<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Josselin Feist on The Trail of Bits Blog</title><link>https://miscreants.github.io/blog.trailofbits.com/authors/josselin-feist/</link><description>Recent content in Josselin Feist on The Trail of Bits Blog</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Fri, 14 Feb 2025 00:00:00 -0500</lastBuildDate><atom:link href="https://miscreants.github.io/blog.trailofbits.com/authors/josselin-feist/index.xml" rel="self" type="application/rss+xml"/><item><title>Unleashing Medusa: Fast and scalable smart contract fuzzing</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/02/14/unleashing-medusa-fast-and-scalable-smart-contract-fuzzing/</link><pubDate>Fri, 14 Feb 2025 00:00:00 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/02/14/unleashing-medusa-fast-and-scalable-smart-contract-fuzzing/</guid><description>Introducing Medusa v1, a cutting-edge fuzzing framework designed to enhance smart contract security.</description></item><item><title>The call for invariant-driven development</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/02/12/the-call-for-invariant-driven-development/</link><pubDate>Wed, 12 Feb 2025 09:30:36 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/02/12/the-call-for-invariant-driven-development/</guid><description>Writing smart contracts requires a higher level of security assurance than most other fields of software engineering. The industry has evolved from simple ERC20 tokens to complex, multi-component DeFi systems that leverage domain-specific algorithms and handle significant monetary value. 
This evolution has unlocked immense potential but has also introduced an escalating number […]</description></item><item><title>Why fuzzing over formal verification?</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/03/22/why-fuzzing-over-formal-verification/</link><pubDate>Fri, 22 Mar 2024 09:00:28 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/03/22/why-fuzzing-over-formal-verification/</guid><description>We recently introduced our new offering, invariant development as a service. A recurring question that we are asked is, &amp;ldquo;Why fuzzing instead of formal verification?&amp;rdquo; And the answer is, &amp;ldquo;It&amp;rsquo;s complicated.&amp;rdquo; We use fuzzing for most of our audits but have used formal verification methods in the […]</description></item><item><title>Secure your blockchain project from the start</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/03/13/secure-your-blockchain-project-from-the-start/</link><pubDate>Wed, 13 Mar 2024 09:00:45 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/03/13/secure-your-blockchain-project-from-the-start/</guid><description>Systemic security issues in blockchain projects often appear early in development. Without an initial focus on security, projects may choose flawed architectures or make insecure design or development choices that result in hard-to-maintain or vulnerable solutions. 
Traditional security reviews can be used to identify some security issues, but by the time they are complete, it […]</description></item><item><title>Introducing invariant development as a service</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/10/05/introducing-invariant-development-as-a-service/</link><pubDate>Thu, 05 Oct 2023 08:00:52 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/10/05/introducing-invariant-development-as-a-service/</guid><description>Understanding and rigorously testing system invariants are essential aspects of developing robust smart contracts. Invariants are facts about the protocol that should remain true no matter what happens. Defining and testing these invariants allows developers to prevent the introduction of bugs and make their code more robust in the long term. However, it is difficult […]</description></item><item><title>Evaluating blockchain security maturity</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/07/14/evaluating-blockchain-security-maturity/</link><pubDate>Fri, 14 Jul 2023 03:00:03 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/07/14/evaluating-blockchain-security-maturity/</guid><description>Holistic security reviews should reveal far more than simple bugs. Often, these bugs indicate deeper issues that can be challenging to understand and address. 
