Trail of Bits was among the first security-oriented organizations transitioning from the Web 2.0 space to
explore blockchain technologies. We have become experts in reviewing all facets of blockchain applications, from
smart contracts to off-chain components.
Here are some of our favorites:
Our Design Assessment analyzes the fundamental design of the system. We assess the system architecture and component specifications, identify potential security shortcomings, and offer tailored risk mitigation strategies. We can also assess the testing strategies, emphasizing the effective use of security tools throughout the development life cycle. Finally, we provide customized solutions that address your concerns and enhance security.
Security analysis of deployment plans with incident response integration
Risk assessment of oracles, DeFi integrations & upgradeability patterns
Strategic implementation of fuzzing, static analysis & formal verification
Cryptographic & application security beyond standard blockchain risks
The Early Stage Assessment provides guidance and recommendations that will aid your developers for the long term
of the project. This service is a perfect fit for projects that are early on in their SDLC but are ready to
receive feedback. This includes projects for which the code is not finalized or is nonexistent, the
documentation and testing are ongoing, and the technical solution may evolve.
We can guide projects that build smart contracts, bridges, DeFi, and decentralized gaming applications. We also
have strong in-house expertise on blockchain nodes and have worked with numerous geth-based projects.
Surface-level vulnerability detection in early-stage codebases
Decentralization analysis & upgradeability schema evaluation
MEV exposure analysis & oracle integration risk assessment
Testing coverage evaluation & monitoring system design
Protocol-specific security recommendations & best practices
Long-term security posture improvement roadmap
Enhance your blockchain security with our Invariant Testing & Development, which focuses exclusively on identifying, developing, and testing invariants. While security reviews typically contain some development of invariants in areas believed to contain bugs, this service is focused entirely on invariants to achieve a more holistic approach to long-term security.
System & function-level invariant identification with preconditions
Custom fuzzing initialization with minimal codebase disruption
CI/CD integration of fuzzing campaigns with cloud infrastructure
Hands-on developer training in invariant-driven testing methodologies
Our comprehensive code assessment, covering the entire codebase, is our most thorough offering and includes all aspects of secure code review.
Multi-language smart contract vulnerability analysis
Economic risk assessment including price manipulation & liquidation
VM security & cross-chain transaction validation for L1/L2
Bridge security with focus on cross-chain asset transfer validation
Off-chain component analysis & blockchain finality assumptions
Automated analysis tool integration & custom rule development
Our blockchain team develops and maintains multiple open-source tools, such as Slither, Echidna, and Medusa, used in our internal assessments. Click to view our tools on Github.
We are committed to sharing our knowledge with the community. We share our research and expertise whenever possible through our blog. Click to read one of our favorite blockchain blogs: Breaking Aave Upgradeability.
Our Building Secure Contracts Handbook offers guidelines and recommended practices for developing secure smart contracts, including development guidelines, EVM, Program analysis, and more. Get started using it today.
Unlike many firms that follow a predefined checklist that limits the scope and capabilities, our assessments don't look to check boxes but discover the root causes of security weaknesses identified. This approach allows us to provide nuanced, actionable insights that do more than fix the immediate problems—they also enhance the system's overall resilience and security for the future. By focusing on the root causes and broader implications of security vulnerabilities, we empower our clients to not just respond to bugs but to develop stronger, more resilient software design, development, and coding practices.
Read our assessment of Uniswap v3We believe in the power of collaboration and the synthesis of knowledge across various fields to deliver unparalleled services to our clients. Our diverse company lines are not isolated silos of expertise. Instead, they represent a spectrum of capabilities that we seamlessly blend to meet the unique needs of each project.