Publications from Trail of Bits

• Publications from Trail of Bits
  • Academic Papers
  • White Papers
  • Guides and Handbooks
  • Conference Presentations
    • Automated bug finding and exploitation
    • Blockchain
    • Compilers
    • Cryptography
    • Engineering
    • Education
    • Infrastructure
    • Machine Learning
    • Mobile security
    • Programming
    • Side channels
    • Supply chain
    • Threat analysis & malware
  • Podcasts
  • Webinars
  • Public Comments
  • Security Reviews
    • Major Clients
      • Offchain Labs
      • Scroll
      • Uniswap
      • Frax Finance
      • Reserve Protocol
      • MobileCoin
      • Western Digital
    • AI/ML Reviews
    • Cryptography Reviews
    • Technology Product Reviews
    • Cloud-Native Reviews
    • Invariant Testing and Development Engagements
    • Blockchain Reviews
      • Wallet Reviews
      • Algorand
      • Avalanche
      • Bitcoin & Derivatives
      • Ethereum/EVM
      • NervOS
      • Starknet
      • Solana
      • Substrate
      • Tendermint/Cosmos
      • Tezos
      • TON
      • Other/Multi-Chain
  • Disclosures and exploits
  • Workshops
  • Datasets
  • Service Overviews
• Legend

Academic Papers

Paper Title	Venue	Publication Date
A Broad Comparative Evaluation of Software Debloating Tools	USENIX Security 2024	2024
PolyTracker: Whole-Input Dynamic Information Flow Tracing	ISSTA 2024	2024
Endokernel: A Thread Safe Monitor for Lightweight Subprocess Isolation	Usenix Security 2024	2024
Design and Implementation of a Coverage-Guided Ruby Fuzzer	CSET 24	2024
Test Harness Mutilation	Mutation 2024	2024
VAST: MLIR compiler for C/C++	EuroLLVM Devs' Meeting 2024	2024
PoTATo: Points-to analysis via domain specific MLIR dialect	EuroLLVM Devs' Meeting 2024	2024
Careful with MAc-then-SIGn: A Computational Analysis of the EDHOC Lightweight Authenticated Key Exchange Protocol	Euro S&P 2023	2023
Weak Fiat-Shamir Attacks on Modern Proof Systems	IEEE S&P 2023	2023
Endoprocess: Programmable and Extensible Subprocess Isolation	NSPW 2023	2023
CIVSCOPE: Analyzing Potential Memory Corruption Bugs in Compartment Interfaces	SOSP KISV 2023	2023
Detecting variability bugs through hybrid control and data flow analysis	LangSec 2023	2023
Blind Spots: Automatically detecting ignored program inputs	LangSec 2023	2023
Efficient Proofs of Software Exploitability for Real-world Processors	PETS 2023	2023
Toward Comprehensive Risk Assessments and Assurance of AI Systems	arXiv	2023
A Broad Comparative Evaluation of x86-64 Binary Rewriters	CSET 22	2022
On the Optimization of Equivalent Concurrent Computations	PLDI EGRAPHS 2022	2022
Evaluating Static Analysis Tools via Differential Mutation	QRS 2021	2021
echidna-parade: Diverse multicore smart contract fuzzing	ISSTA 2021	2021
Differential analysis of x86-64 instruction decoders	LangSec 2021	2021
Echidna: effective, usable, and fast fuzzing for smart contracts	ISSTA 2020	2020
ICARUS: Understanding De Facto Formats By Way of Feathers and Wax	LangSec 2020	2020
Toward Automated Grammar Extraction via Semantic Labeling of Parser Implementations	LangSec 2020	2020
What are the Actual Flaws in Important Smart Contracts?	FC 2020	2020
Echidna: A Practical Smart Contract Fuzzer	FC 2020	2020
RSA GTFO	PoC||GTFO 0x20	2020
Manticore: Symbolic Execution for Binaries and Smart Contracts	ASE 2019	2019
Slither: A Static Analysis Framework For Smart Contracts	WETSEB 2019	2019
Toward Smarter Vulnerability Discovery Using Machine Learning	AISec 2018	2018
The Past, Present, and Future of Cyberdyne	IEEE S&P	2018
DeepState - Symbolic Unit Testing for C and C++	BAR 2018	2018
Cyber-Deception and Attribution in Capture-the-Flag Exercises	FOSINT-SI 2015	2015

White Papers

Paper Title	Author(s)	Publication Date
Detecting Implicit Conversions in OpenVPN2 Using CodeQL	Paweł Płatek	September 2025
Preventing Account Takeovers on Centralized Cryptocurrency Exchanges Recommended Practices	Shaun Mirani, Kelly Kaoudis, and Evan Sultanik	Feb 2025
Input-Driven Recursion: Ongoing Security Risks	Alexis Challande and Brad Swain	Dec 2024
OpenSearch Benchmark Assessment	Evan Downing, Riccardo Schirone, Francesco Bertolaccini, and Ronald Eytchison	Aug 2024
Cedar, Rego, and OpenFGA Policy Languages: Comparative Language Security Assessment	Ian Smith and Kelly Kaoudis	Aug 2024
Toward Comprehensive Risk Assessments and Assurance of AI-Based Systems	Heidy Khlaaf	Mar 2023
Are Blockchains Decentralized? Unintended Centralities in Distributed Ledgers	Evan Sultanik et al.	Jun 2022
Do You Really Need a Blockchain? An Operational Risk Assessment	Evan Sultanik and Mike Myers	Jun 2022

Guides and Handbooks

Link	Description
Testing Handbook	Guides for configuring and automating static and dynamic analysis tools
ZKDocs	Interactive documentation on zero-knowledge proof systems
Building Secure Smart Contracts	Best practices for developing secure smart contracts
CTF Field Guide	Field guide to winning at Capture The Flag competitions
Ruby Security Field Guide	Practical Ruby security guide

Conference Presentations

Automated bug finding and exploitation

Presentation Title	Author(s)	Year
Buttercup: Autonomously Finding and Fixing Bugs at Scale in Open-Source Software	Ronald Eytchison	2025
Our experience competing in the AI Cyber Challenge	Michael Brown et al.	2025
Your Mitigations are My Opportunities	Yarden Shafir	2023
Detecting variability bugs with hybrid control and data flow	Kelly Kaoudis, Henrik Brodin, Evan Sultanik	2023
Blind Spots: Identifying Exploitable Program Inputs	Henrik Brodin, Evan Sultanik, and Marek Surovič	2023
MLIR is the future of program analysis	Peter Goodman	2023
A Sermon on the Indulgences of Computational Sacrifice; or, The Superabundant Benedictions of Programming an Absurd NES Game	Evan Sultanik	2021
Differential analysis of x86-64 instruction decoders	William Woodruff, Niki Carroll, Sebastiaan Peters	2021
How to find bugs when (ground) truth isn't real	William Woodruff	2020
The Treachery of Files and Two New Tools that Tame It	Evan Sultanik	2019
Symbolically Executing a Fuzzy Tyrant	Stefan Edwards	2019
Kernel space fault injection with KRF	William Woodruff	2019
Binary Symbolic Execution With KLEE-Native	Sai Vegasena	2019
Going sicko mode on the Linux Kernel	William Woodruff	2019
Vulnerability Modeling with Binary Ninja	Josh Watson	2018
File Polyglottery; or, This PoC is also a picture of cats	Evan Sultanik	2017
Be a binary rockstar	Sophia D'Antoine	2017
Symbolic Execution for Humans	Mark Mossberg	2017
The spirit of the 90s is still alive in Brooklyn	Ryan Stortz, Sophia D'Antoine	2017
The dream of a static and dynamic analysis shootout	Ryan Stortz	2016
Binary constraint solving for automatic exploit generation	Sophia D'Antoine	2016
The Smart Fuzzer Revolution	Dan Guido	2016
Making a scaleable automated hacking system	Artem Dinaburg	2016
Cyberdyne - Automatic bug-finding at scale	Peter Goodman	2016
McSema: Static translation of x86 to LLVM IR	Andrew Ruef, Artem Dinaburg	2014

Blockchain

Presentation Title	Author(s)	Year
Test your tests: the do's and don'ts of testing	Kurt Willis	2023
Slither: a static analysis tool for Vyper and Solidity	Troy Sargent	2023
Roundme: rounding analysis made simpler	Josselin Feist	2023
Smart Contracts: The Beta	Nat Chin	2023
Fuzzing like a security engineer	Nat Chin	2023
Write better smart contracts with Slither's Python API	Troy Sargent	2022
Building Secure Cairo	Filipe Casal, Simone Monica	2022
How to fuzz like a pro	Josselin Feist, Nat Chin	2022
Demystifying Fuzzing	Nat Chin	2022
Building a Practical Static Analyzer for Smart Contracts	Josselin Feist	2021
Testing and Verifying Smart Contracts: From Theory to Practice	Josselin Feist	2021
Safely integrating with ERC20 tokens	Josselin Feist	2021
Detecting transaction replacement attacks with Manticore	Sam Moelius	2020
Fantastic Bugs and How to Squash Them; or, the Crimes of Solidity	Evan Sultanik	2019
SlithIR: High-Precision Security Analysis with an IR for Solidity	Josselin Feist	2019
Slither: A Static Analysis Framework for Smart Contracts	Josselin Feist	2019
What blockchain got right	Dan Guido	2019
Property-testing of smart contracts	JP Smith	2018
Anatomy of an unsafe programming language	Evan Sultanik	2018
Contract upgrade risks and recommendations	Josselin Feist	2018
Blackhat Ethereum	Ryan Stortz, Jay Little	2018
Blockchain Autopsies - Analyzing Smart Contract Deaths	Jay Little	2018
Rattle - an Ethereum EVM binary analysis framework	Ryan Stortz	2018
Securing value on the Ethereum blockchain	Dan Guido	2018
Binary analysis, meet the blockchain	Mark Mossberg	2018
Automatic bug finding for the blockchain	Felipe Manzano, Josselin Feist	2017

Compilers

Presentation Title	Author(s)	Year
A Broad Comparative Evaluation of Software Debloating Tools	Michael D. Brown, Adam Meily, Eric Kilmer, Ronald Eytchison	2024
Repurposing LLVM analyses in MLIR: Also there and back again across the tower of IRs	Henrich Lauko	2024
VAST: MLIR for program analysis of C/C++	Henrich Lauko	2022
A Broad Comparative Evaluation of x86-64 Binary Rewriters	Michael D. Brown	2022
On the Optimization of Equivalent Concurrent Computations	Henrich Lauko, Lukáš Korenčik, Peter Goodman	2022

Cryptography

Presentation Title	Author(s)	Year
One, Two, TEE: Trust in Numbers Meets Hardware Security	Paul Bottinelli	2025
Weak Fiat-Shamir attacks on modern proof systems	Jim Miller	2024
Building a Rusty path validation library for PyCA Cryptography	William Woodruff	2024
Implementing X.509 path validation for Python	William Woodruff	2024
Careful with MAc-then-SIGn	Marc Ilunga	2023
die, PGP, die	William Woodruff	2022
Seriously, stop using RSA	Ben Perez	2019
Best Practices for Cryptography in Python	Paul Kehrer	2019
Analyzing the MD5 collision in Flame	Alex Sotirov	2012

Engineering

Presentation Title	Author(s)	Year
Repeatable Benchmarking: An Exploration of OpenSearch vs Elasticsearch	Evan Downing	2025
Linux Security Event Monitoring with osquery	Alessandro Gario	2019
osql: The community oriented osquery fork	Stefano Bonicatti, Mark Mossberg	2019
Getting started with osquery	Lauren Pearl, Andy Ying	2018
osquery Super Features	Lauren Pearl	2018
osquery Extension Skunkworks	Mike Myers	2018
Build it Break it Fix it	Andrew Ruef	2014

Education

Presentation Title	Author(s)	Year
Introduction to Semgrep and Semgrep Practice Exercises	Maciej Domański, Matt Schwager, Spencer Michaels	2024
A mostly gentle introduction to LLVM	William Woodruff	2022
JWTs, and why they suck	Rory M	2021
The Joy of Pwning	Sophia D'Antoine	2017
How to CTF - Getting and using Other People's Computers (OPC)	Jay Little	2014
Low-level Security	Andrew Ruef	2014
Security and Your Business	Andrew Ruef	2014
Bringing nothing to the party	Vincenzo Iozzo	2013
From One Ivory Tower to Another	Vincenzo Iozzo	2012

Infrastructure

Presentation Title	Author(s)	Year
Return to the 100 Acre Woods	Stefan Edwards	2019
Swimming with the kubectl fish	Stefan Edwards	2019

Machine Learning

Presentation Title	Author(s)	Year
Incubated Machine Learning Exploits: Backdooring ML Pipelines Using Input-Handling Bugs	Suha Sabi Hussain	2024
Holistic ML Threat Models	Adelin Travers	2024
Using Graph-Based Machine Learning Algorithms for Software Analysis	Michael D. Brown	2023
Exploiting Machine Learning Pickle Files	Carson Harmon, Evan Sultanik, Jim Miller, Suha Sabi Hussain	2021
PrivacyRaven: Comprehensive Privacy Testing for Deep Learning	Suha Sabi Hussain	2020

Mobile security

Presentation Title	Author(s)	Year
Swift Reversing	Ryan Stortz	2016
Modern iOS Application Security	Sophia D'Antoine, Dan Guido	2016
The Mobile Exploit Intelligence Project	Dan Guido	2012
A Tale of Mobile Threats	Vincenzo Iozzo	2012

Programming

Presentation Title	Author(s)	Year
Python internals - let's talk about dicts	Dominik Czarnota	2019
Low-level debugging with Pwndbg	Dominik Czarnota	2018
Insecure Things to Avoid in Python	Dominik Czarnota	2018

Side channels

Presentation Title	Author(s)	Year
Hardware side channels in virtualized environments	Sophia D'Antoine	2015
Exploiting Out-of-Order Execution	Sophia D'Antoine	2015

Supply chain

Presentation Title	Author(s)	Year
Attestations: a new generation of signatures on PyPI	William Woodruff	2025
The Next 5 Years of Supply Chain Security on PyPI	William Woodruff	2024
PEP 740 and PyPI: Bootstrapping Provenance for the Python Ecosystem	William Woodruff	2024
Imagining a zero-trust future for PyPI	William Woodruff	2024
Build Provenance: Lessons (so far) from Homebrew	Joe Sweeney	2024
What does it look like to code-sign for an entire packaging ecosystem?	William Woodruff	2023
Securing your Package Ecosystem with Trusted Publishing	William Woodruff	2023
Trusted Publishing: Lessons from PyPI	William Woodruff	2023
Ergonomic codesigning for the Python ecosystem with Sigstore	William Woodruff	2023
Sigstore for Python Packaging: Next Steps for Adoption	William Woodruff	2022
Python Packaging Mystery Meat	William Woodruff	2022
Automated Tools for Securing the Software Supply Chain	Michael D. Brown	2022
Improving PyPI's security with Two Factor Authentication	William Woodruff	2019

Threat analysis & malware

Presentation Title	Author(s)	Year
Peeling back the 'Shlayers' of macOS Malware	Josh Watson, Erika Noerenberg	2019
The Exploit Intelligence Project Revisited	Dan Guido	2013

