbook](https://appsec.guide/) | Guides for configuring and automating static and dynamic analysis tools |
| [ZKDocs](https://www.zkdocs.com/) | Interactive documentation on zero-knowledge proof systems |
| [Building Secure Smart Contracts](https://secure-contracts.com/) | Best practices for developing secure smart contracts |
| [CTF Field Guide](https://trailofbits.github.io/ctf/) | Field guide to winning at Capture The Flag competitions |
| [Ruby Security Field Guide](https://trailofbits.github.io/rubysec/) | Practical Ruby security guide |

## Conference Presentations

### Automated bug finding and exploitation

| Presentation Title | Author(s)                                         | Year |
| --- |---------------------------------------------------| --- |
| [Buttercup: Autonomously Finding and Fixing Bugs at Scale in Open-Source Software](presentations/Buttercup:%20Autonomously%20Finding%20and%20Fixing%20Bugs%20at%20Scale%20in%20Open-Source%20Software/buttercup-cucyber.pdf) | Ronald Eytchison                              | 2025 |
| [Buttercup: The Future of Trail of Bits' Solution to DARPA's AI Cyber Challenge](presentations/Buttercup:%20The%20Future%20of%20Trail%20of%20Bits'%20Solution%20to%20DARPA's%20AI%20Cyber%20Challenge) | Trent Brunson | 2025 |
| [Buttercup and DARPA's AI Cyber Challenge, Ringzer0](presentations/Buttercup%20and%20DARPA's%20AI%20Cyber%20Challenge,%20Henrik%20Brodin%20and%20Ronald%20Eytchison) | Henrik Brodin, Ronald Eytchison | 2025 |
| [Our experience competing in the AI Cyber Challenge](presentations/Our%20experience%20competing%20in%20the%20AI%20Cyber%20Challenge/Our_experience_competing_in_the_AI_Cyber_Challenge.pdf) | Michael Brown et al.                              | 2025 |
| [Buttercup and DARPA's AI Cyber Challenge, CSAW](presentations/Buttercup%20and%20DARPA's%20AI%20Cyber%20Challenge,%20Ronald%20Eytchison) | Ronald Eytchison | 2024 |
| [Your Mitigations are My Opportunities](presentations/Your%20Mitigations%20are%20My%20Opportunities) | Yarden Shafir                                     | 2023 |
| [Detecting variability bugs with hybrid control and data flow](presentations/Automatically%20Detecting%20Variability%20Bugs%20Through%20Hybrid%20Control%20and%20Data%20Flow%20Analysis) | Kelly Kaoudis, Henrik Brodin, Evan Sultanik       | 2023 |
| Blind Spots: Identifying Exploitable Program Inputs | Henrik Brodin, Evan Sultanik, and Marek Surovič    | 2023 |
| [MLIR is the future of program analysis](presentations/MLIR%20is%20the%20future%20of%20program%20analysis) | Peter Goodman                                     | 2023 |
| [A Sermon on the Indulgences of Computational Sacrifice; or, The Superabundant Benedictions of Programming an Absurd NES Game](https://www.youtube.com/watch?v=RTjP3fnQ5d8) | Evan Sultanik | 2021 |
| [Differential analysis of x86-64 instruction decoders](presentations/Differential%20analysis%20of%20x86-64%20decoders) | William Woodruff, Niki Carroll, Sebastiaan Peters | 2021 |
| [How to find bugs when (ground) truth isn't real](presentations/Differential%20fuzzing,%20or%20how%20to%20find%20bugs%20when%20%28ground%29%20truth%20isn't%20real) | William Woodruff                                  | 2020 |
| [Toward Automated Grammar Extraction via Semantic Labeling of Parser Implementations](presentations/Semantic%20Labeling%20of%20Parsers) | Carson Harmon, Brad Larsen, Evan Sultanik | 2020 |
| [The Treachery of Files and Two New Tools that Tame It](presentations/The%20Treachery%20of%20Files) | Evan Sultanik                                     | 2019 |
| [Symbolically Executing a Fuzzy Tyrant](presentations/Symbolically%20Executing%20a%20Fuzzy%20Tyrant) | Stefan Edwards                                    | 2019 |
| [Kernel space fault injection with KRF](presentations/Kernel%20space%20fault%20injection%20with%20KRF) | William Woodruff                                  | 2019 |
| [Binary Symbolic Execution With KLEE-Native](presentations/Binary%20Symbolic%20Execution%20With%20KLEE-Native) | Sai Vegasena                                      | 2019 |
| [Going sicko mode on the Linux Kernel](presentations/Going%20sicko%20mode%20on%20the%20Linux%20Kernel) | William Woodruff                                  | 2019 |
| [Vulnerability Modeling with Binary Ninja](presentations/Vulnerability%20Modeling%20with%20Binary%20Ninja) | Josh Watson                                       | 2018 |
| [File Polyglottery; or, This PoC is also a picture of cats](presentations/The%20Treachery%20of%20Files) | Evan Sultanik                                     | 2017 |
| [Be a binary rockstar](https://vimeo.com/215511922#t=27m33s) | Sophia D'Antoine                                  | 2017 |
| [Symbolic Execution for Humans](presentations/Symbolic%20Execution%20for%20Humans) | Mark Mossberg                                     | 2017 |
| [The spirit of the 90s is still alive in Brooklyn](presentations/The%20spirit%20of%20the%2090s%20is%20alive%20in%20Brooklyn) | Ryan Stortz, Sophia D'Antoine                     | 2017 |
| [The dream of a static and dynamic analysis shootout](presentations/The%20dream%20of%20a%20static%20and%20dynamic%20analysis%20shootout) | Ryan Stortz                                       | 2016 |
| [Binary constraint solving for automatic exploit generation](presentations/Binary%20constraint%20solving%20for%20automatic%20exploit%20generation) | Sophia D'Antoine                                  | 2016 |
| [The Smart Fuzzer Revolution](presentations/The%20Smart%20Fuzzer%20Revolution) | Dan Guido                                         | 2016 |
| [Making a scaleable automated hacking system](presentations/Cyber%20Grand%20Challenge) | Artem Dinaburg                                    | 2016 |
| [Cyberdyne - Automatic bug-finding at scale](presentations/Cyber%20Grand%20Challenge) | Peter Goodman                                     | 2016 |
| [McSema: Static translation of x86 to LLVM IR](presentations/McSema%20-%20Static%20Translation%20of%20x86%20instructions%20to%20LLVM%20IR) | Andrew Ruef, Artem Dinaburg                       | 2014 |

### Blockchain

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| [Mutation Testing with Slither: A New Way to Find High-Severity Issues](presentations/Mutation%20Testing%20with%20Slither%3A%20A%20New%20Way%20to%20Find%20High-Severity%20Issues) | Guillermo Larregay | 2025 |
| [Slither's Model Context Protocol: Giving LLMs Ground Truth from Static Analysis](presentations/Slither's%20Model%20Context%20Protocol%3A%20Giving%20LLMs%20Ground%20Truth%20from%20Static%20Analysis) | Ben Samuels | 2025 |
| [The $1.5B Problem: How Exchanges Can Build Safer Cold Storage](presentations/The%20%241.5B%20Problem%3A%20How%20Exchanges%20Can%20Build%20Safer%20Cold%20Storage) | Benjamin Samuels | 2025 |
| [How to Become a Smart Contract Auditor](presentations/How%20to%20Become%20a%20Smart%20Contract%20Auditor) | nisedo | 2025 |
| [Test your tests: the do's and don'ts of testing](presentations/TrustX%202023/Test%20Your%20Tests) | Kurt Willis | 2023 |
| [Slither: a static analysis tool for Vyper and Solidity](presentations/TrustX%202023/Slither%20a%20Vyper%20and%20Solidity%20static%20analyzer) | Troy Sargent | 2023 |
| [Roundme: rounding analysis made simpler](presentations/TrustX%202023/roundme) | Josselin Feist | 2023 |
| [Smart Contracts: The Beta](presentations/Smart%20Contracts:%20The%20Beta/DSS%20101.pdf) | Nat Chin | 2023 |
| [Fuzzing like a security engineer](presentations/How%20to%20Fuzz%20Like%20a%20Pro/Eth%20Taipei%20Workshop.pdf) | Nat Chin | 2023 |
| [Write better smart contracts with Slither's Python API](presentations/Write%20Better%20Smart%20Contracts%20By%20Checking%20Them%20With%20Slither's%20Python%20API) | Troy Sargent | 2022 |
| [Building Secure Cairo](presentations/Building%20Secure%20Cairo) | Filipe Casal, Simone Monica | 2022 |
| [How to fuzz like a pro](presentations/How%20to%20Fuzz%20Like%20a%20Pro) | Josselin Feist, Nat Chin | 2022 |
| [Demystifying Fuzzing](presentations/Demystifying%20Fuzzing) | Nat Chin | 2022 |
| [Building a Practical Static Analyzer for Smart Contracts](presentations/Building%20a%20Practical%20Static%20Analyzer%20for%20Smart%20Contracts) | Josselin Feist | 2021 |
| [Testing and Verifying Smart Contracts: From Theory to Practice](presentations/Testing%20and%20Verifying%20Smart%20Contracts:%20From%20Theory%20to%20Practice) | Josselin Feist | 2021 |
| [Safely integrating with ERC20 tokens](presentations/Safely%20integrating%20with%20ERC20%20tokens) | Josselin Feist | 2021 |
| [Detecting transaction replacement attacks with Manticore](presentations/Detecting%20transaction%20replacement%20attacks%20with%20Manticore) | Sam Moelius | 2020 |
| [DeFi Hacks and Future Threats: The Role of Economics in Secure Protocol Design](presentations/DeFi%20Hacks%20and%20Future%20Threats) | Dan Guido | 2020 |
| [Fantastic Bugs and How to Squash Them; or, the Crimes of Solidity](presentations/Anatomy%20of%20an%20unsafe%20programming%20language) | Evan Sultanik | 2019 |
| [SlithIR: High-Precision Security Analysis with an IR for Solidity](presentations/SlithIR%2C%20An%20Intermediate%20Representation%20of%20Solidity%20to%20enable%20High%20Precision%20Security%20Analysis) | Josselin Feist | 2019 |
| [Slither: A Static Analysis Framework for Smart Contracts](presentations/Slither:%20A%20Static%20Analysis%20Framework%20for%20Smart%20Contracts) | Josselin Feist | 2019 |
| [What blockchain got right](presentations/What%20blockchain%20got%20right) | Dan Guido | 2019 |
| [Traditional Infosec for Blockchain Firms](presentations/Traditional%20Infosec%20for%20Blockchain%20Firms) | Dan Guido | 2019 |
| [Property-testing of smart contracts](presentations/Property-based%20testing%20of%20smart%20contracts) | JP Smith | 2018 |
| [Anatomy of an unsafe programming language](presentations/Anatomy%20of%20an%20unsafe%20programming%20language) | Evan Sultanik | 2018 |
| [Contract upgrade risks and recommendations](presentations/Contract%20upgrade%20risks%20and%20recommendations) | Josselin Feist | 2018 |
| [Blackhat Ethereum](presentations/Blackhat%20Ethereum) | Ryan Stortz, Jay Little | 2018 |
| [Blockchain Autopsies - Analyzing Smart Contract Deaths](presentations/Blockchain%20Autopsies%20-%20Analyzing%20Smart%20Contract%20Deaths) | Jay Little | 2018 |
| [Rattle - an Ethereum EVM binary analysis framework](https://www.trailofbits.com/presentations/rattle/) | Ryan Stortz | 2018 |
| [Securing value on the Ethereum blockchain](presentations/Securing%20value%20on%20the%20Ethereum%20blockchain) | Dan Guido | 2018 |
| [Binary analysis, meet the blockchain](presentations/Binary%20analysis%2C%20meet%20the%20blockchain) | Mark Mossberg | 2018 |
| [Automatic bug finding for the blockchain](presentations/Automatic%20bugfinding%20for%20the%20blockchain) | Felipe Manzano, Josselin Feist | 2017 |

### Compilers

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| [Constant-Time Coding Support in LLVM](presentations/Constant-Time%20Coding%20Support%20in%20LLVM) | Julius Alexandre | 2025 |
| [A Broad Comparative Evaluation of Software Debloating Tools](presentations/A%20Broad%20Comparative%20Evaluation%20of%20Software%20Debloating%20Tools/debloater-eval.pdf) | Michael D. Brown, Adam Meily, Eric Kilmer, Ronald Eytchison | 2024 |
| [Repurposing LLVM analyses in MLIR: Also there and back again across the tower of IRs](presentations/Repurposing%20LLVM%20analyses%20in%20MLIR:%20Also%20there%20and%20back%20again%20across%20the%20Tower%20of%20IRs) | Henrich Lauko | 2024 |
| [VAST: MLIR for program analysis of C/C++](presentations/VAST:%20MLIR%20for%20program%20analysis%20of%20C) | Henrich Lauko | 2022 |
| [A Broad Comparative Evaluation of x86-64 Binary Rewriters](presentations/A%20Broad%20Comparative%20Evaluation%20of%20x86-64%20Binary%20Rewriters/A%20Broad%20Comparative%20Evaluation%20of%20x86-64%20Binary%20Rewriters.pdf) | Michael D. Brown | 2022 |
| [On the Optimization of Equivalent Concurrent Computations](presentations/On%20the%20Optimization%20of%20Equivalent%20Concurrent%20Computations/PLDI-EGRAPHS-2022.pdf) | Henrich Lauko, Lukáš Korenčik, Peter Goodman | 2022 |

### Cryptography

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| [Cut To The QUIC: Slashing QUIC's Performance With A Hash DoS](presentations/Cut%20To%20The%20QUIC%3A%20Slashing%20QUIC%27s%20Performance%20With%20A%20Hash%20DoS) | Paul Bottinelli | 2025 |
| [One, Two, TEE: Trust in Numbers Meets Hardware Security](presentations/One,%20Two,%20TEE:%20Trust%20in%20Numbers%20Meets%20Hardware%20Security) | Paul Bottinelli | 2025 |
| [Weak Fiat-Shamir attacks on modern proof systems](presentations/Weak%20Fiat-Shamir%20attacks%20on%20modern%20proof%20systems) | Jim Miller | 2024 |
| [Building a Rusty path validation library for PyCA Cryptography](presentations/Building%20a%20Rusty%20path%20validation%20library%20for%20PyCA%20Cryptography) | William Woodruff | 2024 |
| [Implementing X.509 path validation for Python](presentations/Implementing%20X.509%20path%20validation%20for%20Python) | William Woodruff | 2024 |
| [Careful with MAc-then-SIGn](presentations/Careful%20with%20MAc-then-SIGn/128_Careful_with_MAC_then_SIGn.pdf) | Marc Ilunga | 2023 |
| [die, PGP, die](presentations/die%2C%20PGP%2C%20die) | William Woodruff | 2022 |
| [Seriously, stop using RSA](presentations/Seriously%2C%20stop%20using%20RSA) | Ben Perez | 2019 |
| [Best Practices for Cryptography in Python](presentations/Best%20Practices%20for%20Cryptography%20in%20Python) | Paul Kehrer | 2019 |
| [Analyzing the MD5 collision in Flame](presentations/Analyzing%20the%20MD5%20Collision%20in%20Flame) | Alex Sotirov | 2012 |

### Engineering

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| [Repeatable Benchmarking: An Exploration of OpenSearch vs Elasticsearch](presentations/Repeatable%20Benchmarking%3A%20An%20Exploration%20of%20OpenSearch%20vs%20Elasticsearch) | Evan Downing | 2025 |
| [Evidence-driven Security Engineering](presentations/Evidence-driven%20Security%20Engineering) | Dan Guido | 2019 |
| [Linux Security Event Monitoring with osquery](presentations/osquery%20Linux%20security%20event%20monitoring) | Alessandro Gario | 2019 |
| [osql: The community oriented osquery fork](presentations/osql%3A%20The%20community%20oriented%20osquery%20fork) | Stefano Bonicatti, Mark Mossberg | 2019 |
| [Getting started with osquery](presentations/Getting%20started%20with%20osquery) | Lauren Pearl, Andy Ying | 2018 |
| [osquery Super Features](presentations/osquery%20Super%20Features) | Lauren Pearl | 2018 |
| [osquery Extension Skunkworks](presentations/osquery%20Extension%20Skunkworks) | Mike Myers | 2018 |
| [Build it Break it Fix it](presentations/Build%20it%20Break%20it%20Fix%20it) | Andrew Ruef | 2014 |

### Education

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| [Introduction to Semgrep](presentations/Introduction%20To%20Semgrep/Testing%20Handbook%20-%20Semgrep.pdf) and<br /> [Semgrep Practice Exercises](presentations/Introduction%20To%20Semgrep/TrailofBits_Semgrep_Practice_Exercises.pdf) | Maciej Domański, Matt Schwager, Spencer Michaels | 2024 |
| [A mostly gentle introduction to LLVM](presentations/A%20mostly%20gentle%20introduction%20to%20LLVM) | William Woodruff | 2022 |
| [JWTs, and why they suck](presentations/JWTs,%20and%20why%20they%20suck) | Rory M | 2021 |
| [The Joy of Pwning](presentations/The%20Joy%20of%20Pwning) | Sophia D'Antoine | 2017 |
| [How to CTF - Getting and using Other People's Computers (OPC)](presentations/How%20to%20CTF%20-%20Getting%20and%20Using%20OPC) | Jay Little | 2014 |
| [Low-level Security](presentations/Low-level%20Security) | Andrew Ruef | 2014 |
| [Security and Your Business](presentations/Security%20and%20Your%20Business) | Andrew Ruef | 2014 |
| [Bringing nothing to the party](presentations/Bringing%20nothing%20to%20the%20party) | Vincenzo Iozzo | 2013 |
| [From One Ivory Tower to Another](presentations/From%20One%20Ivory%20Tower%20to%20Another) | Vincenzo Iozzo | 2012 |

### Infrastructure

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| [Return to the 100 Acre Woods](presentations/Return%20to%20the%20100%20Acre%20Woods) | Stefan Edwards | 2019 |
| [Swimming with the kubectl fish](presentations/Swimming%20with%20the%20kubectl%20fish) | Stefan Edwards | 2019 |

### Machine Learning

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| [How we made Trail of Bits AI-Native (so far)](presentations/How%20we%20made%20Trail%20of%20Bits%20AI-Native%20%28so%20far%29) | Dan Guido | 2026 |
| [Weaponizing Image Scaling Against Production AI Systems](presentations/Weaponizing%20Image%20Scaling%20Against%20Production%20AI%20Systems) | Kikimora Morozova, Suha Sabi Hussain | 2025 |
| [Indirect Prompt Injection: Architectural Testing Approaches for Real World AI/ML Systems](presentations/Indirect%20Prompt%20Injection%3A%20Architectural%20Testing%20Approaches%20for%20Real%20World%20AI%20ML%20Systems) | Will Vandevanter | 2025 |
| [From Polyglots to Prompt Injections: Parsing is Still Execution (And Your LLM Didn't Get the Memo)](presentations/From%20Polyglots%20to%20Prompt%20Injections%3A%20Parsing%20is%20Still%20Execution%20%28And%20Your%20LLM%20Didn%27t%20Get%20the%20Memo%29) | Evan Sultanik | 2025 |
| [Frontier AI in Cybersecurity: Risks and Opportunities](presentations/Frontier%20AI%20in%20Cybersecurity%3A%20Risks%20and%20Opportunities) | Dan Guido, Riccardo Schirone | 2025 |
| [The Present and Future of AI and Security](presentations/The%20Present%20and%20Future%20of%20AI%20and%20Security) | Evan Downing | 2024 |
| [Incubated Machine Learning Exploits: Backdooring ML Pipelines Using Input-Handling Bugs](presentations/Incubated%20Machine%20Learning%20Exploits%3A%20Backdooring%20ML%20Pipelines%20Using%20Input-Handling%20Bugs) | Suha Sabi Hussain | 2024 |
| [Holistic ML Threat Models](presentations/Holistic%20ML%20Threat%20Models) | Adelin Travers | 2024 |
| [Using Graph-Based Machine Learning Algorithms for Software Analysis](presentations/Using%20Graph-Based%20Machine%20Learning%20Algorithms%20for%20Software%20Analysis) | Michael D. Brown                                     | 2023 |
| [Exploiting Machine Learning Pickle Files](presentations/Never%20a%20Dill%20Moment:%20Exploiting%20Machine%20Learning%20Pickle%20Files) | Carson Harmon, Evan Sultanik, Jim Miller, Suha Sabi Hussain | 2021 |
| [PrivacyRaven: Comprehensive Privacy Testing for Deep Learning](presentations/PrivacyRaven:%20Comprehensive%20Privacy%20Testing%20for%20Deep%20Learning) | Suha Sabi Hussain | 2020 |

