As a security company, CertiK believes that it should provide a full range of security solutions to projects to better cover the security needs of different stages of project development. At the same time, it should popularize security knowledge to all users, provide easy-to-use independent security tools, and provide security prevention measures for every member of Web 3.0.
Article author: Wu Tianyi
Source: DeThings
There is a line in the movie "Enemy of the State": "Who's gonna monitor the monitors of the monitors?" As the Web3.0 ecosystem matures, more and more funds are pouring into the crypto industry. At the same time, hackers can profit directly by exploiting on-chain vulnerabilities, while a project that has been attacked has few means of recourse. Sometimes all it can do is offer a bounty to persuade the attacker to return the stolen funds in exchange for not being pursued.
Therefore, a group of related security companies came into being. In addition to auditing code for security flaws, they sometimes act as "white hat hackers" who actively search for vulnerabilities. CertiK is the leader among them, with a valuation of nearly $2 billion. Whether or not a project can pass CertiK's audit has even become the community's criterion for judging an emerging project. However, back to the question at the beginning: who should supervise the supervisors? This question also laid the groundwork for the controversy that CertiK encountered later.
In June this year, CertiK discovered a serious security vulnerability in the US crypto exchange Kraken, which sparked a controversy. DeThings interviewed Professor Gu Ronghui, co-founder of CertiK, about the controversy surrounding CertiK and how security companies can conduct self-regulation.
DeThings: What is the response to the Kraken incident?
Professor Gu Ronghui: Regarding the dispute with Kraken, it was caused by the discovery of a serious security vulnerability on the Kraken platform by the CertiK research team during white hat security research. We quickly informed Kraken of the discovery so that the vulnerability could be fixed in a timely manner. However, there were some miscommunications, which led to a dispute. We have published a detailed announcement on our official website, where you can learn more details.
DeThings: What do you think of the term "white hat hacker"?
Professor Gu Ronghui: Although there is no unified definition of "white hat hacker", in general, we think that white hat actions refer to the act of accessing computers with good intentions to test, investigate and/or fix security holes or flaws. Such activities are carried out in a way that avoids causing losses to individuals or the public, and the information obtained from the activities is mainly used to improve the security of related devices, machines or online services, or to protect users who use these devices, machines or online services.
CertiK also has a strict white hat code of conduct. Since 2020, we have conducted more than 70 white hat operations without harming personal or public interests. Among them, we received the highest bug bounty so far for discovering critical vulnerabilities. At the same time, combined with our own audit work, CertiK has reported more than 4,000 security incidents for the Web3.0 community, discovered more than 115,000 code vulnerabilities in total, and protected more than $360 billion in digital assets from potential losses.
DeThings: How do you evaluate the current sector you are in? What will be the focus in the future security field?
Professor Gu Ronghui: The current blockchain security field is in a stage of rapid development, especially at the intersection of Web3.0 and Web2.0, where security risk management has become the focus of the industry. With the expansion of blockchain technology applications, security vulnerabilities and attack methods are also constantly escalating, affecting multiple sectors including DeFi, NFT, and cross-chain interoperability.
At present, the security pressure of Web3.0 comes not only from technical loopholes in the project, but also from some common network security risks, such as the protection of privacy data, vigilance against phishing attacks, and common telecommunications fraud.
To this day, private key security remains one of the main challenges facing the Web3.0 field. According to CertiK's 2023 statistics, financial losses caused by private key leaks accounted for nearly half of the total losses of all blockchain security incidents.
CertiK's upcoming Q3 2024 security report further reveals that private key leaks and phishing attacks are still the cause of the most significant financial losses this quarter. These data show that it is urgent to strengthen private key management and introduce technologies such as multi-signature and multi-party computation.
In addition, with the rapid development of Web3.0, a large number of Web3.0 applications rely on Web2.0 infrastructure, such as cloud storage and DNS services, and are vulnerable to Web2.0-specific attack methods (such as DNS hijacking and phishing). These hybrid attacks have increased the complexity of security management.
In summary, we believe that the focus of blockchain security in the future is the following two points:
1. In order to avoid dependence on Web2.0 infrastructure, Web3.0 must accelerate the construction and promotion of decentralized infrastructure, especially in identity authentication, data storage, and governance systems. This will effectively reduce the penetration of centralized attacks into decentralized platforms. CertiK will also strive to provide technical support for the secure integration of Web2.0 and Web3.0, and will also support and cultivate related high-potential projects through CertiK Ventures to provide new impetus for the security of the Web3.0 ecosystem.
2. Phishing attacks are becoming more and more sophisticated, especially AI-driven deepfakes, which make phishing tools more difficult to prevent. In the future, we need to increase investment in intelligent protection mechanisms and user security education to ensure that users can identify and avoid risks.
CertiK continues to be committed to helping Web3.0 members increase their prevention measures and raise their awareness. Therefore, it has launched security tools represented by Token Scan and Wallet Scan, which are open to the community for free; at the same time, through CertiK Quest, users can better understand the project and acquire security knowledge.
DeThings: As a "supervisor" to some extent, how do you ensure that you are supervised?
Professor Gu Ronghui: As the "supervisor" in the blockchain field, security companies should also improve our transparency in the face of members of the Web3.0 world to repay the trust of users. We hope to supervise Web3.0 security companies in a decentralized way: CertiK is the first in the industry to maintain transparency of audit results by fully disclosing audit reports.