Given the time-boxed nature of reviews, security engineers may not have the opportunity to identify all bugs caused by these problems—and they may continue to […]</description></item><item><title>Codex (and GPT-4) can’t beat humans on smart contract audits</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/03/22/codex-and-gpt4-cant-beat-humans-on-smart-contract-audits/</link><pubDate>Wed, 22 Mar 2023 07:00:49 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/03/22/codex-and-gpt4-cant-beat-humans-on-smart-contract-audits/</guid><description>Is artificial intelligence (AI) capable of powering software security audits? Over the last four months, we piloted a project called Toucan to find out. Toucan was intended to integrate OpenAI’s Codex into our Solidity auditing workflow. This experiment went far […]</description></item><item><title>The road to the apprenticeship</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/08/12/the-road-to-the-apprenticeship/</link><pubDate>Fri, 12 Aug 2022 09:00:13 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/08/12/the-road-to-the-apprenticeship/</guid><description>Finding talent is hard, especially in the blockchain security industry. The space is new, so you won’t find engineers with decades of experience with smart contracts. Training is difficult, as the technology evolves constantly, and online content quickly becomes outdated. There are also a lot of misconceptions about blockchain […]</description></item><item><title>Breaking Aave Upgradeability</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/12/16/breaking-aave-upgradeability/</link><pubDate>Wed, 16 Dec 2020 11:01:55 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/12/16/breaking-aave-upgradeability/</guid><description>On December 3rd, Aave deployed version 2 of their codebase. 
While we were not hired to look at the code, we briefly reviewed it the following day. We quickly discovered a vulnerability that affected versions 1 and 2 of the live contracts and reported the issue. Within an hour of sending our analysis to Aave, […]</description></item><item><title>Good idea, bad design: How the Diamond standard falls short</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/10/30/good-idea-bad-design-how-the-diamond-standard-falls-short/</link><pubDate>Fri, 30 Oct 2020 13:19:18 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/10/30/good-idea-bad-design-how-the-diamond-standard-falls-short/</guid><description>TL;DR: We audited an implementation of the Diamond standard proposal for contract upgradeability and can’t recommend it in its current form—but see our recommendations and upgrade strategy guidance. We recently audited an implementation of the Diamond standard code, a new upgradeability pattern. It’s a laudable undertaking, but the Diamond proposal and implementation raise many concerns. […]</description></item><item><title>Upgradeable contracts made safer with Crytic</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/06/12/upgradeable-contracts-made-safer-with-crytic/</link><pubDate>Fri, 12 Jun 2020 07:50:52 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/06/12/upgradeable-contracts-made-safer-with-crytic/</guid><description>Upgradeable contracts are not as safe as you think. Architectures for upgradeability can be flawed, locking contracts, losing data, or sabotaging your ability to recover from an incident. Every contract upgrade must be carefully reviewed to avoid catastrophic mistakes. The most common delegatecall proxy comes with drawbacks that we’ve catalogued before. 
Crytic now includes a […]</description></item><item><title>Bug Hunting with Crytic</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/05/15/bug-hunting-with-crytic/</link><pubDate>Fri, 15 May 2020 07:50:31 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/05/15/bug-hunting-with-crytic/</guid><description>Crytic, our GitHub app for discovering smart contract flaws, is kind of a big deal: It detects security issues without human intervention, providing continuous assurance while you work and securing your codebase before deployment. Crytic finds many bugs no other tools can detect, including some that are not widely known. Right now, Crytic has 90+ […]</description></item><item><title>Financial Cryptography 2020 Recap</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/03/18/financial-cryptography-2020-recap/</link><pubDate>Wed, 18 Mar 2020 07:50:32 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/03/18/financial-cryptography-2020-recap/</guid><description>A few weeks ago, we went to the 24th Financial Cryptography (FC) conference and the Workshop on Trusted Smart Contracts (WTSC), where we presented our work on smart contract bug categorization (see our executive summary) and a poster on Echidna. Although FC is not a blockchain conference, it featured several blockchain-oriented presentations this year and […]</description></item><item><title>Announcing the Crytic $10k Research Prize</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/11/13/announcing-the-crytic-10k-research-prize/</link><pubDate>Wed, 13 Nov 2019 07:00:35 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/11/13/announcing-the-crytic-10k-research-prize/</guid><description>At Trail of Bits, we make a significant effort to stay up to date with the academic world. 
