Skip to content

Latest commit

 

History

History
133 lines (103 loc) · 16.5 KB

tob_blogposts.md

File metadata and controls

133 lines (103 loc) · 16.5 KB

Trail of Bits blogposts

The following contains the blockchain related blogposts made by Trail of Bits.

Consensus algorithms

Research in the distributes systems area

Date Title Description
2021/11/11 Motivating global stabilization Review of Fischer, Lynch, and Paterson’s classic impossibility result and global stabilization time assumption
2019/10/25 Formal Analysis of the CBC Casper Consensus Algorithm with TLA+ Verification of finality of the Correct By Construction (CBC) PoS consensus protocol
2019/07/12 On LibraBFT’s use of broadcasts Liveness of LibraBFT and HotStuff algorithms
2019/07/02 State of the Art Proof-of-Work: RandomX Summary of our audit of ASIC and GPU-resistant PoW algorithm
2018/10/12 Introduction to Verifiable Delay Functions (VDFs) Basics of VDFs - a class of hard to compute, not paralelizable, but easily verifiable functions

Fuzzing compilers

Our work in the topic of fuzzing the solc compiler

Date Title Description
2021/03/23 A Year in the Life of a Compiler Fuzzing Campaign Results and feature of fuzzing solc
2020/06/05 Breaking the Solidity Compiler with a Fuzzer Our approach to fuzzing solc

General

Security research, analyses, announcements, and writeups

Date Title Description
2022/10/12 Porting the Solana eBPF JIT compiler to ARM64 Low-level writeup of the work done to make Solana compiler work on ARM64
2022/06/24 Managing risk in blockchain deployments Summary of "Do You Really Need a Blockchain? An Operational Risk Assessment" report
2022/06/21 Are blockchains decentralized? Summary of "Are Blockchains Decentralize? Unintended Centralities in Distributed Ledgers" report
2020/08/05 Accidentally stepping on a DeFi lego Writeup of a vulnerability in yVault project
2020/05/15 Bug Hunting with Crytic Description of 9 bugs found by Trail of Bits tools in public projects
2019/11/13 Announcing the Crytic $10k Research Prize Academic research prize promoting open source work
2019/10/24 Watch Your Language: Our First Vyper Audit Pros and cons of Vyper language and disclosure of vulnerability in the Vyper's compiler
2019/08/08 246 Findings From our Smart Contract Audits: An Executive Summary Publication of data aggregated from our audits. Discussion about possibility of automatic and manual detection of vulnerabilities, and usefulness of unit tests
2018/11/19 Return of the Blockchain Security Empire Hacking
2018/02/09 Parity Technologies engages Trail of Bits
2017/11/06 Hands on the Ethernaut CTF First write-up on Ethernaut

Guidance

General guidance

Date Title Description
2021/02/05 Confessions of a smart contract paper reviewer Six requirements for a good research paper
2018/11/27 10 Rules for the Secure Use of Cryptocurrency Hardware Wallets Recommendations for the secure use of hardware wallets.
2018/10/04 Ethereum security guidance for all Announcement of office hours, Blockchain Security Contacts, and Awesome Ethereum Security
2018/04/06 How to prepare for a security review Checklist for before having a security audit

Presentations

Talks, videos, and slides

Date Title Description
2019/01/18 Empire Hacking: Ethereum Edition 2 Talks include: Anatomy of an unsafe smart contract programming language, Evaluating digital asset security fundamentals, Contract upgrade risks and recommendations, How to buidl an enterprise-grade mainnet Ethereum client, Failures in on-chain privacy, Secure micropayment protocols, Designing the Gemini dollar: a regulated, upgradeable, transparent stablecoin, Property testing with Echidna and Manticore for secure smart contracts, Simple is hard: Making your awesome security thing usable
2018/11/16 Trail of Bits @ Devcon IV Recap Talks include: Using Manticore and Symbolic Execution to Find Smart Contract Bugs, Blockchain Autopsies, Current State of Security
2017/12/22 Videos from Ethereum-focused Empire Hacking Talks include: A brief history of smart contract security, A CTF Field Guide for smart contracts, Automatic bug finding for the blockchain, Addressing infosec needs with blockchain technology

