Trail of Bits

@[email protected]
1.7K Followers
5 Following
408 Posts
We help secure the world’s most targeted organizations and products. We combine security research with an attacker mentality to reduce risk and fortify code.
Websitehttps://trailofbits.com
Podcasthttps://trailofbits.audio
GitHubhttps://github.com/trailofbits
Bloghttps://blog.trailofbits.com
Trail of Bits2d ago
93% recall vs 50% for baseline prompts. Our new dimensional-analysis plugin for Claude Code doesn’t ask the LLM to find bugs. It annotates your codebase with dimensional types, then flags mismatches mechanically. Tested against real audit findings. https://blog.trailofbits.com/2026/03/25/try-our-new-dimensional-analysis-claude-plugin/
Try our new dimensional analysis Claude plugin

We released a Claude plugin that uses LLMs to annotate code with dimensional types and mechanically detect mismatches, achieving 93% recall versus 50% for baseline prompts when tested against real audit findings.

The Trail of Bits Blog
Trail of Bits3d ago

Adding token A to token B in a DeFi formula is as meaningless as adding meters to seconds. Different dimensions, meaningless result.

Physicists learn this on day one. Smart contract developers rarely think about it, but the same rules apply to on-chain arithmetic.

During an audit, we caught a function passing decimals where assets were expected. Dimensional analysis spotted it instantly. https://blog.trailofbits.com/2026/03/24/spotting-issues-in-defi-with-dimensional-analysis/

Spotting issues in DeFi with dimensional analysis

Dimensional analysis from physics can be applied to DeFi smart contracts to catch arithmetic and logic bugs by ensuring formulas maintain consistent dimensions across tokens, prices, and liquidity calculations. The post demonstrates how explicit dimensional annotations in code comments, like those used in Reserve Protocol, can prevent vulnerabilities and improve auditability.

The Trail of Bits Blog
Trail of BitsMar 11

A single bug in an ERC-4337 smart account can be as catastrophic as leaking a private key.

We've audited dozens of smart accounts and found six vulnerability patterns that consistently reappear across codebases.

If you're working with smart accounts, each pattern includes safe code examples so you can reference them for your own implementation: https://blog.trailofbits.com/2026/03/11/six-mistakes-in-erc-4337-smart-accounts/

Trail of BitsMar 6

We open-sourced 10 new Claude Code skills from our internal repository.

Including:
agentic-actions-auditor finds security vulnerabilities in GitHub Actions workflows where attacker-controlled input reaches AI agents running with elevated CI permissions.

let-fate-decide draws Tarot cards using cryptographic randomness when your prompt is too vague for a real plan.

git-cleanup categorizes your accumulated branches and worktrees and walks you through safe deletion with gated confirmation.

https://github.com/trailofbits/skills/

GitHub - trailofbits/skills: Trail of Bits Claude Code skills for security research, vulnerability detection, and audit workflows

Trail of Bits Claude Code skills for security research, vulnerability detection, and audit workflows - trailofbits/skills

GitHub
Trail of BitsMar 5
We're sponsoring RE//verse in Orlando this week. Sam Sharps, Kyle Elliott, and Julius Alexandre will be there. Come find them if you want to talk reverse engineering or binary analysis. https://re-verse.io/
Trail of BitsMar 2
How do you rebuild a security consultancy around AI without breaking what works? Our CEO, Dan Guido, talks systems, feedback loops, and what it actually takes to go AI-native at [un]prompted on March 4th at 9:10 AM https://unpromptedcon.org/
Agenda - [un]prompted

[un]prompted
Trail of BitsFeb 28
What if the compiler itself flagged your bugs? Blockchain Engineer, Kevin Valerio, is in Tokyo for SECCON 14 to show how Go’s IR can be modified to catch deterministic bug classes.
If you're attending, Kevin will present from 14:20-14:40 (GMT+9) https://www.seccon.jp/14/ep260228.html
SECCON14 電脳会議 2026.2.28(sat)-3.1(sun)

情報セキュリティをテーマに多様な競技を開催する情報セキュリティコンテスト SECCON。2026年2月28日(土)-3月1日(日)の2日間行われる「SECCON14 電脳会議」の情報ページです。

Trail of BitsFeb 25
New tool release! Linux memory forensics requires external debug symbols that precisely match your kernel version, symbols rarely installed on production systems and often missing after updates.mquire eliminates this dependency entirely by extracting BTF type information and Kallsyms symbol addresses directly from the memory dump. Works on kernel 4.18+ with BTF enabled.
https://blog.trailofbits.com/2026/02/25/mquire-linux-memory-forensics-without-external-dependencies/
mquire: Linux memory forensics without external dependencies

We’re open-sourcing mquire, a tool that analyzes Linux memory dumps without requiring any external debug information.

The Trail of Bits Blog
Trail of BitsFeb 20
Before launch, Perplexity hired us to test the security of Comet, their AI browser assistant. We demonstrated how four prompt injection techniques could extract users' private information from Gmail. https://blog.trailofbits.com/2026/02/20/using-threat-modeling-and-prompt-injection-to-audit-comet/
Using threat modeling and prompt injection to audit Comet

Trail of Bits used ML-centered threat modeling and adversarial testing to identify four prompt injection techniques that could exploit Perplexity’s Comet browser AI assistant to exfiltrate private Gmail data. The audit demonstrated how fake security mechanisms, system instructions, and user requests could manipulate the AI agent into accessing and transmitting sensitive user information.

The Trail of Bits Blog
Trail of BitsFeb 18
Today at 12:55 PM MT on the Future Llama stage at ETH Denver, our CEO, Dan Guido, opens the hood on how he made Trail of Bits AI-native.