unSafe.sh - Unsafe
Unleashing Medusa: Fast and scalable smart contract fuzzing
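The article introduces Medusa v1, an EVM-based smart contract fuzzing framework designed to improve contract security. Its features include coverage-guided fuzzing, parallel fuzzing, smart mutational value generation, and on-chain fuzzing, which significantly improve efficiency and scalability. Medusa is built on Geth and written in Go, and has advantages over its predecessor, Echidna. Developers can get started in a few simple steps and refine their use of the tool through community resources. ...
2025-2-14 00:0:0 | Reads: 6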
Trail of Bits Blog - blog.trailofbits.com
medusa
echidna
security
fuzzer
developers
We’re partnering to strengthen TON’s DeFi ecosystem
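TVM Ventures is partnering with Trail of Bits to improve ecosystem security for TON developers. The two will jointly develop DeFi protocol standards and provide comprehensive security services to competition-winning projects. TVM Ventures will also hold ongoing developer competitions to showcase innovative applications. ...
2025-2-13 14:0:3 | Reads: 7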
Trail of Bits Blog - blog.trailofbits.com
security
ton
tvm
ventures
defi
The call for invariant-driven development
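This article examines key issues in smart contract security and proposes a development approach based on invariants to improve it. By embedding invariants (key properties that must always hold) in the design, implementation, testing, and monitoring phases, developers can significantly strengthen the robustness of smart contracts. The article also details how to define, classify, and apply these invariants, and emphasizes their effectiveness in reducing vulnerabilities and attack surface. ...
2025-2-12 14:30:36 | Reads: 6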
Trail of Bits Blog - blog.trailofbits.com
invariants
invariant
development
security
formal
We’re partnering to strengthen TON’s DeFi ecosystem
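TON Ventures is partnering with Trail of Bits to provide comprehensive security services and competition support, helping developers build secure blockchain projects, and to develop DeFi protocol standards. ...
2025-2-7 08:0:3 | Reads: 10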
Trail of Bits Blog - blog.trailofbits.com
ton
security
defi
blockchain
development
Preventing account takeover on centralized cryptocurrency exchanges in 2025
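This article discusses the risk of account takeover (ATO) on centralized cryptocurrency exchanges (CEXes) and how to prevent it. As ATO attacks increase, security design flaws in CEXes have become a major threat. The article points out that a lack of phishing-resistant multi-factor authentication, improper password reset flows, and insufficient log monitoring leave users vulnerable to attack. It recommends that CEXes strengthen technical security mechanisms, improve security controls, and provide user guidance to reduce risk. ...
2025-2-5 14:0:37 | Reads: 7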
Trail of Bits Blog - blog.trailofbits.com
ato
security
attacker
cex
cexes
PyPI now supports archiving projects
By Facundo Tuesca. PyPI now supports marking projects as archived. Project owners...
2025-1-30 14:0:22 | Reads: 7
Trail of Bits Blog - blog.trailofbits.com
pypi
archived
statuses
security
archival
Best practices for key derivation
By Marc Ilunga. Key derivation is essential in many cryptographic applications, in...
2025-1-28 14:0:18 | Reads: 8
Trail of Bits Blog - blog.trailofbits.com
randomness
hkdf
salt
kdf
security
Celebrating our 2024 open-source contributions
While Trail of Bits is known for developing security tools like Slither, Medusa,...
2025-1-23 14:0:30 | Reads: 6
Trail of Bits Blog - blog.trailofbits.com
github
sigstore
woodruffw
pypi
python
Auditing the Ruby ecosystem’s central package repository
This is a joint post with the Ruby Central team. The full report, which includes...
2024-12-11 22:0:59 | Reads: 8
Trail of Bits Blog - blog.trailofbits.com
rubygems
security
analysis
starttls
35 more Semgrep rules: infrastructure, supply chain, and Ruby
By Matt Schwager and Travis Peters. We are publishing another set of custom Semgre...
2024-12-9 22:0:43 | Reads: 11
Trail of Bits Blog - blog.trailofbits.com
semgrep
hcl
oidc
security
prefer
Evaluating Solidity support in AI coding assistants
By Artem Dinaburg. AI-enabled code assistants (like GitHub’s Copilot, Continue.dev...
2024-11-19 22:0:37 | Reads: 5
Trail of Bits Blog - blog.trailofbits.com
solidity
deepseek
compchomper
evaluation
coder
Attestations: A new generation of signatures on PyPI
Read the official announcement on the PyPI blog as well! For the past year, we’v...
2024-11-14 22:0:15 | Reads: 13
Trail of Bits Blog - blog.trailofbits.com
pypi
publishing
provenance
sigstore
Killing Filecoin nodes
By Simone Monica. In January, we identified and reported a vulnerability in the Lo...
2024-11-13 19:0:12 | Reads: 10
Trail of Bits Blog - blog.trailofbits.com
bls
blsincludes
msgs
tipsetidx
tipsets
Fuzzing between the lines in popular barcode software
By Artur Cygan. Fuzzing—one of the most successful techniques for finding security...
2024-10-31 21:0:18 | Reads: 9
Trail of Bits Blog - blog.trailofbits.com
zbar
nix
fuzzer
drv
memory
A deep dive into Linux’s new mseal syscall
By Alan Cao. If you love exploit mitigations, you may have heard of a new system c...
2024-10-25 21:0:18 | Reads: 9
Trail of Bits Blog - blog.trailofbits.com
vma
mseal
memory
sealing
shellcode
Auditing Gradio 5, Hugging Face’s ML GUI framework
This is a joint post with the Hugging Face Gradio team; read their announcement h...
2024-10-11 00:0:29 | Reads: 8
Trail of Bits Blog - blog.trailofbits.com
gradio
frp
security
attacker
tob
Securing the software supply chain with the SLSA framework
By Cliff Smith. Software supply chain security has been a hot topic since the Sola...
2024-10-1 21:0:58 | Reads: 6
Trail of Bits Blog - blog.trailofbits.com
provenance
slsa
software
artifact
security
A few notes on AWS Nitro Enclaves: Attack surface
By Paweł Płatek. In the race to secure cloud applications, AWS Nitro Enclaves have...
2024-9-24 21:0:36 | Reads: 9
Trail of Bits Blog - blog.trailofbits.com
enclave
enclaves
clock
security
nitro
Announcing the Trail of Bits and Semgrep partnership
At Trail of Bits, we aim to share and develop tools and resources used in our sec...
2024-9-19 21:0:30 | Reads: 9
Trail of Bits Blog - blog.trailofbits.com
semgrep
security
trail
handbook
broader
Inside DEF CON: Michael Brown on how AI/ML is revolutionizing cybersecurity
At DEF CON, Michael Brown, Principal Security Engineer at Trail of Bits, sat down...
2024-9-17 21:0:8 | Reads: 9
Trail of Bits Blog - blog.trailofbits.com
security
software
aixcc