While Web3 security audit companies are still competing for audit market share, CertiK has already set its sights on the traditional business giants that are about to enter Web3. CertiK has not only received official thanks from companies such as Apple for its white hat work in traditional industries, but is also the only security company in the Web3 industry with SOC 2 and ISO certifications. As a result, it has become the preferred security consultant for traditional companies entering the Web3 field.
However, as a leader in Web3 security auditing, CertiK’s strength lies not only in its precise business strategy but also in its technology. Security auditing in the ZK (zero-knowledge proof) field has always been a difficult problem in the industry, but CertiK has pioneered the industry’s first successful attempt at ZK formal verification through its full formal verification of zkWasm.
During the TOKEN2049 event in Singapore in 2024, CertiK announced the funding scale of its CertiK Ventures, US$45 million, and released its product links. The move attracted widespread attention from the industry and the media, and it also raises a question: as a leading company in the security track of the Web3 industry, what technical advantages or business logic does CertiK rely on to make such a positive strategic judgment in a market that remains sluggish?
To reveal the logic behind CertiK’s strategic adjustments and business layout, Techub News conducted an exclusive interview with CertiK co-founder Professor Gu Ronghui during the TOKEN2049 event to explore how CertiK has grown from a single-business security company to an ecosystem center.
Techub News: CertiK recently readjusted its product and service structure. Can you introduce us to the current new services and products, and what considerations were behind this adjustment?
Professor Gu Ronghui: CertiK has recently adjusted our product service framework. We previously focused entirely on B2B services, mainly providing the highest level of security audits and security protection. CertiK's current strategic and product adjustments are mainly centered around the Web3 community. We will focus more on the Web3 community and pay more attention to the security of the Web3 community. The difference from before is that we will pay more attention to giving back to and investing in the community, rather than simply serving enterprise-level customers in the industry.
We hope to participate more deeply in the community and in the construction and development of the entire industry. To this end, we provide the community with product support that covers the entire life cycle. For example, our newly established CertiK Ventures hopes to provide funding and a series of subsequent post-investment services in the early stages of the company, such as the seed round or pre-seed round stage, to help these companies complete the process from 0 to 1. Previously, CertiK was more involved in the development of the company before it went online or deployed online, but now we hope to intervene earlier, discover and help these future unicorns complete the process from 0 to 1. We will provide a series of services, such as consulting services and support, as well as some developer tools and internal tools used in audits, to help these companies develop. In addition, in the pre-deployment and post-deployment stages, we provide audit services to ensure that the company is guaranteed in terms of contract security.
We also released a product called Skynet, which mainly provides secure access and presents the data of Web3 companies to the community in an open and transparent manner. We also have some tools for community users, such as Smart Calendar, Wallet Scan, and Token Scan, etc. These tools can help C-end users better reduce risks when participating in the products and activities of B-end companies. Smart Calendar records the airdrop and upgrade time of Web3 projects; Wallet Scan can help users scan wallets to check potential risks; Token Scan is designed for analyzing token security, helping users identify a variety of potential risks including "exit scams."
We also have secure node services. CertiK entered the node service market very early. We are one of the first 21 nodes of BNB Chain (early BSC), and we are also the secure node and the only security partner of Kishu. We hope to expand our products and services to the entire life cycle of the project, from the earliest stage to the final stage.
Currently, CertiK’s strategic focus is undergoing an important upgrade, and we will pay more attention to giving back to the community. We will gradually launch many of our internal tools and frameworks to the community, benefiting more project owners, developers, and even other Web3 security companies, which we are very happy to see.
Techub News: Can you tell us about CertiK Ventures’ current funding size and investment focus?
Professor Gu Ronghui: The current scale of the first phase of CertiK Ventures is 45 million US dollars, all of which are our own funds. We currently plan to invest all the funds of the first phase before the end of 2025. Our current investment is mainly focused on projects in the seed round and pre-seed round stage. The goal is to find potential unicorns in various tracks and use CertiK's resources and our full-cycle services to help them complete the process from 0 to 1, and from 1 to 100. At the same time, we will also make strategic investments, and we will also bet on some tracks and projects in the secondary market.
Techub News: What is unique about CertiK compared to other security auditing companies?
Professor Gu Ronghui: Messari mentioned in a report in 2022 that in 2021, CertiK almost single-handedly turned Web3 security auditing into a track and became a unicorn in this track. During that time, CertiK's market share reached 60% to 70%, making it the 13th unicorn company in the entire Web3 industry at that time, recognized by everyone as having the potential for IPO, except for exchanges.
In 2022, CertiK's valuation exceeded $2 billion. The top investment institutions such as Sequoia and Goldman Sachs have also invested in us, which also shows that we have done a very good job in compliance and we are fully capable of accepting compliance investigations by US commercial investment banks.
We are not limited to the protection of digital assets, but also actively participate in white hat operations. For example, we recently received official thanks from Apple for finding some security vulnerabilities in Apple Vision Pro. This is the sixth time that CertiK has received thanks from Apple. Last year, we were also selected into Samsung's Security Hall of Fame. In addition, we have been recognized by 9 traditional Internet industries such as Alibaba and ByteDance, which are very rare in the entire Web3 industry. And we should be the only Web3 security company with SOC 2 and ISO certifications. This makes CertiK the first choice for many traditional companies to enter the Web3 field for security help and security services. Some large banks such as DBS and UBS will choose us as the main security provider.
CertiK is also very different in technology. First of all, CertiK can serve many companies at the same time. CertiK can do this because we have many internally developed tools, such as tools that support formal verification, as well as many automated tools and systematic security audit processes.
And we are the only company in the Web3 space that publishes audit reports. We embrace transparency and encourage peer supervision, sharing, and learning. On the other hand, every mistake we make will be put under the scrutiny of the entire industry and everyone can see it. This is actually a double pressure for us, but it is also a way to urge us to move forward.
