Trail of Bits Tribune
June 2025
|
|
|
We've published the Custodial Stablecoin Rekt Test, a comprehensive framework for evaluating stablecoin issuer security that focuses on operational and infrastructure risks. Though this test targets stablecoin issuers, it is applicable to any blockchain organization, especially those facing significant private key or multisig vulnerabilities.
We audited Go's standard cryptographic library, used by millions worldwide, and found a record-low number of vulnerabilities. Meanwhile, our open source contributions earned recognition in an OpenSSF member spotlight, highlighting our work on PEP 740 (now securing 270,000+ Python packages), Sigstore, and Homebrew build provenance.
|
|
This month in talk and text
|
|
AI/ML
Application Security
-
Paweł Płatek reported a chain of vulnerabilities to Apple that allowed for local privilege escalation on macOS Sequoia by exploiting a SUID binary. Apple fixed the bugs in macOS Sequoia 15.4 and 15.5 and assigned them CVE-2025-24195, CVE-2025-30440, and CVE-2025-31222.
Blockchain
-
Our new Custodial Stablecoin Rekt Test distills the most critical security controls into an easy-to-access checklist, facilitating productive conversations between operators, developers, and users in this new $27.6 trillion ecosystem.
Cryptography
Open Source
-
OpenSSF featured us in a member spotlight, recognizing our contributions to open source security. These include our work authoring PEP 740 for secure Python packaging (with over 270,000 package distributions now using attestations), our collaboration with OpenSSF to prototype OpenSSF Scorecard dashboards, and our contributions to Sigstore and Homebrew build provenance initiatives.
- We achieved an 81% performance improvement in PyPI's test suite (from 163 to 30 seconds) using four simple techniques any Python developer can replicate in their own codebase to accelerate test suites without adding complexity.
|
|
|
Our commitment to reduce risk and fortify code is on display this month with five new reviews.
-
Go Language Cryptographic Libraries: Go's core cryptographic packages power thousands of libraries and millions of users worldwide. Our comprehensive audit used manual review and custom Semgrep/CodeQL rules to evaluate these critical libraries ahead of Go’s FIPS certification.
-
Monopoly GO!: Monopoly GO! is a $5 billion mobile gaming platform that faced fairness concerns from users about dice roll manipulation. We assessed the security architecture of their pseudorandom number generator system to counter "cheating overlays" and validate fair gameplay for millions of players.
-
Lagrange LAToken: Lagrange built DeepProve, a zkML system for proving AI inference correctness. Our three-day audit of their omnichain token system found one key issue: insufficient testing coverage for LayerZero cross-chain transfers, which could create maintenance challenges as the underlying OFT library evolves.
-
Reserve Protocol's Solana DTFs: Reserve’s DTFs (Decentralized Token Folios) represent baskets of funds. Our audit identified 12 vulnerabilities, including missing access controls and reward calculation errors. After our audit, ABC Labs refactored the system’s architecture from a two-program to a single-program design and resolved 10 of the identified issues.
-
Serai DEX: Serai is a forthcoming decentralized exchange compatible with Ethereum, Bitcoin, and Monero blockchains. Our three engineer-week audit of the Ethereum smart contract components found zero high, medium, or low-severity vulnerabilities, with only two informational findings and three code quality suggestions.
View all of our public reviews on our GitHub page.
Reach out to us if you’re interested in learning more about our security consulting services, designed to tackle complex technical challenges.
|
|
|
Here are the tool and library updates we’ve made since the last newsletter:
Testing & Quality Assurance Tools
-
Necessist v2.1.1 now supports Vitest as a test runner for Anchor, expanding its compatibility beyond Anchor, Foundry, Go, Hardhat, and Rust. The mutation-based testing tool identifies broken tests by running them with statements and method calls removed, and now accepts directory names on the command line.
-
Test-fuzz v7.2.0 features an improved parallel fuzzing UI that displays each target's output in separate panels, allowing side-by-side analysis. The tool now warns when fuzzing harnesses run without the required TEST_FUZZ=1 environment variable.
-
Cargo-unmaintained v1.8.1 improved the --purge option to clean up cache directories more effectively when identifying unmaintained packages in Rust dependency trees.
-
Check-up-to-dateness v1.0 launched as a new tool to verify whether merge group PRs stay current with their base branches.
-
Cast_checks v0.1.6 fixed compatibility with recent nightly compilers, ensuring the CAST_CHECKS_LOG feature continues working for procedural macro cast validation.
Security & Attestation Tools
-
PyPI-attestations had four releases (v0.0.24-0.0.27) with significant improvements including support for Google Cloud-based Trusted Publishers, better distribution filename parsing that fixes wheel tag ordering issues, and removal of overly strict "ultranormalization" requirements.
-
Pylock-attestations released initial alpha versions (v0.0.1a1 and v0.0.1a2) as a CLI tool for adding attestation identities to pylock.toml files.
-
RFC3161-client v1.0.2 added HashAlgorithm exports and a new verify_message method to the Verifier class, along with improved testing capabilities for multiple TSAs.
Experimental Compiler Tools
- VAST v0.0.86 continued development of the experimental MLIR-based compiler pipeline for C/C++ program analysis, adding dependabot configuration for better maintenance.
|
|
|
Welcome to our new team members:
-
Kimberly Espinoza: Senior Project Manager
-
Tara Goodwin Ruffus: Senior Project Manager
-
Thereasa Roy: Director, Technical Marketing
-
Axel Mierczuk: Senior Security Engineer, AppSec
-
Graham Sutherland: Senior Security Engineer, AppSec
-
Kevin Valerio: Security Engineer, Blockchain
Join Trail of Bits: If you are a security engineer, we have 4 open roles we’d love to discuss with you.
-
Senior Security Engineer, Application Security
-
Senior Security Engineer, Blockchain
-
Senior Security Engineer, Research
-
Senior Software Engineer, Compilers
Visit our Careers page to learn about these roles and our perks or share your info for future roles!
|
|
|
We look forward to seeing you in person at any of these events in the next few months. Schedule a time to meet with our team here!
- OpenSearchCon North America (September 8–10), in San Jose: Evan Downing will present on our experience and lessons learned in creating repeatable benchmarking on OpenSearch and Elasticsearch.
-
Linux Foundation's Open Source Summit (June 23–25), in Denver
-
REcon (June 27–29), in Montreal
-
EthCC (June 30–July 3), Cannes:
-
Our Engineering Director of Blockchain, Ben Samuels, is presenting on how to build safer, more robust cold storage solutions on Ethereum that can even endure multisig compromise.
-
Nicolas Donboly will share his journey becoming a smart contract auditor, covering how to get started and what the work involves—perfect for anyone considering a career transition into blockchain security.
-
Most of our blockchain team will attend the conference, so if you’d like to talk or hang out, reach out to Ben Samuels.
-
DEF CON / BSides / Black Hat (August 2–10), in Las Vegas: The winners of the AI Grand Cyber Challenge will be announced at DEF CON. We're preparing our submission, Buttercup, for the third exhibition round, and gearing up for the scored round on June 26.
|
|
|
Meet Amanda Stickler’s Reggie, the newest addition to the Trail of Bits furry family!
|
|
|
|
|
