Get a comprehensive understanding of your security landscape. Companies large and start-up choose us for:
Exceptional code analysis and recommendations
We find the bugs other firms miss and make holistic recommendations to help you eliminate entire classes of them.
Formal verification of code correctness
We can confirm that your code behaves only as intended.
We’ve built the best available tools (many open-source) to dig deeper into your code than any other company.
You get best-effort support and guidance even after the audit ends, and you’ll receive the tools used in our assessments (plus updates).
Every assurance project includes:
Whether you need assurance for a complex platform or due diligence on a small codebase, contact us.
Blockchain is a rapidly evolving field that comes with unique challenges.
Given their decentralized nature and underlying value, blockchain applications exist in adversarial environments, where a single exploit can result in losses amounting to millions of dollars.
Trail of Bits was among the first security-oriented organizations to move from the Web 2.0 space into blockchain technologies.
We have become experts in reviewing all facets of blockchain applications, from smart contracts to off-chain components. Our areas of expertise include:
At Trail of Bits, we do more than just understand blockchain security; we build industry-leading tools to identify and fix vulnerabilities.
We have authored numerous cutting-edge tools, which include:
Leading protocols have trusted us to assist them in building more secure applications, including Aave, Acala, Algorand, Arbitrum, Balancer, Bitcoin SV, Chainlink, Compound, Curve, Frax, Liquity, MakerDao, Optimism, Parity, Polygon, Solana, Starknet, and Yearn (see our publications).
In addition to detecting vulnerabilities, our security reviews provide actionable recommendations for improving your system's security maturity, design, and code quality. We guide our clients in understanding their system's security invariants and demonstrate how to define and test them with automated tools such as a fuzzer. Our reports include the invariants developed throughout the engagement, empowering our clients to integrate them into their development process.
While we have a strong focus on blockchain, our engineers draw on extensive knowledge gained from traditional infosec work, combined with years of blockchain technology reviews. Our team regularly contributes to the state of the art through blog posts, industry conferences (e.g., Devcon, EthCC, ...), and academic conferences (e.g., FC, ISSTA, ...). We have also authored secure-contracts.com, which provides guidelines and best practices for writing secure smart contracts.
We are particularly well equipped to review novel and challenging uses of blockchain technology. Whether you are an established business or a new entrant in this field, we are prepared to strengthen the security of your blockchain applications. Reach out to us to learn more about how Trail of Bits can help secure your blockchain applications.
Understanding and rigorously testing system invariants is essential to developing robust smart contracts. Invariants are facts about the protocol that should remain true no matter what happens. Trail of Bits has crafted a dedicated Blockchain Invariant Development service, ideal for in-progress codebases, with a holistic focus on invariants for long-term security.
Our service includes:
Clients engaged in our invariant suite secure preferential access to Trail of Bits' service portfolio, optimizing future security endeavors.
Costs and timelines vary based on protocol size and complexity:
| Project | ERCs (20, 71, 4626, ...) | Standalone arithmetic lib | AMM or lending protocol |
|---|---|---|---|
| Timeline | 1 week | 1-2 weeks | 2-4 weeks |
Trail of Bits is a pioneer in Blockchain Invariant Development. Our seasoned engineers have been writing invariants for more than half a decade (for examples, see the Balancer, Primitive, and Liquity reports), have authored multiple fuzzers (Echidna, Medusa, test-fuzz), and have delivered several educational materials on fuzzing (150+ pre-defined invariants, How to fuzz like a pro (conference workshop), a 10-hour fuzzing workshop, and fuzzing tutorials).
Choose Trail of Bits to move from a reactive to a proactive stance in safeguarding your codebase, ensuring comprehensive bug prevention and seamless integration of invariant reasoning into your daily workflows.
Modern cryptography underpins all secure communication and collaboration. Correctly implemented, cryptography maintains the confidentiality and integrity of data in even the most extreme circumstances. However, this high level of assurance is fragile due to the mathematically complex nature of cryptographic security. Not only do the underlying libraries need to be flawless, but an incorrect combination of primitives or API calls can introduce subtle and dangerous vulnerabilities. Even well-known protocols like have been compromised by incorrect use of cryptographic primitives.
Trail of Bits has extensive experience reviewing a variety of complex cryptographic libraries and protocols. We also pride ourselves on keeping up with the latest research in cryptography and cryptanalysis. We know where to look for bugs, and we know the classes of attack to protect against. Whether you’re building a key management system or developing a protocol that achieves confidential transactions through zero-knowledge proofs, we can certify that your product has the protection guarantees you need. Count on us to:
Deliverables will be custom to your situation and may include:
Rapid development lifecycles and out-of-date tools and techniques can lead to vulnerabilities in software that leave your organization open to exploits. Testing for logic flaws, memory errors, over-provisioned access, and more is necessary to reduce your organization’s attack surface.
Trail of Bits’ Assurance team assesses your software using a multi-point evaluation framework. Testing
If your software passes, we will provide recommendations for continuous testing and improvement. If we find vulnerabilities, our Engineering team can work with you to bring your codebase up to the highest security standards and train your team on techniques and tools that Trail of Bits has built for continuous security improvement and attack surface reduction.
We help our clients identify and harden environment-critical infrastructures so they can deploy production systems with confidence. To do this, we audit cloud configurations and architectures against best security practices through manual and automated reviews of cloud services and Infrastructure as Code files such as Terraform, CloudFormation, and Azure Resource Manager files.
Organizations spend hundreds of work hours to build applications and services that will benefit customers and employees alike. Whether the application/service is externally facing or for internal use only, it is mandatory to identify and understand the scope of potential cyber risks and threats it poses to the
Can the software be reached from an external source? What is the likelihood that an attacker would want access to it? If the software were exploited, what impact would that have on the organization from a business, operational, and financial point of view?
These are just a few of the questions your company needs to ask as you’re building, deploying, and updating applications and services.
But where and how do you start with an accurate threat model?
Trail of Bits has developed a comprehensive threat model that: