2025 on The Trail of Bits Blog

Detect Go’s silent arithmetic bugs with go-panikint

Wed, 31 Dec 2025 07:00:00 -0500

We’re releasing go-panikint, a modified Go compiler that turns silent integer overflows into explicit panics. We used it to find a live integer overflow in the Cosmos SDK’s RPC pagination logic, showing how this approach eliminates a major blind spot for anyone fuzzing Go projects.

Can chatbots craft correct code?

Fri, 19 Dec 2025 07:00:00 -0500

LLMs fundamentally differ from compilers because they lack determinism and semantic guarantees, making them useful coding assistants but unreliable for autonomous code generation without human review and formal verification.

Use GWP-ASan to detect exploits in production environments

Tue, 16 Dec 2025 07:00:00 -0500

GWP-ASan is a sampling-based memory error detection tool that catches critical bugs like use-after-free and buffer overflows in production environments with near-zero performance overhead, unlike AddressSanitizer which is too resource-intensive for deployment.

Catching malicious package releases using a transparency log

Fri, 12 Dec 2025 07:00:00 -0500

We’re getting Sigstore’s rekor-monitor ready for production use, making it easier for developers to detect tampering and unauthorized uses of their identities in the Rekor transparency log.

Introducing mrva, a terminal-first approach to CodeQL multi-repo variant analysis

Thu, 11 Dec 2025 07:00:00 -0500

Our new tool mrva is a terminal-first tool for running CodeQL multi-repository variant analysis locally,allowing users to download pre-built databases, analyze them with custom queries, and view results directly in the terminal.

Introducing constant-time support for LLVM to protect cryptographic code

Tue, 02 Dec 2025 07:00:00 -0500

Trail of Bits developed constant-time coding support for LLVM that prevents compilers from breaking cryptographic implementations vulnerable to timing attacks, introducing the __builtin_ct_select family of intrinsics that preserve constant-time properties throughout compilation.

We found cryptography bugs in the elliptic library using Wycheproof

Tue, 18 Nov 2025 07:00:00 -0500

Trail of Bits discovered and disclosed two vulnerabilities in the widely used elliptic JavaScript library that could allow signature forgery or prevent valid signature verification, with one vulnerability still unfixed after the 90-day disclosure window.

Level up your Solidity LLM tooling with Slither-MCP

Sat, 15 Nov 2025 07:00:00 -0500

We’re releasing Slither-MCP, a new tool that augments LLMs with Slither’s unmatched static analysis engine.

How we avoided side-channels in our new post-quantum Go cryptography libraries

Fri, 14 Nov 2025 07:00:00 -0500

We’ve released open-source Go implementations of ML-DSA and SLH-DSA.

Building checksec without boundaries with Checksec Anywhere

Thu, 13 Nov 2025 07:00:00 -0500

Checksec Anywhere consolidates fragmented binary security analysis tools into a browser-based platform that analyzes ELF, PE, and Mach-O formats locally without compromising privacy or performance.

Balancer hack analysis and guidance for the DeFi ecosystem

Fri, 07 Nov 2025 18:00:00 -0500

A retrospective on the $100M Balancer hack that occurred in November 2025, including long-term, strategic guidance on how to avoid similar bugs.

The cryptography behind electronic passports

Fri, 31 Oct 2025 07:00:00 -0400

This blog post describes how electronic passports work, the threats within their threat model, and how they protect against those threats using cryptography. It also discusses the implications of using electronic passports for novel applications, such as zero-knowledge identity proofs.

Vulnerabilities in LUKS2 disk encryption for confidential VMs

Thu, 30 Oct 2025 07:00:00 -0400

Trail of Bits is disclosing vulnerabilities in confidential computing systems that use LUKS2 for disk encryption. These vulnerabilities allow attackers with access to storage disks to extract confidential data and modify contents.

Prompt injection to RCE in AI agents

Wed, 22 Oct 2025 07:00:00 -0400

We bypassed human approval protections for system command execution in AI agents, achieving RCE in three agent platforms.

Taming 2,500 compiler warnings with CodeQL, an OpenVPN2 case study

Thu, 25 Sep 2025 07:00:00 -0400

We created a CodeQL query that reduced 2,500+ compiler warnings about implicit conversions in OpenVPN2 to just 20 high-priority cases, demonstrating how to effectively identify potentially dangerous type conversions in C code.

