Are crypto audits uneven? A walk through 8 security companies you need to know
Recently, the security auditing company CertiK was exposed for insider black-hat behavior: it stole 3 million US dollars from the Kraken exchange, which shocked the entire crypto industry. Auditors failing to report code vulnerabilities, and insiders stealing for themselves, have once again made the credibility of auditing companies the focus of the market.

According to DeFiLlama, major hacking incidents since 2016 have totaled more than 8.29 billion US dollars (the statistics do not include individual incidents), and only a very small proportion is recovered afterwards. This shows that projects carrying contract risk lose the market's trust, which further affects their total value locked (TVL), trading volume and fundamentals.
This article introduces a methodology for quickly assessing audit companies and gives an overview of 8 important security companies in the crypto industry.
How to evaluate the security audit quality of a DeFi project?
According to OKX Web3 Wallet Security Special Issue No. 05, the following 5 inspection criteria can help project teams find an ideal audit company. Users can also apply the same method to check whether a project has chosen a reliable auditor.
What is the professional background of the core personnel?
Has the firm audited well-known projects?
Is there any record of projects it audited being attacked afterwards?
Does the audit firm have a dark history?
Read the firm's audit reports to judge the quality of its security work
The first four points can be checked much faster than the fifth. The fifth relies on long-term experience reading audit reports, and its time cost is high. However, judging only the background of the core personnel, the audited projects and any dark history is usually enough: gathering those insights helps identify the strengths and weaknesses of each audit company in a short time.
Overview of 8 Must-Know Security Audit Firms
Trail of Bits

Founded in 2012, Trail of Bits is a Tier 1 information security team whose audit scope spans artificial intelligence, machine learning, cryptography, blockchain and privacy technology. The team emphasizes that what it does is not a "security audit" but a "security assessment", believing that starting from an assessment perspective presents the value of a project more comprehensively from an engineering standpoint. In addition to security assessment services, Trail of Bits' products also include the mobile anti-virus software iVerify.
Well-known assessment projects:
Apple Private Cloud Compute (PCC) technology
Public chain/ecosystem: Solana, Cosmos SDK, Starknet, Polkadot
EVM Rollups: Starknet, Arbitrum, Optimism
DeFi: Elixir Protocol, Uniswap V3, AAVE, yearn, Balancer
Oracle: Chainlink
ChainSecurity

ChainSecurity is a Swiss company founded in 2017 that has audited a large number of top DeFi projects. Its co-founders all graduated from the Department of Electrical Engineering or Finance at ETH Zürich. Since its establishment it maintained a cooperative relationship with the accounting firm PwC Switzerland, including jointly produced external audit reports for the Tezos Foundation and others, until PwC funded the acquisition of ChainSecurity in 2020.
After Curve was hacked in July 2023, ChainSecurity immediately gave Curve revision suggestions and, in December 2023, released a complete security audit report for Curve and for the Vyper programming language (the source of the vulnerability in that incident).
Well-known audit projects include:
Ethereum Foundation EIP-4788
Cross-chain bridge: WBTC, Layer Zero, Polygon official bridge, Polkadot
DeFi: 1inch, Uniswap, AAVE, MAKER, Curve 3pool, yearn
Recently it released security audit reports on the Tron ecosystem's RWA project stUSDT and on SparkLend's oracle function.

SlowMist

SlowMist is a top blockchain security company in the industry. Since its establishment in 2018 it has led the investigation of a large number of exchange and project hacks. In August 2021, Poly Network was hacked for US$610 million in less than a day; although the project gave its own official explanation, some reports attributed the outcome to SlowMist having quickly obtained the hacker's email and IP location after the incident.