We frequently evaluate our work through peer-reviewed conferences, and we love to attend academic events (see our recent ICSE and Crypto recaps).</description></item><item><title>Watch Your Language: Our First Vyper Audit</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/10/24/watch-your-language-our-first-vyper-audit/</link><pubDate>Thu, 24 Oct 2019 07:00:04 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/10/24/watch-your-language-our-first-vyper-audit/</guid><description>A lot of companies are working on Ethereum smart contracts, yet writing secure contracts remains a difficult task. You still have to avoid common pitfalls, compiler issues, and constantly check your code for recently discovered risks. A recurrent source of vulnerabilities comes from the early state of the programming languages available. Most developers are using […]</description></item><item><title>Crytic: Continuous Assurance for Smart Contracts</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/08/02/crytic-continuous-assurance-for-smart-contracts/</link><pubDate>Fri, 02 Aug 2019 06:50:36 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/08/02/crytic-continuous-assurance-for-smart-contracts/</guid><description>Note: This blog has been reposted from Truffle Suite’s blog. We are proud to announce our new smart contract security product: &lt;a href="https://crytic.io/"&gt;https://crytic.io/&lt;/a&gt;. Crytic provides continuous assurance for smart contracts. The platform reports build status on every commit and runs a suite of security analyses for immediate feedback. The beta will be open soon. 
Follow us […]</description></item><item><title>Trail of Bits @ ICSE 2019 – Recap</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/06/19/trail-of-bits-icse-2019-recap/</link><pubDate>Wed, 19 Jun 2019 10:35:13 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/06/19/trail-of-bits-icse-2019-recap/</guid><description>Three weeks ago, we presented our work on Slither at WETSEB, an ICSE workshop. ICSE is a top-tier academic conference, focused on software engineering. This edition of the event went very well. The organizers do their best to attract industry participants and engage them in the discussions. The conference had many talks in parallel. We wish we […]</description></item><item><title>How contract migration works</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/10/29/how-contract-migration-works/</link><pubDate>Mon, 29 Oct 2018 06:50:16 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/10/29/how-contract-migration-works/</guid><description>Smart contracts can be compromised: they can have bugs, the owner’s wallet can be stolen, or they can be trapped due to an incorrect setting. If you develop a smart contract for your business, you must be prepared to react to events such as these. In many cases, the only available solution is to deploy […]</description></item><item><title>Slither – a Solidity static analysis framework</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/10/19/slither-a-solidity-static-analysis-framework/</link><pubDate>Fri, 19 Oct 2018 06:50:09 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/10/19/slither-a-solidity-static-analysis-framework/</guid><description>Slither is the first open-source static analysis framework for Solidity. Slither is fast and precise; it can find real vulnerabilities in a few seconds without user intervention. 
It is highly customizable and provides a set of APIs to inspect and analyze Solidity code easily. We use it in all of our security reviews. Now you […]</description></item><item><title>Contract upgrade anti-patterns</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/09/05/contract-upgrade-anti-patterns/</link><pubDate>Wed, 05 Sep 2018 06:00:21 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/09/05/contract-upgrade-anti-patterns/</guid><description>A popular trend in smart contract design is to promote the development of upgradable contracts. At Trail of Bits, we have reviewed many upgradable contracts and believe that this trend is going in the wrong direction. Existing techniques to upgrade contracts have flaws, increase the complexity of the contract significantly, and ultimately introduce bugs. To […]</description></item><item><title>Hands on the Ethernaut CTF</title><link>https://miscreants.github.io/blog.trailofbits.com/2017/11/06/hands-on-the-ethernaut-ctf/</link><pubDate>Mon, 06 Nov 2017 14:32:19 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2017/11/06/hands-on-the-ethernaut-ctf/</guid><description>Last week Zeppelin released their Ethereum CTF, Ethernaut. This CTF is a good introduction to interacting with a blockchain and to the basics of smart contract vulnerabilities. The CTF is hosted on the Ropsten blockchain, and you can receive free ethers for it. The browser developer console is used to interact […]</description></item></channel></rss>