Supply chain attacks are exploiting our assumptions

Wed, 24 Sep 2025 07:00:00 -0400

Supply chain attacks exploit fundamental trust assumptions in modern software development, from typosquatting to compromised build pipelines, while new defensive tools are emerging to make these trust relationships explicit and verifiable.

Use mutation testing to find the bugs your tests don't catch

Thu, 18 Sep 2025 07:00:00 -0400

Mutation testing reveals blind spots in test suites by systematically introducing bugs and checking if tests catch them. Blockchain developers should use mutation testing to measure the effectiveness of their test suites and find bugs that traditional testing can miss.

Fickling’s new AI/ML pickle file scanner

Tue, 16 Sep 2025 07:00:00 -0400

We’ve added a pickle file scanner to Fickling that uses an allowlist approach to protect AI/ML environments from malicious pickle files that could compromise models or infrastructure.

How Sui Move rethinks flash loan security

Wed, 10 Sep 2025 07:00:00 -0400

Sui’s Move language significantly improves flash loan security by replacing Solidity’s reliance on callbacks and runtime checks with a “hot potato” model that enforces repayment at the language level. This shift makes flash loan security a language guarantee rather than a developer responsibility.

Safer cold storage on Ethereum

Fri, 05 Sep 2025 07:00:00 -0400

By using smart contract programmability, exchanges can build custody solutions that remain secure even when multisig keys are compromised.

Subverting code integrity checks to locally backdoor Signal, 1Password, Slack, and more

Thu, 04 Sep 2025 00:00:00 -0400

A vulnerability in Electron applications allows attackers to bypass code integrity checks by tampering with V8 heap snapshot files, enabling local backdoors in applications like Signal, 1Password, and Slack.

Intern projects that outlived the internship

Thu, 28 Aug 2025 07:00:00 -0400

Our business operations intern at Trail of Bits built two AI-powered tools that became permanent company resources—a podcast workflow that saves 1,250 hours annually and a Slack exporter that enables efficient knowledge retrieval across the organization.

Implement EIP-7730 today

Wed, 27 Aug 2025 07:00:00 -0400

EIP-7730 enables hardware wallets to decode transactions into human-readable formats, eliminating blind signing vulnerabilities with minimal implementation effort for dApp developers.

Speedrunning the New York Subway

Mon, 25 Aug 2025 07:00:00 -0400

We optimized the route for visiting every NYC subway station using algorithms from combinatorial optimization, creating a 20-hour tour that beats the existing world record by 45 minutes.

Weaponizing image scaling against production AI systems

Thu, 21 Aug 2025 07:00:00 -0400

In this blog post, we’ll detail how attackers can exploit image scaling on Gemini CLI, Vertex AI Studio, Gemini’s web and API interfaces, Google Assistant, Genspark, and other production AI systems. We’ll also explain how to mitigate and defend against these attacks, and we’ll introduce Anamorpher, our open-source tool that lets you explore and generate these crafted images.

Marshal madness: A brief history of Ruby deserialization exploits

Tue, 19 Aug 2025 07:00:00 -0400

This post traces the decade-long evolution of Ruby Marshal deserialization exploits, demonstrating how security researchers have repeatedly bypassed patches and why fundamental changes to the Ruby ecosystem are needed rather than continued patch-and-hope approaches.

Trail of Bits' Buttercup wins 2nd place in AIxCC Challenge

Sat, 09 Aug 2025 10:30:00 -0400

Our team won the runner-up prize of $3M at DARPA’s AI Cyber Challenge, demonstrating Buttercup’s world-class automated vulnerability discovery and patching capabilities with remarkable cost efficiency.

Buttercup is now open-source!

Fri, 08 Aug 2025 00:00:00 -0400

Now that DARPA’s AI Cyber Challenge (AIxCC) has officially ended, we can finally make Buttercup, our CRS (Cyber Reasoning System), open source!

AIxCC finals: Tale of the tape

Thu, 07 Aug 2025 00:00:00 -0400

While the AIxCC winner has not yet been announced, differences in the finalists’ approaches show that there are multiple viable paths forward to using AI for vulnerability detection.