### Mobile security

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| [macOS Privilege Escalation Via Traceroute6](presentations/macOS%20Privilege%20Escalation%20Via%20Traceroute6) | Paweł Płatek | 2025 |
| [Swift Reversing](presentations/Swift%20Reversing) | Ryan Stortz | 2016 |
| [Modern iOS Application Security](presentations/Modern%20iOS%20Application%20Security) | Sophia D'Antoine, Dan Guido | 2016 |
| [The Mobile Exploit Intelligence Project](presentations/The%20Mobile%20Exploit%20Intelligence%20Project) | Dan Guido | 2012 |
| [A Tale of Mobile Threats](presentations/A%20Tale%20of%20Mobile%20Threats) | Vincenzo Iozzo | 2012 |

### Programming

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| [Python internals - let's talk about dicts](presentations/Python%20internals%20-%20lets%20talk%20about%20dicts) | Dominik Czarnota | 2019 |
| [Low-level debugging with Pwndbg](presentations/Low-level%20debugging%20with%20Pwndbg) | Dominik Czarnota | 2018 |
| [Insecure Things to Avoid in Python](presentations/Insecure%20Things%20to%20Avoid%20in%20Python) | Dominik Czarnota | 2018 |

### Side channels

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| [Hardware side channels in virtualized environments](presentations/Hardware%20side%20channels%20in%20virtualized%20environments) | Sophia D'Antoine | 2015 |
| [Exploiting Out-of-Order Execution](presentations/Exploiting%20Out-of-Order%20Execution) | Sophia D'Antoine | 2015 |

### Supply chain

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| [Attestations: a new generation of signatures on PyPI](presentations/Attestations:%20a%20new%20generation%20of%20signatures%20on%20PyPI) | William Woodruff | 2025 |
| [The Next 5 Years of Supply Chain Security on PyPI](presentations/The%20Next%205%20Years%20of%20Supply%20Chain%20Security%20on%20PyPI) | William Woodruff | 2024 |
| [PEP 740 and PyPI: Bootstrapping Provenance for the Python Ecosystem](presentations/PEP%20740%20and%20PyPI:%20Bootstrapping%20Provenance%20for%20the%20Python%20Ecosystem) | William Woodruff | 2024 |
| [Imagining a zero-trust future for PyPI](presentations/Imagining%20a%20zero-trust%20future%20for%20PyPI) | William Woodruff | 2024 |
| [Build Provenance: Lessons (so far) from Homebrew](presentations/Build%20Provenance:%20Lessons%20%28so%20Far%29%20from%20Homebrew) | Joe Sweeney | 2024 |
| [What does it look like to code-sign for an entire packaging ecosystem?](presentations/What%20does%20it%20look%20like%20to%20code-sign%20for%20an%20entire%20packaging%20ecosystem) | William Woodruff | 2023 |
| [Securing your Package Ecosystem with Trusted Publishing](presentations/Securing%20your%20Package%20Ecosystem%20with%20Trusted%20Publishing) | William Woodruff | 2023 |
| [Trusted Publishing: Lessons from PyPI](presentations/Trusted%20Publishing:%20Lessons%20from%20PyPI) | William Woodruff | 2023 |
| [Ergonomic codesigning for the Python ecosystem with Sigstore](presentations/Ergonomic%20codesigning%20for%20the%20Python%20ecosystem%20with%20Sigstore) | William Woodruff | 2023 |
| [Sigstore for Python Packaging: Next Steps for Adoption](presentations/Sigstore%20for%20Python%20Packaging%3A%20Next%20Steps%20for%20Adoption) | William Woodruff | 2022 |
| [Python Packaging Mystery Meat](presentations/Python%20Packaging%20Mystery%20Meat) | William Woodruff | 2022 |
| [Automated Tools for Securing the Software Supply Chain](presentations/Automated%20Tools%20for%20Securing%20the%20Software%20Supply%20Chain) | Michael D. Brown | 2022 |
| [Improving PyPI's security with Two Factor Authentication](presentations/Improving%20PyPI%27s%20security%20with%20Two%20Factor%20Authentication) | William Woodruff | 2019 |

### Threat analysis & malware

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| [Peeling back the 'Shlayers' of macOS Malware](presentations/Peeling%20back%20the%20Shlayers%20of%20macOS%20Malware) | Josh Watson, Erika Noerenberg | 2019 |
| [The Exploit Intelligence Project Revisited](presentations/The%20Exploit%20Intelligence%20Project) | Dan Guido | 2013 |

## Podcasts

| Podcast | Guest | Date | Topic(s) |
| --- | --- | --- | --- |
| [Risky Biz](https://risky.biz/RBNEWSSI114/) | Dan Guido | Feb 2026 | AI at Trail of Bits |
| [What's in the SOSS? 53](https://openssf.org/podcast/2026/02/09/whats-in-the-soss-podcast-53-s3e5-aixcc-part-3-buttercups-hybrid-approach-trail-of-bits-journey-to-second-place-in-aixcc/) | Michael Brown | Feb 2026 | AIxCC & Buttercup |
| [Insecure Agents 18](https://insecureagents.com/episodes/18-kiki-morozova) | Kikimora Morozova | Dec 2025 | AI prompt injections |
| [Risky Biz](https://risky.biz/RBNEWSS198/) | Keith Hoodlet | Sep 2025 | AI prompt injections |
| [Zero Signal](https://www.youtube.com/watch?v=G3pGCEQWJZs&list=PLvtGUUDFmi-aTEsna3wgfMrCH-DpZQJgn&index=2) | Keith Hoodlet | Sep 2025 | AI Security |
| [Unsupervised Learning](https://www.youtube.com/watch?v=nvU0GbA9F9Q) | Michael Brown | Aug 2025 | AIxCC |
| [Security Weekly 342](https://www.youtube.com/watch?v=C2kSdo7aNzU) | Will Vandevanter | Aug 2025 | NVIDIA vulnerability disclosure |
| [CTF Radiooo 01E](https://youtu.be/BmCWryz3dsU?si=4T34d9DIP2MOcuo9) | Michael Brown & Evan Downing | Aug 2025 | AIxCC |
| [Click Here Show](https://podcasts.apple.com/us/podcast/mic-drop-the-ego-exploit/id1225077306?i=1000712717394) | Dan Guido | Jun 2025 | Zoom remote control attacks |
| [Security Weekly 336](https://youtu.be/1YvQi5Bc9_M?si=j-grngtTaI7Rloq6) | Artur Cygan | Jun 2025 | Fuzzing Barcodes |
| [Protect AI](https://youtu.be/saLKE9y4EoU?si=9xqCNiY_Fx3ad9Mu) | Keith Hoodlet | Jun 2025 | MCP Security |
| [Open Source Security](https://www.youtube.com/watch?v=EKXV6vxRTHM) | William Woodruff | May 2025 | Zizmor & GitHub Actions security |
| [MLSecOps](https://youtu.be/8WsgV0svqPM?si=iB_9rUl33vPIT8sL) | Keith Hoodlet | Apr 2025 | AI/ML security |
| [Risky Biz 786](https://youtu.be/DNAOwukOQi4?si=4KPfY2RnPMxVwSJJ&t=2556) | Tjaden Hess | Apr 2025 | Cryptography & blockchain |
| [Security Weekly 323](https://youtu.be/zn3LT4BqOJo?si=3zY5YkRU4ArgM-vn) | Keith Hoodlet | Mar 2025 | GenAI in Appsec |
| [Xyonix](https://youtu.be/y8TF7MELevg?si=gv60OR2_L86fsL2L) | Keith Hoodlet | Mar 2025 | AI/ML security |
| [The Impulsive Thinker](https://theimpulsivethinker.libsyn.com/unlocking-ai-a-tool-not-a-magic-bullet-for-adhd-entrepreneurs) | Dan Guido | Feb 2025 | Neurodivergence |
| [Bugcrowd](https://youtu.be/b7EULU_X7fQ?si=DZFenK1x00PaD5yV) | Keith Hoodlet | Oct 2024 | AI/ML Bias |
| [Risky Biz](https://risky.biz/RBNEWSSI62/)  | Dan Guido | Oct 2024 | Post-quantum cryptography |
| [Risky Biz 759](https://youtu.be/4zpPk3Y4CYA?si=Pvd8px1DQHRPsRtM&t=3046)  | Dan Guido | Aug 2024 | DARPA's AI Cyber Challenge |
| [Resilience Rundown](https://www.youtube.com/watch?v=EB2oV1umU3Y&list=PLciHOL_J7IwpS8Cdl9lMB8Mxqu0as8yPi&index=7)  | Josiah Dykstra | May 2024 | Bias in security |
| [Risky Biz](https://risky.biz/RBNEWSSI40/)  | Dan Guido | Apr 2024 | Open source tooling |
| [MLSecOps March 20](https://mlsecops.com/podcast/redos-vulnerability-reports-security-relevance-vs.-noisy-nuisance)  | William Woodruff | Mar 2024 | Supply chain security |
| [yWhales](https://www.youtube.com/watch?v=LqkH1jYFE2g&list=PLciHOL_J7IwpS8Cdl9lMB8Mxqu0as8yPi&index=6) | Dan Guido | Dec 2023 | Blockchain security |
| [Risky Biz 707](https://risky.biz/RB707/) | Dan Guido | May 2023 | ML security |
| [ASW 229](https://youtu.be/wHuZzV0Da_s) | Nick Selby | Feb 2023 | Threat modeling, cloud-native audits |
| [Risky Biz 690](https://risky.biz/RB690/) | Dan Guido | Jan 2023 | Vuln disclosure |
| [Risky Biz 672](https://risky.biz/RB672/) | Dan Guido | Jul 2022 | Blockchain security |
| [Cloud Security Reinvented](https://orca.security/resources/podcast/?blaid=3070895&wchannelid=v7ih6xfqse&wmediaid=ll04oa1n8n) | Nick Selby | Jun 2022 | Cloud security |
| [Skiff Office Hours](https://twitter.com/i/web/status/1503822822237368321) | Dan Guido | Mar 2022 | Privacy technology |
| [Risky Biz 652](https://risky.biz/RB652/) | Dan Guido | Jan 2022 | Zero-knowledge proofs |
| [Secureum Safecast #3](https://www.youtube.com/watch?v=Ycj0ZVWof5E) | Josselin Feist | Nov 2021 | Blockchain security |
| [Secureum Safecast #2](https://www.youtube.com/watch?v=NSzniIpPYdw) | Dan Guido | Oct 2021 | Blockchain security |
| [Press Freedom Foundation](https://www.twitch.tv/videos/1102962356) | Dan Guido | Jul 2021 | Mobile security and iVerify |
| [Employee Cycle](https://employeecycle.com/podcast/how-to-onboard-yourself-as-the-first-people-leader-with-hannah-hanks/) | Hannah Hanks | Mar 2021 | First PeopleOps hire |
| [Risky Biz 614](https://risky.biz/RB614/) | Dan Guido | Feb 2021 | iVerify |
| [Building Better Systems 6](https://www.youtube.com/watch?v=QXF6agsYqV0) | Dan Guido | Jan 2021 | What blockchain got right |
| [WCBS 880](https://www.radio.com/podcasts/wcbs-880-small-business-spotlight-32986/pandemic-gap-year-leads-to-career-development-322317063) | Dan Guido | Sep 2020 | Gap years and intern hiring |
| [Risky Biz 594](https://risky.biz/RB594/) | Dan Guido | Aug 2020 | Apple security |
| [Epicenter 346](https://epicenter.tv/episodes/346) | Dan Guido | Jun 2020 | Smart contract security |
| [Absolute AppSec 97](https://www.youtube.com/watch?v=GvNXxOc30lM) | Stefan Edwards | May 2020 | Threat modeling |
| [Unchained 170](https://unchainedpodcast.com/defi-security-with-so-many-hacks-will-it-ever-be-safe/) | Dan Guido | May 2020 | DeFi security |
| [Risky Biz 580](https://risky.biz/RB580/) | Dan Guido | Apr 2020 | Mobile voting |
| [Absolute AppSec 91](https://www.youtube.com/watch?v=HlGcJRhgNG0) | Stefan Edwards | Apr 2020 | Mobile voting |
| [Zero Knowledge 122](https://www.zeroknowledge.fm/122) | Ben Perez | Mar 2020 | Cryptography reviews, ZKPs |
| [Changelog](https://changelog.com/podcast/377) | Dan Guido | Jan 2020 | AlgoVPN |
| [Risky Business 559](https://risky.biz/RB559/) | Stefan Edwards | Oct 2019 | Kubernetes |
| [FOSS Weekly 545](https://www.youtube.com/watch?v=mkjoTAdZd3Q) | William Woodruff | Sep 2019 | PyPI security improvements |
| [`Podcast.__init__` 225](https://www.pythonpodcast.com/pypi-improvements-episode-225/) | William Woodruff | Aug 2019 | PyPI security, UX, and sustainability |
| [Absolute AppSec 68](https://www.youtube.com/watch?v=bOR21l96zz4) | Stefan Edwards, Bobby Tonic | Aug 2019 | Kubernetes |
| [Hashing it Out 53](https://thebitcoinpodcast.com/hashing-it-out-53/) | Dan Guido | Jul 2019 | Smart contract testing |
| [Absolute AppSec 60](https://www.youtube.com/watch?v=BZ0U7K0IxNQ) | Stefan Edwards | May 2019 | Android, programming languages |
| [Absolute AppSec 55](https://www.youtube.com/watch?v=Q0pKAlGLFtY) | Stefan Edwards | Apr 2019 | Security testing |
| [Hashing it Out 35](https://thebitcoinpodcast.com/hashing-it-out-35/) | Dan Guido, Josselin Feist | Jan 2019 | Ethereum's failed EIP-1283 |
| [Risky Biz 526](https://risky.biz/RB526/) | JP Smith | Jan 2019 | Post-quantum crypto in CTFs |
| [Absolute AppSec 37](https://www.youtube.com/watch?v=beGo7l0u5cY) | Stefan Edwards | Nov 2018 | Programming languages,  symbex |
| [Risky Biz 510](https://risky.biz/RB510/) | Lauren Pearl | Aug 2018 | Open source security engineering |
| [Absolute AppSec 34](https://www.youtube.com/watch?v=gtikYoT6vKc) | Stefan Edwards | Oct 2018 | Security testing, blockchain |
| [The Smartest Contract 15](https://web.archive.org/web/20181018135712/http://www.thesmartestcontract.com/15) | JP Smith | Aug 2018 | Trail of Bits security tools & auditing |
| [Zero Knowledge 16](https://www.zeroknowledge.fm/16) | JP Smith | Mar 2018 | Smart contract security |
| [Risky Biz 488](https://risky.biz/RB488/) | JP Smith | Feb 2018 | Smart contract testing w/ Manticore |
| [Risky Biz 474](https://risky.biz/RB474/) | Dan Guido | Oct 2017 | How to engineer secure software |
| [Georgian Partners 47](https://georgianpartners.com/the-problem-with-the-tor-network-and-commercial-vpns/) | Dan Guido | May 2017 | [AlgoVPN](https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/) and Tor |
| [VUC 643](https://www.youtube.com/watch?v=r_FV-uHYDgs) | Dan Guido | Apr 2017 | [AlgoVPN](https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/) |
| [Risky Biz 449](https://risky.biz/RB449/) | Dan Guido | Mar 2017 | Control Flow Integrity |
| [Risky Biz 425](https://risky.biz/RB425/) | Dan Guido | Sep 2016 | Recap the week's news |
| [Risky Biz 421](https://risky.biz/RB421/) | Dan Guido | Aug 2016 | Car hacking and the week's news |
| [Risky Biz 416](https://risky.biz/RB416/) | Dan Guido | Jul 2016 | DARPA Cyber Grand Challenge |
| [Risky Biz 399](https://risky.biz/RB399/) | Dan Guido | Feb 2016 | [Apple vs the FBI](https://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-order/) |
| [Risky Biz 348](https://risky.biz/RB348/) | Dan Guido | Jun 2015 | DARPA Cyber Grand Challenge |
| [Risky Biz 370](https://risky.biz/RB370/) | Dan Guido | Feb 2015 | DARPA Cyber Grand Challenge |

## Webinars

| Title | Speakers | Date |
| --- | --- | --- |
| [Top TEE bugs you should fix before your audit](https://watch.getcontrast.io/register/trail-of-bits-top-tee-bugs-you-should-fix-before-your-audit) | Tjaden Hess, Paul Bottinelli, & Jules Drean | Dec 2025 |
| [Building secure end-to-end encrypted systems](https://watch.getcontrast.io/register/trail-of-bits-running-effective-threat-models-in-e2ee) | Marc Ilunga & Fredrik Dahlgren | Dec 2025 |
| [After Wiretap and Battering RAM: What Changes for TEE-Based Blockchain Infrastructure](https://watch.getcontrast.io/register/trail-of-bits-after-wiretap-and-battering-ram-what-changes-for-tee-based-blockchain-infrastructure) | Tjaden Hess & Andy Campbell | Nov 2025 |
| [MCP Security Deep Dive: From Attacks to Defense](https://app.getcontrast.io/register/trail-of-bits-mcp-security-deep-dive-from-vulnerability-to-defense) | Keith Hoodlet, Cliff Smith, Vineeth Sai Narajala, Manish Bhatt | Jul 2025 |
| [Security Audits: Best Practices with Trail of Bits](https://workbrew.com/webinars/security-audits) | Chris Dahlheimer, Lindsay Rakowski, & Vanessa Gennarelli | Mar 2025 |
| [Mastering Web Research with Burp Suite](https://www.youtube.com/watch?v=0PV5QEQTmPg) | Keith Hoodlet, Cliff Smith, & James Kettle | Jun 2024 |
| [Introduction to CodeQL: Examples, Tools and CI Integration](https://www.youtube.com/watch?v=rQRlnUQPXDw) | Filipe Casal & Fredrik Dahlgren | Mar 2024 |
| [Introduction to Semgrep](https://www.youtube.com/watch?v=yKQlTbVlf0Q) | Maciej Domanski & Matt Schwager | Jan 2024 |

## Public Comments

| Topic | Agency | Date |
| --- | --- | --- |
| [Automated Artifical Intelligence Bill Of Materials for AI/ML Ops](./public-comments/AIBOM-RFI-response.pdf) | U.S. Army PEO IEW&S | Dec 2023 |
| [Open-Source Software Security: Areas of Long-Term Focus and Prioritization](./public-comments/tob-response-to-oncd-cisa-rfi-2023.pdf) | ONCD, CISA, NSF, DARPA, OMB | Nov 2023 |
| [Understanding the National Security Implications of AI](https://www.trailofbits.com/documents/whitehouse_otsp_national_security_ai.pdf) | Whitehouse OTSP | Jul 2023 |
| [AI Accountability, Regulation, and Audits](https://blog.trailofbits.com/2023/06/16/trail-of-bitss-response-to-ntia-ai-accountability-rfc/) | NTIA | Jun 2023 |
| [A Comprehensive Risk Assessment Framework for AI Assurance in Ethical, Legal, and Societal Domains](./public-comments/comprehensive-risk-assessment-framework-AI-Assurance-ELS-Domains.pdf) | DARPA | Jun 2023 |
| [Understanding Crypto Markets Security](https://github.com/trailofbits/publications/blob/master/presentations/public/CFTC_TAC_presentation_March_2023.pdf) | CFTC | Mar 2023 |
| [Regulation of Intrusion and Surveillance Software](https://www.regulations.gov/document/BIS-2015-0011-0209) | Commerce Dept | Jul 2015 |

## Security Reviews

Companies that have allowed us to speak about our work can be found here. Many more remain confidential.