Podcasts

Podcast	Guest	Date	Topic(s)
Risky Biz	Keith Hoodlet	Sep 2025	AI prompt injections
Zero Signal	Keith Hoodlet	Sep 2025	AI Security
Unsupervised Learning	Michael Brown	Aug 2025	AIxCC
Security Weekly #342	Will Vandevanter	Aug 2025	NVIDIA vulnerability disclosure
CTF Radiooo 01E	Michael Brown & Evan Downing	Aug 2025	AIxCC
Click Here Show	Dan Guido	Jun 2025	Zoom remote control attacks
Security Weekly #336	Artur Cygan	Jun 2025	Fuzzing Barcodes
Protect AI	Keith Hoodlet	Jun 2025	MCP Security
MLSecOps	Keith Hoodlet	Apr 2025	AI/ML security
Risky Biz 786	Tjaden Hess	Apr 2025	Cryptography & blockchain
Security Weekly #323	Keith Hoodlet	Mar 2025	GenAI in Appsec
Xyonix	Keith Hoodlet	Mar 2025	AI/ML security
Bugcrowd	Keith Hoodlet	Oct 2024	AI/ML Bias
Risky Biz	Dan Guido	Oct 2024	Post-quantum cryptography
Risky Biz 759	Dan Guido	Aug 2024	DARPA's AI Cyber Challenge
Resilience Rundown	Josiah Dykstra	May 2024	Bias in security
Risky Biz	Dan Guido	Apr 2024	Open source tooling
MLSecOps March 20	William Woodruff	Mar 2024	Supply chain security
yWhales	Dan Guido	Dec 2023	Blockchain security
Risky Biz 707	Dan Guido	May 2023	ML security
ASW 229	Nick Selby	Feb 2023	Threat modeling, cloud-native audits
Risky Biz 690	Dan Guido	Jan 2023	Vuln disclosure
Risky Biz 672	Dan Guido	Jul 2022	Blockchain security
Cloud Security Reinvented	Nick Selby	Jun 2022	Cloud security
Skiff Office Hours	Dan Guido	Mar 2022	Privacy technology
Risky Biz 652	Dan Guido	Jan 2022	Zero-knowledge proofs
Secureum Safecast #3	Josselin Feist	Nov 2021	Blockchain security
Secureum Safecast #2	Dan Guido	Oct 2021	Blockchain security
Press Freedom Foundation	Dan Guido	Jul 2021	Mobile security and iVerify
Employee Cycle	Hannah Hanks	Mar 2021	First PeopleOps hire
Risky Biz 614	Dan Guido	Feb 2021	iVerify
Building Better Systems 6	Dan Guido	Jan 2021	What blockchain got right
WCBS 880	Dan Guido	Sep 2020	Gap years and intern hiring
Risky Biz 594	Dan Guido	Aug 2020	Apple security
Epicenter 346	Dan Guido	Jun 2020	Smart contract security
Absolute AppSec 97	Stefan Edwards	May 2020	Threat modeling
Unchained 170	Dan Guido	May 2020	DeFi security
Risky Biz 580	Dan Guido	Apr 2020	Mobile voting
Absolute AppSec 91	Stefan Edwards	Apr 2020	Mobile voting
Zero Knowledge 122	Ben Perez	Mar 2020	Cryptography reviews, ZKPs
Changelog	Dan Guido	Jan 2020	AlgoVPN
Risky Business 559	Stefan Edwards	Oct 2019	Kubernetes
FOSS Weekly 545	William Woodruff	Sep 2019	PyPI security improvements
Podcast.__init__ 225	William Woodruff	Aug 2019	PyPI security, UX, and sustainability
Absolute AppSec 68	Stefan Edwards, Bobby Tonic	Aug 2019	Kubernetes
Hashing it Out 53	Dan Guido	Jul 2019	Smart contract testing
Absolute AppSec 60	Stefan Edwards	May 2019	Android, programming languages
Absolute AppSec 55	Stefan Edwards	Apr 2019	Security testing
Hashing it Out 35	Dan Guido, Josselin Feist	Jan 2019	Ethereum's failed EIP-1283
Risky Biz 526	JP Smith	Jan 2019	Post-quantum crypto in CTFs
Absolute AppSec 37	Stefan Edwards	Nov 2018	Programming languages, symbex
Risky Biz 510	Lauren Pearl	Aug 2018	Open source security engineering
Absolute AppSec 34	Stefan Edwards	Oct 2018	Security testing, blockchain
Zero Knowledge 16	JP Smith	Mar 2018	Smart contract security
Risky Biz 488	JP Smith	Feb 2018	Smart contract testing w/ Manticore
Risky Biz 474	Dan Guido	Oct 2017	How to engineer secure software
Georgian Partners 47	Dan Guido	May 2017	AlgoVPN and Tor
VUC 643	Dan Guido	Apr 2017	AlgoVPN
Risky Biz 449	Dan Guido	Mar 2017	Control Flow Integrity
Risky Biz 425	Dan Guido	Sep 2016	Recap the week's news
Risky Biz 421	Dan Guido	Aug 2016	Car hacking and the week's news
Risky Biz 416	Dan Guido	Jul 2016	DARPA Cyber Grand Challenge
Risky Biz 399	Dan Guido	Feb 2016	Apple vs the FBI
Risky Biz 370	Dan Guido	Feb 2015	DARPA Cyber Grand Challenge
Risky Biz 348	Dan Guido	Jun 2015	DARPA Cyber Grand Challenge

Webinars

Title	Speakers	Date
MCP Security Deep Dive: From Attacks to Defense	Keith Hoodlet, Cliff Smith, Vineeth Sai Narajala, Manish Bhatt	Jul 2025
Security Audits: Best Practices with Trail of Bits	Chris Dahlheimer, Lindsay Rakowski, & Vanessa Gennarelli	Mar 2025
Mastering Web Research with Burp Suite	Keith Hoodlet, Cliff Smith, & James Kettle	Jun 2024
Introduction to CodeQL: Examples, Tools and CI Integration	Filipe Casal & Fredrik Dahlgren	Mar 2024
Introduction to Semgrep	Maciej Domanski & Matt Schwager	Jan 2024

Public Comments

Topic	Agency	Date
Automated Artifical Intelligence Bill Of Materials for AI/ML Ops	U.S. Army PEO IEW&S	Dec 2023
Open-Source Software Security: Areas of Long-Term Focus and Prioritization	ONCD, CISA, NSF, DARPA, OMB	Nov 2023
Understanding the National Security Implications of AI	Whitehouse OTSP	Jul 2023
AI Accountability, Regulation, and Audits	NTIA	Jun 2023
A Comprehensive Risk Assessment Framework for AI Assurance in Ethical, Legal, and Societal Domains	DARPA	Jun 2023
Understanding Crypto Markets Security	CFTC	Mar 2023
Regulation of Intrusion and Surveillance Software	Commerce Dept	Jul 2015

Security Reviews

Companies that have allowed us to speak about our work can be found here. Many more remain confidential.

Major Clients

The following clients have engaged Trail of Bits for 5 or more security reviews:

Offchain Labs

Product	Date	Level of Effort	Announcement	Report
Offchain Labs Arbitrum Quorum Changes	December 2025	0.4		📄
Offchain Labs Arbitrum ArbOS 50 and 51 (Fusaka)	December 2025			📄
Offchain Labs Arbitrum Chains Genesis File Generator	December 2025	1.6		📄✅
Offchain Labs Upgrade Executor	July 2025	0.2		📄
Offchain SetCoreGovernorQuorumAction	Jun 2025	1.2		📄
Offchain Arbitrum Mint/Burn Precompile	Jun 2025	1.8		📄✅
Offchain Arbitrum Block Hash Pusher	Jun 2025	1.8		📄
Offchain ArbOS 40 Nitro	May 2025	6		📄
Offchain Reward Distributor Fixes	Apr 2025	0.8		📄
Offchain Sequencer Liveness	Mar 2025	3		📄
Offchain Custom Fee Bridge & EIP-7702	Mar 2025	1		📄
Offchain Geth 14.4 Pectra	Mar 2025	0.8		📄
Offchain Custom Fee Exchange Rate	Mar 2025	1		📄
Offchain Security Council Rotation	Mar 2025	1.6		📄
Offchain DisableGateway USDT	Mar 2025	0.4		📄
Offchain BoLD Fixes	Dec 2024	0.8		📄
Offchain Stylus Emergency Fixes	Oct 2024	2		📄
Offchain BoLD History Commits	Oct 2024	2		📄
Offchain Nitro with BoLD	Oct 2024	2.6		📄
Offchain Stylus	Sep 2024	2		📄✅
Offchain RARI	Aug 2024	.6		📄
Offchain Office Hours Action	Aug 2024	.6		📄
Offchain Timeboost Auction	Aug 2024	3		📄
Offchain Orbit Actions	Aug 2024	1		📄
Offchain USDC Gateway	Jul 2024	2		📄
Offchain BoLD & DAC Rewards	Jun 2024	3		📄
Offchain Arbitrum Stylus	May 2024	47		📄
Offchain L1-L3 Teleporter	Apr 2024	2		📄
Offchain ArbOS 31	Apr 2024	2		📄
Offchain ArbOS 30 Nitro	Apr 2024	6		📄
Offchain BoLD	Apr 2024	5		📄
Offchain ArbOS	Feb 2024	4		📄
Offchain Arbitrum	Jan 2024	2		📄
Offchain Token Bridge Creator	Dec 2023	6		📄
Offchain Custom Fee Token	Sep 2023	3		📄
Offchain Arbitrum Challenge v2	Aug 2023	20		📄✅