Prompt injection engineering for attackers: Exploiting GitHub Copilot

Wed, 06 Aug 2025 00:00:00 -0400

Prompt injection pervades discussions about security for LLMs and AI agents. But there is little public information on how to write powerful, discreet, and reliable prompt injection exploits. In this post, we will design and implement a prompt injection exploit targeting GitHub’s Copilot Agent, with a focus on maximizing reliability and minimizing the odds of detection.

Uncovering memory corruption in NVIDIA Triton (as a new hire)

Tue, 05 Aug 2025 07:00:00 -0400

In my first month at Trail of Bits as an AI/ML security engineer, I found two remotely accessible memory corruption bugs in NVIDIA’s Triton Inference Server during a routine onboarding practice.

The Unconventional Innovator Scholarship

Fri, 01 Aug 2025 07:00:00 -0400

Trail of Bits founder Dan Guido establishes a $2,500 scholarship at his alma mater, Mineola High School, to recognize students who demonstrate the hacker spirit through self-driven learning, creative problem-solving, and unconventional technological exploration. The scholarship celebrates tomorrow’s security innovators who push boundaries and think differently about technology.

Hijacking multi-agent systems in your PajaMAS

Thu, 31 Jul 2025 09:00:00 -0400

We’re releasing pajaMAS: a curated set of MAS hijacking demos that illustrate important principles of MAS security.

We built the security layer MCP always needed

Mon, 28 Jul 2025 07:00:00 -0400

Today we’re announcing the beta release of mcp-context-protector, a security wrapper for LLM apps using the Model Context Protocol (MCP). It defends against the line jumping attacks documented earlier in this blog series, such as prompt injection via tool descriptions and ANSI terminal escape codes.

Exploiting zero days in abandoned hardware

Fri, 25 Jul 2025 07:00:00 -0400

We successfully exploited two discontinued network devices at DistrictCon’s inaugural Junkyard competition in February, winning runner-up for Most Innovative Exploitation Technique. Our exploit chains demonstrate why end-of-life hardware poses persistent security risks.

Inside EthCC[8]: Becoming a smart contract auditor

Wed, 23 Jul 2025 07:00:00 -0400

At EthCC[8], Trail of Bits blockchain security engineer Nicolas Donboly laid out a clear, actionable path for aspiring smart contract auditors, drawing from his own experience transitioning from a non-technical background into a leading security role.

Detecting code copying at scale with Vendetect

Mon, 21 Jul 2025 07:00:00 -0400

Vendetect is our new open-source tool for detecting copied and vendored code between repositories. It uses semantic fingerprinting to identify similar code even when variable names change or comments disappear. More importantly, unlike academic plagiarism detectors, it understands version control history, helping you trace vendored code back to its exact source commit.

Building secure messaging is hard: A nuanced take on the Bitchat security debate

Fri, 18 Jul 2025 07:00:00 -0400

The release of Bitchat last week was met with a mixture of glowing praise and sharp criticism. Both extremes bear some truth, but they also miss the mark and reveal gaps in how we discuss security in emerging products.

Investigate your dependencies with Deptective

Tue, 08 Jul 2025 07:00:00 -0400

Deptective, our new open-source tool, automatically finds the packages needed to install software dependencies. It does so not based on the software’s self-reported requirements, but by observing what the software needs at runtime.

Buckle up, Buttercup, AIxCC’s scored round is underway!

Wed, 02 Jul 2025 07:00:00 -0400

Our CRS (Cyber Reasoning System), Buttercup, is now competing in the one and only scored round of DARPA’s AI Cyber Challenge (AIxCC) against six other teams to see which autonomous AI-driven system can find and patch the most software vulnerabilities.

Maturing your smart contracts beyond private key risk

Tue, 24 Jun 2025 07:00:00 -0400

Private key compromise accounted for 43.8% of crypto hacks in 2024, yet traditional smart contract audits rarely address architectural access control weaknesses. This post introduces a four-level maturity framework for designing protocols that can tolerate key compromise, progressing from single EOA control to radical immutability, with practical examples demonstrating multisigs, timelocks, and the principle of least privilege.