### Major Clients

The following clients have engaged Trail of Bits for 5 or more security reviews:

#### Frax Finance

| Product | Date | Level of <br />Effort | Announcement | Report |
| --- | --: | :-: | --- | :-: |
| [FraxGov](https://frax.finance/) | May 2023 | 4 | | [📄✅](reviews/2023-05-fraxgov-securityreview.pdf) |
| [Fraxlend and veFPIS](https://frax.finance/) | Jan 2023 | 4 | | |
| [Fraxlend and FraxFerry](https://frax.finance/) | Oct 2022 | 4 | | [📄](reviews/2022-10-fraxfinance-fraxlend-fraxferry-securityreview.pdf) |
| [Frax](https://frax.finance/) | May 2022 | 4 | | [📄](reviews/FraxQ22022.pdf) |
| [Frax](https://frax.finance/) | Dec 2021 | 4 | | [📄](reviews/FraxQ42021.pdf) |
| [Frax](https://frax.finance/) | May 2021 | 4 | | [📄](reviews/FraxFinance.pdf) |

#### MobileCoin

| Product | Date | Level of <br />Effort | Announcement | Report |
| --- | --: | :-: | --- | :-: |
| [MobileCoin](https://mobilecoin.com/homepage) | Jul 2022 | 2 | | [📄](reviews/2022-07-mobilecoin-securityreview.pdf) |
| [Fog Protocol](https://www.mobilecoin.com/) | Jan 2021 | 4 | | [📄](reviews/MobilecoinFog.pdf) |
| [MobileCoin BFT](https://www.mobilecoin.com/) | Oct 2020 | 4 | | [📄](reviews/MobileCoinBFT.pdf) |
| [MobileCoin](https://www.mobilecoin.com/) | Aug 2020 | 4 | | [📄](reviews/Mobilecoin.pdf) |

#### Offchain Labs

| Product | Date | Level of <br />Effort | Announcement | Report |
| --- | --: | :-: | --- | :-: |
| [Offchain Labs Arbitrum Quorum Changes](https://www.offchainlabs.com/) | Feb 2026 | 1.2 | | [📄](reviews/2026-02-offchain-arbitrum-quorum-changes-securityreview.pdf) |
| [Offchain Labs Arbitrum Nitro External DA](https://www.offchainlabs.com/) | Jan 2026 | 4 | | [📄✅](reviews/2026-01-offchain-nitro-external-da-securityreview.pdf) |
| [Offchain Labs Arbitrum ArbOS 50 and 51 (Fusaka)](https://www.offchainlabs.com/) | Dec 2025 | | | [📄](reviews/2025-12-offchain-arbos50-and-51-securityreview.pdf) |
| [Offchain Labs Arbitrum Chains Genesis File Generator](https://www.offchainlabs.com/) | Dec 2025 | 1.6 | | [📄✅](reviews/2025-12-offchain-arbitrum-chains-genesis-generator-securityreview.pdf) |
| [Offchain Labs Upgrade Executor](https://www.offchainlabs.com/) | Jul 2025 | 0.2 | | [📄](reviews/2025-07-offchain-upgrade-executor-securityreview.pdf) |
| [Offchain SetCoreGovernorQuorumAction](https://www.offchainlabs.com/) | Jun 2025 | 1.2 | | [📄](reviews/2025-06-offchain-setcoregovernorquorumaction-securityreview.pdf) |
| [Offchain Arbitrum Mint/Burn Precompile](https://www.offchainlabs.com/) | Jun 2025 | 1.8 | | [📄✅](reviews/2025-06-offchain-arbitrum-mint-burn-precompile-securityreview.pdf) |
| [Offchain Arbitrum Block Hash Pusher](https://www.offchainlabs.com/) | Jun 2025 | 1.8 | | [📄](reviews/2025-06-offchain-arbitrum-block-hash-pusher-securityreview.pdf) |
| [Offchain ArbOS 40 Nitro](https://www.offchainlabs.com/) | May 2025 | 6 | | [📄](reviews/2025-05-offchainlabs-arbos40nitro-securityreview.pdf) |
| [Offchain Reward Distributor Fixes](https://www.offchainlabs.com/) | Apr 2025 | 0.8 | | [📄](reviews/2025-04-offchainlabs-reward-distributor-fixes-securityreview.pdf) |
| [Offchain Sequencer Liveness](https://www.offchainlabs.com/) | Mar 2025 | 3 | | [📄](reviews/2025-03-offchain-sequencer-liveness-securityreview.pdf) |
| [Offchain Custom Fee Bridge & EIP-7702](https://www.offchainlabs.com/) | Mar 2025 | 1 | | [📄](reviews/2025-03-offchain-custom-fee-erc20-bridge-securityreview.pdf) |
| [Offchain Geth 14.4 Pectra](https://www.offchainlabs.com/) | Mar 2025 | 0.8 | | [📄](reviews/2025-03-offchain-geth-14.4-securityreview.pdf) |
| [Offchain Custom Fee Exchange Rate](https://www.offchainlabs.com/) | Mar 2025 | 1 | | [📄](reviews/2025-03-offchain-custom-fee-token-exchange-rate-securityreview.pdf) |
| [Offchain Security Council Rotation](https://www.offchainlabs.com/) | Mar 2025 | 1.6 | | [📄](reviews/2025-03-offchain-security-council-rotation-securityreview.pdf) |
| [Offchain DisableGateway USDT](https://www.offchainlabs.com/) | Mar 2025 | 0.4 | | [📄](reviews/2025-03-offchain-disablegateway-action-securityreview.pdf) |
| [Offchain BoLD Fixes](https://www.offchainlabs.com/) | Dec 2024 | 0.8 | | [📄](reviews/2024-12-offchain-boldfixes-securityreview.pdf) |
| [Offchain Stylus Emergency Fixes](https://www.offchainlabs.com/) | Oct 2024 | 2 | | [📄](reviews/2024-10-offchain-stylus-emergency-fixes-securityreview.pdf) |
| [Offchain BoLD History Commits](https://www.offchainlabs.com/) | Oct 2024 | 2 | | [📄](reviews/2024-10-offchain-bold-optimized-history-commit-securityreview.pdf) |
| [Offchain Nitro with BoLD](https://www.offchainlabs.com/) | Oct 2024 | 2.6 | | [📄](reviews/2024-10-30-Offchain-NitroContractswithBoLD-securityreview.pdf) |
| [Offchain Stylus](https://www.offchainlabs.com/) | Sep 2024 | 2 | | [📄✅](reviews/2024-09-offchain-stylus-securityreview.pdf) |
| [Offchain RARI](https://www.offchainlabs.com/) | Aug 2024 | 0.6 | | [📄](reviews/2024-08-offchainlabs-register-and-set-arb-custom-gateway-action-governance-action-securityreview.pdf) |
| [Offchain Office Hours Action](https://www.offchainlabs.com/) | Aug 2024 | 0.6 | | [📄](reviews/2024-08-offchainlabs-office-hours-governance-action-securityreview.pdf) |
| [Offchain Timeboost Auction](https://www.offchainlabs.com/) | Aug 2024 | 3 | | [📄](reviews/2024-08-offchainlabs-timeboost-auction-contracts-securityreview.pdf) |
| [Offchain Orbit Actions](https://www.offchainlabs.com/) | Aug 2024 | 1 | | [📄](reviews/2024-08-offchainlabs-orbit-actions-securityreview.pdf) |
| [Offchain USDC Gateway](https://www.offchainlabs.com/) | Jul 2024 | 2 | | [📄](reviews/2024-08-offchainlabs-usdc-custom-gateway-securityreview.pdf) |
| [Offchain BoLD & DAC Rewards](https://www.offchainlabs.com/) | Jun 2024 | 3 | | [📄](reviews/2024-06-offchain-labs-bold-dac-rewards-updates-securityreview.pdf) |
| [Offchain Arbitrum Stylus](https://www.offchainlabs.com/) | May 2024 | 47 | | [📄](reviews/2024-05-offchain-arbitrumstylus-securityreview.pdf) |
| [Offchain L1-L3 Teleporter](https://www.offchainlabs.com/) | Apr 2024 | 2 | | [📄](reviews/2024-04-offchain-l1-l3-teleporter-securityreview.pdf) |
| [Offchain ArbOS 31](https://www.offchainlabs.com/) | Apr 2024 | 2 | | [📄](reviews/2024-04-offchain-arbos-31-securityreview.pdf) |
| [Offchain ArbOS 30 Nitro](https://www.offchainlabs.com/) | Apr 2024 | 6 | | [📄](reviews/2024-04-offchain-arbos-30-nitro-upgrade-securityreview.pdf) |
| [Offchain BoLD](https://www.offchainlabs.com/) | Apr 2024 | 5 | | [📄](reviews/2024-04-offchainbold-securityreview.pdf) |
| [Offchain ArbOS](https://www.offchainlabs.com/) | Feb 2024 | 4 | | [📄](reviews/2024-02-offchainlabsarbos-securityreview.pdf) |
| [Offchain Arbitrum](https://www.offchainlabs.com/) | Jan 2024 | 2 | | [📄](reviews/2024-01-offchainarbitrum-securityreview.pdf) |
| [Offchain Token Bridge Creator](https://www.offchainlabs.com/) | Dec 2023 | 6 | | [📄](reviews/2023-12-offchain-labs-arbitrum-token-bridge-creator-securityreview.pdf) |
| [Offchain Custom Fee Token](https://www.offchainlabs.com/) | Sep 2023 | 3 | | [📄](reviews/2023-09-offchain-labs-custom-fee-token-securityreview.pdf) |
| [Offchain Arbitrum Challenge v2](https://www.offchainlabs.com/) | Aug 2023 | 20 | | [📄✅](reviews/2023-8-offchain-challenge-protocol-V2-securityreview.pdf) |

#### Reserve Protocol

| Product | Date | Level of <br />Effort | Announcement | Report |
| --- | --: | :-: | --- | :-: |
| [Reserve Protocol Solidity 4.0.0](https://reserve.org/) | Jun 2025 | 3.6 | | [📄✅](reviews/2025-06-reserveprotocol-solidity400-securityreview.pdf) |
| [Reserve Protocol Solana DTFs](https://reserve.org/) | Apr 2025 | 2 | | [📄✅](reviews/2025-04-reserve-solana-dtfs-securityreview.pdf) |
| [Reserve Folio Solidity-Based Contracts](https://reserve.org/) | Apr 2025 | 2 | | [📄✅](reviews/2025-04-reserve-folio-solidity-securityreview.pdf) |
| [Reserve Protocol](https://reserve.org/) | Aug 2022 | 8 | | [📄](reviews/2022-08-reserve-protocol-securityreview.pdf), [✅](reviews/2022-08-reserve-protocol-fixreview.pdf) |
| [Reserve Protocol](https://reserve.org/) | Mar 2019 | 1 | | [📄](reviews/Reserve_LOA.pdf) |

#### Scroll

| Product | Date | Level of <br />Effort | Announcement | Report |
| --- | --: | :-: | --- | :-: |
| [Scroll Feynman Upgrade Smart Contract Changes](https://scroll.io/) | Jul 2025 | 1 | | [📄](reviews/2025-07-scroll-feynmanupgradesmartcontractchanges-securityreview.pdf) |
| [Scroll Euclid Phase 2](https://scroll.io) | Apr 2025 | 4 | [Scroll](https://gov.scroll.io/proposals/81939631158579841171219988954315753236293867421581097385921335841780903893992) | [📄✅](reviews/2025-04-scroll-euclid-phase2-securityreview.pdf)[🔖](reviews/2025-03-scroll-euclidphase2-loa.pdf) |
| [Scroll Euclid Phase 1](https://scroll.io) | Apr 2025 | 3 | [Scroll](https://gov.scroll.io/proposals/81939631158579841171219988954315753236293867421581097385921335841780903893992) | [📄✅](reviews/2025-04-scroll-euclid-phase1-securityreview.pdf)[🔖](reviews/2025-03-scroll-euclidphase1-loa.pdf) |
| [Scroll zstd Compression](https://scroll.io/) | Jun 2024 | 12 | | [📄✅](reviews/2024-06-scroll-zstd-compression-securityreview.pdf) |
| [Scroll ZkEVM 4844 Blob](https://scroll.io/) | Apr 2024 | 6 | | [📄✅](reviews/2024-04-scroll-4844-blob-securityreview.pdf) |
| [Scroll ZkEVM Wave 3](https://scroll.io/) | Sep 2023 | 9 | | [📄✅](reviews/2023-09-scroll-zkEVM-wave3-securityreview.pdf) |
| [Scroll l2geth [diff] ](https://scroll.io/) | Aug 2023 | 2 | | [📄](reviews/2023-08-scrollL2geth-securityreview.pdf) |
| [Scroll l2geth [initial]](https://scroll.io/) | Aug 2023 | 2 | | [📄](reviews/2023-08-scrollL2geth-initial-securityreview.pdf) |
| [Scroll ZkEVM Wave 2](https://scroll.io/) | Aug 2023 | 6 | | [📄✅](reviews/2023-08-scroll-zkEVM-wave2-securityreview.pdf) |
| [Scroll zkTrie](https://scroll.io/) | Jul 2023 | 4 | | [📄✅](reviews/2023-07-scroll-zktrie-securityreview.pdf) |
| [Scroll ZkEVM Wave 1](https://scroll.io/) | Apr 2023 | 23 | | [📄✅](reviews/2023-04-scroll-zkEVM-wave1-securityreview.pdf) |

#### Uniswap

| Product | Date | Level of <br />Effort | Announcement | Report |
| --- | --: | :-: | --- | :-: |
| [Uniswap v4 Core](https://docs.uniswap.org/contracts/v4/concepts/intro-to-v4) | Jul 2024 | 6 | | [📄✅](reviews/2024-07-uniswap-v4-core-securityreview.pdf) |
| [Uniswap Browser Extension](https://uniswap.org/) | Feb 2024 | 6 | | [📄✅](reviews/2024-02-uniswap-wallet-browserextension-securityreview.pdf) |
| [Uniswap](https://uniswap.org/) | Sep 2023 | 4 | | [📄✅](reviews/2023-09-uniswap-wallet-securityreview.pdf) |
| [Uniswap Mobile Wallet](https://freewallet.org/uni-wallet) | Aug 2022 | 4 | | [📄](reviews/UniswapMobileWallet-securityreview.pdf)[✅](reviews/UniswapMobileWallet-fixreview.pdf) |
| [Uniswap V3 Staker](https://uniswap.org/blog/uniswap-v3/) | Jun 2021 | 2 | | |
| [Uniswap V3](https://uniswap.org/) | Mar 2021 | 10 | [Uniswap](https://uniswap.org/blog/uniswap-v3/) | [📄](reviews/UniswapV3Core.pdf) |

#### Western Digital

| Product | Date | Level of <br />Effort | Announcement | Report |
| --- | --: | :-: | --- | :-: |
| [ArmorLock](https://www.westerndigital.com/) | Apr 2022 | 6 | | |
| [Optimus ROM](https://www.westerndigital.com/) | Jan 2022 | 4 | | |
| [Secure Transport](https://www.westerndigital.com/) | Apr 2020 | 4 | |
| [Western Digital Sweet B](https://github.com/westerndigitalcorporation/sweet-b) | Jan 2020 | 4 | [Western Digital](https://www.westerndigital.com/company/newsroom/press-releases/2020/2020-09-03-western-digital-sets-a-new-standard-in-data-protection) | [📄](reviews/SweetB.pdf) |
| [SanDisk X600](https://www.westerndigital.com/) | May 2019 | 6 | [Multiple vulnerabilities in SanDisk X600](https://www.westerndigital.com/support/productsecurity/wdc-19006-sandisk-x600-sata-ssd) | [📄](reviews/sandiskx600.pdf) |

### AI/ML Reviews

| Product | Date | Level of <br />Effort | Announcement | Report |
| ---| --: | :-: | --- | :-: |
| [YOLOv7](https://github.com/WongKinYiu/yolov7/) | Oct 2023 | 4 | | [📄](reviews/2023-10-yolov7-securityreview.pdf) |
| [SafeTensors](https://github.com/huggingface/safetensors) | Mar 2023 | 2 | | [📄](reviews/2023-03-eleutherai-huggingface-safetensors-securityreview.pdf) |

