Blockchain

Trail of Bits was among the first security-oriented organizations transitioning from the Web 2.0 space to explore blockchain technologies. We have become experts in reviewing all facets of blockchain applications, from smart contracts to off-chain components.

Our areas of expertise include:

  • Smart contracts, including
    • Ethereum (Solidity, Vyper, YUL, EVM, ...)
    • Algorand (Pyteal, Teal, ...)
    • Cairo/Starknet
    • Cosmos (Cosmos SDK, CosmWasm, ...)
    • Solana
    • Substrate/Polkadot
  • Blockchain node (L1/L2, consensus, VM, network, ...)
  • Bridges
  • Decentralized finance
  • Gaming applications
  • Offchain components (Oracle, ...)

Many blockchain firms, including Aave, Acala, Algorand, Arbitrum, Balancer, Bitcoin SV, Chainlink, Compound, Curve, Frax, Liquity, MakerDAO, Optimism, Parity, Polygon, Solana, Starknet, and Yearn, trust our expertise to help secure their code. We've found vulnerabilities in highly verified systems, and we create or maintain the best tools in the industry to aid engineers in fuzzing, performing static analysis, and increasing coverage area, to name a few.

Blockchain Services:

Design Assessment

Our Design Assessment analyzes the fundamental design of the system. We assess the system architecture and component specifications, identify potential security shortcomings, and offer tailored risk mitigation strategies. We can also assess the testing strategies, emphasizing the effective use of security tools throughout the development life cycle. Finally, we provide customized solutions that address your concerns and enhance security.

  • Strategic solution analysis

    We assess the proposed end-to-end solution to pinpoint potential security blockers and offer risk mitigations. We discuss the deployment plan and provide guidance on integrating an incident response plan and a monitoring strategy early on in the process.

  • Component-level recommendations

    We assess component specifications, emphasizing high-level considerations such as arithmetic risks, access controls, and upgradeability. Additionally, we analyze risks tied to external interactions, such as oracles or third-party DeFi components. For components integrating into existing codebases, we evaluate their alignment and interaction with the system, including potential risks in live protocol deployment.

  • Advanced testing techniques and tooling guidance

    We identify how to efficiently leverage security tools (e.g., static analyzers, fuzzing, formal verification methods) and advise you on what techniques to prioritize at various SDLC stages. We also provide guidance on training and upskilling opportunities related to using security tools.

  • Customized client solutions

    We discuss your explicit concerns in detail, customizing our work to address your specific questions. Leveraging our extensive expertise, we can answer questions beyond the scope of blockchain protocols and cover cryptographic and application security concerns.

A design review provides immediate feedback, minimizing project risks and saving development time and costs by reducing the need for late-stage refactoring.

Explore our Design Assessments: Public Report for Meson

Early Stage Assessment

The Early Stage Assessment provides guidance and recommendations that will aid your developers for the long term of the project. This service is a perfect fit for projects that are early on in their SDLC but are ready to receive feedback. This includes projects for which the code is not finalized or is nonexistent, the documentation and testing are ongoing, and the technical solution may evolve.
We can guide projects that build smart contracts, bridges, decentralized finance, and decentralized gaming applications. We also have strong in-house expertise on blockchain nodes and have worked with numerous geth-based projects.

  • Lightweight Code Review

    We review the code in order to understand the technical solution. While we won't look for in-depth vulnerabilities during an early stage review, we will identify surface-level bugs and look for low-hanging fruit.

  • Architecture recommendations

    We evaluate the architectural choices and look for risky designs. We review the access controls and look for an adequate separation of privileged actors. We look for ways to reduce the code complexity, such as improvements in the code modularity or inheritance. We also evaluate whether the system's decentralization is adequate with respect to what is advertised, including future decentralization plans. We look for improvements in the on-chain and off-chain logic separation. Finally, we also review the upgradeability schema, including the overall structure, the adequate usage of upgradeability and migration, and the integration of pausable-like mechanisms.

