Interview with Professor Ronghui Gu: “Who Monitors the Monitors?"
10/17/2024

In the 1998 thriller Enemy of the State, there is a famous line: “Well, who’s gonna monitor the monitors of the monitors?”

As the Web3 ecosystem continues to evolve, more and more capital is flowing into the crypto industry, which in turn gives attackers more opportunities to profit by exploiting on-chain vulnerabilities. Unfortunately, when projects are attacked they often have limited means of response, sometimes resorting to offering bounties to persuade the attacker to return stolen funds rather than pursuing further consequences.

This is where security companies come in: they audit code and act as "white hat hackers" to proactively identify security flaws in these projects before an attacker does. CertiK stands as the leader in this space, with a valuation nearing $2 billion. In fact, passing a CertiK audit has become a community benchmark for assessing emerging projects.

However, this raises a fundamental question: Who monitors the monitors? In a recent DeThings interview, Professor Ronghui Gu, Co-Founder of CertiK, addressed this question and discussed how security companies self-regulate. Here are some key findings from the interview.

DeThings: What’s your take on the term "white hat hacker"?

Professor Gu: While there is no unified definition of a "white hat hacker," we generally believe it refers to those who, with good intentions, test, investigate, and/or fix security vulnerabilities or flaws by accessing computer systems. Such activities are conducted in ways that avoid harm to individuals or the public. Information gained from these actions is primarily used to enhance the security of devices, machines, or online services, and protect users.

At CertiK, we adhere to strict internal white hat protocols. Since 2020, we’ve carried out over 70 white hat operations, identifying critical vulnerabilities that earned the highest bounty to date on the Sui platform. Alongside our auditing work, CertiK has reported over 4,000 security incidents in the Web3 community, and discovered more than 115,000 code vulnerabilities, safeguarding over $360 billion in digital assets.

DeThings: How do you view the current state of the industry and the future focus areas for security?

Professor Gu: The blockchain security industry is currently undergoing rapid development, with particular attention focused on managing the intersection of Web3 and Web2 risks. As blockchain technology expands, so too do the vulnerabilities and attack methods, affecting areas like DeFi, NFTs, and cross-chain interoperability.

Looking forward, Web3’s security challenges stem not only from technical vulnerabilities, but also from common cybersecurity risks, such as data privacy protection, phishing attacks, and telecommunications fraud.

Private key security remains one of the primary challenges in the Web3 space. According to CertiK’s 2023 statistics, nearly half of all financial losses in blockchain security incidents are due to private key leaks. Our Q3 2024 security report reveals that private key leaks and phishing attacks continue to be the leading causes of financial loss.

Moreover, as Web3 continues to develop, many of its applications still rely on Web2 infrastructure, such as cloud storage and DNS services, which makes them susceptible to attacks like DNS hijacking and phishing. These hybrid attacks further complicate security management.

In summary, we believe there are two key areas of focus for blockchain security:

  1. Decentralizing Infrastructure: To avoid reliance on Web2 infrastructure, Web3 must accelerate the construction and adoption of decentralized alternatives, particularly in authentication, data storage, and governance. CertiK will continue supporting this transition by offering technical solutions for bridging Web2 and Web3 security, and investing in high-potential projects through CertiK Ventures.

  2. Phishing Attacks: As phishing attacks become increasingly sophisticated — especially with AI-driven deepfake techniques — investment in smart protective mechanisms and user security education is critical.

CertiK remains committed to empowering Web3 participants with enhanced defense mechanisms and heightened awareness. To this end, we’ve introduced free security tools like Token Scan and Wallet Scan for the community, and CertiK Quest, which helps users better understand projects and gain security knowledge.

DeThings: As "monitors" in the blockchain space, how does CertiK ensure its own accountability?

Professor Gu: As a security company in the Web3 world, transparency is crucial for earning users’ trust. We aim to be supervised in a decentralized manner. CertiK was the first in the industry to make audit reports fully public to ensure transparency. Our Skynet platform allows community members, security institutions, and individual white hats to review our audit reports and provide feedback when issues arise.

Additionally, CertiK strictly adheres to global Web3 regulatory standards and undergoes third-party verification and oversight. We’ve earned the most regulatory security certifications of any Web3 security audit firm, ensuring we maintain the highest security standards for client data and our own systems. This demonstrates our commitment to our mission of "putting customer interests first," and underscores our determination to protect user assets.

DeThings: How does security play a role in the push for blockchain compliance by governments?

Professor Gu: Security is critical in enhancing trust, mitigating systemic risks, and fostering compliance innovation within blockchain networks.

  1. Enhancing Trust: Compliance often requires transparency and accountability, and security mechanisms ensure platforms meet regulatory standards, increasing user and institutional trust in blockchain systems. This is especially important for anti-money laundering (AML) and Know Your Customer (KYC) requirements.

  2. Reducing Systemic Risks: Security mechanisms can reduce the financial risks posed by system-wide vulnerabilities or hacking, protecting the integrity of blockchain networks.

  3. Driving Innovation: Strengthening security can facilitate compliance innovation in decentralized technologies, such as using zero-knowledge proofs to balance data privacy with regulatory requirements.

CertiK is working closely with regulators worldwide, and I personally serve on the international advisory committees for Singapore’s Monetary Authority and Hong Kong’s Web3 development task force.

DeThings: What are the current pain points in the security field, and how can they be addressed?

Professor Gu: With the rapid advancement of technology stacks and the rise of zero-knowledge proof (ZK) technology, the complexity of Web3 security has significantly increased. CertiK recently collaborated with zkWasm to complete a full formal verification — the first and only attempt of its kind in the industry so far. We believe this approach will become a standard practice in the future.

Security auditing has become an industry consensus, but the extent of investment in security remains unclear. For example, a project may submit only a portion of its code for auditing, but risks could arise outside the scope of the audit. Thorough security checks across all project phases are essential, particularly before deployment. Additionally, managing private keys and node services remains critical throughout a project’s lifecycle.

CertiK is adopting large language models (LLMs) and code classification techniques to improve auditing processes. Different auditing methods are applied based on the code classification, with each step designed to yield auditable results. Our goal is to go beyond merely identifying issues, and provide clients with a comprehensive understanding of the auditing process.

While blockchain security services are currently focused on B2B markets, there’s also a strong demand from individual users. CertiK is committed to helping C-end users ensure the safety of their assets, despite the greater challenges this entails.

DeThings: How does Web3 security compare to Web2?

Professor Gu: Compared to Web2, Web3 security is far more complex.

Many Web3 applications still rely on Web2 infrastructure, making them susceptible to centralized vulnerabilities. Additionally, the blending of Web2 and Web3 creates opportunities for sophisticated attacks that combine traditional phishing with new technologies.

On the other hand, Web3’s transparency is both a strength and a challenge. Once deployed, smart contracts are difficult to alter, meaning a vulnerability can lead to much more significant damage than in a Web2 environment.

To ensure the safety of both projects and users, Web3 projects must take on the responsibility of community protection. CertiK aims to provide comprehensive security solutions for all stages of project development, while also educating users and offering accessible self-protection tools for all members of the Web3 community.

Original Link: https://mp.weixin.qq.com/s/8H7jrRK1SshBDXWjxpt2ew