### Cryptography Reviews

| Product | Date | Level of <br />Effort | Announcement | Report |
| ---| --: | :-: | --- | :-: |
| [Ripple Labs XRP Ledger Confidential Transfer](https://ripple.com/) | Apr 2026 | 6 | | [📄✅](reviews/2026-04-ripple-labs-xrp-ledger-confidential-transfer-securityreview.pdf) |
| [Open Home Foundation SecureTar v3](https://www.openhomefoundation.org/) | Mar 2026 | 1 | | [📄✅](reviews/2026-03-open-home-foundation-securetar-v3-securityreview.pdf) |
| [Obsidian Sync](https://obsidian.md/) | Dec 2025 | 2 | | [📄✅](reviews/2025.12-obsidiansync-securityreview.pdf) |
| [NEAR One PedPop+](https://nearone.org/) | May 2025 | 4 | | [📄](reviews/2025-05-near-one-pedpop+-securityreview.pdf) |
| [NEAR One MPC Chain Signatures](https://docs.near.org/chain-abstraction/chain-signatures) | Mar 2025 | 6 | | [📄](reviews/2025-03-near-one-mpc-chain-signatures-securityreview.pdf) |
| [NEAR One Robust ECDSA](https://docs.near.org/chain-abstraction/chain-signatures) | Feb 2026 | 6.4 | | [📄✅](reviews/2026-02-near-one-robust-ecdsa-securityreview.pdf) |
| [Anza BLS Signatures](https://anza.xyz) | Mar 2026 | 1 | | [📄](reviews/2026-03-anza-blssignatures-securityreview.pdf) |
| [DV Labs Charon Pedersen DKG](https://github.com/ObolNetwork/charon) | Feb 2026 | 2 | | [📄✅](reviews/2026-02-dv-labs-charon-pedersen-dkg-securityreview.pdf) |
| [Anza Token-2022 Confidential Transfer, Cryptography](https://www.anza.xyz/) | Jan 2026 | 7 | | [📄](reviews/2026-01-anza-token-2022-confidential-transfer-cryptography-securityreview.pdf) |
| [Calyx Institute HSM Provisioning Ceremony Scripts](https://calyxos.org/) | Jan 2026 | 1 | | [📄✅](reviews/2026-01-calyx-hsm-provisioning-ceremony-scripts-securityreview.pdf) |
| [BSV Blockchain TS-SDK](https://bsvassociation.org/) | Jan 2026 | 6 | | [📄✅](reviews/2026-01-bsv-association-ts-sdk-securityreview.pdf) |
| [Bron Labs MCP Library](https://bron.org/) | Jan 2026 | 8 | | [📄✅](reviews/2026-01-bron-mcp-securityreview.pdf) |
| [NEAR One Confidential Key Derivation](https://docs.near.org/chain-abstraction/chain-signatures) | Dec 2025 | 4 | | [📄✅](reviews/2025-12-near-one-confidential-key-derivation-securityreview.pdf) |
| [Zama](https://docs.zama.org/protocol/zama-protocol-litepaper) | Oct 2025 | 32.2 | | |
| [DFINITY Orbit](https://dfinity.org/) | Sep 2025 | 4 | | [📄✅](reviews/2025-09-dfinity-orbit-securityreview.pdf) |
| [DFINITY Oisy](https://oisy.com/) | Sep 2025 | 4 | | [📄✅](reviews/2025-09-dfinity-oisy-securityreview.pdf) |
| [Google Longfellow](https://github.com/google/longfellow-zk) | Aug 2025 | 4.6 | | [📄✅](reviews/2025-08-googlelongfellow-securityreview.pdf) |
| [Open Quantum Safe liboqs](https://openquantumsafe.org/) | Apr 2025 | 5 | [Open Quantum Safe](https://openquantumsafe.org/liboqs/security.html) | [📄](reviews/2025-04-quantum-open-safe-liboqs-securityreview.pdf) |
| [Go Crypto Libraries](https://go.dev) | Mar 2025 | 12 | [Go](https://go.dev/blog/tob-crypto-audit) | [📄✅](reviews/2025-03-google-gocryptographiclibraries-securityreview.pdf) |
| [Zkonduit EZKL](https://github.com/zkonduit/ezkl) | Mar 2025 | 11 | [EZKL](https://blog.ezkl.xyz/post/audit/) | [📄✅](reviews/2025-03-zkonduit-ezkl-securityreview.pdf) |
| [Scopely Monopoly Go!](https://www.monopolygo.com) | Dec 2024 | 2 | | [🔖](reviews/2025-01-scopely-monopolygo-letterofattestation.pdf) |
| [Aligned](https://www.alignedlayer.com/) | Dec 2024 | 3 | | [📄✅](reviews/2024-12-alignedlayer-aligned-securityreview.pdf) |
| [Discord DAVE](https://discord.com/) | Sep 2024 | 5 | [Discord](https://discord.com/blog/meet-dave-e2ee-for-audio-video) | [📄✅](reviews/2024-09-discord-dave-protocol-codereview.pdf) |
| [Discord DAVE](https://discord.com/) | Aug 2024 | 4 | [Discord](https://discord.com/blog/meet-dave-e2ee-for-audio-video) | [📄✅](reviews/2024-08-discord-dave-protocol-designreview.pdf) |
| [Lit Protocol Cait-Sith](https://www.litprotocol.com/) | Jun 2024 | 10 | | [📄✅](reviews/2024-06-lit-protocol-cait-sith-securityreview.pdf) |
| [Iron Fish FishHash](https://ironfish.network/) | Apr 2024 | 1 | [Iron Fish](https://ironfish.network/learn/blog/2024-05-14-fish-hash-audit) | [📄✅](reviews/2024-04-ironfish-fishhash-securityreview.pdf) |
| [Silence Laboratories Silent Shard](https://www.silencelaboratories.com) | Feb 2024 | 5 | | [📄✅](reviews/2024-02-silencelaboratories-silentshard-securityreview.pdf) |
| [Snow](https://github.com/mcginty/snow) | Jan 2024 | 4 | | [📄✅](reviews/2024-01-agilebits-snow-securityreview.pdf) |
| [Ockam](https://docs.ockam.io) | Nov 2023 | 11 | [Trail of Bits](https://blog.trailofbits.com/2024/03/05/cryptographic-design-review-of-ockam/) | [📄](reviews/2023-11-ockam-designreview.pdf) |
| [Dfinity Candid](https://dfinity.org/) | Nov 2023 | 3 | | [📄✅](reviews/2023-11-dfinity-candid-securityreview.pdf) |
| [Axiom Halo2 Library Upgrades](https://www.axiom.xyz/) | Oct 2023 | 6 | [Axiom](https://docs.axiom.xyz/docs/transparency-and-security/security) | [📄✅](reviews/2023-10-axiom-halo2libraryupgrades-securityreview.pdf) |
| [Aleo snarkVM, snarkOS, BullsharkBFT](https://aleo.org/) | Oct 2023 | 18 | [Aleo](https://aleo.org/post/aleo-completes-security-audits-of-snarkos-and-snarkvm/) | [📄✅](reviews/2023-10-aleo-securityreview.pdf) |
| [Axiom Halo2 Libraries](https://www.axiom.xyz/) | Jun 2023 | 14 | [Axiom](https://docs.axiom.xyz/docs/transparency-and-security/security) | [📄✅](reviews/2023-06-axiom-halo2libraries-securityreview.pdf) |
| [Dfinity ckBTC and BTC Integration](https://dfinity.org/) | Jun 2023 | 2.5 | [Forum](https://forum.dfinity.org/t/ckbtc-and-service-nervous-system-sns-third-party-security-assessments-by-trail-of-bits/24380), [Blog](https://medium.com/dfinity/taking-security-seriously-two-top-icp-features-assessed-by-trail-of-bits-4a0023ab1e68) | |
| [Dfinity SNS Phase 2](https://dfinity.org/) | Jun 2023 | 2.5 | [Forum](https://forum.dfinity.org/t/ckbtc-and-service-nervous-system-sns-third-party-security-assessments-by-trail-of-bits/24380), [Blog](https://medium.com/dfinity/taking-security-seriously-two-top-icp-features-assessed-by-trail-of-bits-4a0023ab1e68) | [📄](reviews/2023-06-dfinity-sns-securityreview.pdf) |
| [Thesis tss-lib BitForge](https://threshold.network/) | Jun 2023 | 0.2 | [Threshold](https://blog.threshold.network/bitforge-and-tsshock/) | [📄✅](reviews/2023-06-thesistsslib-securityreview.pdf) |
| [Chainflip](https://chainflip.io/) | Apr 2023 | 12 | [Chainflip](https://blog.chainflip.io/trail-of-bits-security-audit/) | [📄✅](reviews/2023-04-chainflip-securityreview.pdf) |
| [Stealth Addresses](https://gist.github.com/shea256/e4a8dccd1e83fa801c7328a0af611798) | Feb 2023 | 2 | | [📄✅](reviews/2023-02-ryanshea-practicalstealthaddresses-securityreview.pdf) |
| [Succinct ZK Light Client](https://www.succinct.xyz/) | Feb 2023 | 8 | [Succinct](https://blog.succinct.xyz/blog/telepathy) | [📄✅](reviews/2023-02-succinct-securityreview.pdf) |
| [noble-curves Library](https://github.com/paulmillr/noble-curves) | Jan 2023 | 2 | | [📄✅](reviews/2023-01-ryanshea-noblecurveslibrary-securityreview.pdf) |
| [ParaSpace](https://para.space/) | Dec 2022 | 1 | | [📄](reviews/ParallelFinance3.pdf) |
| [Phantom Wallet](https://phantom.app/) | Nov 2022 | 2 | | |
| [ParaSpace](https://para.space/) | Nov 2022 | 7 | | [📄](reviews/ParallelFinance2.pdf)[✅](reviews/ParallelFinance2FixReview.pdf) |
| [SimpleX Chat](https://simplex.chat/) | Oct 2022 | 1 | [SimpleX](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) | [📄](reviews/SimpleXChat.pdf) |
| [Dfinity](https://dfinity.org/) | Sep 2022 | 4 | [Forum](https://forum.dfinity.org/t/ckbtc-and-service-nervous-system-sns-third-party-security-assessments-by-trail-of-bits/24380), [Blog](https://medium.com/dfinity/taking-security-seriously-two-top-icp-features-assessed-by-trail-of-bits-4a0023ab1e68) | [📄✅](reviews/2022-09-dfinity-sns-securityreview.pdf) |
| [Aleo snarkVM](https://www.aleo.org/) | Sep 2022 | 12 | | [📄✅](reviews/2022-09-aleosystems-snarkvm-securityreview.pdf) |
| [Microsoft/Verasion Go-COSE](https://github.com/veraison) | Jul 2022 | 4 | | [📄✅](reviews/2022-07-microsoft-go-cose-securityreview.pdf) |
| [BLS Signature Scheme](https://www.binance.com/) | Jul 2022 | 1 | | |
| [Binance CGGMP21 and FROST](https://www.binance.com/) | May 2022 | 8 | | |
| [Aleo snarkVM & snarkOS](https://www.aleo.org/) | Apr 2022 | 12 | | |
| [Phantom Wallet](https://phantom.app/) | Apr 2022 | 4 | | |
| [Parallel Finance](https://parallel.fi/) | Mar 2022 | 6 | | [📄](reviews/ParallelFinance.pdf) |
| [Polkadex](https://www.polkadex.trade/) | Feb 2022 | 10 | | |
| [Linux Kernel](https://kernelci.org/about/) | Apr 2021 | 2 |  [Release Signing and Management](https://ostif.org/a-review-of-the-linux-kernels-release-signing-and-key-management-policies/) | [📄](reviews/LinuxKernelReleaseSigning.pdf) |
| [Standard Notes](https://standardnotes.com/) | Mar 2020 | 1 | [Standard Notes](https://standardnotes.com/blog/standard-notes-security-audits-2021) | [📄](reviews/StandardNotes.pdf) |
| [Project Callisto](https://www.projectcallisto.org/) | Aug 2018 | 5 | | |

### Technology Product Reviews

| Product | Date | Level of <br />Effort | Announcement | Report |
| --- | --: | :-: | --- | :-: |
| [PyPI Warehouse](https://warehouse.pypa.io/) | Apr 2026 | 6 | | [📄](reviews/2026-04-pypi-warehouse-securityreview.pdf) |
| [X XChat](https://x.com/) | Oct 2025 | 4 | | [📄✅](reviews/2025-10-x-xchat-securityreview.pdf) |
| [Edera Runtime Container](https://edera.dev/) | Oct 2025 | 4 | | [📄](reviews/2025-11-edera-container-runtime-securityreview.pdf) |
| [Meta WhatsApp Private Processing](https://www.meta.com/whatsapp/) | Aug 2025 | 12 | [WhatsApp](https://blog.whatsapp.com/get-the-tone-of-your-message-right-with-private-writing-help), [Trail of Bits](https://blog.trailofbits.com/2026/04/07/what-we-learned-about-tee-security-from-auditing-whatsapps-private-inference/) | [📄✅](reviews/2025-08-meta-whatsapp-privateprocessing-securityreview.pdf) |
| [Discord E2EE WebAssembly](https://discord.com/) | Jun 2025 | 3 | | [📄](reviews/2025-06-discord-e2eewebassembly-securityreview.pdf) |
| [libVLC](https://images.videolan.org/vlc/libvlc.html) | May 2025 | 5 | | [📄](reviews/2025-05-libvlc-securityreview.pdf) |
| [NATS Server](https://nats.io/) | Feb 2025 | 6 | | [📄✅](reviews/2025-04-ostif-nats-securityreview.pdf) |
| [Istio Ztunnel](https://istio.io/) | Dec 2024 | 2 | [OSTIF](https://ostif.org/istio-ztunnel-audit-complete/), [Istio](https://istio.io/latest/blog/2025/ztunnel-security-assessment/) | [📄✅](/reviews/2024-12-istio-ztunnel-securityreview.pdf) |
| [RubyGems.org](https://www.rubygems.org) | Dec 2024 | 5 | | [📄](reviews/2024-12-rubycentral-rubygemsorg-securityreview.pdf) |
| [Kraken Wallet In-App Browser](https://www.kraken.com/wallet) | Nov 2024 | 4 | | [📄✅](reviews/2024-11-kraken-wallet-in-app-browser-securityreview.pdf) |
| [Kraken Wallet iCloud Backup](https://www.kraken.com/wallet) | Sep 2024 | 2 | | [📄✅](reviews/2024-09-kraken-mobile-wallet-icloud-backup-securityreview.pdf) |
| [Hugging Face Gradio](https://huggingface.co/gradio) | Jul 2024 | 4 | [Hugging Face](https://huggingface.co/blog/gradio-5-security), [Trail of Bits](https://blog.trailofbits.com/2024/10/10/auditing-gradio-5-hugging-faces-ml-gui-framework/) | [📄✅](reviews/2024-10-huggingface-gradio-securityreview.pdf) |
| [Zoo KittyCAD](https://zoo.dev/) | Jun 2024 | 4.6 | | [📄✅](reviews/2024-06-zoo-kittycad-securityreview.pdf) |
| [Polygon Labs Iden3 Circuits](https://polygon.technology/) | May 2024 | 2 | | [📄✅](reviews/2024-05-polygonlabs-iden3circuits-securityreview.pdf) |
| [Kraken Mobile Wallet](https://www.kraken.com/wallet) | Jan 2024 | 7 | [Kraken](https://blog.kraken.com/product/kraken-wallet/kraken-wallet-security)| [📄✅](reviews/2024-1-kraken-mobile-wallet-securityreview.pdf) |
| [Eclipse Temurin](https://adoptium.net/temurin/) | Dec 2023 | 4 | [Response](https://adoptium.net/pdf/temurin-audit-response.pdf), [OSTIF](https://ostif.org/temurin-audit-complete/), [Eclipse Foundation](https://adoptium.net/blog/2024/06/external_audit) | [📄✅](reviews/2023-12-eclipse-temurin-securityreview.pdf) |
| [Arch Linux Pacman](https://archlinux.org/pacman/) | Dec 2023 | 2 | [OTF](https://www.opentech.fund/security-safety-audits/arch-linuxs-pacman-package-manager-security-audit/) | [📄✅](reviews/2023-12-pacman-securityreview.pdf) |
| [cURL HTTP3](https://curl.se/) | Dec 2023 | 4 | [OSTIF](https://ostif.org/curl-audit-complete/), [Daniel Stenberg](https://daniel.haxx.se/blog/2024/02/23/curl-http-3-security-audit/) | [📄](reviews/2023-12-curl-http3-securityreview.pdf) |
| [Lisk SDK 6.1 modules](https://lisk.com/) | Sep 2023 | 4 | | [📄✅](reviews/2023-09-lisksdk-securityreview.pdf) |
| [OpenSSL](https://www.openssl.org/) | Sep 2023 | 9 | [OSTIF](https://ostif.org/openssl-audit-complete/), [OpenSSL](https://www.openssl.org/blog/blog/2024/05/02/ostif/) | [📄✅](reviews/2023-09-openssl-securityreview.pdf) |
| [PyPI Warehouse](https://warehouse.pypa.io/) | Sep 2023 | 10 | [PyPI](https://blog.pypi.org/posts/2023-11-14-1-pypi-completes-first-security-audit/), [Trail of Bits](https://blog.trailofbits.com/2023/11/14/our-audit-of-pypi/) | [📄✅](reviews/2023-09-pypi-warehouse-securityreview.pdf) |
| [wasmCloud](https://wasmcloud.com/) | Sep 2023 | 6 | | [📄✅](reviews/2023-09-wasmCloud-securityreview.pdf) |
| [Worldcoin](https://worldcoin.org/) | Aug 2023 | 6 | | [📄✅](reviews/2023-08-worldcoin-orb-securityreview.pdf) |
| [Homebrew](https://brew.sh) | Aug 2023 | 6 | | [📄](reviews/2023-08-28-homebrew-securityreview.pdf) |
| [DigitalOcean OIDC](https://www.digitalocean.com/) | Aug 2023 | 4 | | [📄](reviews/2023-08-digitalocean-oidc-securityreview.pdf) |
| [Flux](https://fluxcd.io) | Aug 2023 | 4 | [OSTIF](https://ostif.org/?p=3065&preview=true), [Flux](https://fluxcd.io/blog/2023/11/flux-security-audit/) | [📄✅](reviews/2023-08-flux-securityreview.pdf) |
| [Lisk SDK](https://lisk.com/) | Jul 2023 | 30 | | [📄✅](reviews/2023-07-liskv4.0-securityreview.pdf) |
| [DragonFly2](https://d7y.io/) | Jul 2023 | 4 |  [Dragonfly](https://d7y.io/blog), [OSTIF](https://ostif.org/dragonfly-audit/) | [📄✅](reviews/2023-07-dragonfly2-securityreview.pdf) |
| [Eclipse JKube](https://eclipse.dev/jkube/) | May 2023 | 5 | [OSTIF](https://ostif.org/jkube-audit/), [Eclipse](https://blogs.eclipse.org/post/mika%C3%ABl-barbero/eclipse-foundation-publishes-results-eclipse-jkube-security-audit) | [📄✅](reviews/2023-05-eclipse-jkube-securityreview.pdf) |
| [Chainflip](https://chainflip.io/) | Apr 2023 | 12 | [Chainflip](https://blog.chainflip.io/trail-of-bits-security-audit/) | [📄✅](reviews/2023-04-chainflip-securityreview.pdf) |
| [Eclipse Mosquitto](https://mosquitto.org/) | Mar 2023 | 4 | [OSTIF](https://ostif.org/mosquitto-security-audit/), [Eclipse](https://blogs.eclipse.org/post/mika%C3%ABl-barbero/eclipse-mosquitto-security-audit-has-been-completed) | [📛](reviews/2023-02-eclipse-mosquitto-lightweight-threatmodel.pdf)[📄✅](reviews/2023-03-eclipse-mosquitto-securityreview.pdf) |
| [Eclipse Jetty](https://eclipse.dev/jetty/) | Mar 2023 | 6 | [Jetty](http://webtide.com/security-audit-with-trail-of-bits/), [Eclipse](https://blogs.eclipse.org/post/mika%C3%ABl-barbero/eclipse-jetty-security-audit-has-been-completed) | [📄✅](reviews/2023-03-eclipse-jetty-securityreview.pdf) |
| [Spool Platform](https://www.spool.fi/) | Mar 2023 | 8 | | [📄✅](reviews/2023-03-spool-platformv2-securityreview.pdf) |
| [Redpanda Platform](https://redpanda.com/) | Jan 2023 | 4 | | |
| [Injective Labs Options Market](https://injective.com/) | Jan 2023 | 4 | | |
| [OpenVPN3](https://openvpn.net/) | Jan 2023 | 6 | | |
| [OpenVPN2](https://openvpn.net/) | Dec 2022 | 4 | [OpenVPN](https://openvpn.net/blog/trail-of-bits/) | [📄✅](reviews/2022-12-openvpn-openvpn2-securityreview.pdf) |
| [OpenArchive Save (Android)](https://open-archive.org/) | Dec 2022 | 1 |[OpenArchive Save](https://www.opentech.fund/results/security-safety-audits/openarchive-save-android-ios/) | [📄✅](reviews/2022-12-openarchivesaveandroid-securityreview.pdf) |
| [Enclave Markets](https://www.enclave.market/) | Nov 2022 | 9 | | |
| [Fiat Ramps](https://cashero.com/) | Nov 2022 | 4 | | |
| [cURL](https://curl.se/) | Oct 2022 | 9.5 | [OSTIF](https://ostif.org/the-ostif-audit-of-curl-with-trail-of-bits-is-complete/), [Daniel Stenberg](https://daniel.haxx.se/blog/2022/12/21/the-2022-curl-security-audit/). [Trail of Bits](https://blog.trailofbits.com/2022/12/22/curl-security-audit-threat-model/) | [📄✅](reviews/2022-12-curl-securityreview.pdf)[📛](reviews/2022-12-curl-threatmodel.pdf) |
| [CloudEvents](https://cloudevents.io/) | Oct 2022 | 4 | [OSTIF](https://ostif.org/results-of-the-cloudevents-security-assessment/) | [📄](reviews/CloudEvents.pdf) |
| [OpenArchive Save (iOS)](https://open-archive.org/) | Oct 2022 | 1.2 |[OpenArchive Save](https://www.opentech.fund/results/security-safety-audits/openarchive-save-android-ios/) | [📄✅](reviews/2022-10-openarchivesaveios-securityreview.pdf) |
| [AlphaSOC API](https://alphasoc.com/) | Sep 2022 | 1 | | [📄✅](reviews/2022-09-alphasoc-alphasocapi-securityreview.pdf) |
| [Consul Enterprise](https://www.hashicorp.com/products/consul) | Sep 2022 | 6 | | |
| [snarkVM](https://www.aleo.org/) | Sep 2022 | 12 | | [📄✅](reviews/2022-09-aleosystems-snarkvm-securityreview.pdf) |
| [Hashicorp Boundary](https://www.hashicorp.com/) | Jul 2022 | 6 | | |
| [Skiff](https://skiff.com/) | Jul 2022 | 6 | |
| [Terraform Cloud](https://www.hashicorp.com/) | Jun 2022 | 6 | | |
| [Datadog](https://www.datadoghq.com/) | May 2022 | 6 | | |
| [MATTR](https://mattr.global/) | May 2022 | 4 | | |
| [ArmorLock](https://www.westerndigital.com/) | Apr 2022 | 6 | | |
| [DigitalOcean Function](https://www.digitalocean.com/) | Apr 2022 | 4 | | |
| [Auvik Collector](https://www.auvik.com/system-security/) | Apr 2022 | 8 | | |
| [Fuchsia Platform](https://fuchsia.dev/) | Mar 2022 | 8 | |
| [Optimus ROM](https://www.westerndigital.com/) | Jan 2022 | 4 | | |
| [BitcoinBeach](https://galoy.io/) | Mar 2022 | 4 | | [📄](reviews/Galoy.pdf) |
| [osquery](https://osquery.io/) | Jan 2022 | 6 | | [📄](reviews/osquery.pdf) |
| [Redjack](https://www.redjack.com/) | Dec 2021 | 2 | |
| [DigitalOcean Cloud](http://cloud.digitalocean.com/) | Nov 2021 | 12 | |
| [SpruceID](https://tezos.foundation/) | Oct 2021 | 12 | | [📄](reviews/SpruceID.pdf) |
| [Doppler](https://www.doppler.com/) | Sep 2021 | 4 | |
| [Datadog Agent](https://www.datadoghq.com/) | Aug 2021 | 8 | |
| [Appian](https://appian.com/) | Jun 2021 | 4 | | |
| [Cashero-2.0](https://www.cashero.com/) | Jun 2021 | 4 | | |
| [Orbit](https://fleetdm.com/) | Apr 2021 | 1 | | |
| [VGS Proxy](https://www.verygoodsecurity.com/) | Apr 2021 | 4 | | |
| [Skiff](https://www.skiff.org/) | Feb 2021 | 4 | | |
| [CircleCI Server 3.0](https://circleci.com/) | Jan 2021 | 6 | [Penetration testing at CircleCI](https://circleci.com/blog/penetration-testing-at-circleci/) |
| [BitMEX](https://www.bitmex.com/) | Jan 2021 | 4 | | |
| [SecureDrop](https://freedom.press/) | Dec 2020 | 8 | [2nd audit of SecureDrop Workstation](https://securedrop.org/news/second-independent-audit-of-securedrop-workstation-completed/) | [📄](reviews/SecureDropWorkstation.pdf) |
| [Citizen Browser](https://themarkup.org/) | Dec 2020 | 0.43 | [How We Built a Facebook Inspector](https://themarkup.org/citizen-browser/2021/01/05/how-we-built-a-facebook-inspector)|
| [Ren](https://renproject.io/) | Aug 2020 | 4 | [Aug Development Update](https://medium.com/@loong/4ce9bb0fb98b) | [📄](reviews/renvm.pdf) |
| [Hey.com](https://www.hey.com/) | Jun 2020 | 1 | [Serious Security](https://www.hey.com/security/) | [📄](reviews/Hey.pdf) |
| [Azure Sphere](https://azure.microsoft.com/en-us/services/azure-sphere/) | Jun 2020 | 12 | [Azure Sphere 20.07 Security Enhancements](https://techcommunity.microsoft.com/t5/internet-of-things/azure-sphere-20-07-security-enhancements/ba-p/1548973) |
| [Zoom](https://zoom.us/) | May 2020 | 9 | [90 Days Done, What's Next for Zoom](https://blog.zoom.us/ceo-report-90-days-done-whats-next-for-zoom/) |
| [Secure Transport](https://www.westerndigital.com/) | Apr 2020 | 4 | |
| [ZeroTier 2.0](https://www.zerotier.com/) | Mar 2020 | 2 | [ZeroTier](https://mobile.twitter.com/zerotier/status/1314343535303446531) | [📄](reviews/ZeroTierProtocol.pdf) |
| [Voatz](https://voatz.com/) | Feb 2020 | 12 | [Voatz](https://blog.voatz.com/?p=1287), [Tusk](https://mobilevoting.org/2020/03/a-note-on-security/) | [📄](reviews/voatz-securityreview.pdf)[📛](reviews/voatz-threatmodel.pdf) |
| [Vault](https://www.hashicorp.com/products/vault/) | Feb 2020 | 12 | |
| [Voice](https://block.one/) | Jan 2020 | 4 | |
| [Azure Sphere](https://azure.microsoft.com/en-us/services/azure-sphere/) | Jun 2019 | 12 | | |
| [zlib](https://www.zlib.net/) | Sep 2016 | 1 | | [📄](reviews/zlib.pdf) |