This lets community users, security agencies, individual white hats and other groups inside and outside the industry view our audit reports and supervise our work. On the CertiK Skynet platform, anyone can view CertiK's audit reports and directly report any problems to CertiK.
In addition, CertiK strictly complies with the regulatory standards for Web3.0 around the world and accepts third-party verification and supervision. CertiK is currently the Web3.0 security audit company with the most regulatory audit data security certifications. We implement strict security measures to ensure the highest security standards for customer data and our systems.
This not only reflects our commitment to the mission of "customer interests first", but also demonstrates our determination to protect the security of user assets. We firmly believe that accepting supervision from the Web3.0 community and complying with national regulatory requirements are the key to ensuring the transparency and accountability of Web3.0 security companies.
DeThings: What is the significance of security in the context of governments promoting compliance?
Professor Gu Ronghui: As governments around the world promote blockchain compliance, security plays a key role at multiple levels:
1. Enhance trust: Compliance often requires transparency and accountability, and security mechanisms can ensure that the platform complies with regulations and enhance the trust of users and institutions in the blockchain system. Government compliance requirements usually include anti-money laundering and KYC, and secure transaction tracing and information collection are particularly important.
2. Reduce systemic risks: In the context of compliance, security mechanisms can reduce systemic financial risks and asset losses caused by hacker attacks. Security protocols, smart contract audits, and phishing protection are key to ensuring the stability and sustainability of blockchain networks.
3. Promote compliance innovation: Security is the basis of compliance. By enhancing security performance, it is possible to promote compliance innovation in decentralized technologies, such as using technologies such as zero-knowledge proof to achieve a balance between data privacy and regulatory requirements.
As global regulatory requirements become increasingly stringent, CertiK also attaches great importance to compliance and therefore cooperates with regulators in many countries. I am a member of the International Technical Advisory Committee of the Monetary Authority of Singapore and a member of the Hong Kong Web3.0 Development Task Force.
DeThings: What are the pain points in the field right now and how can they be solved?
Professor Gu Ronghui: With the advancement of the technology stack and the rise of zero-knowledge proof (ZK) technology, the technical complexity faced by Web3.0 security has increased significantly. The cooperation between CertiK and zkWasm has successfully completed the comprehensive formal verification of zkWasm. This is the first time in the industry and the only attempt so far. We believe this fully validated approach will become standard practice in the industry in the future. Currently, relevant technologies are being written into papers. It is expected that after the papers are published, these technologies will have a more profound impact on the industry. Faced with the challenges brought by the technology stack moving forward, traditional individuals or small audit teams may have difficulty providing adequate support. CertiK will continue to promote formal verification and plans to provide secure formal verification services for consensus protocols in the future to adapt to this change.
The necessity of security audits has become a consensus in the industry, but the industry has not yet reached a clear answer to the extent of investment in security. For example, a project may only submit part of the code for audit, but once risks occur, these risks may not be within the scope of our audit. Code security is only a static point, and we need to conduct in-depth security checks at all stages of the project, especially before deployment. In addition, private key management and node service security are also crucial, and these are key links that need to be carefully checked in different cycles of the project.
Therefore, for the iteration and update of internal systems, it is difficult for a single auditor to standardize the audit process. CertiK uses large language models (LLM) and code classification technology to adopt different audit methods according to different code classifications. Each method corresponds to specific tools, such as testing, formal verification, phased auditing, etc., to ensure that each step can produce auditable results and be clearly presented in the report. Our goal is to go beyond just finding problems and provide a complete process of audit reporting to help customers understand every aspect of the audit.
Currently, blockchain security services are mainly focused on the business-facing (B2B) market, but the security needs on the consumer-facing (B2C) side are equally strong. For example, users need to know whether they have tokens with security risks in their wallets, whether they have interacted with risky addresses, and whether they are at risk of hidden attacks. CertiK is committed to serving consumer users. Although this area is more challenging, we are preparing to serve a large number of users and help consumer users ensure the security of their assets.
DeThings: Compared with Web2.0, how is the security field of Web3.0 developing?
Professor Gu Ronghui: Compared with Web2.0, the security field of Web3.0 is more complex.
On the one hand, many Web3.0 applications still rely on Web2.0 infrastructure, which makes them vulnerable to the centralized flaws of Web2.0; at the same time, the integration of Web2.0 and Web3.0 provides criminals with the opportunity to combine traditional phishing attacks with new technologies, thereby breeding more sophisticated forms of fraud.
On the other hand, Web3.0 technology is still under development, and contracts are prone to vulnerabilities, which can lead to hacker attacks. Compared with Web2.0, Web3.0 is open and transparent, but this also means that smart contracts run on the blockchain, and once the code is deployed, it is difficult to change. Once hackers exploit vulnerabilities to attack, it will cause greater losses than in the Web2.0 network.
Therefore, the security of the Web3.0 world is particularly important. For the safety of projects and users, project owners should assume the responsibility of community building and protect the interests of the team and project supporters. As a security company, CertiK believes that we should provide projects with comprehensive security solutions to better cover the security needs of different stages of project development. At the same time, we should popularize security knowledge to all users, provide easy-to-use autonomous security tools, and provide security precautions for every member of Web3.0.