Techub News: What security challenges has CertiK encountered in the past year? How did CertiK respond?
Professor Gu Ronghui: With the advancement of the technology stack and the rise of ZK technology, the technical complexity faced by Web3 security has increased significantly. The complexity of ZK far exceeds most previous blockchain applications. How ZK can complete security audits is actually a very big problem, and the industry has also conducted a lot of exploration on this. For example, CertiK chose a major attempt to cooperate with zkWasm and completed the comprehensive formal verification of all ZK circuit translations of zkWasm. This is the first time in the industry and the only successful attempt so far. We have also released a series of videos on formal verification of ZK circuits, many of which have been played more than 1 million times.
The full formal verification of zkWasm is actually very difficult, including how to model the data, how to perform formal verification, how to complete the verification of ZK storage use cases one by one, and how to improve human efficiency in order to further scale this technology. At present, we are submitting papers on related technologies, and it is expected that after the papers are published, these technologies will have a more profound impact on the industry.
The above is the first challenge we face: how to adapt to and provide the same or even higher levels of security services and products as industry technology is rapidly iterating and complexity is growing rapidly.
The second challenge we face is the lack of public awareness of security audits. The necessity of security audits has become a consensus in the industry, but the industry has not yet reached a clear answer to how much investment should be made in security.
We have indeed encountered many challenges in this regard. When conducting security audits, some project owners often only submit part of the code for review. Their attitude towards security is limited to the desire to give an explanation to the community. This practice actually hides many security risks. Once an attack really occurs, the auditor will face great pressure. Therefore, in terms of market education, we need to make more efforts to raise project owners' awareness of the importance of comprehensive security audits.
We will also encounter some other situations, such as the project's code is actually fine, but there are problems in the configuration link, such as the accidental loss of the private key. From these processes, we can find that security audit is actually a static point.
But security services need to be provided throughout the entire project cycle, because as the project progresses and the environment changes, the required security products and services will also change accordingly. However, many project parties have not yet reached such a consensus, and this lack of understanding may cause many security risks.
Techub News: What innovations or trends does CertiK have in improving security?
Professor Gu Ronghui: Facing the challenges brought by the advancement of the technology stack, such as how to complete the ZK audit, traditional individuals or small audit teams can no longer provide sufficient support. However, CertiK will continue to promote formal verification and plan to provide security formal verification services for consensus protocols in the future to adapt to this change.
In addition, our audit is systematic. We do not want the audit to remain at the stage of manual code reading, but to achieve large-scale audit work. To this end, we have applied LLM internally. We first classify the code, and then use the corresponding audit method to verify it according to different classifications.
Our services are not limited to B-end users, but also provide corresponding tools and services for C-end users. For example, the wallet security scanning service can detect whether the wallet address is authorized to risky smart contracts, whether it holds tokens with security risks, and whether it has interacted with risky addresses. In addition, we also have a compliance product called SkyInsights, which provides compliance-related services for individuals and project parties.
Techub News: Where do the compliance services needed by C-end individual users mainly exist?
Professor Gu Ronghui: For example, when we first helped 60,000 customers to scan addresses, we found that nearly 4,000 addresses were at risk. These addresses may have received remittances or interacted with sanctioned addresses. This means that the wallet address is contaminated. If the wallet address also sends tokens to the main compliance address, the main compliance account will also be contaminated, which may lead to the closure of the entire wallet.
Techub News: How to deal with this situation?
Professor Gu Ronghui: Many C-end users may lack awareness of the risks in this regard. If they trade with risky addresses without understanding, such as choosing over-the-counter (OTC) transactions, it may bring security risks. In order to prevent this, we will provide some address lists for users to check before interacting to avoid interacting with risky addresses.
If the address has been contaminated, we will help the user find out which specific transaction has a problem and provide corresponding documents to help the user unblock the account.
Techub News: Please share some typical cases or success stories of CertiK in conducting smart contract audits.
Professor Gu Ronghui: In July this year, Forbes announced the top ten best performing cryptocurrencies with a market value of more than $1 billion in the first half of 2024. Five of our clients, TON, PEPE, FLOKI, CORE DAO, and Bitget, were on the list. These clients chose our audit services early on, and we are very happy to help them on their road to success. Take TON as an example. CertiK has been working with it since the end of 2022 and has witnessed its growth all the way. We are proud to support these outstanding cryptocurrency projects, which is why we chose to launch CertiK Ventures, with the aim of discovering and supporting rising star projects like them.
Techub News: How does CertiK balance the depth and breadth of security audits?
Professor Gu Ronghui: In terms of depth, we continue to deepen formal verification technology to cope with the emerging new technology stacks, thereby continuously improving our security protection level. At the same time, we are also actively foreseeing and preparing for possible risks in the future to ensure that our security technology can adapt to the ever-changing environment.
In terms of breadth, we use a wide range of tools to meet various security needs through a large-scale audit process and classification method. This approach ensures that the project is auditable, that is, each step is clear and verifiable, ensuring that we can cover a wider range of security areas.
Techub News: Is there anything else that you think is very important but we didn’t cover in this question?
Professor Gu Ronghui: Web3 is at a critical juncture now. In the past few years, the entire industry has been in a bear market, and many participants have been under considerable pressure. I think there will be a wave of rapid development in the future, and the return of the bull market is not only expected, but also expected to continue. In this context, CertiK is actively looking for and supporting projects that have the potential to stand out in emerging tracks. Our goal is to help these projects achieve the same significant growth as in the last bull market through our expertise and resources.
Original link: https://techub.news/newDetails/?id=1bca98990e1640d5a475a8768dc29e8e