### Cloud-Native Reviews

| Product | Date | Level of <br />Effort |  Announcement | Report |
| --- | --: | :-: | --- | :-: |
| [KEDA](https://keda.sh/) | Dec 2022 | 6 | [OSTIF](https://ostif.org/our-audit-of-kubernetes-event-driven-autoscaling-keda-is-complete/) | [📄](reviews/2023-01-keda-securityreview.pdf) |
| [Terraform Enterprise](https://developer.hashicorp.com/terraform/enterprise) | Nov 2022 | 6 | | |
| [Nomad Enterprise](https://www.nomadproject.io/) | Nov 2022 | 6 | | |
| [HashiCorp Cloud](https://cloud.hashicorp.com/) | Jun 2022 | 9 | |
| [Tekton](https://tekton.dev/) | Mar 2022 | 4 | [Tekton Security Review Completed](https://cd.foundation/blog/2022/08/26/tekton-security-review-completed/) | [📄](reviews/Tekton.pdf) |
| [Linkerd](https://linkerd.io/) | Feb 2022 | 4 | | [📛](reviews/Linkerd-threatmodel.pdf)[📄](reviews/Linkerd-securityreview.pdf)[✅](reviews/Linkerd-fixreview.pdf)
| [CoreDNS](https://coredns.io/) | Jan 2022 | 4 | | [📄](reviews/CoreDNS.pdf)
| [Terraform Enterprise](https://www.terraform.io/) | Nov 2021 | 6 | |
| [Nomad Enterprise](https://www.nomadproject.io/) | Nov 2021 | 6 | |
| [Consul Enterprise](https://www.consul.io/) | Oct 2021 | 6 | |
| [Vault Enterprise](https://www.vaultproject.io/) | Oct 2021 | 6 | |
| [HashiCorp Cloud](https://cloud.hashicorp.com/) | Jun 2021 | 8 | |
| [Argo](https://argoproj.github.io/) | Mar 2021 | 4 | |  [📛](reviews/argo-threatmodel.pdf)[📄](reviews/argo-securityreview.pdf) |
| [Terraform Cloud](https://www.terraform.io/cloud) | Jan 2021 | 6 | |
| [Consul](https://www.consul.io/) | Oct 2020 | 10 | |
| [Nomad](https://www.nomadproject.io/) | Aug 2020 | 6 | |
| [Helm](https://helm.sh/) | Aug 2020 | 4 |  [Helm 2nd Security Audit](https://helm.sh/blog/helm-2nd-security-audit/) | [📄](reviews/Helm.pdf) |
| [Terraform](https://www.hashicorp.com/products/terraform/) | Mar 2020 | 6 | |
| [OPA](https://github.com/open-policy-agent/gatekeeper) | Mar 2020 | 2 |  [Open Policy Agent (OPA) Graduation Proposal](https://github.com/cncf/toc/blob/main/proposals/graduation/opa.md) | [📄](reviews/OPAGatekeeper.pdf) |
| [etcd](https://etcd.io/) | Jan 2020 | 4 | [CNCF](https://www.cncf.io/blog/2020/08/05/etcd-security-audit/) | [📄](reviews/etcd.pdf) |
| [Rook](https://github.com/rook/rook/tree/release-1.1) | Dec 2019 | 2 |  [CNCF](https://www.cncf.io/announcements/2020/10/07/cloud-native-computing-foundation-announces-rook-graduation/) | [📄](reviews/rook.pdf) |
| [Kubernetes](https://kubernetes.io/) | May 2019 | 12 |  [Google](https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-security-audit-what-gke-and-anthos-users-need-to-know), [CNCF](https://www.helpnetsecurity.com/2019/08/12/kubernetes-security-matures/) | [📛](https://github.com/trailofbits/audit-kubernetes/blob/master/reports/Kubernetes%20Threat%20Model.pdf)[📄](https://github.com/trailofbits/audit-kubernetes/blob/master/reports/Kubernetes%20Security%20Review.pdf)[📰](https://github.com/trailofbits/audit-kubernetes/blob/master/reports/Kubernetes%20White%20Paper.pdf)

### Invariant Testing and Development Engagements

| Product | Date | Level of <br />Effort | Announcement | Report | Public Suite |
| ---| --: | :-: | --- | :-: | --- |
| [Panoptic](https://panoptic.xyz/) | May 2024 | 9 | | [📄](reviews/2024-05-panoptic-liquidation-engine-invariant-development.pdf) | |
| [Curvance](https://www.curvance.com/) | Mar 2024 | 5 | | [📄](reviews/2024-03-curvance-invariant-development.pdf) | [Public invariants](https://github.com/curvance/Curvance-CantinaCompetition/tree/CodeFAQAndAdjustments/tests/fuzzing) |

### Blockchain Reviews

#### Wallet Reviews
| Product | Date | Level of <br />Effort | Announcement | Report |
| ---| --: | :-: | --- | :-: |
| [Gemini Smart Wallet](https://www.gemini.com/wallet/) | Aug 2025 | 4 | | [📄✅](reviews/2025-08-gemini-smartwallet-securityreview.pdf)[🔖](reviews/2025-08-gemini-smartwallet-letterofattestation.pdf) |
| [Otim Smart Wallet](https://otim.com/) | Mar 2025 | 3 | | [📄✅](reviews/2025-03-otim-smart-wallet-securityreview.pdf) |
| [dappOS v2 wallet](https://dappos.com/) | Jul 2023 | 3 | | [📄✅](reviews/2023-07-dappos-securityreview.pdf) |
| [WalletConnect v2.0](https://walletconnect.com/) | Mar 2023 | 4 | [WalletConnect](https://medium.com/walletconnect/walletconnect-v2-0s-independent-security-audit-by-trail-of-bits-e8e59d11e517) | [📄✅](reviews/2023-03-walletconnectv2-securityreview.pdf) |
| [Phantom Wallet](https://phantom.app/) | Nov 2022 | 2 | | |
| [GameStop iOS Web Wallet](https://www.gamestop.com/) | Nov 2022 | 1 | | |
| [GameStop Wallet](https://www.gamestop.com/) | Mar 2022 | 2 | [GameStop wallet](https://investor.gamestop.com/news-releases/news-release-details/gamestop-launches-wallet-cryptocurrencies-and-nfts) | |
| [RAILGUN](https://righttoprivacy.foundation/) | Feb 2022 | 4 | | |
| [Casper Web Wallet](https://casperlabs.io/) | Jul 2021 | 4 | | [📄](reviews/CasperLedger.pdf) |
| [Argent](https://www.argent.xyz/) | Aug 2020 | 4 | | |
| [Magma](https://magmawallet.com/) | Jun 2020 | 1 | | [📄](reviews/MagmaWallet.pdf) |
| [Dharma Wallet](https://www.dharma.io/) | Oct 2019 | 4 | | [📄](reviews/dharma-smartwallet.pdf) |
| [ZecWallet](https://github.com/ZcashFoundation/zecwallet) | Apr 2019 | 2 | | [📄](reviews/zecwallet.pdf) |
| [Web3](https://web3.foundation/) | Mar 2018 | 2 | [W3F and TOB hardware wallet guidance](https://medium.com/web3foundation/w3f-and-trail-of-bits-release-guidance-for-secure-use-of-hardware-wallets-b12f14182db7) | [💬](https://blog.trailofbits.com/2018/11/27/10-rules-for-the-secure-use-of-cryptocurrency-hardware-wallets/)|

#### Algorand

| Product | Date | Level of <br />Effort | Announcement | Report |
| ---| --: | :-: | --- | :-: |
| [Folks Finance Protocol](https://folks.finance/) | Nov 2022 | 6 | | [📄✅](reviews/2022-11-folksfinance-securityreview.pdf) |
| [wXTZ](https://www.stakerdao.com/) | Nov 2020 | 4 | | [📄](reviews/wXTZ.pdf) |
| [wALGO](https://www.stakerdao.com/) | Nov 2020 | 4 | | [📄](reviews/wALGO.pdf) |
| [Meld Gold](https://meld.gold/) | Jul 2020 | 2 | | |
| [Pixel](https://www.algorand.com/) | Dec 2019 | 4 | | |
| [Algorand](https://www.algorand.com/) | Mar 2019 | 14 | [Success and momentum of Algorand](https://medium.com/algorand/success-and-momentum-of-algorand-the-platform-technology-for-the-borderless-economy-35b22cae63c6) | |

#### Avalanche

| Product | Date | Level of <br />Effort | Announcement | Report |
| ---| --: | :-: | --- | :-: |
| [Ava Labs AvalancheGo](https://www.avalabs.org/) | Aug 2025 | 10 | | [📄](reviews/2025-08-ava-labs-avalanchego-securityreview.pdf)|
| [Alkimiya Silica V2](https://alkimiya.io/) | Jun 2022 | 6 | | |
| [Ava Labs](https://www.avalabs.org/) | Apr 2022 | 8 | | |
| [Flare Network](https://flare.xyz/) | Mar 2021 | 8 | | |

#### Bitcoin & Derivatives

| Product | Date | Level of <br />Effort | Announcement | Report |
| ---| --: | :-: | --- | :-: |
| [ZetaChain Bitcoin Inscriptions](https://www.zetachain.com/) | Jan 2025 | 2 | | [📄✅](reviews/2025-01-zetachain-bitcoin-inscriptions-securityreview.pdf) |
| [Nomic](https://www.nomic.io/) | Nov 2024 | 10 | [Nomic](https://blog.nomic.io/security-audit-trail-of-bits-8ae87ce19bf0) | [📄✅](reviews/2024-11-nomic-securityreview.pdf) |
| [STAS SDK](https://www.taal.com/) | Oct 2021 | 4 | | |
| [STAS-JS SDK](https://www.taal.com/#) | Sep 2021 | 4 | | |
| [Bitcoin SV](https://nchain.com/) | Jan 2021 | 6 | |
| [Zcoin](https://zcoin.io/) | Jul 2020 | 2 | [Zcoin](https://zcoin.io/lelantus-cryptographic-library-audit-results/) | [📄](reviews/zcoin-lelantus-summary.pdf) |
| [Zcash](https://electriccoin.co/) | Apr 2020 | 3 | [Electric Coin Co.](https://electriccoin.co/blog/heartwood-security-assessment-turns-up-no-major-issues/) | [📄](reviews/Zcash2.pdf) |
| [Zcash](https://electriccoin.co/) | Nov 2019 | 6 | [NU3, Blossom, and Sapling security reviews](https://electriccoin.co/blog/security-assessments-nu3-specifications-blossom-implementation-and-sapling-documentation/)| [📄](reviews/Zcash.pdf) |
| [Zcash](https://electriccoin.co/) | Nov 2019 | 6 | | [📄](reviews/ZcashWP.pdf) |
| [Paymail Protocol](https://nchain.com/en/) | Nov 2019 | 7 | | |
| [Simple Ledger](https://simpleledger.cash/) | Oct 2019 | 3 | | |
| [Bitcoin SV](https://bitcoinsv.io/) | Nov 2018 | 12 | |
| [RSKj](https://www.rsk.co/) | Nov 2017 | 6 | [RSK security audit results](https://www.rsk.co/noticia/rsk-security-audit-results/) | [📄](reviews/RSKj.pdf) |