  • Risk mitigation recommendations

    We identify existing risks and propose mitigation strategies. We assess whether the system is designed with maximum extractable value (MEV) risks in mind. We also check whether an oracle integration properly accounts for its underlying risks. Additionally, we evaluate the protocol’s reliance on blockchain risks (e.g., reorgs) and identify potential gaps in the handling of common ERCs. Finally, we assess the reliance and risks related to third-party component integration.

  • Security gap identification

    We identify any areas that do not align with security best practices, including gaps and misplaced priorities in the project documentation. We also evaluate whether the testing strategy is sufficient for the long-term health of the project. Additionally, we review the monitoring plan and evaluate whether events—or similar logging information—are sufficient to identify issues in the system and recover in case of incidents. Finally, we evaluate the use of automated tools and provide recommendations about how to more effectively use tools.

  • Tailored design recommendations

    We adapt our assessment based on the project’s unique needs and requirements and provide recommendations tailored to the protocol business logic.

  • Codebase maturity evaluation

    We evaluate the maturity of the codebase from a security standpoint and provide actionable recommendations to help developers write more secure code in the long term.

This service helps projects to set a strong security foundation, receive expert recommendations earlier, and reduce costs by preventing late refactoring.

Invariant Testing & Development

Enhance your blockchain security with our Invariant Testing & Development, which focuses exclusively on identifying, developing, and testing invariants. While security reviews typically contain some development of invariants in areas believed to contain bugs, this service is focused entirely on invariants to achieve a more holistic approach to long-term security.

  • Invariant identification

    Our skilled engineers collaborate with your team to pinpoint invariants for your system. These may include function- or system-level invariants. We'll specify these and their preconditions not just in code but in plain English, ensuring a tailored approach for your development.

  • Invariant writing

    We translate invariants into Solidity and determine the optimal testing method (internal, external, or partial testing), create necessary wrappers, and establish fuzzing initialization with contract deployments and preconditions. Our goal is minimal disruption to your codebase, selecting an approach that ensures long-term use of the invariants.

  • Invariant testing and integration

    We run invariants locally and on dedicated cloud infrastructure, refining specifications based on fuzz testing results. Collaborating with your team, we integrate short-term fuzzing into CI (e.g., GitHub Actions) and provide recommendations for long-term fuzzing campaigns, locally or in the cloud.

  • Training and guidance

    We also include developer training through regular meetings throughout the service. We provide guidance and advice on how to maintain the provided invariants, write new ones, and improve the system’s design. Upon request, we can provide half a day of dedicated training, delving into the nuances of various testing methodologies and best practices.

Trail of Bits stands as a pioneer in Blockchain Invariant Development. Our seasoned engineers have been writing invariants for more than half a decade (for examples, see the Balancer, Primitive, and Liquity reports), authored multiple fuzzers (Echidna, Medusa, test-fuzz), and delivered several educational materials on fuzzing (+150 pre-defined invariants, How to fuzz like a pro (conference workshop), 10-hour fuzzing workshop, fuzzing tutorials).

This service will help your team to become proactive instead of reactive in securing your codebase, identify and develop the most impactful invariants, and educate the team on invariant-driven development.

Comprehensive Code Assessment

Our comprehensive code assessment, covering the entire codebase, is our most thorough offering and includes all aspects of secure code review.

  • Smart contract analysis

    We perform an in-depth examination of the codebase to identify vulnerabilities that stem from the blockchain environment, the language, and the target. This includes reentrancy, arithmetic issues, improper access controls, incorrect upgradeability schema, transaction replay, and programming language misuse. Our team has developed strong in-house expertise on smart contract languages (including Solidity, Vyper, YUL, Cairo, Teal/Pyteal, and Go- and Rust-based languages), allowing us to cover the full spectrum of language-related risks.

  • Business logic analysis

    We assess the logic and functionality of the target and identify potential business logic flaws. We look for economic-related issues, such as price manipulation, incorrect slippage, and unprotected liquidation. We also look for improper validation of external components. We explore the risk of stakeholder collusion and issues related to token integrations. We look for application-specific issues, such as incorrect Merkle tree usage, incorrect signature validation, and risks related to on-chain voting.