Scroll

Product	Date	Level of Effort	Announcement	Report
Scroll Feynman Upgrade Smart Contract Changes	Jul 2025	1		📄
Scroll Euclid Phase 2	Apr 2025	4	Scroll	📄✅🔖
Scroll Euclid Phase 1	Apr 2025	3	Scroll	📄✅🔖
Scroll zstd Compression	Jun 2024	12		📄✅
Scroll ZkEVM 4844 Blob	Apr 2024	6		📄✅
Scroll ZkEVM Wave 3	Sep 2023	9		📄✅
Scroll l2geth [diff]	Aug 2023	2		📄
Scroll l2geth [initial]	Aug 2023	2		📄
Scroll ZkEVM Wave 2	Aug 2023	6		📄✅
Scroll zkTrie	Jul 2023	4		📄✅
Scroll ZkEVM Wave 1	Apr 2023	23		📄✅

Uniswap

Product	Date	Level of Effort	Announcement	Report
Uniswap v4 Core	Jul 2024	6		📄✅
Uniswap Browser Extension	Feb 2024	6		📄✅
Uniswap	Sep 2023	4		📄✅
Uniswap Mobile Wallet	Aug 2022	4		📄✅
Uniswap V3 Staker	Jun 2021	2
Uniswap V3	Mar 2021	10	Uniswap	📄

Frax Finance

Product	Date	Level of Effort	Announcement	Report
FraxGov	May 2023	4		📄✅
Fraxlend and veFPIS	Jan 2023	4
Fraxlend and FraxFerry	Oct 2022	4		📄
Frax	May 2022	4		📄
Frax	Dec 2021	4		📄
Frax	May 2021	4		📄

Reserve Protocol

Product	Date	Level of Effort	Announcement	Report
Reserve Protocol Solidity 4.0.0	Jun 2025	3.6		📄✅
Reserve Protocol Solana DTFs	Apr 2025	2		📄✅
Reserve Folio Solidity-Based Contracts	Apr 2025	2		📄✅
Reserve Protocol	Aug 2022	8		📄, ✅
Reserve Protocol	Mar 2019	1		📄

MobileCoin

Product	Date	Level of Effort	Announcement	Report
MobileCoin	Jul 2022	2		📄
Fog Protocol	Jan 2021	4		📄
MobileCoin BFT	Oct 2020	4		📄
MobileCoin	Aug 2020	4		📄

Western Digital

Product	Date	Level of Effort	Announcement	Report
ArmorLock	Apr 2022	6
Optimus ROM	Jan 2022	4
Secure Transport	Apr 2020	4
Western Digital Sweet B	Jan 2020	4	Western Digital	📄
SanDisk X600	May 2019	6	Multiple vulnerabilities in SanDisk X600	📄

AI/ML Reviews

Product	Date	Level of Effort	Announcement	Report
YOLOv7	Oct 2023	4		📄
SafeTensors	Mar 2023	2		📄

Cryptography Reviews

Product	Date	Level of Effort	Announcement	Report
Zama	Oct 2025	32.2
DFINITY Oisy	Sept 2025	4		📄✅
Google Longfellow	Aug 2025	4.6		📄✅
Open Quantum Safe liboqs	Apr 2025	5	Open Quantum Safe	📄
Go Crypto Libraries	Mar 2025	12	Go	📄✅
Zkonduit EZKL	Mar 2025	11	EZKL	📄✅
Scopely Monopoly Go!	Dec 2024	2		🔖
Aligned	Dec 2024	3		📄✅
Lit Protocol Cait-Sith	Jun 2024	10		📄✅
Discord DAVE	Sep 2024	5	Discord	📄✅
Discord DAVE	Aug 2024	4	Discord	📄✅
Iron Fish FishHash	Apr 2024	1	Iron Fish	📄✅
Silence Laboratories Silent Shard	Feb 2024	5		📄✅
Snow	Jan 2024	4		📄✅
Ockam	Nov 2023	11	Trail of Bits	📄
Axiom Halo2 Library Upgrades	Oct 2023	6	Axiom	📄✅
Axiom Halo2 Libraries	Jun 2023	14	Axiom	📄✅
Aleo snarkVM, snarkOS, BullsharkBFT	Oct 2023	18	Aleo	📄✅
Dfinity Candid	Nov 2023	3		📄✅
Dfinity ckBTC and BTC Integration	Jun 2023	2.5	Forum, Blog
Dfinity SNS Phase 2	Jun 2023	2.5	Forum, Blog	📄
Thesis tss-lib BitForge	Jun 2023	0.2	Threshold	📄✅
Chainflip	Apr 2023	12	Chainflip	📄✅
Stealth Addresses	Feb 2023	2		📄✅
Succinct ZK Light Client	Feb 2023	8	Succinct	📄✅
noble-curves Library	Jan 2023	2		📄✅
ParaSpace	Dec 2022	1		📄
Phantom Wallet	Nov 2022	2
ParaSpace	Nov 2022	7		📄✅
SimpleX Chat	Oct 2022	1	SimpleX	📄
Dfinity	Sep 2022	4	Forum, Blog	📄✅
Aleo snarkVM	Sep 2022	12		📄✅
Microsoft/Verasion Go-COSE	Jul 2022	4		📄✅
BLS Signature Scheme	Jul 2022	1
Binance CGGMP21 and FROST	May 2022	8
snarkVM and snarkOS	Apr 2022	12
Aleo snarkVM & snarkOS	Apr 2022	12
Phantom Wallet	Apr 2022	4
Parallel Finance	Mar 2022	6		📄
Polkadex	Feb 2022	10
Linux Kernel	Apr 2021	2	Release Signing and Management	📄
Standard Notes	Mar 2020	1	Standard Notes	📄
Project Callisto	Aug 2018	5