#### Ethereum/EVM

| Product | Date | Level of <br />Effort | Announcement | Report |
| ---| --: | :-: | --- | :-: |
| [Kiln Lagoon Vault Diff Review](https://docs.lagoon.finance/resources/audits) | May 2026 | 1 | | [📄✅](reviews/2026-05-kiln-lagoonvaultdiffreview-securityreview.pdf) |
| [Franklin Templeton BenjiSwap Differential Review](https://digitalassets.franklintempleton.com/benji/) | Apr 2026 | 1.2 | | [📄✅](reviews/2026-04-franklintempleton-benjiswapdifferentialreview-securityreview.pdf) |
| [Gensyn Buyback-and-Burn Vault](https://www.gensyn.ai/) | Apr 2026 | 1 | | [📄✅](reviews/2026-04-gensyn-buyback-and-burn-vault-securityreview.pdf) |
| [Gensyn Bridged Token](https://www.gensyn.ai/) | Apr 2026 | 0.2 | | [📄](reviews/2026-04-gensyn-bridged-gensyn-token-securityreview.pdf) |
| [Gensyn ERC-20 Token](https://www.gensyn.ai/) | Sep 2025 | 0.2 | | [📄](reviews/2026-04-gensyn-erc-20-token-securityreview.pdf) |
| [Gensyn Delphi Dynamic Paramutuel Markets](https://app.delphi.fyi/) | Apr 2026 | 3.4 | | [📄✅](reviews/2026-04-gensyn-delphidynamicparamutuelmarkets-securityreview.pdf) |
| [Shape TokenLock](https://shape.network/audits) | Mar 2026 | 0.4 | | [📄✅](reviews/2026-03-shape-tokenlock-securityreview.pdf) |
| [Aave v4](https://aave.com) | Feb 2026 | 6 | | [📄✅](reviews/2026-02-aave-v4-securityreview.pdf) |
| [VeChain VeChainThor Hayabusa Upgrade](https://github.com/vechain/thor/releases/tag/v2.3.0) | Oct 2025 | 6 | | [📄✅](reviews/2025-10-vechain-vechainthorhayabusaupgrade-securityreview.pdf) |
| [Franklin Templeton BenjiSwap Contract](https://www.franklintempleton.com/about-us/our-teams/specialist-investment-managers/digital-assets/digital-assets-technology) | Oct 2025 | 1 | | [📄✅](reviews/2025-10-franklintempleton-benjiswapcontract-securityreview.pdf) |
| [Radius Technology EVMAuth](https://evmauth.io/) | Oct 2025 | 1.2 | | [📄✅](reviews/2025-10-radiustechnology-evmauth-securityreview.pdf) |
| [Shape Buyback Contract](https://shape.network/) | Sep 2025 | 0.4 | | [📄✅](reviews/2025-09-shapenetwork-buybackcontract-securityreview.pdf) |
| [Starkware StarkEx Diff](https://starkware.co/starkex/) | Aug 2025 | 0.2 | | [📄](reviews/2025-08-starkware-starkex-diff-review-securityreview.pdf) |
| [Shape Token Contract](https://shape.network/) | May 2025 | 1 | | [📄✅](reviews/2025-05-shapenetwork-token-securityreview.pdf) |
| [CAP Labs Covered Agent Protocol](https://cap.app/) | May 2025 | 9 | | [📄✅](reviews/2025-05-caplabs-coveredagentprotocol-securityreview.pdf) |
| [Fabric Labs Zipper Protocol](https://zipper.trade/) | May 2025 | 1 | | [📄✅](reviews/2025-05-fabriclabs-zipperprotocol-securityreview.pdf) |
| [Lagrange LAToken](https://www.lagrange.dev/) | Apr 2025 | 3 | | [📄](reviews/2025-04-lagrange-latoken-securityreview.pdf) |
| [Serai DEX](https://serai.exchange/) | Apr 2025 | 3 | | [📄✅](reviews/2025-04-serai-dex-security-review.pdf) |
| [Automata](https://www.ata.network/) | Feb 2025 | 8 | | [📄✅](reviews/2025-02-automata-dcap-attestation-onchain-pccs-securityreview.pdf) |
| [Bunni v2](https://bunni.pro/) | Jan 2025 | 8 | | [📄✅](reviews/2025-01-bacon-labs-bunniv2-securityreview.pdf) |
| [Everstake Staking](https://everstake.one/) | Jan 2025 | 3 | | [📄✅](reviews/2025-1-everstake-ethereum-staking-protocol-securityreview.pdf) |
| [Parabol Smart Contracts Updates](https://parabol.fi/) | Jan 2025 | 0.4 | | [📄](reviews/2025-01-parabollabs-protocolcontractsupdates-securityreview.pdf) |
| [BeethovenX Sonic Staking](https://beets.fi/) | Jan 2025 | 1 | | [📄✅](reviews/2025-01-beethovenx-sonicstaking-securityreview.pdf) |
| [Balancer v3](https://balancer.fi/) | Dec 2024 | 6 | | [📄✅](reviews/2024-12-balancer-v3-securityreview.pdf) |
| [ULTI](https://www.ulti.org/) | Dec 2024 | 1 | | [📄✅](reviews/2024-12-ULTI-securityreview.pdf) |
| [EthStaker Deposit CLI](https://ethstaker.cc/) | Dec 2024 | 4 | | [📄✅](reviews/2024-12-ethstaker-depositcli-securityreview.pdf) |
| [Plume](https://www.plumenetwork.xyz/) | Nov 2024 | 1 | | [📄✅](reviews/2024-11-plume-securityreview.pdf) |
| [Treehouse tETH Protocol](https://www.treehouse.finance/) | Sep 2024 | 4 | | [📄✅](reviews/2024-09-treehouse-finance-teth-extension-securityreview.pdf) |
| [Elixir Protocol](https://www.elixir.xyz/) | Aug 2024 | 4 | | [📄✅](reviews/2024-08-elixir-technologies-ltd-elixir-protocol-securityreview.pdf) |
| [Onchain Pass](https://www.onchain.ro/) | Aug 2024 | 1 | | [📄✅](reviews/2024-08-onchain-pass-app-contracts-securityreview.pdf) |
| [Taraxa Ficus Bridge](https://docs.taraxa.io/) | Jul 2024 | 1.6 | | [📄✅](reviews/2024-07-taraxa-bridge-smart-contracts-v2-securityreview.pdf) |
| [Devcon Auction Raffle](https://raffle.devcon.org/) | Jun 2024 | 1 | | [📄✅](reviews/2024-06-ethereum-foundation-devcon-auction-raffle-securityreview.pdf) |
| [Aladdin f(x) Oracle](https://fx.aladdin.club/) | Jun 2024 | 2 | | [📄✅](reviews/2024-06-aladdinfx-oracle-securityreview.pdf) |
| [AiLayer 6079 Contracts](https://6079.ai) | May 2024 | 3 | | [📄✅](reviews/2024-05-ailayerlabs-6079smartcontracts-securityreview.pdf) |
| [Hydrogen Rover Protocol](https://roverstaking.com/) | May 2024 | 0.45 | | [📄](reviews/2024-05-hydrogenlabs-securityreview.pdf) |
| [Lisk Smart Contracts](https://lisk.com/) | May 2024 | 4 | | [📄✅](reviews/2024-05-lisksmartcontracts-securityreview.pdf) |
| [Parabol Smart Contracts](https://parabol.fi/) | May 2024 | 2 | | [📄✅](reviews/2024-05-parabollabs-protocolcontracts-securityreview.pdf) |
| [Wonderland Prophet](https://defi.sucks/) | May 2024 | 4 | | [📄✅](reviews/2024-05-wonderland-prophet-securityreview.pdf) |
| [SEDA Chain Token Migration](https://www.seda.xyz/) | Mar 2024 | 1 | | [📄✅](reviews/2024-03-seda-chaintokenmigration-securityreview.pdf) |
| [Lisk Smart Contracts](https://lisk.com/) | Mar 2024 | 4.6 | | [📄✅](reviews/2024-03-lisksmartcontracts-securityreview.pdf) |
| [Bondex Smart Contracts](https://bondex.app/) | Mar 2024 | 0.6 | | [📄](reviews/2024-03-bondexecosystem-loa.pdf) |
| [Aladdin f(x) Protocol](https://fx.aladdin.club/) | Mar 2024 | 4 | | [📄✅](reviews/2024-03-aladdinfxprotocol-securityreview.pdf) |
| [Puffer Finance Contracts](https://www.puffer.fi/) | Mar 2024 | 1.2 | | [📄✅](reviews/2024-03-pufferfinance-securityreview.pdf) |
| [Intuition](https://www.intuition.systems) | Mar 2024 | 2 | | [📄](reviews/2024-03-intuition-smart-contracts-securityreview.pdf) |
| [Helios Global](https://www.helios.eco/) | Feb 2024 | 1 | | [📄✅](reviews/2024-02-heliosglobal-securityreview.pdf) |
| [ScopeLift Stealth Addresses](https://scopelift.co/) | Feb 2024 | 1 | | [📄✅](reviews/2024-02-scopelift-securityreview.pdf) |
| [MetaLayer Blast](https://blast.io/en) | Jan 2024 | 4 | | [📄✅](reviews/2024-01-metalayerblast-securityreview.pdf) |
| [Unibot Router](https://unibot.app/) | Dec 2023 | 1.6 | | [📄✅](reviews/2023-12-unibot-securityreview.pdf) |
| [Acronym Foundation](https://acronymfoundation.org/) | Dec 2023 | 4 | | [📄✅](reviews/2023-12-acronym-foundation-securityreview.pdf) |
| [Pyth Entropy](https://docs.pyth.network/entropy) | Dec 2023 | 4 | | [📄](reviews/2024-01-pyth-entropy-securityreview.pdf) |
| [Immutable Bridge](https://www.immutable.com/) | Nov 2023 | 2 | | [📄✅](reviews/2023-11-immutable-zkevmbridgecontracts-securityreview.pdf) |
| [Salty.IO Protocol](https://docs.salty.io/) | Oct 2023 | 6 | | [📄✅](reviews/2023-10-saltyio-securityreview.pdf) |
| [Spiko Smart Contracts](https://www.spiko.xyz/) | Oct 2023 | 1 | | [📄✅](reviews/2023-10-spiko-securityreview.pdf) |
| [Hyperlane v3](https://www.hyperlane.xyz/) | Sep 2023 | 2 | | [📄✅](reviews/2023-09-hyperlane-securityreview.pdf) |
| [Elixir Contracts](https://elixir.finance/) | Sep 2023 | 2 | | [📄✅](reviews/2023-09-elixir-securityreview.pdf) |
| [NZDD token](https://easycrypto.com/) | Aug 2023 | 0.6 | | [📄✅](reviews/2023-08-easycrypto-securityreview.pdf) |
| [Immutable](https://www.immutable.com/) | Aug 2023 | 4 | | [📄✅](reviews/2023-08-immutable-securityreview.pdf) |
| [Sandclock](https://www.sandclock.org/) | Jul 2023 | 8 | | [📄✅](reviews/2023-07-sandclock-securityreview.pdf) |
| [Arcade](https://www.arcade.xyz/) | Jul 2023 | 8 | | [📄✅](reviews/2023-07-arcade-securityreview.pdf) |
| [Nested Tetris/HyVM](https://nested.fi/) | Jun 2023 | 1 | | [📄✅](reviews/2023-06-nestedfinance-tetrishyvm-securityreview.pdf) |
| [Franklin Templeton](https://www.franklintempleton.com/) | May 2023 | 4 | | [📄✅](reviews/2023-05-franklintempleton-moneymarket-securityreview.pdf) |
| [Prysm](https://prysmaticlabs.com/) | Apr 2023 | 8 | | [📄✅](reviews/2023-04-prysm-securityreview.pdf) |
| [Ajna Protocol](https://www.ajna.finance/) | Apr 2023 | 12 | | [📄✅](reviews/2023-04-ajnalabs-securityreview.pdf) |
| [Raft](https://docs.tempus.finance/products/raft) | Apr 2023 | 2 | | [📄✅](reviews/2023-04-tempus-raft-securityreview.pdf) |
| [MYSO v2](https://www.myso.finance) | Apr 2023 | 2 | [MYSO](https://twitter.com/MysoFinance/status/1649191996978786305) | [📄✅](reviews/2023-04-mysoloans-securityreview.pdf) |
| [Smardex AMM](https://www.smardex.io/) | Apr 2023 | 2 | | [📄✅](reviews/2023-04-smardexamm-realestateexecutives-securityreview.pdf) |
| [Waymont](https://www.waymont.co/) | Mar 2023 | 1 | | |
| [Atlendis](https://www.atlendis.io/) | Mar 2023 | 6 | [Atlendis](https://www.atlendis.io/blog/Atlendis-V2-Trail-of-Bits-Audit) | [📄✅](reviews/2023-03-atlendis-atlendissmartcontracts-securityreview.pdf) |
| [Primitive Hyper](https://primitive.xyz/) | Mar 2023 | 8 | | [📄✅](reviews/2023-03-primitive-securityreview.pdf) |
| [Succinct Light Client](https://www.succinct.xyz/) | Feb 2023 | 8 | [Succinct](https://blog.succinct.xyz/blog/telepathy) | [📄✅](reviews/2023-02-succinct-securityreview.pdf) |
| [Nested Finance](https://nested.fi/) | Feb 2023 | 4 | | [📄✅](reviews/2023-02-nestedfinance-smartcontracts-securityreview.pdf) |
| [Polygon Edge](https://polygon.technology/) | Jan 2023 | 6 | | |
| [Optimism](https://www.optimism.io/) | Dec 2022 | 8 | | |
| [Paxos PayPal PYUSD](https://paxos.com/pyusd/) | Dec 2022 | 1 | | [📄✅](reviews/2022-12-paxos-paypal-pyusd-securityreview.pdf) |
| [GSquared](https://docs.gro.xyz/gro-docs/) | Oct 2022 | 6 | | [📄](reviews/2022-10-GSquared-securityreview.pdf)[✅](reviews/2022-10-GSquared-fixreview.pdf) |
| [Meson Protocol](https://docs.meson.fi/references/audit-reports) | Oct 2022 | 6 | | [📄](reviews/MesonProtocol.pdf)[✅](reviews/MesonProtocolFixReview.pdf) |
| [Managed Pools](https://balancer.fi/) | Oct 2022 | 4 | | [📄](reviews/2022-10-balancerlabs-managedpoolsmartcontracts-securityreview.pdf) |
| [Ondo](https://ondo.finance/) | Oct 2022 | 4 | | [📄](reviews/2022-10-shimacapital-ondo-securityreview.pdf)[✅](reviews/2022-10-shimacapital-ondo-fixreview.pdf) |
| [ Maple Protocol v2](https://www.maple.finance/) | Sep 2022 | 8 | | [📄✅](reviews/2022-09-maplefinance-mapleprotocolv2-securityreview.pdf) |
| [Increment Protocol](https://increment.finance/) | Sep 2022 | 4 | | [📄](reviews/2022-09-incrementprotocol-securityreview.pdf)[✅](reviews/2022-09-incrementprotocol-fixreview.pdf) |
| [Subspace Farmer](https://subspace.network/) | Sep 2022 | 2 | | [📄](reviews/2022-09-subspacenetwork-subspacenetworkdesktopfarmer-securityreview.pdf)[✅](reviews/2022-09-subspacenetwork-subspacenetworkdesktopfarmer-fixreview.pdf)|
| [Optimism](https://www.optimism.io/) | Sep 2022 | 16 | | [📄](reviews/2022-11-optimism-securityreview.pdf) |
| [Nayms](https://nayms.com/) | Sep 2022 | 6 | | |
| [Aggregator](https://www.solon.network/) | Aug 2022 | 2 | | |
| [The Franchiser](https://uniswap.org/) | Aug 2022 | 3 | | |
| [Meson Protocol](https://docs.meson.fi/references/audit-reports) | Jul 2022 | 0.6 | | [📄](reviews/MesonProtocolDesignReview.pdf) |
| [ChainPort](http://chainport.io/) | Jul 2022 | 8 | | [📄](reviews/2023-02-chainport-securityreview.pdf)[✅](reviews/2023-02-chainport-fixreview.pdf) |
| [Relay](https://thesis.co/) | Jul 2022 | 1 | | |
| [Beanstalk](https://bean.money/) | Jul 2022 | 8 | [Beanstalk](https://bean.money/blog/trail-of-bits-audit-of-beanstalk-completed) | [📄](reviews/2022-07-beanstalk-securityreview.pdf)[✅](reviews/2022-07-beanstalk-fixreview.pdf) |
| [Purpose for Profit](https://x.company/) | Jul 2022 | 3 | | |
| [Solon](https://www.solon.finance/) | Jul 2022 | 6 | | |
| [Roll](https://tryroll.com/) | Jul 2022 | 2 | | |
| [Ante Protocol](https://www.ante.finance/) | May 2022 | 2 | | [📄](reviews/AnteProtocol.pdf)[✅](reviews/AnteProtocolFixReview.pdf) |
| [Sherlock](https://www.sherlock.xyz/) | Jun 2022 | 4 | | |
| [FlareFinance](https://flr.finance/) | Jun 2022 | 4 | | |
| [TBTv2](https://thesis.co/) | Jun 2022 | 6 | | |
| [Morpho](https://www.morpho.best/) | Jun 2022 | 4 | [Morpho](https://twitter.com/morpholabs/status/1533818817918517250?s=21&t=x0tkW-pNfG0Hq7pyyVWFrg) | [📄](reviews/MorphoLabs.pdf) |
| [Relayer Contracts](https://balancer.fi/) | Jun 2022 | 2 | | |
| [AuctionRaffle](https://ethereum.org/en/foundation/) | May 2022 | 2 | | |
| [Seaport Protocol](https://opensea.io/) | May 2022 | 4 | [OpenSea](https://opensea.io/blog/announcements/introducing-seaport-protocol/) | [📄](reviews/SeaportProtocol.pdf) |
| [Shell Protocol v2](https://shellprotocol.io/) | May 2022 | 4 | | [📄](reviews/ShellProtocolv2.pdf) |
| [Optimism](https://www.optimism.io/) | Apr 2022 | 6 | | |
| [NFTX](https://nftx.io/) | Apr 2022 | 4 | [NFTX](https://docs.nftx.io/smart-contracts/bug-bounty/trail-of-bits-audit) | [📄](reviews/NFTX.pdf) |
| [ReserveLending+](https://unfederalreserve.com/) | Apr 2022 | 4 | [unFederalReserve](https://unfederalreserve.medium.com/security-audit-for-reservelending-update-60b1a90a2d6) | |
| [Firefly](https://dtrade.org/) | Apr 2022 | 4 | | |
| [Maple Finance](https://www.maple.finance/) | Mar 2022 | 1 | | [📄✅](reviews/2022-03-maplefinance-securityreview.pdf) |
| [Gyroscope](https://gyro.finance/) | Mar 2022 | 6 | | |
| [LooksRare](https://looksrare.org/) | Mar 2022 | 4 | | [📄](reviews/LooksRare.pdf) |
| [Symbiosis](https://symbiosis.finance/) | Mar 2022 | 2 | | |
| [RAILWAY](https://righttoprivacy.foundation/) | Feb 2022 | 4 | | |
| [Persistence ETH2.0](https://persistence.one/) | Feb 2022 | 4 | | |
| [Advanced Blockchain](https://www.advancedblockchain.com/) | Feb 2022 | 6 | | [📄](reviews/AdvancedBlockchainQ12022.pdf) |
| [Perpetual Protocol V2](https://perp.com/) | Feb 2022 | 4 | | [📄](reviews/PerpetualProtocolV2.pdf) |
| [Futureswap V4.1](https://www.futureswap.com/) | Feb 2022 | 4 | | |
| [Firefly](https://dtrade.org/) | Feb 2022 | 8 | | |
| [API3](https://api3.org/) | Feb 2022 | 8 | | [📄](reviews/API3.pdf) |
| [Beethoven X](https://beets.fi/) | Feb 2022 | 1 | | [📄](reviews/BeethovenXSummary.pdf) |
| [Minterest Finance](https://minterest.com/) | Jan 2022 | 6 | | |
| [pSTAKE](https://persistence.one/) | Jan 2022 | 6 | | |
| [Primitive](https://primitive.finance/) | Jan 2022 | 8 | [Primitive](https://twitter.com/PrimitiveFi/status/1518665248756051968) | [📄](reviews/Primitive.pdf) |
| [Strips Finance](https://strips.finance/) | Jan 2022 | 8 | | |
| [Cardstack](https://cardstack.com/) | Dec 2021 | 4 | | |
| [Sherlock Protocol V2](https://www.sherlock.xyz/) | Dec 2021 | 4 | | [📄](reviews/Sherlockv2.pdf) |
| [Maple](https://www.maple.finance/) | Nov 2021 | 4 | [Maple](https://github.com/maple-labs/loan#audit-reports) | [📄](reviews/MapleFinance.pdf) |
| [Advanced Blockchain](https://www.advancedblockchain.com/) | Nov 2021 | 6 | | [📄](reviews/AdvancedBlockchainQ42021.pdf) |
| [Opyn](https://www.opyn.co/) | Nov 2021 | 6 | | [📄](reviews/Opyn.pdf) |
| [Aave V3](https://aave.com/) | Nov 2021 | 12 | | [📄✅](reviews/2021-11-aave-v3-securityreview.pdf) |
| [Tokemak](https://www.tokemak.xyz/) | Oct 2021 | 3 | | |
| [Fuji Finance](https://app.fujidao.org/#/) | Oct 2021 | 6 | | [📄](reviews/FujiProtocol.pdf) |
| [V2 Vault](https://www.riskharbor.com/) | Oct 2021 | 4 | | |
| [Yield V2](https://yield.is/) | Sep 2021 | 6 | | [📄](reviews/YieldV2.pdf) |
| [Gro protocol](https://www.gro.xyz/) | Sep 2021 | 2 | | |
| [Futureswap V4](https://www.futureswap.com/) | Sep 2021 | 6 | | |
| [RocketPool](https://rocketpool.net/) | Aug 2021 | 5 | | [📄](reviews/RocketPool.pdf) |
| [AlphaX](https://alphafinance.io/) | Aug 2021 | 6 | | |
| [Bug Bounty Platform](https://solidified.io/) | Aug 2021 | 8 | | |
| [88mph V3](https://88mph.app/) | Aug 2021 | 6 | | [📄](reviews/88mph.pdf) |
| [Timeswap](https://timeswap.io/) | Jul 2021 | 2 | | |
| [CompliFi](https://compli.fi/) | Jul 2021 | 6 | | [📄](reviews/CompliFi.pdf) |
| [Optics](https://celo.org/) | Jul 2021 | 2 | | |
| [FlareFinance](https://flr.finance/) | Jun 2021 | 4 | | |
| [Abyss Lockup](https://www.allnodes.com/) | Jun 2021 | 2 | | |
| [Futureswap V3](https://www.futureswap.com/) | Jun 2021 | 6 | | |
| [CompliFi](https://compli.fi/) | Jun 2021 | 6 | | |
| [Syndicate](https://www.syndicateprotocol.org/) | May 2021 | 4 | | |
| [Opyn Gamma](https://www.opyn.co/) | May 2021 | 6 | | [📄](reviews/Opyn-Gamma-Protocol.pdf) |
| [Yearn v2 Vaults](https://yearn.finance/) | Apr 2021 | 6 | | [📄](reviews/YearnV2Vaults.pdf) |
| [Balancer v2](https://balancer.fi/) | Apr 2021 | 4 | | [📄](reviews/2021-04-balancer-balancerv2-securityreview.pdf) |
| [DFX Finance](https://dfx.finance/) | Apr 2021 | 6 | | |
| [Tokemak](https://www.tokemak.xyz/) | Apr 2021 | 1 | | |
| [Warp Contracts](https://en.advancedblockchain.com/) | Apr 2021 | 6 |[Composable](https://composablefi.medium.com/composable-announces-the-completion-of-trail-of-bits-audit-c46bd84333de) | [📄](reviews/AdvancedBlockchain.pdf) |
| [FlareFinance](https://flr.finance/) | Apr 2021 | 3 | | |
| [MC Dai](https://makerdao.com) | Mar 2021 | 6 | | |
| [dForce Lending](https://dforce.network/) | Mar 2021 | 6 | | |
| [Liquity Proxy Contract](https://www.liquity.org/) | Feb 2021 | 0.57 | | [📄](reviews/LiquityProxyContracts.pdf) |
| [Liquity Protocol](https://www.liquity.org/) | Feb 2021 | 8 | | [📄](reviews/LiquityProtocolandStabilityPoolFinalReport.pdf)|
| [RAY-DAO](https://staked.us/) | Feb 2021 | 4 | | |
| [Futureswap](https://www.futureswap.com/) | Jan 2021 | 2 | | |
| [Balancer V2](https://balancer.finance/) | Jan 2021 | 6 | | |
| [C.R.E.A.M.](https://app.cream.finance/) | Jan 2021 | 1 | | [📄](reviews/CREAMSummary.pdf) |
| [LUSD](https://www.liquity.org/) | Dec 2020 | 8 | | [📄](reviews/Liquity.pdf) |
| [Origin Dollar](https://www.ousd.com/) | Nov 2020 | 4 | [Origin Protocol](https://medium.com/originprotocol/origin-dollar-ousd-relaunches-to-offer-hassle-free-defi-returns-b8ee0c601dad) | [📄](reviews/OriginDollar.pdf) |
| [Zerion SDK](https://zerion.io/) | Nov 2020 | 4 | | |
| [Teller Protocol](https://www.teller.finance/) | Nov 2020 | 4 | | |
| [Hermez](https://iden3.io/) | Nov 2020 | 4 | [Hermez](https://blog.hermez.io/hermez-second-audit-by-trail-of-bits/) | [📄](reviews/hermez.pdf) |
| [Graph Protocol](https://thegraph.com/) | Oct 2020 | 3 | | |
| [OVM](https://optimism.io/) | Oct 2020 | 6 | | |
| [Prysm](https://prysmaticlabs.com/) | Sep 2020 | 6 | | |
| [DODO](https://dodoex.io/) | Sep 2020 | 3 | | [📄](reviews/dodo.pdf) |
| [Yield Protocol](https://yield.is/Yield.pdf) | Aug 2020 | 6 | | [📄](reviews/YieldProtocol.pdf) |
| [Smart Pool](https://balancer.finance/) | Aug 2020 | 1 | | |
| [DeFiner](https://definer.org/) | Aug 2020 | 1 | | |
| [ETH2.0 Deposit CLI](https://ethereum.org/en/) | Aug 2020 | 4 | | [📄](reviews/ETH2DepositCLI.pdf)|
| [CurveDAO](https://dao.curve.fi/) | Jul 2020 | 6 | | [📄](reviews/CurveDAO.pdf) |
| [Amp](https://amptoken.org/) | Jul 2020 | 3 | | [📄](reviews/amp.pdf) |
| [Federated Bridge](https://www.rsk.co/) | Jul 2020 | 1 | | |
| [dForce dToken](https://dforce.network/) | Jul 2020 | 2 | | [📄](reviews/dtoken.pdf) |
| [Matic](https://matic.network/) | Jun 2020 | 4 | | |
| [Lighthouse](https://lighthouse.sigmaprime.io/) | Jun 2020 | 4 | | |
| [tBTC](https://thesis.co/) | May 2020 | 6 | | [📄](reviews/thesis-summary.pdf) |
| [QTUM](https://qtum.org/en) | Apr 2020 | 0.43 | | [📄](reviews/qtum_loa.pdf) |
| [Hegic](https://www.hegic.co/) | Apr 2020 | 0.43 | | [📄](reviews/hegic-summary.pdf) |
| [Golem Network](https://golem.network/) | Mar 2020 | 2 | | |
| [Reddit](https://www.reddit.com/community-points/) | Mar 2020 | 1 | [A New Frontier](https://www.reddit.com/community-points/) | |
| [Chai](https://chai.money/) | Feb 2020 | 0.28 | | [📄](reviews/chai-loa.pdf) |
| [Compound](https://compound.finance/) | Feb 2020 | 2 | | [📄](reviews/compound-governance.pdf) |
| [WorkLock](https://www.nucypher.com/) | Jan 2020 | 2 | [NuCypher](https://blog.nucypher.com/worklock-security-audit/) | [📄](reviews/WorkLock-Summary.pdf) |
| [Balancer](https://balancer.finance/) | Jan 2020 | 4 | | [📄](reviews/BalancerCore.pdf) |
| [Curve.fi](https://compound.curve.fi/) | Jan 2020 | 1 | | [📄](reviews/curve-summary.pdf) |
| [Livepeer](https://livepeer.org/) | Oct 2019 | 3 | | |
| [Topo Finance](https://topo.finance/) | Oct 2019 | 4 | | |
| [0x Protocol](https://0x.org/) | Oct 2019 | 10 | | [📄](reviews/0x-protocol.pdf) |
| [Flexa](https://flexa.network/) | Sep 2019 | 2 | [Flexa](https://medium.com/flexa/announcing-flexa-capacity-35c62ade9522) | [📄](reviews/Flexa.pdf) |
| [AZTEC Protocol](https://www.aztecprotocol.com/) | Sep 2019 | 10 | | [📄](reviews/aztec.pdf) |
| [Oasis Labs](https://www.oasislabs.com/) | Sep 2019 | 13 | | |
| [Aave Protocol](https://aave.com/) | Sep 2019 | 4 | | [📄](reviews/aaveprotocol.pdf) |
| [MC Dai](https://makerdao.com) | Aug 2019 | 13 | [MakerDAO](https://blog.makerdao.com/mcd-security-roadmap-update-october-2019/) | [📄](reviews/mc-dai.pdf) |
| [Staked](https://staked.us/) | Aug 2019 | 4 | | |
| [Compound](https://compound.finance/) | Aug 2019 | 2 | | [📄](reviews/compound-3.pdf) |
| [Computable](https://www.computable.io/) | Jul 2019 | 8 | [Computable](https://medium.com/computable-blog/computable-contract-audit-771e3d39ea7) | [📄](reviews/computable.pdf) |
| [Numerai](https://numer.ai/homepage) | May 2019 | 3 | [Numerai](https://medium.com/numerai/nmr2point0-66a45a9a5e70) | [📄](reviews/numerai.pdf) |
| [MerkleX](https://merklex.io/) | May 2019 | 4 | | |
| [TokenCard](https://tokencard.io/) | May 2019 | 5 | | [📄](reviews/TokenCard.pdf) |
| Unity Coin | Apr 2019 | 1 | | |
| [Compound](https://compound.finance/) | Apr 2019 | 8 | [Compound](https://medium.com/compound-finance/compound-v2-is-live-157db0b7cfc8) | [📄](reviews/compound-2.pdf) |
| [Ocean Protocol](https://oceanprotocol.com/) | Mar 2019 | 4 | [Ocean Protocol](https://blog.oceanprotocol.com/one-protocol-one-network-many-stakeholders-8be11a020cff) | |
| [UMA Project](https://umaproject.org/) | Mar 2019 | 3 | | |
| [Centrifuge](https://centrifuge.io/) | Mar 2019 | 5 | | |
| [Nomisma](http://nomisma.org/) | Mar 2019 | 1 | | |
| [Set Protocol](https://www.setprotocol.com/) | Mar 2019 | 5 | [Set Protocol](https://medium.com/set-protocol/the-road-to-mainnet-ab4877b73066) | [📄](reviews/setprotocol.pdf) |
| [NuCypher](https://www.nucypher.com/) | Feb 2019 | 4 | [NuCypher](https://blog.nucypher.com/security-audits-round-2/) | [📄](reviews/nucypher-2.pdf) |
| [AMP StableWire](https://amp.credit/) | Jan 2019 | 1 | | |
| [EIP-1283](https://github.com/ethereum/EIPs/pull/1283) | Jan 2019 | 1 | [ChainSecurity](https://medium.com/chainsecurity/constantinople-security-update-3d02017747f2) | [📄](reviews/EIP-1283.pdf) |
| [Ampleforth](https://www.ampleforth.org/) | Nov 2018 | 4 | [Ampleforth](https://medium.com/ampleforth/source-code-and-security-audits-with-trail-of-bits-2b1ad4a09a31) | [📄](reviews/ampleforth.pdf) |
| [Origin Protocol](https://www.originprotocol.com/en) | Nov 2018 | 4 | [Origin Protocol](https://medium.com/originprotocol/the-results-of-our-smart-contract-audit-with-trail-of-bits-and-how-we-approach-security-at-origin-175cc1646d71) | [📄](reviews/origin.pdf) |
| [Paxos Standard](https://www.paxos.com/standard/) | Oct 2018 | 4 | | [📄](reviews/paxos.pdf) |
| [Basecoin](https://www.basis.io/) | Oct 2018 | 12 | | [📄](reviews/basis.pdf) |
| [Pantheon](https://pegasys.tech/) | Oct 2018 | 8 | [PegaSys](https://pegasys.tech/what-we-learned-from-auditing-our-ethereum-client/) | [📄](reviews/pantheon.pdf) |
| [Compound](https://compound.finance/) | Sep 2018 | 12 | [Compound](https://medium.com/compound-finance/compound-launches-money-markets-for-ethereum-assets-f50920f04488) | |
| [NuCypher](https://www.nucypher.com/) | Aug 2018 | 12 | [NuCypher](https://blog.nucypher.com/security-audits--round-1--3/) | [📄](reviews/nucypher.pdf) |
| [CENTRE](https://www.centre.io/) | Jul 2018 | 4 | [CENTRE](https://medium.com/centre-blog/designing-an-upgradeable-ethereum-contract-3d850f637794) |
| [Bloom](https://bloom.co/) | Jul 2018 | 1 | [Bloom](https://blog.hellobloom.io/bloom-development-update-mainnet-launch-blockchain-ux-improvements-open-source-developer-c8ddc194fe83) |
| [Gemini Dollar](https://gemini.com/dollar/) | Jun 2018 | 8 | [Gemini](https://medium.com/gemini/stablecoins-understanding-counterparty-risk-241d55f0b392) | [📄](reviews/gemini-dollar.pdf) |
| [Dharma](https://dharma.io/) | May 2018 | 1 | [Dharma](https://blog.dharma.io/dharma-protocol-v1-is-live-on-mainnet-95f8ef770c2c) | |
| [Golem](https://golem.network/) | Apr 2018 | 4 | [Golem](https://medium.com/golem-project/smart-contracts-audit-report-ad41fdd5085b) | [📄](reviews/golem.pdf) |
| [LivePeer](https://livepeer.org/) | Mar 2018 | 4 | [Livepeer](https://medium.com/livepeer-blog/livepeer-smart-contract-security-audit-1-results-631c4d7d98a4) | [📄](reviews/livepeer.pdf) |
| [DappHub](https://dapphub.com/) | Dec 2017 | 8 | | [📄](reviews/dapphub.pdf) |
| [MakerDAO Sai](https://makerdao.com/en/) | Oct 2017 | 8 | [MakerDAO](https://medium.com/makerdao/single-collateral-dai-source-code-and-security-reviews-523e1a01a3c8) | [📄](reviews/sai.pdf) |
| [Omega One](https://dark.omega.one/) | Aug 2017 | 6 | | |