  • L1/L2 node review

    We review the blockchain nodes and look for flaws that can break the liveness or safety of the blockchain protocol, as well as impersonate or isolate validators. We look at the VM to ensure that opcodes cannot be abused or lead to unintended side effects. We look for ways to crash the nodes with malformed transactions. We look at the replay risks at the network and consensus levels. We also leverage our strong in-house expertise on geth-related codebases. For rollup-related codebases, we look at the correctness of challenge protocols, as well as incorrect state transitions between L1 and L2.

  • Bridges review

    We evaluate the bridges by leveraging our experience with smart contract and non-smart-contract components. We review every side of the bridge to ensure proper validation of transactions is applied. We look at the cross-chain asset transfers to make sure the bridge bookkeeping is robust. We explore the risks related to slashing, including preventing a valid slashing event from happening, as well as slashing honest behaviors. We have experience with EVM and non-EVM chains, allowing us to review complex bridge setups.

  • Off-chain components review

    We assess off-chain components with a focus on the on-chain and off-chain interactions, and ensure adequate validation is present. We look for incorrect logic, and tailor our exploration based on the business logic. We look for incorrect block finality assumptions, as well as inadequate transaction validation. We review the indexing of on-chain events to ensure the application runs with the correct on-chain data. We also look for denial-of-service risks. We look at the data aggregation for multi-stakeholder systems, and ensure that the underlying assumptions hold.

  • Code maturity analysis

    We evaluate the maturity of the codebase from a security standpoint. We provide actionable recommendations allowing developers to fix gaps in their security posture, and empowering them to write more secure code in the long term. Our experience has demonstrated that the likelihood of vulnerabilities is directly related to the software engineering practice. Our recommendations cover how to design better arithmetic and access control, how to reduce the code complexity, and where to focus with respect to the documentation and testing.

  • Automated tools integration

    Throughout our process, we leverage automated analysis tools to enhance our analysis; we aim to identify and write invariants and test them with state-of-the-art fuzzers, and we leverage custom static analysis rules tailored to the target’s logic.

Users of this service benefit from a holistic review of their system, gaining insight into potential vulnerabilities and architectural risks, along with actionable guidance on both short-term and long-term actions that improve their project’s security and integrity.

"Trail of Bits’ level of sophistication as well as their track record—in both blockchain-based, as well as non-blockchain projects—is backed by almost 10 years of experience in securing the most innovative and mature organizations in the world.”

- Adam Gagol, AlephZero

Read one of our public reports

We conducted a focused security assessment for Primitive's Hyper protocol. Experts from both our Blockchain team dedicated eight weeks to rigorously analyzing the provided source code, aiming to uncover any potential security threats. We uncovered complex issues, including incorrect assembly usage through arithmetic operations (TOB-HYPR-3) and the theft of funds through misbehaving swap operations (TOB-HYPR-23). Our engineers also created 100+ invariants that we tested through fuzzing. This audit highlights our commitment to detailed, impactful security assessments in the blockchain sector.

Book a technical office hours session

Book a complimentary one-hour meeting with one of our engineers to dive into a challenging technical issue, explore tooling options, and gain valuable insights directly from our experts. This session is purely technical—no sales talk, just a focused discussion that showcases our depth, talent, and capabilities.

Read our assessment of Uniswap v3

Why we offer assessments and not audits

Unlike many firms that provide security audits, we offer security assessments. Standard audits follow a predefined checklist that limits their scope and capabilities; our assessments don't aim to check boxes but to discover the root causes of the security weaknesses identified. This approach allows us to provide nuanced, actionable insights that do more than fix the immediate problems—they also enhance the system's overall resilience and security for the future. By focusing on the root causes and broader implications of security vulnerabilities, we empower our clients to not just respond to bugs but to develop stronger, more resilient software design, development, and coding practices.

Our services

We believe in the power of collaboration and the synthesis of knowledge across various fields to deliver unparalleled services to our clients. Our diverse company lines are not isolated silos of expertise. Instead, they represent a spectrum of capabilities that we seamlessly blend to meet the unique needs of each project.