Unexpected security footguns in Go's parsers

Wed, 18 Jun 2025 07:00:00 -0400

File parsers in Go contain unexpected behaviors that can lead to serious security vulnerabilities. This post examines how JSON, XML, and YAML parsers in Go handle edge cases in ways that have repeatedly resulted in high-impact security issues in production systems. We explore three real-world attack scenarios: marshaling/unmarshaling unexpected data, exploiting parser differentials, and leveraging data format confusion. Through examples, we demonstrate how attackers can bypass authentication, circumvent authorization controls, and exfiltrate sensitive data by exploiting these parser behaviors.

What we learned reviewing one of the first DKLs23 libraries from Silence Laboratories

Tue, 10 Jun 2025 07:00:00 -0400

In October 2023, we audited Silence Laboratories’ DKLs23 threshold signature scheme (TSS) library—one of the first production implementations of this then-novel protocol that uses oblivious transfer (OT) instead of traditional Paillier cryptography. Our review uncovered serious flaws that could enable key destruction attacks, which Silence Laboratories promptly fixed.

A deep dive into Axiom’s Halo2 circuits

Fri, 30 May 2025 07:00:00 -0400

Over two audits in 2023, we reviewed a blockchain system developed by Axiom that allows computing over the entire history of Ethereum, all verified by zero-knowledge proofs (ZKPs) on-chain using ZK-verified elliptic curve and SNARK recursion operations. This system is built using the Halo2 framework—a complex, emerging technology that presents many challenges when building a secure application, including potential under-constrained issues resulting from its low-level API.

The Custodial Stablecoin Rekt Test

Thu, 29 May 2025 00:00:00 -0400

Introducing the Custodial Stablecoin Rekt Test; a new spin on the classic Rekt Test for evaluating the security maturity of stablecoin issuers.

The cryptography behind passkeys

Wed, 14 May 2025 07:00:00 -0400

This post will examine the cryptography behind passkeys, the guarantees they do or do not give, and interesting cryptographic things you can do with them, such as generating cryptographic keys and storing certificates.

Datasig: Fingerprinting AI/ML datasets to stop data-borne attacks

Fri, 02 May 2025 07:00:00 -0400

Datasig generates compact, unique fingerprints for AI/ML datasets that let you compare training data with high accuracy—without needing access to the raw data itself.
This critical capability helps AIBOM (AI bill of materials) tools detect data-borne vulnerabilities that traditional security tools completely miss.

Making PyPI's test suite 81% faster

Thu, 01 May 2025 09:00:00 -0400

See how we slashed PyPI’s test suite runtime from 163 to 30 seconds.
The techniques we share can help you dramatically improve your own project’s
testing performance without sacrificing coverage.

Insecure credential storage plagues MCP

Wed, 30 Apr 2025 03:00:00 -0400

This post describes how many examples of MCP software store long-term API keys for third-party services in plaintext on the local filesystem, often with insecure, world-readable permissions.

Deceiving users with ANSI terminal codes in MCP

Tue, 29 Apr 2025 09:00:00 -0400

This post describes attacks using ANSI terminal code escape sequences to hide malicious instructions to the LLM, leveraging the line jumping vulnerability we discovered in MCP.

How MCP servers can steal your conversation history

Wed, 23 Apr 2025 10:30:00 -0400

Malicious MCP servers can inject trigger phrases into tool descriptions to exfiltrate entire conversation histories and steal sensitive credentials and IP.

Jumping the line: How MCP servers can attack you before you ever use them

Mon, 21 Apr 2025 10:30:00 -0400

MCP’s ’line jumping’ vulnerability lets malicious servers inject prompts through tool descriptions to manipulate AI behavior before tools are ever invoked.

Kicking off AIxCC’s Finals with Buttercup

Mon, 21 Apr 2025 09:00:00 -0400

Trail of Bits’ Buttercup competes in DARPA’s AIxCC Finals with expanded resources, multiple rounds, new challenge types, and custom AI model capabilities.

Sneak peek: A new ASN.1 API for Python

Fri, 18 Apr 2025 09:00:00 -0400

We’re working on integrating an ASN.1 API into PyCA Cryptography,
built on top of the same Rust ASN.1 implementation already used by
Cryptography’s X.509 APIs.

Mitigating ELUSIVE COMET Zoom remote control attacks

Thu, 17 Apr 2025 00:00:00 -0400

This post describes a sophisticated social engineering campaign using Zoom’s remote control feature and provides technical solutions to protect organizations against this attack vector.

