Trail of Bits

4.2K posts

@trailofbits

We help secure the world’s most targeted organizations and products. We combine security research with an attacker mentality to reduce risk and fortify code.

New York, NY Joined March 2010
256 Following 37K Followers
Pinned Tweet
Trail of Bits
Trail of Bits@trailofbits·
Over 700,000 repos ship crypto libraries that default to a static IV, creating widespread key reuse. We also released mquire, a Linux memory forensics tool, and added 12 new open-source Claude Code skills for security engineering. March Tribune: mailchi.mp/trailofbits/ma…
Trail of Bits retweeted
InsanityBit
InsanityBit@InsanityBit·
Lack of mutation testing in Rust has always been a bummer (tbh it is such a rare treat in any language). Could be huge, excited to check this out. Mutation testing + property testing are just orders of magnitude more effective than industry standard.
Trail of Bits@trailofbits

MuTON and mewt introduce bugs, run tests, and find what coverage misses. MuTON supports TON languages, built in collaboration with @ton_blockchain. mewt covers Solidity, Rust, and more. blog.trailofbits.com/2026/04/01/mut…

Trail of Bits
Trail of Bits@trailofbits·
We saw high coverage mask a fund-draining vulnerability, and caught it with mutation testing. Then we built the tools to make this routine. 🧵
Trail of Bits
Trail of Bits@trailofbits·
We’re sponsoring the event and will be on-site. Come find us and get some swag.
Trail of Bits
Trail of Bits@trailofbits·
The full toolkit lives at github.com/crytic. Static analysis, fuzzing, EVM disassembly, compiler management, and pre-built security properties.
Trail of Bits
Trail of Bits@trailofbits·
If you're competing in the @Wonderland CTF later today, these are the most common open-source tools we use to review contracts in production. 🧵
Trail of Bits
Trail of Bits@trailofbits·
We made the paper. Dimensional analysis catching Solidity bugs hiding in plain sight. 13 down in the @RektHQ Summit crossword. Come find us in Cannes.
Trail of Bits retweeted
forefy
forefy@forefy·
@trailofbits's dimensional-analysis is *provenly* the best auditing skill to detect logic vulnerabilities in smart contracts. You may disagree, as I only compared it to 2 other logic-focused bug finding skills, and only ran a couple of iterations against each, but that's the best benchmark out there for this so far. Best part: you just need 1 click and an AI agent to contribute to the benchmark and try it yourself. forefy.com/benchmarks/058…
Trail of Bits@trailofbits

Four phases: discover a vocabulary of base units, annotate the codebase, propagate dimensions across function boundaries, then validate for mismatches. It also generates a DIMENSIONAL_UNITS.md you can commit to your repo. blog.trailofbits.com/2026/03/25/try…

Trail of Bits
Trail of Bits@trailofbits·
Four phases: discover a vocabulary of base units, annotate the codebase, propagate dimensions across function boundaries, then validate for mismatches. It also generates a DIMENSIONAL_UNITS.md you can commit to your repo. blog.trailofbits.com/2026/03/25/try…
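The four phases described in the thread above, as an added Python example (not Trail of Bits' plugin or any of its code): a constructed two-unit vocabulary, annotated values, dimension propagation through arithmetic, and a mismatch check at a hypothetical `transfer(value)` call boundary, where a `decimals` count is passed in place of a token amount.

```python
from dataclasses import dataclass

# Phase 1: the vocabulary of base units (constructed for this example).
BASE_UNITS = {"token", "usd"}
Dim = frozenset  # set of (unit, exponent) pairs; the empty set is dimensionless

def dim(**units: int) -> Dim:
    assert set(units) <= BASE_UNITS, f"unknown unit in {units}"
    return frozenset((u, e) for u, e in units.items() if e)

def combine(a: Dim, b: Dim, sign: int) -> Dim:
    # Multiply (sign=+1) or divide (sign=-1) dimensions by adding exponents.
    exps = dict(a)
    for u, e in b:
        exps[u] = exps.get(u, 0) + sign * e
    return frozenset((u, e) for u, e in exps.items() if e)

def fmt(d: Dim) -> str:
    return "*".join(f"{u}^{e}" for u, e in sorted(d)) or "dimensionless"

class DimError(Exception): pass  # phase 4: an expression mixed incompatible dimensions

@dataclass(frozen=True)
class Quantity:
    name: str
    dim: Dim
    # Phase 2: name + dim annotate a value. Phase 3: arithmetic propagates dimensions;
    # multiplication/division combine exponents, addition requires both sides to agree.
    def __mul__(self, o): return Quantity(f"({self.name}*{o.name})", combine(self.dim, o.dim, +1))
    def __truediv__(self, o): return Quantity(f"({self.name}/{o.name})", combine(self.dim, o.dim, -1))
    def __add__(self, o):
        if self.dim != o.dim:
            raise DimError(f"{self.name} + {o.name}: {fmt(self.dim)} vs {fmt(o.dim)}")
        return Quantity(f"({self.name}+{o.name})", self.dim)

def check_call(fn: str, params: dict, args: list) -> list:
    # Phase 4 at a call boundary: each argument must carry the dimension the
    # callee's annotated parameter declares. Returns the mismatch messages.
    return [f"{fn}({p}): expected {fmt(want)}, got {a.name}: {fmt(a.dim)}"
            for (p, want), a in zip(params.items(), args) if want != a.dim]

# Constructed scenario: `decimals` (a dimensionless exponent) is passed where a
# hypothetical `transfer` expects a token amount, the class of bug the thread describes.
amount, price = Quantity("amount", dim(token=1)), Quantity("price", dim(usd=1, token=-1))
decimals = Quantity("decimals", dim())  # 18 is a count of digits, not an amount
TRANSFER_PARAMS = {"value": dim(token=1)}

def audit() -> list:
    findings = check_call("transfer", TRANSFER_PARAMS, [decimals])
    try:
        amount + (amount * price)  # token + usd: caught by propagation
    except DimError as e:
        findings.append(str(e))
    return findings
```

`audit()` returns one finding per mismatch; an argument that already carries `token^1` passes the call check with no output.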
Trail of Bits
Trail of Bits@trailofbits·
We tested against dimensional mismatch issues from several unpublished audits. The plugin also cut standard deviation from 20% to 12%. Better results, more consistent. github.com/trailofbits/sk…
Trail of Bits
Trail of Bits@trailofbits·
93% recall vs 50% for baseline prompts. Our new dimensional-analysis plugin for Claude Code doesn't ask it to find bugs. It annotates your codebase with dimensional types, then flags mismatches mechanically. 🧵
Trail of Bits
Trail of Bits@trailofbits·
We've used this technique successfully in real audits. During an audit, dimensional analysis caught code passing decimals where it expected token amounts. Identified in seconds, no deep code review needed.
Trail of Bits
Trail of Bits@trailofbits·
Physicists catch formula errors in seconds with a trick most DeFi developers have never heard of. You should learn dimension analysis. 🧵
Trail of Bits retweeted
Benjamin Samuels
Benjamin Samuels@thebensams·
How many stablecoin providers are actually resistant to private key compromise? If there's one thing everyone should learn from Resolv, it's that you must EXPECT your private keys to be compromised.🧵