DARPA's AI Cyber Challenge finals are underway. Seven autonomous AI systems are competing to find and patch vulnerabilities in critical open-source programs like the Linux kernel, SQLite, and cURL that power our digital infrastructure.

Learn more: https://blog.trailofbits.com/2025/07/02/buckle-up-buttercup-aixccs-scored-round-is-underway/

Did you know the biggest cause of crypto hacks in 2024 goes entirely unnoticed by most security audits? This attack vector was responsible for 43% of the crypto stolen in 2024, and isn't eligible as a finding in audit contests or most audit engagements

Answer: Private key compromise.

In this post, you'll learn how to make protocols resilient to private key leaks using our 4-level framework: https://blog.trailofbits.com/2025/06/25/maturing-your-smart-contracts-beyond-private-key-risk/

As a Go developer, do you fully understand Go's JSON/XML/YAML parsers? They are surprisingly prone to attacks with simple misconfigurations:
Three unexpected attack scenarios:
1. Marshaling private data with misconfigured tags
2. Parser differentials in a microservices architecture
3. Cross-format confusion attacks (JSON→XML)

https://blog.trailofbits.com/2025/06/17/unexpected-security-footguns-in-gos-parsers/

$5B in revenue, millions of mobile players, one question: are the dice rolls fair?

When Monopoly GO! players questioned their dice roll outcomes, the game's developers hired us to conduct an independent cryptographic design assessment of their PRNG architecture.

Our cryptographic design assessment evaluated two core concerns:
✅ If the random number generator produces unbiased outcomes for all players
✅ Do the countermeasures effectively prevent malicious actors from predicting or manipulating results through client-side attacks

Read the case study: https://trailofbits.info/monopolygo-casestudy

In 2023, we audited Axiom's Halo2 circuits and found 35 security issues, including 4 high-severity soundness bugs that could break the ZK system entirely.

The Axiom team engaged us early in development. They fixed all issues, and we helped them build comprehensive test suites to strengthen their security posture.

https://trailofbits.info/axiom-blog

We audited the Go language cryptographic library, used by thousands of libraries and millions of users.

Security report: https://github.com/trailofbits/publications/blob/master/reviews/2025-03-google-gocryptographiclibraries-securityreview.pdf

Our assessment uncovered one low-severity and five informational issues within the algorithms, following a comprehensive four-week review by three consultants focused on identifying cryptographic weaknesses such as side-channel attacks.

Beyond manual review, we created custom CodeQL and Semgrep rules for the project. We used these rules to:
- Identify memory management issues
- Analyze math.Big library usage (which "doesn't have strong constant time guarantees")
- Confirm that a detected bug was the only instance of that issue

Read their blog: https://go.dev/blog/tob-crypto-audit

If you are interested in learning more about how to securely design and build a cryptographic library or module, reach out to our engineering team: https://trailofbits.info/3YVvFXP