Introducing a new section on snapshot fuzzing for kernel-level testing in the Testing Handbook

Wed, 09 Apr 2025 09:00:00 -0400

Learn snapshot fuzzing for kernel-level testing. New Testing Handbook section shows how to test drivers, antivirus software, and complex kernel components.

Benchmarking OpenSearch and Elasticsearch

Thu, 06 Mar 2025 00:00:00 -0500

Trail of Bits’ independent study finds OpenSearch v2.17.1 is 1.6x faster than Elasticsearch v8.15.4 on Big5 workload and 11% faster on vector search.

Continuous TRAIL

Mon, 03 Mar 2025 00:00:00 -0500

Learn how to integrate TRAIL threat modeling into your SDLC, adapt and maintain models as your system evolves, and use them to identify security control gaps.

Threat modeling the TRAIL of Bits way

Fri, 28 Feb 2025 00:00:00 -0500

Discover TRAIL, Trail of Bits’ systematic threat modeling approach that identifies design-level security weaknesses and provides actionable remediation guidance.

How Threat Modeling Could Have Prevented the $1.5B Bybit Hack

Tue, 25 Feb 2025 00:00:00 -0500

Learn how comprehensive threat modeling could have identified the operational security gaps that led to Bybit’s $1.5B hack and prevented similar breaches.

Don’t recurse on untrusted input

Fri, 21 Feb 2025 00:00:00 -0500

We developed a simple CodeQL query to find denial-of-service (DoS) vulnerabilities in several high-profile Java projects.

The $1.5B Bybit Hack: The Era of Operational Security Failures Has Arrived

Fri, 21 Feb 2025 00:00:00 -0500

The $1.5B Bybit Hack demonstrates how the Era of Operational Security Failures has arrived, and most cryptocurrency companies are not prepared for its implications.

Unleashing Medusa: Fast and scalable smart contract fuzzing

Fri, 14 Feb 2025 00:00:00 -0500

Introducing Medusa v1, a cutting-edge fuzzing framework designed to enhance smart contract security.

We’re partnering to strengthen TON’s DeFi ecosystem

Thu, 13 Feb 2025 09:00:03 -0500

TVM Ventures has selected Trail of Bits as its preferred security partner to strengthen the TON developer ecosystem. Through this partnership, we’ll lead the development of DeFi protocol standards and provide comprehensive security services to contest-winning projects deploying on TON. TVM Ventures will host ongoing developer contests where teams can showcase innovative applications that advance […]

The call for invariant-driven development

Wed, 12 Feb 2025 09:30:36 -0500

Writing smart contracts requires a higher level of security assurance than most other fields of software engineering. The industry has evolved from simple ERC20 tokens to complex, multi-component DeFi systems that leverage domain-specific algorithms and handle significant monetary value. This evolution has unlocked immense potential but has also introduced an escalating number […]

Preventing account takeover on centralized cryptocurrency exchanges in 2025

Wed, 05 Feb 2025 09:00:37 -0500

This blog post highlights key points from our new white paper Preventing Account Takeovers on Centralized Cryptocurrency Exchanges, which documents ATO-related attack vectors and defenses tailored to CEXes. Imagine trying to log in to your centralized cryptocurrency exchange (CEX) account and your password and username just… don’t work. You […]

PyPI now supports archiving projects

Thu, 30 Jan 2025 09:00:22 -0500

PyPI now supports marking projects as archived. Project owners can now archive their project to let users know that the project is not expected to receive any more updates. Project archival is a single piece in a larger supply-chain security puzzle: by exposing archival statuses, PyPI enables downstream consumers to make more […]

Best practices for key derivation

Tue, 28 Jan 2025 09:00:18 -0500

Key derivation is essential in many cryptographic applications, including key exchange, key management, secure communications, and building robust cryptographic primitives. But it’s also easy to get wrong: although standard tools exist for different key derivation needs, our audits often uncover improper uses of these tools that could compromise key security. Flickr’s API […]

Celebrating our 2024 open-source contributions

Thu, 23 Jan 2025 09:00:30 -0500

While Trail of Bits is known for developing security tools like Slither, Medusa, and Fickling, our engineering efforts extend far beyond our own projects. Throughout 2024, our team has been deeply engaged with the broader security ecosystem, tackling challenges in open-source tools and infrastructure that security engineers rely on every day. This year, our engineers […]