Trail of Bits: How Crypto’s Top Code Auditor Fights Exploits
Trail of Bits audits the smart contracts that move billions and gives away the tools rival auditors use. Here is what the firm does, and why an audit alone never makes crypto safe.
Every few weeks, a crypto protocol loses a fortune to a bug that almost nobody noticed until it was too late. The money is real, the code is public, and the teams that write that code increasingly call the same short list of security firms before they ship. One name keeps appearing on the audit reports, on the open-source tools, and in the research the rest of the industry quotes: Trail of Bits.
Trail of Bits is not a household name like an exchange or a token, but inside crypto engineering it carries unusual weight. The New York firm audits smart contracts, builds the free tools that rival auditors run every day, and publishes research that has shifted how builders talk about risk. With more than three billion dollars stolen from the ecosystem last year, understanding what a firm like this does, and what it cannot do, matters for anyone who holds or builds on chain.
From the DAO hack to a $3.4 billion problem
Security auditing in crypto grew up alongside the disasters. The 2016 hack of The DAO, which drained around $60 million worth of Ether through a reentrancy bug, was the moment serious security researchers realized smart contracts were a new and unforgiving attack surface. Code that controlled money could not be patched as casually as a website.
The stakes have only climbed. Blockchain analytics firm Chainalysis reported that thieves stole more than $3.4 billion in 2025, up from roughly $2.2 billion the year before. One event accounted for nearly 44 percent of that total: the February 2025 theft of about $1.5 billion from the exchange Bybit, the largest crypto heist on record, which investigators tied to North Korea’s Lazarus Group.
Buried in those figures is a quieter story. Losses from pure DeFi smart contract hacks stayed low even as total value locked recovered, which Chainalysis read as a sign that security standards across the sector are improving. Audits, better tooling, and bug bounties are part of why. The damage has shifted toward stolen keys, social engineering, and compromised front ends, a change that reshapes what an auditor is even being asked to protect.
Who Trail of Bits actually is
Trail of Bits was founded in 2012 in New York by three well known security researchers: Dan Guido, who serves as chief executive; Dino Dai Zovi, the chief technology officer; and Alexander Sotirov, the chief scientist (Trail of Bits). Their background is hard security, not crypto marketing: browser exploits, binary analysis, and multi-year research contracts with the U.S. Defense Advanced Research Projects Agency, alongside work for clients across finance and defense.
The DAO hack pulled the firm into blockchain, and that side of the business grew quickly. It has publicly discussed reviewing code for projects such as MakerDAO, Golem, and Livepeer, along with many clients it cannot name. Today the firm says it examines every layer of a blockchain system, from individual smart contracts up to nodes and bridges, and Guido has served on the U.S. Commodity Futures Trading Commission’s Technology Advisory Committee, a sign of how closely security expertise and policy now sit.
The open-source toolkit that became a standard
What separates Trail of Bits from a typical consultancy is that it gives away its best tools. Under the Crytic brand, the firm maintains a suite of free, open-source software that smart contract engineers, and competing audit shops, run as part of daily work (Trail of Bits Open Source).
| Tool | Type | What it does |
|---|---|---|
| Slither | Static analysis | Scans Solidity and Vyper for known vulnerability patterns in seconds |
| Echidna | Property-based fuzzer | Throws random transactions at a contract to break stated rules |
| Medusa | Parallel fuzzer | A Go-based fuzzer inspired by Echidna for faster campaigns |
| Manticore | Symbolic execution | Explores many execution paths to prove or disprove conditions |
| Building Secure Contracts | Guidance | Free training and secure coding patterns for auditors and developers |
Slither in particular has become close to a default first pass for Ethereum developers, and the firm calls it the industry’s most widely used static analysis framework for smart contracts. Giving the tools away is partly strategy: the more teams that catch shallow bugs themselves, the more an expensive human review can focus on the deep, design-level flaws that machines still miss.
Fuzzing, invariants, and what a real audit looks like
A serious audit is not someone reading code and ticking boxes. The modern approach Trail of Bits champions is invariant testing: the team works with developers to write down the properties that must always hold (for example, that the sum of user balances can never exceed the total supply), then unleashes fuzzers like Echidna and Medusa to bombard the contract with random transactions trying to violate them.
The firm has argued publicly for this style over heavier formal methods in most cases. In a 2024 post titled Why fuzzing over formal verification?, its engineers showed where automated fuzzing finds real violations faster, and at lower cost, than mathematical proofs. The firm has since pushed invariant development as a standalone service and folded fuzzing into continuous integration, so every code change is re-tested rather than checked once and forgotten.