#### NervOS

| Product | Date | Level of <br />Effort | Announcement | Report |
| ---| --: | :-: | --- | :-: |
| [xUDT](https://www.nervos.org/) | Jun 2021 | 2 | | |
| [Nervos -RSA](https://www.nervos.org/) | Mar 2021 | 4 | | |
| [Cheque Cell & ORU](https://www.nervos.org/) | Feb 2021 | 8 | | |
| [Force Bridge - Solidity](https://www.nervos.org/) | Feb 2021 | 4 | | |
| [Force Bridge - Rust](https://www.nervos.org/) | Feb 2021 | 3 | | |
| [Nervos SUDT](https://www.nervos.org/) | Oct 2020 | 6 | | [📄](reviews/NervosSUDT.pdf) |

#### Starknet

| Product | Date | Level of <br />Effort | Announcement | Report |
| ---| --: | :-: | --- | :-: |
| [Opus](https://lindylabs.net/opus) | Dec 2023 | 8 | | [📄✅](reviews/2023-12-opus-contracts-securityreview.pdf) |
| [Aura](https://lindylabs.net) | Aug 2023 | 8 | | [📄✅](reviews/2023-08-aura-securityreview.pdf) |
| [Nostra](https://docs.tempus.finance/products/nostra) | Dec 2022 | 8 | | |
| [StarkGate](https://starkgate.starknet.io/) | Dec 2022 | 2 | | |
| [StarkEx](https://starkware.co/starkex/) | Oct 2022 | 1 | | |
| [StarkNet token](https://starkware.co/starknet/) | Jul 2022 | 1 | | |
| [StarkPerpetual](https://docs.starkware.co/starkex-v4/starkex-deep-dive/message-encodings/in-perpetual) | Jan 2022 | 8 | | |
| [StarkEx](https://starkware.co/starkex/) | Nov 2021 | 8 | | |

#### Solana

| Product | Date | Level of <br />Effort | Announcement | Report |
| ---| --: | :-: | --- | :-: |
| [Jobcoin Clock-in Program](https://jobcoin.app/clock-in/) | Mar 2026 | 0.6 | | [📄✅](reviews/2026.03-jobcoin-clockinprogram-securityreview.pdf) |
| [Anza Token-2022 Confidential Transfer, Blockchain](https://www.anza.xyz/) | Jan 2026 | 3 | | [📄](reviews/2026-01-anza-token-2022-confidential-transfer-blockchain-securityreview.pdf) |
| [Franklin Templeton Benji Contracts](https://www.franklintempleton.com/about-us/our-teams/specialist-investment-managers/digital-assets/digital-assets-technology) | Feb 2025 | 2 | | [📄✅](reviews/2025-02-franklintempleton-benjicontracts-securityreview.pdf) |
| [ZetaChain Solana Gateway](https://www.zetachain.com/) | Jan 2025 | 1 | | [📄✅](reviews/2025-01-zetachain-solana-gateway-security-review.pdf) |
| [Solang Code Generation](https://solana.com/) | Nov 2023 | 4 | | [📄](reviews/2023-11-solana-solang-code-generation-securityreview.pdf) |
| [Solang Code Generation, Part 1](https://solana.com/) | Nov 2023 | 2 | | [📄](reviews/2023-11-solana-solang-code-generation-part-1-securityreview.pdf) |
| [Squads V4](https://squads.so/) | Oct 2023 | 2 | [Squads](https://x.com/SquadsProtocol/status/1725548225804005464?s=20) | [📄✅](reviews/2023-10-squadsv4-securityreview.pdf) |
| [Solang Parser and Semantic Analysis](https://solana.com/) | Sep 2023 | 2 | | [📄](reviews/2023-09-solana-solang-parser-semantic-analysis-securityreview.pdf) |
| [Solang Solana Library](https://solana.com/) | Jul 2023 | 1 | | [📄](reviews/2023-07-solana-solang-library-securityreview.pdf) |
| [Token-2022 Program](https://spl.solana.com/token-2022) | Feb 2023 | 1 | | [📄✅](reviews/2023-02-solana-token-2022-program-securityreview.pdf) |
| [Drift Protocol](https://www.drift.trade/) | Dec 2022 | 6 | [Drift](https://twitter.com/driftprotocol/status/1635630624978640899?s=46&t=f8ijViICJAoKBBoQUh58Og) | [📄✅](reviews/2022-12-driftlabs-driftprotocol-securityreview.pdf) |
| [Solana](https://solana.com/) | Apr 2022 | 12 | | |

#### Substrate

| Product | Date | Level of <br />Effort | Announcement | Report |
| ---| --: | :-: | --- | :-: |
| [zkVerify](https://zkverify.io/) | Feb 2025 | 3 | | [📄](reviews/2025-02-zkverify-foundation-blockchain-securityreview.pdf) |
| [ParaSpace](https://para.space/) | Dec 2022 | 1 | | [📄](reviews/ParallelFinance3.pdf) |
| [ParaSpace](https://para.space/) | Nov 2022 | 7 | | [📄](reviews/ParallelFinance2.pdf)[✅](reviews/ParallelFinance2FixReview.pdf) |
| [Parallel Finance](https://parallel.fi/) | Mar 2022 | 6 | | [📄](reviews/ParallelFinance.pdf) |
| [Polkadex](https://www.polkadex.trade/) | Feb 2022 | 10 | | |
| [Polkadex](https://www.polkadex.trade/) | Dec 2021 | 4 | | |
| [PINT](https://pub.finance/) | Sep 2021 | 4 | | |
| [Polkaswap](https://soramitsu.co.jp/) | Aug 2021 | 6 | | [📄](reviews/2021-08-soramitsu-polkaswap-securityreview.pdf) |
| [AlephBFT](https://alephzero.org/) | Jun 2021 | 4 | | [📄](reviews/AlephBFT.pdf) |
| [Acala Network](https://acala.network/) | Jun 2021 | 4 | | |
| [Compound Chain](https://compound.finance/) | May 2021 | 6 | | |
| [Acala Network](https://acala.network/) | Jan 2021 | 6 | | [📄](reviews/AcalaNetwork.pdf) |
| [Parity Fether](https://www.parity.io/) | Aug 2019 | 4 | | |
| [Parity](https://www.parity.io/) | Jul 2018 | 12 | [Parity completes Trail of Bits security review](https://medium.com/paritytech/parity-completes-trail-of-bits-security-review-bda9d48fd3d4) | [📄](reviews/parity.pdf) |

#### Tendermint/Cosmos

| Product | Date | Level of <br />Effort | Announcement | Report |
| ---| --: | :-: | --- | :-: |
| [Orga and Merk](https://turbofish.org/) | Nov 2024 | 10 | [Orga & Merk Trail of Bits Security Audit](https://turbofish.org/blog/audit) | [📄✅](reviews/2024-11-orgaandmerk-securityreview.pdf) |
| [Berachain polaris-geth](https://www.berachain.com/) | Aug 2023 | 8 | | |
| [Berachain berachain](https://www.berachain.com/) | Jun 2023 | 6 | | |
| [Umee](https://www.umee.cc/) | Feb 2022 | 8 | | [📄](reviews/Umee.pdf) |
| [Columbus-5](https://www.terra.money/) | Jan 2022 | 2 | | |
| [IBC Protocol](https://www.interchain.berlin/) | Dec 2021 | 4 | | |
| [THORChain](https://thorchain.org/) | Aug 2021 | 12 | | |
| [Tendermint](https://interchain.io/) | Mar 2019 | 12 | | |
| [ndau](https://oneiro.io/) | Nov 2018 | 8 | [Policy Council](https://www.globenewswire.com/news-release/2019/05/22/1840819/0/en/ndau-Holders-Elect-Inaugural-Policy-Council-Votes-to-be-Listed-on-BitMart-Exchange.html) | |

#### Tezos

| Product | Date | Level of <br />Effort | Announcement | Report |
| ---| --: | :-: | --- | :-: |
| [Kolibri](https://tezos.foundation/) | Apr 2022 | 4 | | |
| [Tezori (T2)](https://github.com/Cryptonomic/Tezori) | Dec 2020 | 4 | | [📄](reviews/Tezori.pdf) |
| [Dexter](https://dexter.exchange/) | Jun 2020 | 4 | | [📄](reviews/dexter.pdf) |
| [Tezori](https://github.com/Cryptonomic/Tezori) | Jul 2018 | 2 | [Thanks to @trailofbits for their security review](https://twitter.com/CryptonomicTech/status/1015686612641042434) |

#### TON
| Product | Date | Level of <br />Effort | Announcement | Report |
| ---| --: | :-: | --- | :-: |
| [TONCO CLAMM DEX v1.6](https://app.tonco.io/#/swap) | Jan 2026 | 11 | [TONCO v1.6 is live](https://x.com/Tonco_io/status/2020808567419195632) | [📄✅](reviews/2026-02-tonco-clamm-securityreview.pdf) |
| [EVAA Finance](https://evaa.finance/) | Aug 2025 | 8.6 | | [📄✅](reviews/2025-08-evaafinance-securityreview.pdf) |
| [Swap Coffee TON DEX](https://swap.coffee/dex/) | Jul 2025 | 6 | | [📄✅](reviews/2025-07-swapcoffee-tondex-securityreview.pdf) |
| [FIVA Yield Protocol](https://www.thefiva.com/) | May 2025 | 6 | | [📄✅](reviews/2025-05-FIVA-yieldtokenizationprotocol-securityreview.pdf) |
| [FIVA Evaa Integration](https://www.thefiva.com/) | May 2025 | 6 | | [📄✅](reviews/2025-05-FIVA-evaaintegration-securityreview.pdf) |
| [Whales Holders](https://whalesdmcc.com/) | May 2025 | 4 | | [📄✅](reviews/2025-05-whales-dmcc-holders-contracts-securityreview.pdf) |
| [Whales Nominators](https://whalesdmcc.com/) | May 2025 | 4 | | [📄✅](reviews/2025-05-whales-dmcc-nominators-contract-securityreview.pdf) |
| [STON.fi DEX V2](https://ston.fi/) | Jan 2025 | 8 | | [📄✅](reviews/2025-01-stonfi-ton-amm-dex-v2-securityreview.pdf) |
| [Tact Compiler](https://github.com/tact-lang/tact) | Jan 2025 | 8 | | [📄✅](reviews/2025-01-ton-studio-tact-compiler-securityreview.pdf) |
| [TON Foundation Multisignature Wallet](https://ton.foundation/en/) | Mar 2024 | 4 | | [📄✅](reviews/2024-03-tonfoundation-multisignaturewallet-securityreview.pdf) |

#### Other/Multi-Chain

| Product | Date | Level of <br />Effort | Announcement | Report |
| ---| --: | :-: | --- | :-: |
| [EthStaker Deposit CLI](https://github.com/ethstaker/ethstaker-deposit-cli) | Mar 2026 | 1 | | [📄✅](reviews/2026-03-ethstaker-deposit-cli-securityreview.pdf) |
| [Chainlink LlamaRisk LlamaGuard NAV CRE](https://chain.link/) | Feb 2026 | 1 | | [📄✅](reviews/2026-02-chainlink-llamariskllamaguardnavcre-securityreview.pdf) |
| [Shape Gasback](https://shape.network/) | Jan 2025 | 2 | | [📄✅](reviews/2025-01-shape-gasback-securityreview.pdf) |
| [PixelSwap DEX](https://www.pixelswap.io/) | Dec 2024 | 6 | | [📄✅](reviews/2024-12-pixelswap-dex-securityreview.pdf) |
| [Arkis Prime](https://www.arkis.xyz/) | Dec 2024 | 5 | | [📄✅](reviews/2024-12-arkis-defi-prime-brokerage-securityreview.pdf) |
| [Franklin Templeton Aptos](https://digitalassets.franklintempleton.com/benji/) | Oct 2024 | 3 | | [📄✅](reviews/2024-10-franklintempleton-aptos-securityreview.pdf) |
| [Wormhole Governors and Watchers](https://wormhole.com/) | Mar 2023 | 8 | | [📄✅](reviews/2023-03-wormhole-securityreview.pdf) |
| [DFINITY Canister Sandbox](https://dfinity.org/) | Sep 2022 | 2 | | [📄](reviews/DFINITYCanisterSandbox.pdf)[✅](reviews/DFINITYCanisterSandboxFixReview.pdf) |
| [DFINITY ECDSA/BTC](https://dfinity.org/) | Sep 2022 | 4 | | [📄](reviews/DFINITYThresholdECDSAandBtcCanisters.pdf)[✅](reviews/DFINITYThresholdECDSAandBtcCanistersFixReview.pdf) |
| [FROST BLS Protocols](https://www.polysign.io/) | Jul 2022 | 12 | | |
| [SORA Trustless Bridge](https://soramitsu.co.jp/) | Jul 2022 | 8 | | |
| [CAT Standard](https://chia.net/) | Jun 2022 | 8 | | |
| [DFINITY Threshold ECDSA](https://dfinity.org/) | May 2022 | 8 | | |
| [Arbitrum Nitro](https://offchainlabs.com/) | Mar 2022 | 16 | | |
| [DeGate](https://degate.com/?en-US) | Feb 2022 | 4 | | [📄](reviews/DeGate.pdf) |
| [ShardX](https://www.gemini.com/) | Dec 2021 | 2 | | |
| [DeGate](https://degate.com/?en-US) | Dec 2021 | 4 | | |
| [Threshold-DSA](https://anyswap.exchange/) | Nov 2021 | 6 | | |
| [DFINITY Consensus](https://dfinity.org/) | Nov 2021 | 2 | [DFINITY](https://forum.dfinity.org/t/internet-computer-consensus-security-assessment-by-trail-of-bits-third-party-security-audit-2/11453) | [📄](reviews/DFINITYConsensus.pdf) |
| [PolySign HSM](https://polysign.io/) | Oct 2021 | 6 | | |
| [Hop Protocol V2](https://hop.exchange/) | Sep 2021 | 4 | | |
| [Golden Gate Library](https://layerzero.network/) | Sep 2021 | 1 | | |
| [PolySign](https://www.polysign.io/) | Sep 2021 | 6 | | |
| [Qredo Blockchain](https://www.qredo.com/) | Sep 2021 | 6 | | |
| [Arbitrum](https://offchainlabs.com/) | Sep 2021 | 16 | | |
| [go-schnorrkel](https://chainsafe.io/) | Aug 2021 | 4 | | |
| [ShardX](https://www.gemini.com/) | Aug 2021 | 4 | | |
| [AElf](https://aelf.io/) | Jul 2021 | 4 | | |
| [CrossChain-Bridge](https://anyswap.exchange/bridge) | Jul 2021 | 8 | |
| [DFINITY](https://dfinity.org/) | May 2021 | 24 | | [📄](reviews/DFINITY.pdf) |
| [Open Oracle](https://chain.link/) | Apr 2021 | 2 | | |
| [Arbitrum V2](https://offchainlabs.com/) | Feb 2021 | 8 | | |
| [eFIL](https://www.gemini.com/blog/gemini-launches-wrapped-filecoin-efil-building-a-bridge-to-defi) | Jan 2021 | 2 | | |
| [Highway Consensus](https://casperlabs.io/en/) | Nov 2020 | 4 | [CasperLabs](https://blog.casperlabs.io/trail-of-bits-security-audit-casper-highway-protocol/) | [📄](reviews/CasperLabsHighwayProtocol.pdf) |
| [Stacks V2](https://www.blockstack.org/) | Sep 2020 | 6 | | |
| [VRFs](https://chain.link/) | Aug 2020 | 2 | | |
| [Celo Oracle](clabs.co) | Jul 2020 | 2 | | [📄](reviews/celo-oracle.pdf) |
| [Arbitrum](https://offchainlabs.com/) | Jul 2020 | 6 | | |
| [MYKEY](https://mykey.org/en) | Jul 2020 | 4 | | |
| [Symbol](https://symbolplatform.com/) | Jul 2020 | 4 | [Symbol](https://symbolplatform.com/latest/symbol-from-nem-completes-trail-of-bits-security-audit/) | [📄](reviews/Symbol.pdf) |
| [Ledger Filecoin](https://protocol.ai/) | Jul 2020 | 2 | | [📄](reviews/LedgerFilecoin.pdf) |
| [Chainlink](https://chain.link/) | Jun 2020 | 8 | | |
| [Chainlink Flux](https://chain.link/) | May 2020 | 4 | | |
| [Elrond](https://elrond.com/) | Mar 2020 | 6 | | |
| [EOSIO SDK](http://block.one/) | Jan 2020 | 4 | | |
| [NEAR Protocol](https://nearprotocol.com/) | Nov 2019 | 8 | | |
| [EOSIO 2.0](http://block.one/) | Oct 2019 | 8 | | |
| [Status-go](https://status.im/) | Oct 2019 | 9 | | |
| [Celo](https://celo.org/) | Sep 2019 | 8 | | |
| [Blockchain.com](https://www.blockchain.com/) | Aug 2019 | 4 | | |
| [RandomX](https://www.arweave.org/) | Jun 2019 | 2 | [Monero and Arweave to Validate RandomX](https://www.prnewswire.com/news-releases/monero-and-arweave-to-validate-the-proof-of-work-algorithm-randomx-300861697.html) | [📄](reviews/arweave-randomx.pdf) |
| Interest Token | May 2019 | 0.28 | | |
| [Loom](https://loomx.io/) | May 2019 | 10 | [Loom SDK Q1 2019 Security Audit](https://twitter.com/loomnetwork/status/1126748703530766336) | |
| [Building Blocks](https://innovation.wfp.org/project/building-blocks) | Aug 2018 | 7 | [UN WFP uses Ethereum to aid 100k refugees](https://www.parity.io/un-world-food-programme-uses-parity-ethereum-to-aid-100-000-refugees/) | |

