There is a line in the movie "National Treasure" that says: "who's gonna monitor the monitors of the monitors?" As the Web3.0 ecosystem continues to improve, more and more funds are pouring into the crypto industry. At the same time, hackers can directly profit by attacking on-chain vulnerabilities. In comparison, once a project is attacked, the project team has very limited means to respond, and sometimes can only offer bounties to attract hackers to return the illegal gains without further investigation.
Therefore, a group of specialized security companies has emerged. In addition to auditing code security, they sometimes act as "white hat hackers" who actively search for security vulnerabilities. CertiK is one of the leaders, with a valuation of nearly $2 billion. Whether a project can pass a CertiK audit has even become a criterion the community uses to judge a newly emerging project. However, going back to the opening question: who should supervise the supervisors? This question also sowed the seeds of the controversy CertiK would later encounter.
In June this year, CertiK discovered a serious security vulnerability in the US crypto exchange Kraken, which sparked a controversy. Regarding the controversy surrounding CertiK and the issue of how security companies can self-regulate, DeThings interviewed Professor Gu Ronghui, the co-founder of CertiK.
DeThings: What is your response to the Kraken incident?
Professor Gu Ronghui: Regarding the controversy with Kraken, the cause was that CertiK's research team discovered a serious-level security vulnerability on the Kraken platform while conducting white hat security research. We promptly notified Kraken of this finding so that the vulnerability could be fixed in a timely manner. However, there were some communication issues during the process, which led to a controversy. We have published a detailed announcement on our official website, which can provide more details.
DeThings: How do you view the term "white hat hacker"?
Professor Gu Ronghui: Although there is no unified definition of "white hat hacker", in general, we believe that white hat actions refer to accessing computers for the purpose of testing, investigating and/or fixing security vulnerabilities or defects out of goodwill. Such activities are carried out in a way that avoids causing harm to individuals or the public, and the information obtained from the activities is mainly used to enhance the security of the relevant devices, machines or online services, or to protect the users of these devices, machines or online services.
CertiK also has a set of strict white hat protocols internally. Since 2020, we have conducted more than 70 white hat actions while ensuring that we do not harm individual or public interests, and have received the highest bug bounty on Sui so far due to the discovery of critical vulnerabilities. Combining our own audit work, CertiK has reported more than 4,000 security incidents to the Web3.0 community, and has discovered more than 115,000 code vulnerabilities, protecting over $360 billion in digital assets from potential loss.
DeThings: How do you evaluate the current track, and what will be the focus of the security field in the future?
Professor Gu Ronghui: The current blockchain security field is in a stage of rapid development, with security risk management at the intersection of Web3.0 and Web2.0 becoming the industry focus. As the application of blockchain technology expands, security vulnerabilities and attack methods are also constantly evolving, affecting multiple tracks including DeFi, non-fungible tokens (NFTs) and cross-chain interoperability.
Currently, the security pressure of Web3.0 comes not only from project technology vulnerabilities, but also from some common network security risks, such as the protection of privacy data, vigilance against phishing attacks, and ordinary telecommunications fraud.
To this day, private key security remains one of the major challenges facing the Web3.0 field. According to CertiK's 2023 statistics, losses caused by private key leaks account for nearly half of the total losses from all blockchain security incidents.
CertiK's upcoming Q3 2024 security report further reveals that private key leaks and phishing attacks are still the main causes of the most significant financial losses this quarter. These data indicate that strengthening private key management and introducing technologies such as multi-signature and multi-party computation are imperative.
Furthermore, as Web3.0 develops rapidly, a large number of Web3.0 applications rely on Web2.0 infrastructure, such as cloud storage and DNS services, making them vulnerable to attack methods specific to Web2.0 (such as DNS hijacking and phishing). These hybrid attacks have exacerbated the complexity of security management.
In summary, we believe that the focus of the future blockchain security field will be on the following two points:
1. To avoid reliance on Web2.0 infrastructure, Web3.0 must accelerate the construction and promotion of decentralized infrastructure, especially in the areas of identity authentication, data storage and governance systems. This will effectively reduce the penetration of centralized attacks into decentralized platforms. CertiK will also strive to provide technical support for the security integration of Web2.0 and Web3.0, and will support and cultivate relevant high-potential projects through CertiK Ventures to provide new impetus for the security of the Web3.0 ecosystem.
2. Phishing attacks are becoming increasingly sophisticated, with AI-driven deep fakes making phishing tools even more difficult to defend against. In the future, more investment will be needed in smart protection mechanisms and user security education to ensure that users can identify and avoid risks.
CertiK is committed to helping Web3.0 members increase their defense measures and raise their awareness of prevention, and has launched security tools such as Token Scan and Wallet Scan, which are freely open to the community. At the same time, through CertiK Quest, users can better understand projects and acquire security knowledge.
DeThings: As a kind of "supervisor", how do you ensure that you are supervised?
Professor Gu Ronghui: As security companies that serve as "supervisors" in the blockchain field, we should also increase our transparency to repay the trust of users in the Web3.0 world. We hope to use a decentralized approach to have Web3.0 security companies supervised: CertiK has taken the lead in the industry to maintain the transparency of audit results by fully disclosing audit reports.
