DeFi and Web3 Security Interview with Ronghui Gu, Co-Founder of CertiK

Ronghui Gu, Co-Founder of CertiK

CertiK’s Co-Founder Ronghui Gu discusses Web3 security in the DeFi space, among other topics, in an exclusive interview with CoinEdition. Gu is a computer science professor at Columbia University who leads a team of over 250 people who inspect crypto code for bugs. CertiK is the largest smart-contract auditor in Web3.

Q: How has CertiK helped shape the Web3 security industry in recent years?

CertiK is the largest blockchain security firm. We’ve audited over 3,800 projects and secured more than $364 billion of market capitalization. Since our founding in 2017, we’ve led the charge to make auditing an essential step for all legitimate Web3 projects. We provide a set of products and tools to assist Web3 developers in securing their projects. We also publish curated security data to increase community transparency and trust.

Q: How do you ensure the security of Web3 wallets, and what measures do you take to protect against potential threats such as phishing attacks or malware?

As a blockchain security company, all aspects of Web3 security fall under our purview. This includes wallet security, and we’ve published a number of research articles on this subject recently. Our team of security experts also conducts proactive security research, which recently led to us uncovering a vulnerability in the popular ZenGo wallet application. We reported this vulnerability to the ZenGo team and worked with them to patch it. Our comprehensive penetration testing services also cover wallet applications, from their interactions with Web3 smart contracts to the Web 2.0 backend.

Q: What steps do you take to mitigate the risk of rug pulls and exit scams in the decentralized finance (DeFi) space, and how do you identify warning signs of such activities?

We flag the centralization and privilege issues that lead to teams being able to pull off an exit scam each and every time we find them. We make audit reports public so users can see the risks that may or may not be involved with a project. We also publish educational content to raise awareness about the shared characteristics of these types of scams. Our KYC for project teams service also helps protect users from the threat of rug pulls. They can identify the projects that have earned a KYC Badge by verifying their team and publicly standing behind their platform, stay away from those that don’t, and rest assured that in the event of an exit scam any team that has undergone KYC will be swiftly referred to law enforcement.

Q: Can you discuss the importance of secure coding practices in the development of Web3 applications?

Security is paramount. Blockchain technology cannot deliver on its promise if it is not secure. The most successful Web3 applications are those that take security seriously. As a consequence, they work as intended and are around to serve their users for a long time.

As a blockchain security company, we aim to raise the standard of security and transparency across the entire Web3 ecosystem. We publish a lot of technical and developer-focused content, including a series on secure coding practices.

In general, developers should be trained on common code vulnerabilities and coding practices to avoid them and hold frequent design reviews to catch issues early. They should also use an unbiased security team to create a threat model around what’s being developed to improve security.

Q: How do you approach the challenge of ensuring cross-chain interoperability while maintaining the security of the entire Web3 ecosystem?

That’s a great question, and it’s one that many of the brightest minds in Web3 are working on. Security must be a primary concern in the development of cross-chain bridges. Bridges aren’t functional if they’re not secure; connecting to multiple chains or being the fastest bridge out there means an insecure bridge is just going to lose your money faster and more efficiently. As we’ve seen, bridges are high-value targets. While there is strong demand for this kind of infrastructure, secure engineering of blockchain bridges must be given the time it is due.

Q: Can you discuss your experience in developing and implementing disaster recovery and business continuity plans for Web3 platforms?

We’ve worked closely with projects that have been affected by security incidents to help them develop a response plan. This is best prepared ahead of time, but we recognize that it is not always possible to plan for every scenario. We have a dedicated team that is on call around the clock to assist with incident response for any and all affected projects.

Q: Can you discuss the implications of centralization issues when it comes to Web3 security?

Centralization is in many ways antithetical to Web3. In some cases, however, some degree of centralization is necessary in order to build a functional product. Not everything can be a completely autonomous smart contract running on a decentralized blockchain. Treading this line and prioritizing decentralization is the challenge. Centralization gives certain people heightened privileges, and there should always be a good reason for why this must be the case. We flag all centralization issues in our publicly available audit reports so users know what they’re getting into.

Q: How can people stay updated on the latest security threats and vulnerabilities in the Web3 space?

Following our Twitter accounts (@CertiKAlert, @CertiK, and @CertiKCommunity) is one of the best ways to stay up to date. Reading our blog, where we have hundreds of educational and technical articles, is another way. You can find our blog resources and Skynet leaderboard on our official website.

Q: What is your perspective on the role of KYC practices in the context of Web3 security?

CertiK has developed an industry-leading KYC Badge program for Web3 projects who wish to stand behind their project publicly and build trust with their community. Anonymity and pseudo-anonymity have a strong tradition in crypto, going all the way back to Satoshi Nakamoto’s creation of Bitcoin, but the difference is that Satoshi was not building an explicitly financial product, nor were they soliciting investment from the community. Plus, Bitcoin’s code is all open-source and the network is highly decentralized. A Web3 founder who launches a project should take their investors’ security seriously and should be willing to stand behind their project. Any founder who does not want to undergo their own KYC verification (the details of which are always kept securely) must have a good reason for doing so. In the absence of a codebase as transparent and an application as decentralized as Bitcoin, a KYC Badge goes a long way toward building trust.

Q: How do you see AI being used in the context of Web3 security, and what are some potential benefits and drawbacks of this approach?

We’ve published some interesting research on this topic. What we’ve found so far is that AI-powered tools are oftentimes correct with their findings, but too often incorrect so as to be unreliable as they currently are. Current AI also overlooks critical flaws. Both the false positive and false negative rates are generally high. They can be useful for quickly understanding the code and performing a quick sanity check, but not for in-depth analysis.

Our team of experienced human auditors reviews each and every project that comes to us, and while they’d surely appreciate any tool that makes their job easier, we won’t be sacrificing the quality of our audits for speed or a lower cost. Our current set of automated tools combines well with the expertise of our auditors to deliver fast and comprehensive audits at an extremely competitive price point. AI will surely improve in the coming years, and we look forward to incorporating it where applicable.