unSafe.sh - Unsafe
Don’t recurse on untrusted input
The article points out that recursive functions that process untrusted input can cause stack overflows and denial-of-service attacks, affecting projects such as ElasticSearch and OpenSearch. The author developed a CodeQL query to detect the problem and recommends defending against it through code audits and explicit depth limits....
2025-2-21 00:0:0 | Reads: 8
Trail of Bits Blog - blog.trailofbits.com
fibonacci
protobuf
recursive
recursion
buffers
The $1.5B Bybit Hack: The Era of Operational Security Failures Has Arrived
Bybit suffered the largest cryptocurrency theft in history, losing about $1.5 billion. The attack stemmed from an operational security failure rather than a smart contract flaw: the attackers took control of employee devices with malware and collected signatures. The incident shows that North Korean threat groups are mounting targeted attacks on cryptocurrency exchanges. The article stresses that such attacks may become frequent and that operational security measures must be strengthened in response....
2025-2-21 00:0:0 | Reads: 5
Trail of Bits Blog - blog.trailofbits.com
security
operational
attackers
hardware
rgb
Unleashing Medusa: Fast and scalable smart contract fuzzing
The article introduces Medusa v1, an EVM-based smart contract fuzzing framework aimed at improving contract security. Its features include coverage-guided fuzzing, parallel fuzzing, smart mutation value generation, and on-chain fuzzing, which significantly improve efficiency and scalability. Medusa is built on Geth and written in Go, and offers advantages over its predecessor Echidna. Developers can get started in a few simple steps and refine their usage further through community resources....
2025-2-14 00:0:0 | Reads: 5
Trail of Bits Blog - blog.trailofbits.com
medusa
echidna
security
fuzzer
developers
We’re partnering to strengthen TON’s DeFi ecosystem
TVM Ventures is partnering with Trail of Bits to improve the security of the TON developer ecosystem. The two will jointly develop standards for DeFi protocols and provide comprehensive security services to the winning projects of competitions. TVM Ventures will also run ongoing developer competitions to showcase innovative applications....
2025-2-13 14:0:3 | Reads: 6
Trail of Bits Blog - blog.trailofbits.com
security
ton
tvm
ventures
defi
The call for invariant-driven development
This article examines key problems in smart contract security and proposes an invariant-based development approach to improve it. By embedding invariants (key properties that must always hold) into the design, implementation, testing, and monitoring phases, developers can significantly strengthen the robustness of smart contracts. The article also describes in detail how to define, classify, and apply these invariants, and emphasizes their effectiveness in reducing vulnerabilities and attack surface....
2025-2-12 14:30:36 | Reads: 5
Trail of Bits Blog - blog.trailofbits.com
invariants
invariant
development
security
formal
We’re partnering to strengthen TON’s DeFi ecosystem
TON Ventures is partnering with Trail of Bits to provide comprehensive security services and competition support, helping developers build secure blockchain projects and establishing standards for DeFi protocols....
2025-2-7 08:0:3 | Reads: 9
Trail of Bits Blog - blog.trailofbits.com
ton
security
defi
blockchain
development
Preventing account takeover on centralized cryptocurrency exchanges in 2025
This article discusses the risk of account takeover (ATO) on centralized cryptocurrency exchanges (CEXes) and how to defend against it. As ATO attacks increase, flaws in CEX security design have become a major threat. The article notes that the lack of phishing-resistant multi-factor authentication, improper password reset flows, and insufficient logging and monitoring leave users exposed. It recommends that CEXes strengthen their technical security mechanisms, improve security controls, and provide user guidance to reduce the risk....
2025-2-5 14:0:37 | Reads: 6
Trail of Bits Blog - blog.trailofbits.com
ato
security
attacker
cex
cexes
PyPI now supports archiving projects
By Facundo Tuesca. PyPI now supports marking projects as archived. Project owners...
2025-1-30 14:0:22 | Reads: 6
Trail of Bits Blog - blog.trailofbits.com
pypi
archived
statuses
security
archival
Best practices for key derivation
By Marc Ilunga. Key derivation is essential in many cryptographic applications, in...
2025-1-28 14:0:18 | Reads: 7
Trail of Bits Blog - blog.trailofbits.com
randomness
hkdf
salt
kdf
security
Celebrating our 2024 open-source contributions
While Trail of Bits is known for developing security tools like Slither, Medusa,...
2025-1-23 14:0:30 | Reads: 6
Trail of Bits Blog - blog.trailofbits.com
github
sigstore
woodruffw
pypi
python
Auditing the Ruby ecosystem’s central package repository
This is a joint post with the Ruby Central team. The full report, which includes...
2024-12-11 22:0:59 | Reads: 6
Trail of Bits Blog - blog.trailofbits.com
rubygems
security
analysis
starttls
35 more Semgrep rules: infrastructure, supply chain, and Ruby
By Matt Schwager and Travis Peters. We are publishing another set of custom Semgre...
2024-12-9 22:0:43 | Reads: 10
Trail of Bits Blog - blog.trailofbits.com
semgrep
hcl
oidc
security
prefer
Evaluating Solidity support in AI coding assistants
By Artem Dinaburg. AI-enabled code assistants (like GitHub’s Copilot, Continue.dev...
2024-11-19 22:0:37 | Reads: 4
Trail of Bits Blog - blog.trailofbits.com
solidity
deepseek
compchomper
evaluation
coder
Attestations: A new generation of signatures on PyPI
Read the official announcement on the PyPI blog as well! For the past year, we’v...
2024-11-14 22:0:15 | Reads: 12
Trail of Bits Blog - blog.trailofbits.com
pypi
publishing
provenance
sigstore
Killing Filecoin nodes
By Simone Monica. In January, we identified and reported a vulnerability in the Lo...
2024-11-13 19:0:12 | Reads: 9
Trail of Bits Blog - blog.trailofbits.com
bls
blsincludes
msgs
tipsetidx
tipsets
Fuzzing between the lines in popular barcode software
By Artur Cygan. Fuzzing—one of the most successful techniques for finding security...
2024-10-31 21:0:18 | Reads: 8
Trail of Bits Blog - blog.trailofbits.com
zbar
nix
fuzzer
drv
memory
A deep dive into Linux’s new mseal syscall
By Alan Cao. If you love exploit mitigations, you may have heard of a new system c...
2024-10-25 21:0:18 | Reads: 8
Trail of Bits Blog - blog.trailofbits.com
vma
mseal
memory
sealing
shellcode
Auditing Gradio 5, Hugging Face’s ML GUI framework
This is a joint post with the Hugging Face Gradio team; read their announcement h...
2024-10-11 00:0:29 | Reads: 6
Trail of Bits Blog - blog.trailofbits.com
gradio
frp
security
attacker
tob
Securing the software supply chain with the SLSA framework
By Cliff Smith. Software supply chain security has been a hot topic since the Sola...
2024-10-1 21:0:58 | Reads: 5
Trail of Bits Blog - blog.trailofbits.com
provenance
slsa
software
artifact
security
A few notes on AWS Nitro Enclaves: Attack surface
By Paweł Płatek. In the race to secure cloud applications, AWS Nitro Enclaves have...
2024-9-24 21:0:36 | Reads: 9
Trail of Bits Blog - blog.trailofbits.com
enclave
enclaves
clock
security
nitro