Technology Product Reviews

Product	Date	Level of Effort	Announcement	Report
Zoo KittyCAD Code Review	June 2024	4		📄✅
Edera Runtime Container	Oct 2025	4		📄
Meta WhatsApp Private Processing	Aug 2025	12		📄✅
Discord E2EE WebAssembly	Jun 2025	3		📄
NATS Server	Feb 2025	6		📄✅
Istio Ztunnel	Dec 2024	2	OSTIF, Istio	📄✅
RubyGems.org	Dec 2024	5		📄
Kraken Wallet In-App Browser	Nov 2024	4		📄✅
Polygon Labs Iden3 Circuits	May 2024	2		📄✅
Kraken Wallet iCloud Backup	Sep 2024	2		📄✅
Hugging Face Gradio	Jul 2024	4	Hugging Face, Trail of Bits	📄✅
Kraken Mobile Wallet	Jan 2024	7	Kraken	📄✅
Eclipse Temurin	Dec 2023	4	Response, OSTIF, Eclipse Foundation	📄✅
Arch Linux Pacman	Dec 2023	2	OTF	📄✅
cURL HTTP3	Dec 2023	4	OSTIF, Daniel Stenberg	📄
Lisk SDK 6.1 modules	Sep 2023	4		📄✅
OpenSSL	Sep 2023	9	OSTIF, OpenSSL	📄✅
PyPI Warehouse	Sep 2023	10	PyPI, Trail of Bits	📄✅
wasmCloud	Sep 2023	6		📄✅
Worldcoin	Aug 2023	6		📄✅
Homebrew	Aug 2023	6		📄
DigitalOcean OIDC	Aug 2023	4		📄
Flux	Aug 2023	4	OSTIF, Flux	📄✅
Lisk SDK	Jul 2023	30		📄✅
DragonFly2	Jul 2023	4	Dragonfly, OSTIF	📄✅
Eclipse JKube	May 2023	5	OSTIF, Eclipse	📄✅
Chainflip	Apr 2023	12	Chainflip	📄✅
Eclipse Mosquitto	Mar 2023	4	OSTIF, Eclipse	📛📄✅
Eclipse Jetty	Mar 2023	6	Jetty, Eclipse	📄✅
Spool Platform	Mar 2023	8		📄✅
Redpanda Platform	Jan 2023	4
Injective Labs Options Market	Jan 2023	4
OpenVPN3	Jan 2023	6
OpenVPN2	Dec 2022	4	OpenVPN	📄✅
OpenArchive Save (Android)	Dec 2022	1	OpenArchive Save	📄✅
Enclave Markets	Nov 2022	9
Fiat Ramps	Nov 2022	4
cURL	Oct 2022	9.5	OSTIF, Daniel Stenberg. Trail of Bits	📄✅📛
CloudEvents	Oct 2022	4	OSTIF	📄
OpenArchive Save (iOS)	Oct 2022	1.2	OpenArchive Save	📄✅
AlphaSOC API	Sep 2022	1		📄✅
Consul Enterprise	Sep 2022	6
snarkVM	Sep 2022	12		📄✅
Hashicorp Boundary	Jul 2022	6
Skiff	Jul 2022	6
Terraform Cloud	Jun 2022	6
Datadog	May 2022	6
Datadog	May 2022	6
MATTR	May 2022	4
ArmorLock	Apr 2022	6
DigitalOcean Function	Apr 2022	4
Auvik Collector	Apr 2022	8
Fuchsia Platform	Mar 2022	8
Optimus ROM	Jan 2022	4
BitcoinBeach	Mar 2022	4		📄
osquery	Jan 2022	6		📄
Redjack	Dec 2021	2
DigitalOcean Cloud	Nov 2021	12
SpruceID	Oct 2021	12		📄
Doppler	Sep 2021	4
Datadog Agent	Aug 2021	8
Appian	Jun 2021	4
Cashero-2.0	Jun 2021	4
Orbit	Apr 2021	1
VGS Proxy	Apr 2021	4
Skiff	Feb 2021	4
CircleCI Server 3.0	Jan 2021	6	Penetration testing at CircleCI
BitMEX	Jan 2021	4
SecureDrop	Dec 2020	8	2nd audit of SecureDrop Workstation	📄
Citizen Browser	Dec 2020	0.43	How We Built a Facebook Inspector
Ren	Aug 2020	4	August Development Update	📄
Hey.com	Jun 2020	1	Serious Security	📄
Azure Sphere	Jun 2020	12	Azure Sphere 20.07 Security Enhancements
Zoom	May 2020	9	90 Days Done, What's Next for Zoom
Secure Transport	Apr 2020	4
ZeroTier 2.0	Mar 2020	2	ZeroTier	📄
Voatz	Feb 2020	12	Voatz, Tusk	📄📛
Vault	Feb 2020	12
Voice	Jan 2020	4
Azure Sphere	Jun 2019	12
zlib	Sep 2016	1		📄

Cloud-Native Reviews

Product	Date	Level of Effort	Announcement	Report
KEDA	Dec 2022	6	OSTIF	📄
Terraform Enterprise	Nov 2022	6
Nomad Enterprise	Nov 2022	6
HashiCorp Cloud	Jun 2022	9
Tekton	Mar 2022	4	Tekton Security Review Completed	📄
Linkerd	Feb 2022	4		📛📄✅
CoreDNS	Jan 2022	4		📄
Terraform Enterprise	Nov 2021	6
Nomad Enterprise	Nov 2021	6
Consul Enterprise	Oct 2021	6
Vault Enterprise	Oct 2021	6
HashiCorp Cloud	Jun 2021	8
Argo	Mar 2021	4		📛📄
Terraform Cloud	Jan 2021	6
Consul	Oct 2020	10
Nomad	Aug 2020	6
Helm	Aug 2020	4	Helm 2nd Security Audit	📄
Terraform	Mar 2020	6
OPA	Mar 2020	2	Open Policy Agent (OPA) Graduation Proposal	📄
etcd	Jan 2020	4	CNCF	📄
Rook	Dec 2019	2	CNCF	📄
Kubernetes	May 2019	12	Google, CNCF	📛📄📰

Invariant Testing and Development Engagements

Product	Date	Level of Effort	Announcement	Report	Public Suite
Panoptic	May 2024	9		📄
Curvance	Mar 2024	5		📄	Public invariants

Blockchain Reviews

Wallet Reviews

Product	Date	Level of Effort	Announcement	Report
Gemini Smart Wallet	August 2025	4		📄✅
Gemini Smart Wallet	August 2025	4		🔖
Otim Smart Wallet	Mar 2025	3		📄✅
dappOS v2 wallet	Jul 2023	3		📄✅
WalletConnect v2.0	Mar 2023	4	WalletConnect	📄✅
Phantom Wallet	Nov 2022	2
GameStop iOS Web Wallet	Nov 2022	1
GameStop Wallet	Mar 2022	2	GameStop wallet
RAILGUN	Feb 2022	4
Casper Web Wallet	Jul 2021	4		📄
Argent	Aug 2020	4
Magma	Jun 2020	1		📄
Dharma Wallet	Oct 2019	4		📄
ZecWallet	Apr 2019	2		📄
Web3	Mar 2018	2	W3F and TOB hardware wallet guidance	💬

Algorand

Product	Date	Level of Effort	Announcement	Report
Folks Finance Protocol	Nov 2022	6		📄✅
wXTZ	Nov 2020	4		📄
wALGO	Nov 2020	4		📄
Meld Gold	Jul 2020	2
Pixel	Dec 2019	4
Algorand	Mar 2019	14	Success and momentum of Algorand

Avalanche

Product	Date	Level of Effort	Announcement	Report
Ava Labs AvalancheGo	Aug 2025	10		📄
Alkimiya Silica V2	Jun 2022	6
Ava Labs	Apr 2022	8
Flare Network	Mar 2021	8

Bitcoin & Derivatives

Product	Date	Level of Effort	Announcement	Report
ZetaChain Bitcoin Inscriptions	Jan 2025	2		📄✅
Nomic	Nov 2024	10	Nomic	📄✅
STAS SDK	Oct 2021	4
STAS-JS SDK	Sep 2021	4
Bitcoin SV	Jan 2021	6
Zcoin	Jul 2020	2	Zcoin	📄
Zcash	Apr 2020	3	Electric Coin Co.	📄
Zcash	Nov 2019	6	NU3, Blossom, and Sapling security reviews	📄
Zcash	Nov 2019	6		📄
Paymail Protocol	Nov 2019	7
Bitcoin SV	Nov 2018	12
Simple Ledger	Oct 2019	3
RSKj	Nov 2017	6	RSK security audit results	📄