We allow community users, security agencies, individual white hats and other groups both inside and outside the industry to access our audit reports and supervise our work. On the CertiK Skynet platform, anyone can access CertiK's audit reports and provide feedback to CertiK directly if any issues are found.
In addition, CertiK strictly complies with regulatory standards for Web3.0 around the world and accepts third-party verification and supervision. CertiK is currently the Web3.0 security audit company with the most regulatory data security certifications, and we implement strict security measures to ensure the highest security standards for customer data and our own systems.
This not only reflects our commitment to the mission of "customer interests first", but also demonstrates our determination to protect user asset security. We firmly believe that accepting the supervision of the Web3.0 community and complying with national regulatory requirements are the keys to ensuring the transparency and accountability of Web3.0 security companies.
DeThings: In the context of governments promoting compliance, what is the significance of security?
Professor Gu Ronghui: In the context of governments around the world promoting blockchain compliance, security plays a critical role on multiple levels:
1. Enhancing trust: Compliance often requires transparency and accountability, and security mechanisms can ensure that platforms meet regulatory requirements, thereby enhancing user and institutional trust in blockchain systems. Government compliance requirements often include anti-money laundering and KYC, and secure transaction traceability and information collection become particularly important.
2. Reducing systemic risk: In the context of compliance, security mechanisms can reduce systemic financial risks and asset losses caused by hacker attacks. Security protocols, smart contract audits, and phishing protection measures are key to ensuring the stability and sustainability of blockchain networks.
3. Driving compliant innovation: Security is the foundation of compliance, and by enhancing security capabilities, compliant innovation of decentralized technologies can be promoted, such as using zero-knowledge proof technology to balance data privacy and regulatory requirements.
As global regulatory requirements become increasingly stringent, CertiK also attaches great importance to compliance, and therefore cooperates with the regulatory authorities of many countries. I personally serve as an international technology advisory committee member of the Monetary Authority of Singapore and a member of the Hong Kong Web3.0 Development Task Force.
DeThings: What are the pain points in the current field and how to solve them?
Professor Gu Ronghui: With the advancement of the technology stack and the rise of zero-knowledge proof (ZK) technology, the technical complexity of Web3.0 security has increased significantly. CertiK's collaboration with zkWasm has successfully completed a comprehensive formal verification of zkWasm, which is the first of its kind in the entire industry and the only attempt so far. We believe that this comprehensive verification approach will become the standard practice in the future industry. Currently, the relevant technologies are being written into papers, and it is expected that after the publication of the papers, these technologies will have a more far-reaching impact on the industry. Faced with the challenges brought by the advancement of the technology stack, traditional individual or small audit teams may find it difficult to provide sufficient support. CertiK will continue to promote formal verification and plans to provide formal verification services for consensus protocols in the future to adapt to this change.
The necessity of security audits has become a consensus in the industry, but there is no clear answer yet on how much investment in security should be made. For example, a project may only submit part of the code for audit, but once a risk materializes, it may not fall within the scope of our audit. Code security is just a static point, and we need to conduct in-depth security checks at various stages of the project, especially before deployment. In addition, the security of private key management and node services is also crucial, and these are key links that need to be carefully checked throughout the project cycle.
Therefore, for the iteration and update of internal systems, it is difficult for a single auditor to achieve standardization of the audit process. CertiK uses large language models (LLMs) and code classification technologies to adopt different audit methods according to different code classifications. Each method corresponds to specific tools, such as testing, formal verification, and phased audits, to ensure that each step can produce auditable results and be clearly presented in the report. Our goal is not just to find problems, but to provide a complete audit process that helps customers understand each step of the audit.
Currently, blockchain security services are mainly focused on the B-end market, but the security needs of the C-end are equally strong. For example, users need to know whether there are any security risks in the tokens in their wallets, whether they have interacted with risky addresses, and whether there are any hidden attack risks. CertiK is committed to serving C-end users; although this area is more challenging, we are preparing to provide services to a large number of users to help C-end users ensure asset security.
DeThings: Compared to Web2.0, how is the development of the security field in Web3.0?
Professor Gu Ronghui: Compared to Web2.0, the security field in Web3.0 is more complex.
On the one hand, many Web3.0 applications still rely on the infrastructure of Web2.0, which makes them vulnerable to the centralized defects of Web2.0; at the same time, the integration of Web2.0 and Web3.0 provides opportunities for criminals to combine traditional phishing attacks with new technologies, thereby giving rise to more complex forms of fraud.
On the other hand, Web3.0 technology is still under development, and contracts are prone to vulnerabilities, making them vulnerable to hacker attacks. Compared to Web2.0, the feature of Web3.0 is openness and transparency, but this also means that smart contracts run on the blockchain, and once deployed, their code is difficult to change. Once hackers exploit vulnerabilities to launch attacks, the resulting losses can be much greater than in the Web2.0 network.
Therefore, security in the Web3.0 world is particularly important. To ensure the safety of projects and users, project parties should take on the responsibility of community building and protect the interests of the team and project supporters. As a security company, CertiK believes that we should provide comprehensive security solutions for projects, better covering the security needs of different stages of project development. At the same time, we should popularize security knowledge to all users, provide easy-to-use self-security tools, and provide security protection measures for every member of the Web3.0 community.
Original link: https://m.dethings.com/app/h5/#/pages/common/topicDetail/topicDetail?id=10704