## Disclosures and exploits

Check the [exploits repository](https://github.com/trailofbits/exploits) too.

|Name|Product|Discoverer|Year|ID|Blog|
|---|---|---|---|---|---|
|Denial of Service in protobuf-python|protobuf-python|Alexis Challande|2025|[CVE-2025-4565](https://github.com/advisories/GHSA-8qvm-5x2c-j2w7)||
|Vulnerabilities in LUKS2 disk encryption for confidential VMs|Linux LUKS2|Tjaden Hess|2025|[CVE-2025-59054](https://nvd.nist.gov/vuln/detail/CVE-2025-59054), [CVE-2025-58356](https://nvd.nist.gov/vuln/detail/CVE-2025-58356)|[💬](https://blog.trailofbits.com/2025/10/30/vulnerabilities-in-luks2-disk-encryption-for-confidential-vms/)|
|Prompt injection to RCE in AI agents|AI Agents (multiple platforms)|Will Vandevanter|2025|❌|[💬](https://blog.trailofbits.com/2025/10/22/prompt-injection-to-rce-in-ai-agents/)|
|Code integrity bypass in Electron applications|Electron Applications (Signal, 1Password, Slack)|Darius Houle|2025|[CVE-2025-55305](https://nvd.nist.gov/vuln/detail/CVE-2025-55305)|[💬](https://blog.trailofbits.com/2025/09/03/subverting-code-integrity-checks-to-locally-backdoor-signal-1password-slack-and-more/)|
|Weaponizing image scaling against production AI systems|Google Gemini, Vertex AI, Genspark|Kikimora Morozova, Suha Sabi Hussain|2025|❌|[💬](https://blog.trailofbits.com/2025/08/21/weaponizing-image-scaling-against-production-ai-systems/)|
|Prompt injection engineering for attackers: Exploiting GitHub Copilot|GitHub Copilot Agent|Kevin Higgs|2025|❌|[💬](https://blog.trailofbits.com/2025/08/06/prompt-injection-engineering-for-attackers-exploiting-github-copilot/)|
|Memory corruption in NVIDIA Triton Inference Server|NVIDIA Triton|Will Vandevanter|2025|[CVE-2025-23310](https://nvd.nist.gov/vuln/detail/CVE-2025-23310), [CVE-2025-23311](https://nvd.nist.gov/vuln/detail/CVE-2025-23311)|[💬](https://blog.trailofbits.com/2025/08/04/uncovering-memory-corruption-in-nvidia-triton-as-a-new-hire/)|
|Exploiting zero days in abandoned hardware|Netgear WGR614v9, BitDefender Box V1|Alan Cao, Will Tan|2025|❌|[💬](https://blog.trailofbits.com/2025/07/25/exploiting-zero-days-in-abandoned-hardware/)|
|MCP plaintext API key storage|Model Context Protocol|Cliff Smith, Suha Hussain, and Will Vandevanter|2025|❌|[💬](https://blog.trailofbits.com/2025/04/30/insecure-credential-storage-plagues-mcp/)|
|MCP ANSI escape sequence attacks|Model Context Protocol|Cliff Smith, Suha Hussain, and Will Vandevanter|2025|❌|[💬](https://blog.trailofbits.com/2025/04/29/deceiving-users-with-ansi-terminal-codes-in-mcp/)|
|MCP Line Jumping vulnerability|Model Context Protocol|Cliff Smith, Suha Hussain, and Will Vandevanter|2025|❌|[💬](https://blog.trailofbits.com/2025/04/23/how-mcp-servers-can-steal-your-conversation-history/)|
|User to root privilege escalation from an integer overflow in libinfo|macOS|Paweł Płatek|2025|[CVE-2025-24195](https://nvd.nist.gov/vuln/detail/CVE-2025-24195), [CVE-2025-31222](https://nvd.nist.gov/vuln/detail/cve-2025-31222), [CVE-2025-30440](https://nvd.nist.gov/vuln/detail/cve-2025-30440)|[💬](https://github.com/trailofbits/exploits/tree/main/obts-2025-macos-lpe)|
|Cryptography bugs in elliptic library|elliptic JavaScript library|Markus Schiffermuller|2024|[CVE-2024-48948](https://nvd.nist.gov/vuln/detail/CVE-2024-48948), [CVE-2024-48949](https://nvd.nist.gov/vuln/detail/CVE-2024-48949), [CVE-2024-48950](https://nvd.nist.gov/vuln/detail/CVE-2024-48950), [CVE-2024-48951](https://nvd.nist.gov/vuln/detail/CVE-2024-48951), [CVE-2024-48952](https://nvd.nist.gov/vuln/detail/CVE-2024-48952)|[💬](https://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof/)|
|Crash due to uncontrolled recursion in `Well-KnownText`|Elastic|Alexis Challande, Brad Swain|2024|[CVE-2024-52981](https://github.com/advisories/GHSA-5xm9-x7x4-4j5x)||
|Crash due to uncontrolled recursion in `innerForbidCircularReferences`|Elastic|Alexis Challande, Brad Swain|2024|[CVE-2024-52980](https://github.com/advisories/GHSA-ghfh-p92w-j4mg)||
|Crash due to uncontrolled recursion in Wire|Wire|Alexis Challande, Brad Swain|2024|[CVE-2024-58103](https://nvd.nist.gov/vuln/detail/CVE-2024-58103)||
|Crash due to uncontrolled recursion in protobuf crate|rust-protobuf|Alexis Challande, Brad Swain|2024|[RUSTSEC-2024-0437](https://rustsec.org/advisories/RUSTSEC-2024-0437.html)||
|Denial of Service in XStream|XStream|Alexis Challande, Brad Swain|2024|[GHSA-hfq9-hggm-c56q](https://github.com/advisories/GHSA-hfq9-hggm-c56q)|[💬](https://blog.trailofbits.com/2025/02/21/dont-recurse-on-untrusted-input/)|
|Denial of Service in protobuf-java|protobuf-java|Alexis Challande, Brad Swain|2024|[GHSA-735f-pc8j-v9w8](https://github.com/advisories/GHSA-735f-pc8j-v9w8)|[💬](https://blog.trailofbits.com/2025/02/21/dont-recurse-on-untrusted-input/)|
|Insufficient validation of integration timestamp in sigstore-python|sigstore-python|William Woodruff|2024|[CVE-2024-55655](https://www.cve.org/cverecord?id=CVE-2024-55655)||
|Rust crates "stable" and "nightly" might be installed instead of the corresponding toolchains|Crates.io|Max Ammann|2024|❌||
|num-bigint disclosure|num-bigint|Samuel Moelius|2024|❌|[💬](https://blog.trailofbits.com/2024/04/15/5-reasons-to-strive-for-better-disclosure-processes/)|
|Memory corruption during X.509 validation in GnuTLS|GnuTLS|William Woodruff|2024|[CVE-2024-28835](https://www.cve.org/cverecord?id=CVE-2024-28835)||
|Linux kernel modules kASLR bypass|Linux|Dominik Czarnota|2024|❌|[💬](https://blog.trailofbits.com/2024/03/08/out-of-the-kernel-into-the-tokens/)|
|Pedersen DKG vulnerability disclosure|Multiple|Fredrik Dahlgren|2024|❌|[💬](https://blog.trailofbits.com/2024/02/20/breaking-the-shared-key-in-threshold-signature-schemes/)|
|LeftoverLocals disclosure|multiple GPUs|Tyler Sorensen|2024|[CVE-2023-4969](https://www.cve.org/cverecord?id=CVE-2023-4969)|[💬](https://blog.trailofbits.com/2024/01/16/leftoverlocals-listening-to-llm-responses-through-leaked-gpu-local-memory/)|
|Billion hashes attack against Go JOSE libraries|go-jose|Matt Schwager|2023|GO-2023-2334, GO-2023-2409|[💬](https://blog.trailofbits.com/2024/03/08/out-of-the-kernel-into-the-tokens/)|
|Expo Secure Store: Shortening AES GCM Authentication Tags|expo-secure-store|Joop van de Pol|2023|❌|[💬](https://blog.trailofbits.com/2024/04/15/5-reasons-to-strive-for-better-disclosure-processes/)|
|YOLOv7 disclosure|YOLOv7|Alvin Crighton, Anusha Ghosh, Suha Hussain, Heidy Khlaaf, Jim Miller|2023|❌|[💬](https://blog.trailofbits.com/2023/11/15/assessing-the-security-posture-of-a-widely-used-vision-model-yolov7/)|
|Numbers turned weapons: DoS in Osmosis’ math library|Osmosis|Sam Alws|2023|❌|[💬](https://blog.trailofbits.com/2023/10/23/numbers-turned-weapons-dos-in-osmosis-math-library/)|
|The issue with ATS in Apple’s macOS and iOS|iOS, iPadOS, tvOS, macOS, and watchOS|Will Brattain|2023|[CVE-2023-38596](https://www.cve.org/cverecord?id=CVE-2023-38596)|[💬](https://blog.trailofbits.com/2023/10/30/the-issue-with-ats-in-apples-macos-and-ios/)|
|Eth ABI DoS disclosure|ethabi, eth_abi, etheriumjs-abi, alloy-rs|Max Ammann|2023|❌||
|L2 finality bugs in Juno and Pathfinder|Juno, Pathfinder|Benjamin Samuels|2023|❌|[💬](https://blog.trailofbits.com/2023/08/23/the-engineers-guide-to-blockchain-finality/)|
|Security flaws in an SSO plugin for Caddy|caddy-security|Maciej Domanski, Travis Peters, David Pokora|2023|[CVE-2024-21500](https://www.cve.org/cverecord?id=CVE-2024-21500), [CVE-2024-21499](https://www.cve.org/cverecord?id=CVE-2024-21499), [CVE-2024-21498](https://www.cve.org/cverecord?id=CVE-2024-21498), [CVE-2024-21497](https://www.cve.org/cverecord?id=CVE-2024-21497), [CVE-2024-21496](https://www.cve.org/cverecord?id=CVE-2024-21496), [CVE-2024-21493](https://www.cve.org/cverecord?id=CVE-2024-21493), [CVE-2024-21495](https://www.cve.org/cverecord?id=CVE-2024-21495), [CVE-2024-21494](https://www.cve.org/cverecord?id=CVE-2024-21494), [CVE-2024-21492](https://www.cve.org/cverecord?id=CVE-2024-21492), [CVE-2023-52430](https://www.cve.org/cverecord?id=CVE-2023-52430)|[💬](https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/)|
|ktor Path Traversal|ktor|Vasco Franco|2023|[CVE-2022-48476](https://www.cve.org/cverecord?id=CVE-2022-48476)||
|Specialized Zero-Knowledge Proof failures|Binance's tss-lib; All forks of tss-lib: Joltify, SwipeChain, and ThorChain; Coinbase's kryptology|Opal Wright|2022|❌|[💬](https://blog.trailofbits.com/2022/11/29/specialized-zero-knowledge-proof-failures/)|
|Forgery in Amis' Alice library|[Amis' alice](https://github.com/getamis/alice#acknowledgments)|Filipe Casal|2022|❌||
|Keeping the wolves out of wolfSSL|wolfSSL|Max Ammann|2022|[CVE-2022-38152](https://www.cve.org/cverecord?id=CVE-2022-38152) [CVE-2022-38153](https://www.cve.org/cverecord?id=CVE-2022-38153) [CVE-2022-39173](https://www.cve.org/cverecord?id=CVE-2022-39173) [CVE-2022-42905](https://www.cve.org/cverecord?id=CVE-2022-42905)|[💬](https://blog.trailofbits.com/2023/01/12/wolfssl-vulnerabilities-tlspuffin-fuzzing-ssh/)|
|Escaping misconfigured VSCode extensions - Live Preview XSS|Live Preview VSCode extension|Vasco Franco|2022|MS-VULN-073448|[💬](https://blog.trailofbits.com/2023/02/21/vscode-extension-escape-vulnerability/)|
|Escaping misconfigured VSCode extensions - Live Preview Path Traversal|Live Preview VSCode extension|Vasco Franco|2022|MS-VULN-073447|[💬](https://blog.trailofbits.com/2023/02/21/vscode-extension-escape-vulnerability/)|
|Escaping well-configured VSCode extensions (for profit) - VSCode localResourceRoots Bypass|VSCode|Vasco Franco|2022|[CVE-2022-41042](https://www.cve.org/cverecord?id=CVE-2022-41042)|[💬](https://blog.trailofbits.com/2023/02/23/escaping-well-configured-vscode-extensions-for-profit/)|
|Escaping misconfigured VSCode extensions - Sarif Viewer XSS|Sarif Viewer VSCode extension|Vasco Franco|2022|MS-VULN-071828|[💬](https://blog.trailofbits.com/2023/02/21/vscode-extension-escape-vulnerability/)|
|Stranger Strings: An exploitable flaw in SQLite|SQLite|Andreas Kellas|2022|❌|[💬](https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/)|
|json-viewer XSS|jquery.json-viewer|Vasco Franco|2022|[CVE-2022-30241](https://www.cve.org/cverecord?id=CVE-2022-30241)||
|ERC721 improper token transfer in cairo-contracts|OpenZeppelin cairo-contracts|Simone Monica|2022|❌|[💬](https://github.com/OpenZeppelin/cairo-contracts/issues/148)|
|Shamir's Secret Sharing vulnerabilities|Binance’s [tss-lib](https://github.com/binance-chain/tss-lib); Clover Network’s [threshold-crypto](https://github.com/clover-network/threshold-crypto); Keep Network’s [keep-ecdsa](https://github.com/keep-network/keep-ecdsa); Swingby’s [tss-lib](https://github.com/SwingbyProtocol/tss-lib); THORchain’s [tss-lib](https://gitlab.com/thorchain/tss/tss-lib); ZenGo X’s [curv](https://github.com/ZenGo-X/curv)|Filipe Casal|2021|❌|[💬](https://blog.trailofbits.com/2021/12/21/disclosing-shamirs-secret-sharing-vulnerabilities-and-announcing-zkdocs/)|
|Breaking Aave Upgradeability|Aave v1/v2|Josselin Feist|2020|❌|[💬](https://blog.trailofbits.com/2020/12/16/breaking-aave-upgradeability/)|
|Accidentally stepping on a DeFi lego|yVault (yEarn)|Sam Sun|2020|❌|[💬](https://blog.trailofbits.com/2020/08/05/accidentally-stepping-on-a-defi-lego/)|
|Smart contract vulnerabilities due to Tezos message passing architecture|Tezos|Simone Monica|2020|❌|[💬](https://forum.tezosagora.org/t/smart-contract-vulnerabilities-due-to-tezos-message-passing-architecture/2045)|
|Bug Hunting with Crytic|E&Y Nightfall, DeFiStrategies, Set Protocol, Computable, Aragon, Balancer|Josselin Feist|2020|❌|[💬](https://blog.trailofbits.com/2020/05/15/bug-hunting-with-crytic/)|
|OSX slack:// protocol handler javascript injection|Slack|Jay Little|2016|❌|[💬](https://hackerone.com/reports/79348)|
|Double free in VLC's 3GP file format|VLC|Loren Maggiore|2015|[CVE-2015-5949](https://www.cve.org/cverecord?id=CVE-2015-5949)|[💬](https://blog.trailofbits.com/2015/09/10/summer-trail-of-bits/)|

## Workshops

| Workshop Title | Venue | Date |
| --- | --- | --: |
| [Smart Contract Security Automation](workshops/Automated%20Smart%20Contracts%20Audit%20-%20TruffleCon%202019) | TruffleCon 2019 | Oct 2019 |
| [Introduction to Smart Contract Exploitation](workshops/Introduction%20to%20Smart%20Contract%20Exploitation%20-%20GreHack%202018) | GreHack 2018 | Nov 2018 |
| [Manticore EVM Workshop](workshops/Using%20Manticore%20and%20Symbolic%20Execution%20to%20Find%20Smart%20Contracts%20Bugs%20-%20Devcon%204) | Devcon4 2018 | Nov 2018 |
| [Smart Contract Security Automation](workshops/Automated%20Smart%20Contracts%20Audit%20-%20TruffleCon%202018) | TruffleCon 2018 | Oct 2018 |
| [DeepState: Bringing Vulnerability Detection Tools into the Dev Cycle](workshops/DeepState:%20Bringing%20vulnerability%20detection%20tools%20into%20the%20development%20lifecycle%20-%20SecDev%202018) | SecDev 2018 | Oct 2018 |
| [Smart Contract Security Automation](workshops/Smart%20Contract%20Security%20Automation%20-%20ETHBerlin%202018) | ETH Berlin 2018 | Sep 2018 |
| [Manticore EVM Workshop](workshops/Manticore%20-%20EthCC%202018) | EthCC 2018 | Mar 2018 |
| [Manticore Workshop](workshops/Manticore%20-%20GreHack%202017) | GreHack 2017 | Oct 2017 |

## Datasets

| Dataset | Date |
| --- |---|
| [Smart Contract Audit Findings](datasets/smart_contract_audit_findings) | Aug 2019 |

## Service Overviews

| Service Title | Type of Document |
| --- | --- |
| [AI Safety & Security Training](service-overviews/AI-safety-security-training.pdf) | One-page service overview |

# Legend

| Icon | Definition |
| --- | --- |
| 💬 | Blog post or other social media |
| 📄 | Security Assessment report |
| ✅ | Fix review report |
| 🔖 | Letter of Attestation |
| 📛 | Threat Model report |
| 📰 | Whitepaper |

| Header | Definition |
| --- | --- |
| Level of Effort | Defined in person-weeks for the project |