Ethereum/EVM

Product	Date	Level of Effort	Announcement	Report
VeChain VeChainThor Hayabusa Upgrade	October 2025	6		📄✅
Franklin Templeton BenjiSwap Contract	October 2025	1		📄✅
Radius Technology EVMAuth	October 2025	1.2		📄✅
Shape Token Contract	May 2025	1		📄✅
Shape Buyback Contract	September 2025	0.4		📄✅
Starkware StarkEx Diff Review	August 2025	0.2		📄
CAP Labs Covered Agent Protocol	May 2025	9		📄✅
Fabric Labs Zipper Protocol	May 2025	1		📄✅
Lagrange LAToken	Apr 2025	3		📄
Serai DEX	Apr 2025	3		📄✅
Automata	Feb 2025	8		📄✅
Bunni v2	Jan 2025	8		📄✅
Everstake Staking	Jan 2025	3		📄✅
Parabol Smart Contracts Updates	Jan 2025	0.4		📄
BeethovenX Sonic Staking	Jan 2025	1		📄✅
Balancer v3	Dec 2024	6		📄✅
Parabol Smart Contracts	May 2024	2		📄✅
ULTI	Dec 2024	1		📄✅
EthStaker Deposit CLI	Dec 2024	4		📄✅
Plume	Nov 2024	1		📄✅
Wonderland Prophet	May 2024	4		📄✅
Elixir Protocol	Aug 2024	4		📄✅
Treehouse tETH Protocol	Sep 2024	4		📄✅
Acronym Foundation	Dec 2023	4		📄✅
Pyth Entropy	Dec 2023	4		📄
Onchain Pass	Aug 2024	1		📄✅
Taraxa Ficus Bridge	Jul 2024	1.6		📄✅
Intuition	Mar 2024	2		📄
Devcon Auction Raffle	Jun 2024	1		📄✅
Aladdin f(x) Oracle	Jun 2024	2		📄✅
AiLayer 6079 Contracts	May 2024	3		📄✅
Hydrogen Rover Protocol	May 2024	.45		📄
Lisk Smart Contracts	May 2024	4		📄✅
SEDA Chain Token Migration	Mar 2024	1		📄✅
Lisk Smart Contracts	Mar 2024	4.6		📄✅
Bondex Smart Contracts	Mar 2024	0.6		📄
Aladdin f(x) Protocol	Mar 2024	4		📄✅
Puffer Finance Contracts	Mar 2024	1.2		📄✅
Helios Global	Feb 2024	1		📄✅
ScopeLift Stealth Addresses	Feb 2024	1		📄✅
MetaLayer Blast	Jan 2024	4		📄✅
Unibot Router	Dec 2023	1.6		📄✅
Salty.IO Protocol	Oct 2023	6		📄✅
Immutable Bridge	Nov 2023	2		📄✅
Spiko Smart Contracts	Oct 2023	1		📄✅
Hyperlane v3	Sep 2023	2		📄✅
Elixir Contracts	Sep 2023	2		📄✅
NZDD token	Aug 2023	0.6		📄✅
Immutable	Aug 2023	4		📄✅
Sandclock	Jul 2023	8		📄✅
Arcade	Jul 2023	8		📄✅
Nested Tetris/HyVM	Jun 2023	1		📄✅
Franklin Templeton	May 2023	4		📄✅
Prysm	Apr 2023	8		📄✅
Ajna Protocol	Apr 2023	12		📄✅
Raft	Apr 2023	2		📄✅
MYSO v2	Apr 2023	2	MYSO	📄✅
Smardex AMM	Apr 2023	2		📄✅
Waymont	Mar 2023	1
Atlendis	Mar 2023	6	Atlendis	📄✅
Primitive Hyper	Mar 2023	8		📄✅
Succinct Light Client	Feb 2023	8	Succinct	📄✅
Nested Finance	Feb 2023	4		📄✅
Polygon Edge	Jan 2023	6
Optimism	Dec 2022	8
Paxos PayPal PYUSD	Dec 2022	1		📄✅
GSquared	Oct 2022	6		📄✅
Meson Protocol	Oct 2022	6		📄✅
Managed Pools	Oct 2022	4		📄
Ondo	Oct 2022	4		📄✅
Maple Protocol v2	Sep 2022	8		📄✅
Increment Protocol	Sep 2022	4		📄✅
Subspace Farmer	Sep 2022	2		📄✅
Optimism	Sep 2022	16		📄
Nayms	Sep 2022	6
Aggregator	Aug 2022	2
The Franchiser	Aug 2022	3
Meson Protocol	Jul 2022	0.6		📄
ChainPort	Jul 2022	8		📄✅
Relay	Jul 2022	1
Beanstalk	Jul 2022	8	Beanstalk	📄✅
Purpose for Profit	Jul 2022	3
Solon	Jul 2022	6
Roll	Jul 2022	2
Ante Protocol	May 2022	2		📄✅
Sherlock	Jun 2022	4
FlareFinance	Jun 2022	4
TBTv2	Jun 2022	6
Morpho	Jun 2022	4	Morpho	📄
Relayer Contracts	Jun 2022	2
AuctionRaffle	May 2022	2
Seaport Protocol	May 2022	4	OpenSea	📄
Shell Protocol v2	May 2022	4		📄
Optimism	Apr 2022	6
NFTX	Apr 2022	4	NFTX	📄
ReserveLending+	Apr 2022	4	unFederalReserve
Firefly	Apr 2022	4
Maple Finance	Mar 2022	1		📄✅
Gyroscope	Mar 2022	6
LooksRare	Mar 2022	4		📄
Symbiosis	Mar 2022	2
RAILWAY	Feb 2022	4
Persistence ETH2.0	Feb 2022	4
Advanced Blockchain	Feb 2022	6		📄
Perpetual Protocol V2	Feb 2022	4		📄
Futureswap V4.1	Feb 2022	4
Firefly	Feb 2022	8
API3	Feb 2022	8		📄
Beethoven X	Feb 2022	1		📄
Minterest Finance	Jan 2022	6
pSTAKE	Jan 2022	6
Primitive	Jan 2022	8	Primitive	📄
Strips Finance	Jan 2022	8
Cardstack	Dec 2021	4
Sherlock Protocol V2	Dec 2021	4		📄
Maple	Nov 2021	4	Maple	📄
Advanced Blockchain	Nov 2021	6		📄
Opyn	Nov 2021	6		📄
Aave V3	Nov 2021	12		📄✅
Tokemak	Oct 2021	3
Fuji Finance	Oct 2021	6		📄
V2 Vault	Oct 2021	4
Yield V2	Sep 2021	6		📄
Gro protocol	Sep 2021	2
Futureswap V4	Sep 2021	6
RocketPool	Aug 2021	5		📄
AlphaX	Aug 2021	6
Bug Bounty Platform	Aug 2021	8
88mph V3	Aug 2021	6		📄
Timeswap	Jul 2021	2
CompliFi	Jul 2021	6		📄
Optics	Jul 2021	2
FlareFinance	Jun 2021	4
Abyss Lockup	Jun 2021	2
Futureswap V3	Jun 2021	6
CompliFi	Jun 2021	6
Syndicate	May 2021	4
Opyn Gamma	May 2021	6		📄
Yearn v2 Vaults	Apr 2021	6		📄
Balancer v2	Apr 2021	4		📄
DFX Finance	Apr 2021	6
Tokemak	Apr 2021	1
Warp Contracts	Apr 2021	6	Composable	📄
FlareFinance	Apr 2021	3
MC Dai	Mar 2021	6
dForce Lending	Mar 2021	6
Liquity Proxy Contract	Feb 2021	0.57		📄
Liquity Protocol	Feb 2021	8		📄
RAY-DAO	Feb 2021	4
Futureswap	Jan 2021	2
Balancer V2	Jan 2021	6
C.R.E.A.M.	Jan 2021	1		📄
LUSD	Dec 2020	8		📄
Origin Dollar	Nov 2020	4	Origin Protocol	📄
Zerion SDK	Nov 2020	4
Teller Protocol	Nov 2020	4
Hermez	Nov 2020	4	Hermez	📄
Graph Protocol	Oct 2020	3
OVM	Oct 2020	6
Prysm	Sep 2020	6
DODO	Sep 2020	3		📄
Yield Protocol	Aug 2020	6		📄
Smart Pool	Aug 2020	1
DeFiner	Aug 2020	1
ETH2.0 Deposit CLI	Aug 2020	4		📄
CurveDAO	Jul 2020	6		📄
Amp	Jul 2020	3		📄
Federated Bridge	Jul 2020	1
dForce dToken	Jul 2020	2		📄
Matic	Jun 2020	4
Lighthouse	Jun 2020	4
tBTC	May 2020	6		📄
QTUM	Apr 2020	0.43		📄
Hegic	Apr 2020	0.43		📄
Golem Network	Mar 2020	2
Reddit	Mar 2020	1	A New Frontier
Chai	Feb 2020	0.28		📄
Compound	Feb 2020	2		📄
WorkLock	Jan 2020	2	NuCypher	📄
Balancer	Jan 2020	4		📄
Curve.fi	Jan 2020	1		📄
Livepeer	Oct 2019	3
Topo Finance	Oct 2019	4
0x Protocol	Oct 2019	10		📄
Flexa	Sep 2019	2	Flexa	📄
AZTEC Protocol	Sep 2019	10		📄
Oasis Labs	Sep 2019	13
Aave Protocol	Sep 2019	4		📄
MC Dai	Aug 2019	13	MakerDAO	📄
Staked	Aug 2019	4
Compound	Aug 2019	2		📄
Computable	Jul 2019	8	Computable	📄
Numerai	May 2019	3	Numerai	📄
MerkleX	May 2019	4
TokenCard	May 2019	5		📄
Unity Coin	Apr 2019	1
Compound	Apr 2019	8	Compound	📄
Ocean Protocol	Mar 2019	4	Ocean Protocol
UMA Project	Mar 2019	3
Centrifuge	Mar 2019	5
Nomisma	Mar 2019	1
Set Protocol	Mar 2019	5	Set Protocol	📄
NuCypher	Feb 2019	4	NuCypher	📄
AMP StableWire	Jan 2019	1
EIP-1283	Jan 2019	1	ChainSecurity	📄
Ampleforth	Nov 2018	4	Ampleforth	📄
Origin Protocol	Nov 2018	4	Origin Protocol	📄
Paxos Standard	Oct 2018	4		📄
Basecoin	Oct 2018	12		📄
Pantheon	Oct 2018	8	PegaSys	📄
Compound	Sep 2018	12	Compound
NuCypher	Aug 2018	12	NuCypher	📄
CENTRE	Jul 2018	4	CENTRE
Bloom	Jul 2018	1	Bloom
Gemini Dollar	Jun 2018	8	Gemini	📄
Dharma	May 2018	1	Dharma
Golem	Apr 2018	4	Golem	📄
LivePeer	Mar 2018	4	Livepeer	📄
DappHub	Dec 2017	8		📄
MakerDAO Sai	Oct 2017	8	MakerDAO	📄
Omega One	Aug 2017	6