Tooling

Description of our tools and their use cases

Date Tool Title Description
2022/08/17 slither Using mutants to improve Slither Inserting random bugs into smart contracts and detecting them with various static analysis tools - to improve Slither's detectors
2022/07/28 slither Shedding smart contract storage with Slither Announcement of the slither-read-storage tool
2022/04/20 Amarna: Static analysis for Cairo programs Overview of Cairo footguns and announcement of the new static analysis tool
2022/03/02 echidna Optimizing a smart contract fuzzer Measuring and improving performance of Echidna (Haskell code)
2021/12/16 slither Detecting MISO and Opyn’s msg.value reuse vulnerability with Slither Description of Slither's new detectors: delegatecall-loop and msg-value-loop
2021/04/02 Solar: Context-free, interactive analysis for Solidity Proof-of-concept static analysis framework
2020/10/23 slither Efficient audits with machine learning and Slither-simil Detect similar Solidity functions with Slither and ML
2020/08/17 echidna Using Echidna to test a smart contract library Designing and testing properties with differential fuzzing
2020/07/12 manticore Contract verification made easier Re-use Echidna properties with Manticore with manticore-verifier
2020/06/12 slither Upgradeable contracts made safer with Crytic 17 new Slither detectors for upgradeable contracts
2020/03/30 echidna An Echidna for all Seasons Announcement of new features in Echidna
2020/03/03 manticore Manticore discovers the ENS bug Using symbolic analysis to find vulnerability in Ethereum Name Service contract
2020/01/31 manticore Symbolically Executing WebAssembly in Manticore Using symbolic analysis on an artificial WASM binary
2019/08/02 Crytic: Continuous Assurance for Smart Contracts New product that integrates static analysis with GitHub pipeline
2019/07/03 slither Avoiding Smart Contract "Gridlock" with Slither Description of a DoS vulnerability resulting from a strict equality check, and Slither's dangerous-strict-equality detector
2019/05/27 slither Slither: The Leading Static Analyzer for Smart Contracts Slither design and comparison with other static analysis tools
2018/10/19 slither Slither – a Solidity static analysis framework Introduction to Slither's API and printers
2018/09/06 rattle Rattle – an Ethereum EVM binary analysis framework Turn EVM bytecode to infinite-register SSA form
2018/05/03 echidna State Machine Testing with Echidna Example use case of Echidna's Haskell API
2018/03/23 Use our suite of Ethereum security tools Overview of our tools and documents: Not So Smart Contracts, Slither, Echidna, Manticore, EVM Opcode Database, Ethersplay, IDA-EVM, Rattle
2018/03/09 echidna Echidna, a smart fuzzer for Ethereum First release and introduction to Echidna
2017/04/27 manticore Manticore: Symbolic execution for humans First release and introduction to Manticore (not adopted for EVM yet)

Upgradeability

Our work related to contracts upgradeability

Date Title Description
2020/12/16 Breaking Aave Upgradeability Description of Delegatecall Proxy vulnerability in formally-verified Aave contracts
2020/10/30 Good idea, bad design: How the Diamond standard falls short Audit of Diamond standard's implementation
2018/10/29 How contract migration works Alternative to upgradability mechanism - moving data to a new contract
2018/09/05 Contract upgrade anti-patterns Discussion of risks and recommendations for Data Separation and Delegatecall Proxy patterns. Disclosure of vulnerability in Zeppelin Proxy contract.

Zero-knowledge

Our work in Zero-Knowledge Proofs space

Date Title Description
2022/04/18 The Frozen Heart vulnerability in PlonK
2022/04/15 The Frozen Heart vulnerability in Bulletproofs
2022/04/14 The Frozen Heart vulnerability in Girault’s proof of knowledge
2022/04/13 Coordinated disclosure of vulnerabilities affecting Girault, Bulletproofs, and PlonK Introducing new "Frozen Heart" class of vulnerabilities
2021/12/21 Disclosing Shamir’s Secret Sharing vulnerabilities and announcing ZKDocs
2021/02/19 Serving up zero-knowledge proofs Fiat-Shamir transformation explained
2020/12/14 Reverie: An optimized zero-knowledge proof system Rust implementation of the MPC-in-the-head proof system
2020/05/21 Reinventing Vulnerability Disclosure using Zero-knowledge Proofs Announcement of DARPA sponsored work on ZK proofs of exploitability
2019/10/04 Multi-Party Computation on Machine Learning Implementation of 3-party computation protocol for perceptron and support vector machine (SVM) algorithms