NEWS
Latest in DeFi & Web3 security
Curated from public RSS feeds of security publications. Entries marked silvexcode note contain editorial commentary.
Updated: · entries: 30
April was undoubtedly a rocky month in security. $635M was lost across 28 crypto incidents. The Axios npm package was compromised on day one, exposing an estimated 600,000 installs in three hours. Vercel was breached…
JPMorgan recently made headlines by citing persistent security flaws as a barrier to institutional DeFi participation, and the numbers behind that are hard to ignore: Bybit ($1.5 billion), KelpDAO ($292 million), Drift…
Go’s native fuzzing is useful, but it stands far behind state-of-the-art tooling that the Rust, C, and C++ ecosystems offer with LibAFL and AFL++. Path constraints are hard to solve. Structured inputs usually need…
Modern onchain systems don't behave like the ones traditional security models were built for. Code ships continuously, architectures evolve, and a clean security report from six months ago says little about a system…
Summary
Summary. Type: Blockchain Infrastructure; Timeline: from 2026-03-16 to 2026-04-02; Languages: Solidity. Findings: total issues 18 (16 resolved, 1 partially resolved); Critical: 0 (0 resolved) · High: 0 (0 resolved) ·…
The OpenZeppelin Relayer now supports Zama FHEVM, bringing transaction infrastructure to confidential smart contract applications.
We recently added a C/C++ security checklist to the Testing Handbook and challenged readers to spot the bugs in two code samples: a deceptively simple Linux ping program and a Windows driver registry handler. If you…
Financial institutions are no longer asking whether to deploy onchain. They are asking which network, with what guarantees, and what happens when something goes wrong - and their regulators are demanding answers.
In partnership with the Sui Foundation, OpenZeppelin has been equipping developers with tools to build production-ready applications on Sui, including libraries for DeFi Math and Access Management in OpenZeppelin Move…
Introduction Move’s type system prevents entire classes of bugs that plague Solidity. Objects can’t be copied or silently dropped, ownership is enforced by both the type system and the runtime, and there's no dynamic…
LibAFL is all the rage in the fuzzing community these days, especially with LLVM’s libFuzzer being placed in maintenance mode. Written in Rust, LibAFL claims improved performance, modularity, state-of-the-art fuzzing…
Summary. Type: Library; Timeline: from 2026-03-02 to 2026-03-19; Languages: Rust. Findings: total issues 21 (18 resolved); Critical: 0 (0 resolved) · High: 1 (1 resolved) · Medium: 6 (5 resolved) · Low: 9 (7 resolved)…
OpenZeppelin worked with Miden, a privacy blockchain, to build Guardian: a coordination layer for private accounts that supports synchronization, backup, recovery, and multi-party signing without custody and without…
We’re open-sourcing Trailmark, a library that parses source code into a queryable call graph of functions, classes, call relationships, and semantic metadata, then exposes that graph through a Python API that Claude…
Two weeks ago, Google’s Quantum AI group published a zero-knowledge proof of a quantum circuit so optimized, they concluded that first-generation quantum computers will break elliptic curve cryptography keys in as…
We added a new chapter to our Testing Handbook: a comprehensive security checklist for C and C++ code. We’ve identified a broad range of common bug classes, known footguns, and API gotchas across C and C++ codebases…
Public blockchains solved settlement. They didn't solve privacy. Institutions need to protect positions, counterparty relationships, and transaction amounts without abandoning transparency entirely - and every…
WhatsApp’s new “Private Inference” feature represents one of the most ambitious attempts to combine end-to-end encryption with AI-powered capabilities, such as message summarization. To make this possible, Meta built a…
Mixed Boolean-Arithmetic (MBA) obfuscation disguises simple operations like x + y behind tangles of arithmetic and bitwise operators. Malware authors and software protectors rely on it because no standard simplification…
Code coverage is one of the most dangerous quality metrics in software testing. Many developers fail to realize that code coverage lies by omission: it measures execution, not verification. Test suites with high…
This post is adapted from a talk I gave at [un]prompted, the AI security practitioner conference. Thanks to Gadi Evron for inviting me to speak. You can watch the recorded presentation below or download the slides…
We’re releasing a new Claude plugin for developing and auditing code that implements dimensional analysis, a technique we explored in our most recent blog post. Most LLM-based security skills ask the model to find…
Using dimensional analysis, you can categorically rule out a whole category of logic and arithmetic bugs that plague DeFi formulas. No code changes required, just better reasoning! One of the first lessons in physics is…
Account abstraction transforms fixed “private key can do anything” models into programmable systems that enable batching, recovery and spending limits, and flexible gas payment. But that programmability introduces…
If you’ve ever done Linux memory forensics, you know the frustration: without debug symbols that match the exact kernel version, you’re stuck. These symbols aren’t typically installed on production systems and must be…
Privacy is no longer a cypherpunk slogan - it’s turning into core blockchain infrastructure. Public blockchains proved they can move money quickly, but they also expose balances, relationships, and behavior permanently…
Before launching their Comet browser, Perplexity hired us to test the security of their AI-powered browsing features. Using adversarial testing guided by our TRAIL threat model, we demonstrated how four prompt injection…
Two popular AES libraries, aes-js and pyaes, “helpfully” provide a default IV in their AES-CTR API, leading to a large number of key/IV reuse bugs. These bugs potentially affect thousands of downstream projects. When we…
Last year, our engineers submitted over 375 pull requests that were merged into non–Trail of Bits repositories, touching more than 90 projects from cryptography libraries to the Rust compiler. This work reflects one of…