NervOS

Product	Date	Level of Effort	Announcement	Report
xUDT	Jun 2021	2
Nervos -RSA	Mar 2021	4
Cheque Cell & ORU	Feb 2021	8
Force Bridge - Solidity	Feb 2021	4
Force Bridge - Rust	Feb 2021	3
Nervos SUDT	Oct 2020	6		📄

Starknet

Product	Date	Level of Effort	Announcement	Report
Opus	Dec 2023	8		📄✅
Aura	Aug 2023	8		📄✅
Nostra	Dec 2022	8
StarkGate	Dec 2022	2
StarkEx	Oct 2022	1
StarkNet token	Jul 2022	1
StarkPerpetual	Jan 2022	8
StarkEx	Nov 2021	8

Solana

Product	Date	Level of Effort	Announcement	Report
Solang Code Generation	November 2023	4		📄
Solang Code Generation, Part 1	November 2023	2		📄
Solang Parser and Semantic Analysis	September 2023	2		📄
Solang Solana Library	July 2023	1		📄
Franklin Templeton Benji Contracts	Feb 2025	2		📄✅
ZetaChain Solana Gateway	Jan 2025	1		📄✅
Squads V4	Oct 2023	2	Squads	📄✅
Token-2022 Program	Feb 2023	1		📄✅
Drift Protocol	Dec 2022	6	Drift	📄✅
Solana	Apr 2022	12

Substrate

Product	Date	Level of Effort	Announcement	Report
zkVerify	Feb 2025	3		📄
ParaSpace	Dec 2022	1		📄
ParaSpace	Nov 2022	7		📄✅
Parallel Finance	Mar 2022	6		📄
Polkadex	Feb 2022	10
Polkadex	Dec 2021	4
PINT	Sep 2021	4
Polkaswap	Aug 2021	6		📄
AlephBFT	Jun 2021	4		📄
Acala Network	Jun 2021	4
Compound Chain	May 2021	6
Acala Network	Jan 2021	6		📄
Parity Fether	Aug 2019	4
Parity	Jul 2018	12	Parity completes Trail of Bits security review	📄

Tendermint/Cosmos

Product	Date	Level of Effort	Announcement	Report
Orga and Merk	Nov 2024	10	Orga & Merk Trail of Bits Security Audit	📄✅
Berachain polaris-geth	Aug 2023	8
Berachain berachain	Jun 2023	6
Umee	Feb 2022	8		📄
Columbus-5	Jan 2022	2
IBC Protocol	Dec 2021	4
THORChain	Aug 2021	12
Tendermint	Mar 2019	12
ndau	Nov 2018	8	Policy Council

Tezos

Product	Date	Level of Effort	Announcement	Report
Kolibri	Apr 2022	4
Tezori (T2)	Dec 2020	4		📄
Dexter	Jun 2020	4		📄
Tezori	Jul 2018	2	Thanks to @trailofbits for their security review

TON

Product	Date	Level of Effort	Announcement	Report
EVAA Finance	Aug 2025	8.6		📄✅
Swap Coffee TON DEX	Jul 2025	6		📄✅
FIVA Yield Protocol	May 2025	6		📄✅
FIVA Evaa Integration	May 2025	6		📄✅
Whales Holders	May 2025	4		📄✅
Whales Nominators	May 2025	4		📄✅
STON.fi DEX V2	Jan 2025	8		📄✅
Tact Compiler	Jan 2025	8		📄✅
TON Foundation Multisignature Wallet	Mar 2024	4		📄✅

Other/Multi-Chain

Product	Date	Level of Effort	Announcement	Report
Shape Gasback	Jan 2025	2		📄✅
PixelSwap DEX	Dec 2024	6		📄✅
Arkis Prime	Dec 2024	5		📄✅
Wormhole Governors and Watchers	Mar 2023	8		📄✅
DFINITY Canister Sandbox	Sep 2022	2		📄✅
DFINITY ECDSA/BTC	Sep 2022	4		📄✅
CAT Standard	Jun 2022	8
FROST BLS Protocols	Jul 2022	12
SORA Trustless Bridge	Jul 2022	8
DFINITY Threshold ECDSA	May 2022	8
Arbitrum Nitro	Mar 2022	16
DeGate	Feb 2022	4		📄
ShardX	Dec 2021	2
DeGate	Dec 2021	4
Threshold-DSA	Nov 2021	6
DFINITY Consensus	Nov 2021	2	DFINITY	📄
PolySign HSM	Oct 2021	6
Hop Protocol V2	Sep 2021	4
Golden Gate Library	Sep 2021	1
PolySign	Sep 2021	6
Qredo Blockchain	Sep 2021	6
Arbitrum	Sep 2021	16
go-schnorrkel	Aug 2021	4
ShardX	Aug 2021	4
AElf	Jul 2021	4
CrossChain-Bridge	Jul 2021	8
Open Oracle	Apr 2021	2
DFINITY	May 2021	24		📄
Arbitrum V2	Feb 2021	8
eFIL	Jan 2021	2
Highway Consensus	Nov 2020	4	CasperLabs	📄
Stacks V2	Sep 2020	6
VRFs	Aug 2020	2
Celo Oracle	Jul 2020	2		📄
Arbitrum	Jul 2020	6
MYKEY	Jul 2020	4
Symbol	Jul 2020	4	Symbol	📄
Ledger Filecoin	Jul 2020	2		📄
Chainlink	Jun 2020	8
Chainlink Flux	May 2020	4
Elrond	Mar 2020	6
EOSIO SDK	Jan 2020	4
NEAR Protocol	Nov 2019	8
EOSIO 2.0	Oct 2019	8
Status-go	Oct 2019	9
Celo	Sep 2019	8
Blockchain.com	Aug 2019	4
RandomX	Jun 2019	2	Monero and Arweave to Validate RandomX	📄
Interest Token	May 2019	0.28
Loom	May 2019	10	Loom SDK Q1 2019 Security Audit
Building Blocks	Aug 2018	7	UN WFP uses Ethereum to aid 100k refugees

Disclosures and exploits

Check the exploits repository too.