The founder Yu Xian (real name Zhong Chenming) is very active in sharing information security knowledge on social platforms. Before founding SlowMist, he served as vice president of technology at the information security company Knownsec (Zhichuangyu), head of its 404 security laboratory, and founder of the well-known cyberspace search engine ZoomEye (Zhong Kui Eye), and has led a large number of bug-hunting and incident-response efforts. He is also the editor of the "Blockchain Dark Forest Selfguard Handbook", which teaches safe on-chain interaction from scratch.
In addition to security audit and fund tracing services, SlowMist also provides MistTrack, an efficient and easy-to-use fund-flow tracking tool that lets users quickly analyze addresses.
CertiK

CertiK was founded in 2018. The co-founders are all Chinese professors in the computer science departments of Columbia and Yale University, and the team members and investor lineup all have Chinese backgrounds. Its latest valuation was reported to be as high as 2 billion US dollars, with funding from Tiger Global, SoftBank Vision Fund, Goldman Sachs, Sequoia China and others. It is worth noting that CertiK once issued the token $CTK, but the follow-up token economics, roadmap and other plans were never implemented, so people who invested in the token were deceived, and the institutions that invested in equity were also embarrassed by CertiK's token issuance.

In addition to audit services, CertiK also built data and information websites where users can study a project's security score, team member backgrounds, exchange security factors, asset reserves and other metrics. These tools were very effective in increasing CertiK's visibility among DeFi users. Later, however, the community began to criticize CertiK as "an expensive rubber-stamp company wrapped in a halo."
In June 2024, CertiK discovered a code vulnerability in the Kraken exchange, exploited it and only then reported it. After the hack, 3 million yuan of the proceeds were transferred to Tornado Cash. Although the funds were later returned and a statement was issued, not 100% of the funds came back, and CertiK could not explain why funds had been sent to a coin mixer, so the market's confidence in it dropped significantly.
Well-known audit projects:
Web2: Apple iOS 17, LINE Blockchain
Layer 1: SUI, TON, BNB Chain, Cronos
Projects hacked after audit:
MERLIN DEX in the zkSync Era ecosystem was hacked for US$1.8 million
Swaprum absconded with $3 million just weeks after receiving CertiK's audit report
The hacking group Lazarus compromised more CertiK-audited protocols than protocols audited by any other firm
BlockSec

BlockSec is a mainland China team established in 2021. The core members of the engineering team, such as co-founder Zhou Yajin and chief technology officer Lei Wu, all have highly similar backgrounds: doctoral studies at the University of North Carolina, research at 360 Security Guard, and faculty positions at Zhejiang University.
According to LinkedIn, most of its current information security employees graduated from Zhejiang University or studied in the school's doctoral program.
Co-founder Zhou Yajin holds a PhD in computer science from the University of North Carolina. After graduation he joined the anti-virus vendor 360 Security Guard as a senior security researcher and then founded BlockSec. He is currently also a professor and doctoral supervisor at Zhejiang University.
In addition to audit services, its products include the address-labeling browser plug-in MetaSuites (formerly MetaDock), the fund-flow tracking visualization tool MetaSleuth, the white-hat hacker team Phalcon and other tools. These plug-ins can be used to identify phishing, scam and so-called diamond transactions on Etherscan, show tags such as large holders of specific tokens, visualize fund flows, and track hacking incidents against project teams. The functions are very comprehensive and the barrier to use is low, so they are favored by many users and project developers. For example, Symbiotic recently tweeted that someone tried to use Milady for restaking, using the Phalcon explorer.
Recently, Manta announced a partnership with Phalcon to incorporate Phalcon's Attack Detection Engine into Manta's own sequencer to improve rollup resilience.

Well-known audit projects:
DeFi: PancakeSwap, LiNEAR Protocol
LRT: Mellow Protocol, Puffer Finance, Magpie
Restaking: Octopus Restaking (NEAR ecosystem restaking project)
Cross-chain: PolyNetwork, Multichain, XY Finance, Radiant V2
EOS Network Foundation
It is worth noting that BlockSec's audit report on Multichain in April 2022 had already recommended that Multichain not over-centralize the authority to control funds. The project team did not act on this suggestion, and Multichain finally collapsed in July 2023 when the founder's personal private key was leaked, causing all funds to be stolen.

Quantstamp

Quantstamp is headquartered in Los Angeles, USA. Its core personnel come from all over the world and are diverse; they accumulated rich information security experience before the company was established and have backgrounds at the Smart Contract Alliance and Tower Research Capital.
CEO Richard Ma graduated from Cornell's Computer Engineering Department and went through Y Combinator in 2018. He has participated in many projects such as Ondo Finance, Astar and Spectral.
Managing Director Don Ho is also the co-founder of OrangeDAO, a DAO composed of blockchain entrepreneurs that has its own venture capital fund and startup incubator. He has previously participated in investments in projects such as Hinkal Protocol, 0G, Analog, Mezo and Toku.
Martinet Lee, Head of Developer Relations, is also the founder of ETH Taipei.