Are blockchains decentralized? The DARPA wake-up call
Trail of Bits’ most cited contribution may not be an audit at all. In 2022, DARPA commissioned the firm to test a basic assumption: are blockchains really as decentralized as their advocates claim? The resulting report, Are Blockchains Decentralized?, argued that the answer is often no, with the full study published as Unintended Centralities in Distributed Ledgers.
The researchers documented several unintended centralities. A small number of mining or validation entities can dominate a network. A large share of Bitcoin traffic at the time flowed through a handful of internet service providers, creating a routing choke point. Outdated, unpatched nodes added fragility. And because core developers can ship software changes that alter how a chain behaves, they form a concentrated point of trust. The lasting lesson was that decentralization is a spectrum to be measured, not a slogan to be assumed, a framing that now informs how careful auditors weigh systemic risk.
When the code is clean but the humans are not
The Bybit theft showed why even a flawless contract is not enough. According to a technical breakdown by NCC Group, the attackers did not exploit a Solidity bug at all. They compromised a developer machine connected to Safe{Wallet}, the multi-signature interface Bybit used, and injected malicious JavaScript that made a fund-draining transaction look routine to the human signers approving it (BleepingComputer).
This is the new frontier, and Trail of Bits has been blunt about it. In a 2025 post on maturing your smart contracts beyond private key risk, the firm urged teams to treat key management, signing workflows, and operational security as part of the threat model rather than an afterthought. An auditor can certify the math of a contract and still watch funds leave through a poisoned front end or a stolen key. The scope of the review has to match where the money can actually go.
What an audit can and cannot promise
The limits matter, because an audited label is too often mistaken for a safety guarantee. An audit is a point-in-time review of a defined scope. Change the code after the report, widen the scope, or move the risk to people and process, and the assurance erodes. The table below sketches where a standard smart contract audit is strong and where it is not.
| Risk | Typical audit coverage |
|---|---|
| Reentrancy and arithmetic bugs | Strong; static analysis and fuzzing catch most |
| Access control mistakes | Strong, within the reviewed scope |
| Economic and game-theory design flaws | Partial; depends on scope and modeling |
| Governance and admin-key abuse | Limited; often outside a pure code review |
| Private-key theft and signing fraud | Out of scope unless operations are reviewed |
| Code changed after the report | Not covered by the original audit |
Plenty of protocols that were audited, sometimes by top firms, were later exploited. That is not proof the audits were worthless; it is a reminder that a review lowers risk rather than removing it, and that the date, scope, and follow-up matter as much as the logo on the cover.
The SEC starts asking who audited the code
Regulators are beginning to treat audits as closer to an expectation than a nicety. On April 10, 2025, the staff of the SEC’s Division of Corporation Finance issued a statement on how existing disclosure rules apply to crypto asset securities, which Commissioner Hester Peirce welcomed at SEC.gov. Among the details it flagged: issuers should disclose whether the asset’s smart contracts or underlying code have been subject to a third-party security audit, and they may file the code itself as an exhibit defining holders’ rights.
That guidance is non-binding staff commentary, issued in a year when the SEC leaned toward building frameworks rather than bringing cases, including the launch of a dedicated Crypto Task Force. The direction still matters. If a U.S. issuer has to state in a filing whether its code was independently reviewed, the presence, quality, and scope of an audit stop being a private engineering choice and start being a disclosed, investor-facing fact.
What it means for builders and investors
For builders, the practical takeaways are direct. Run the free tools before paying for human review, so the audit budget buys deep analysis instead of shallow bug-finding. Ask for fuzzing and invariant work, not just a checklist. Treat keys, signers, and front ends as part of the attack surface. And remember that any report covers a specific commit on a specific day.
For investors weighing an audited badge, a few questions cut through the marketing:
- Who performed the audit, and when, relative to the code that is live today?
- Was the whole system in scope, or only a couple of contracts?
- Did the work include fuzzing, invariants, and operational security, or only a manual read?
- Were the findings fixed and re-checked, and is the report public?
Trail of Bits’ larger bet is that security is continuous, not a certificate. Free tooling, invariant-driven testing baked into the development pipeline, and research that treats decentralization as something you measure all point the same way. In an ecosystem that lost billions again last year, the firms hunting bugs before the attackers do are not a luxury. They are part of the cost of building something that holds other people’s money.
By the HOGE Wire editorial desk, reporting on crypto security and exploits.