Name	Product	Discoverer	Year	ID	Blog
Vulnerabilities in LUKS2 disk encryption for confidential VMs	Linux LUKS2	Tjaden Hess	2025	CVE-2025-59054, CVE-2025-58356	💬
Prompt injection to RCE in AI agents	AI Agents (multiple platforms)	Will Vandevanter	2025	❌	💬
Code integrity bypass in Electron applications	Electron Applications (Signal, 1Password, Slack)	Darius Houle	2025	CVE-2025-55305	💬
Weaponizing image scaling against production AI systems	Google Gemini, Vertex AI, Genspark	Kikimora Morozova, Suha Sabi Hussain	2025	❌	💬
Prompt injection engineering for attackers: Exploiting GitHub Copilot	GitHub Copilot Agent	Kevin Higgs	2025	❌	💬
Memory corruption in NVIDIA Triton Inference Server	NVIDIA Triton	Will Vandevanter	2025	CVE-2025-23310, CVE-2025-23311	💬
Exploiting zero days in abandoned hardware	Netgear WGR614v9, BitDefender Box V1	Alan Cao, Will Tan	2025	❌	💬
MCP plaintext API key storage	Model Context Protocol	Cliff Smith, Suha Hussain, and Will Vandevanter	2025	❌	💬
MCP ANSI escape sequence attacks	Model Context Protocol	Cliff Smith, Suha Hussain, and Will Vandevanter	2025	❌	💬
MCP Line Jumping vulnerability	Model Context Protocol	Cliff Smith, Suha Hussain, and Will Vandevanter	2025	❌	💬
User to root privilege escalation from an integer overflow in libinfo	macOS	Paweł Płatek	2025	CVE-2025-24195, CVE-2025-31222, CVE-2025-30440	💬
Cryptography bugs in elliptic library	elliptic JavaScript library	Markus Schiffermuller	2024	CVE-2024-48948, CVE-2024-48949, CVE-2024-48950, CVE-2024-48951, CVE-2024-48952	💬
Crash due to uncontrolled recursion in Well-KnownText	Elastic	Alexis Challande, Brad Swain	2024	CVE-2024-52981
Crash due to uncontrolled recursion in innerForbidCircularReferences	Elastic	Alexis Challande, Brad Swain	2024	CVE-2024-52980
Crash due to uncontrolled recursion in Wire	Wire	Alexis Challande, Brad Swain	2024	CVE-2024-58103
Crash due to uncontrolled recursion in protobuf crate	rust-protobuf	Alexis Challande, Brad Swain	2024	RUSTSEC-2024-0437
Denial of Service in XStream	XStream	Alexis Challande, Brad Swain	2024	GHSA-hfq9-hggm-c56q	💬
Denial of Service in protobuf-java	protobuf-java	Alexis Challande, Brad Swain	2024	GHSA-735f-pc8j-v9w8	💬
Insufficient validation of integration timestamp in sigstore-python	sigstore-python	William Woodruff	2024	CVE-2024-55655
Rust crates "stable" and "nightly" might be installed instead of the corresponding toolchains	Crates.io	Max Ammann	2024	❌
num-bigint disclosure	num-bigint	Samuel Moelius	2024	❌	💬
Memory corruption during X.509 validation in GnuTLS	GnuTLS	William Woodruff	2024	CVE-2024-28835
Linux kernel modules kASLR bypass	Linux	Dominik Czarnota	2024	❌	💬
Pedersen DKG vulnerability disclosure	Multiple	Fredrik Dahlgren	2024	❌	💬
LeftoverLocals disclosure	multiple GPUs	Tyler Sorensen	2024	CVE-2023-4969	💬
Billion hashes attack against Go JOSE libraries	go-jose	Matt Schwager	2023	GO-2023-2334, GO-2023-2409	💬
Expo Secure Store: Shortening AES GCM Authentication Tags	expo-secure-store	Joop van de Pol	2023	❌	💬
YOLOv7 disclosure	YOLOv7	Alvin Crighton, Anusha Ghosh, Suha Hussain, Heidy Khlaaf, Jim Miller	2023	❌	💬
Numbers turned weapons: DoS in Osmosis’ math library	Osmosis	Sam Alws	2023	❌	💬
The issue with ATS in Apple’s macOS and iOS	iOS, iPadOS, tvOS, macOS, and watchOS	Will Brattain	2023	CVE-2023-38596	💬
Eth ABI DoS disclosure	ethabi, eth_abi, etheriumjs-abi, alloy-rs	Max Ammann	2023	❌
Security flaws in an SSO plugin for Caddy	caddy-security	Maciej Domanski, Travis Peters, David Pokora	2023	CVE-2024-21500, CVE-2024-21499, CVE-2024-21498, CVE-2024-21497, CVE-2024-21496, CVE-2024-21493, CVE-2024-21495, CVE-2024-21494, CVE-2024-21492, CVE-2023-52430	💬
ktor Path Traversal	ktor	Vasco Franco	2023	CVE-2022-48476
Specialized Zero-Knowledge Proof failures	Binance's tss-lib; All forks of tss-lib: Joltify, SwipeChain, and ThorChain; Coinbase's kryptology	Opal Wright	2022	❌	💬
Forgery in Amis' Alice library	Amis' alice	Filipe Casal	2022	❌
Keeping the wolves out of wolfSSL	wolfSSL	Max Ammann	2022	CVE-2022-38152 CVE-2022-38153 CVE-2022-39173 CVE-2022-42905	💬
Escaping misconfigured VSCode extensions - Live Preview XSS	Live Preview VSCode extension	Vasco Franco	2022	MS-VULN-073448	💬
Escaping misconfigured VSCode extensions - Live Preview Path Traversal	Live Preview VSCode extension	Vasco Franco	2022	MS-VULN-073447	💬
Escaping well-configured VSCode extensions (for profit) - VSCode localResourceRoots Bypass	VSCode	Vasco Franco	2022	CVE-2022-41042	💬
Escaping misconfigured VSCode extensions - Sarif Viewer XSS	Sarif Viewer VSCode extension	Vasco Franco	2022	MS-VULN-071828	💬
Stranger Strings: An exploitable flaw in SQLite	SQLite	Andreas Kellas	2022	❌	💬
json-viewer XSS	jquery.json-viewer	Vasco Franco	2022	CVE-2022-30241
Shamir’s Secret Sharing vulnerabilities	Binance’s tss-lib; Clover Network’s threshold-crypto; Keep Network’s keep-ecdsa; Swingby’s tss-lib; THORchain’s tss-lib; ZenGo X’s curv	Filipe Casal	2021	❌	💬
OSX slack:// protocol handler javascript injection	Slack	Jay Little	2016	❌	💬
Double free in VLC's 3GP file format	VLC	Loren Maggiore	2015	CVE-2015-5949	💬

Workshops

Workshop Title	Venue	Date
Smart Contract Security Automation	TruffleCon 2019	Oct 2019
Introduction to Smart Contract Exploitation	GreHack 2018	Nov 2018
Manticore EVM Workshop	Devcon4 2018	Nov 2018
Smart Contract Security Automation	TruffleCon 2018	Oct 2018
DeepState: Bringing Vulnerability Detection Tools into the Dev Cycle	SecDev 2018	Oct 2018
Smart Contract Security Automation	ETH Berlin 2018	Sep 2018
Manticore EVM Workshop	EthCC 2018	Mar 2018
Manticore Workshop	GreHack 2017	Oct 2017

Datasets

Dataset	Date
Smart Contract Audit Findings	Aug 2019

Service Overviews

Service Title	Type of Document
AI Safety & Security Training	One-page service overview

Legend

Icon	Definition
💬	Blog post or other social media
📄	Security Assessment report
✅	Fix review report
🔖	Letter of Attestation
📛	Threat Model report
📰	Whitepaper

Header	Definition
Level of Effort	Defined in person-weeks for the project