In addition to security audits, Quantstamp has also made some primary-market seed round investments, including 0G, Analog and Hinkal Protocol.
It is worth noting that the core team of the zk rollup Zircuit, whose TVL is as high as 2.3 billion US dollars and which ranks 15th among DeFi projects, came from Quantstamp. Its co-founders Martin Derka and Jan Gorzny were formerly Quantstamp's Head of New Initiatives and Head of L2 Scaling respectively.

Zircuit is currently ranked first in DeFiLlama's Farm category, followed by Swell, AltLayer, Pencils and other protocols.
https://defillama.com/protocols/farm
Well-known audit projects:
L1/L2: ETH 2.0, Solana, TON, Avalanche, BNB Chain
Gaming & NFT: OpenSea, Parallel, Sandbox
DeFi: Maker, Curve, Lido, Ethena, Pendle, Puffer Finance
Infrastructure: ssv.network, Luganodes, Galxe
Web 2: VISA, Revolut, Sequoia, BitGo

PeckShield
The PeckShield team is mainly from mainland China. Its founder, Jiang Xuxian, was formerly chief scientist of 360 Security Guard and a professor at the University of North Carolina; reports indicate that Jiang Xuxian was Zhou Yajin's supervisor there. From the audit clients listed on the official website, most of PeckShield's customers have Asian backgrounds.
Well-known audit projects:
L1/L2: Avalanche, BNB Chain, Polygon
DeFi: Maker, Curve, Gearbox, 1inch, dYdX
Infrastructure: Starkware
Cross-chain related: Multichain, PolyNetwork

OtterSec

OtterSec's core members are located all over the world, and core members of the engineering team, including founder Robert Chen, were formerly active participants on the bug bounty platform HackerOne. The company has audited many important infrastructure and DeFi projects such as SUI and Solana.

Well-known audit projects (audit portfolio):
SUI ecosystem: Navi, Scallop, Cetus, volo, Mysten zkLogin, Bluefin
Solana ecosystem: Solayer, Sanctum, Jito, Jupiter, Raydium, Pyth
Cross-chain bridge: Wormhole, LayerZero
Infrastructure: Celestia, Cosmos, NEAR, Solana
Code4rena - Audit Bounty Campaign Platform

Code4rena is a web3 security audit competition platform. Unlike traditional audit services and bug bounties, it establishes a complete reward review mechanism, attracts project teams to fund bug bounty prize pools, and encourages independent smart contract experts to participate in audits, making it a cooperation platform where all three parties win.
Founded in 2021, it received $6 million in financing from Paradigm in 2023 (a cash purchase of $ARENA tokens). Co-founder Scott Lewis is also a serial entrepreneur and angel investor; he co-founded DeFi Pulse, SlingShot and other projects, and is a core contributor to Canto.
In the currently active bug-hunting prize pools, independent auditors can share tens of thousands of USDC. In the past, zkSync set up a sky-high prize pool of up to 1.1 million US dollars on Code4rena.

Well-known participating projects:
DeFi: AAVE, GMX
Infrastructure: EigenLayer, Optimism Super Chain, Chainlink, ENS
L1/L2: Base, Polkadot, Starknet, zkSync
DePIN: The Graph
NFT: OpenSea, Blur
Summary
Remaining a good audit firm is not easy. CertiK became famous in 2021, but nobody could have predicted the regrettable events of 2024, and it is also difficult to tell which other companies face the same problem; it usually takes several security incidents for an auditor's quality to be verified repeatedly.
In addition, assessing whether an audit company has failed in its duties cannot rely only on the timing relationship between audit and hack; it requires a detailed examination of the audit report's content. For example, BlockSec pointed out Multichain's problems as early as a year before it was hacked, but the project did not fix them.
Reviewing an entire audit report takes a lot of time, while investors focus on evaluating projects. Project teams can consider cooperating with multiple auditing companies to gain market trust by ensuring the security of their code.