Exclusive Interview with CertiK Co-Founder Professor Ronghui Gu: Navigating Through the "Seal of Approval" Audit Controversy

2024-11-29 19:00
At the Singapore FinTech Festival hosted by the Monetary Authority of Singapore, CertiK Co-founder Ronghui Gu delivered a speech.

In the cryptocurrency industry, security is the cornerstone of every project and platform. With the development of blockchain technology and the widespread adoption of digital assets, security issues have increasingly become a focus of attention.


At the 2024 Singapore FinTech Festival (SFF), CertiK co-founder and Columbia University computer science professor Ronghui Gu delivered a keynote speech titled "Beyond Code, Leading Trust." Professor Gu reviewed his academic journey in the speech, as well as the transition from academic research to co-founding the Web3 security company CertiK, emphasizing the core idea that "security is not only a competitive advantage but also a shared responsibility."


Professor Gu mentioned in his speech that the $2 million hack suffered by the DeFi protocol Merlin in April 2023 served as a profound warning to the entire blockchain industry.


The Singapore FinTech Festival (SFF), one of the world's leading annual financial technology events, is jointly organized by the Monetary Authority of Singapore (MAS) and Elevandi. Taking the opportunity, BlockBeats sat down for a conversation with CertiK co-founder Ronghui Gu.



Academic Beginnings and the Birth of CertiK


In the Tsinghua campus of the 2010s, computer science was gradually becoming the favored choice of top students. Unlike many of his peers who chased fashionable research topics, however, Ronghui Gu chose a niche but profound direction—formal verification. This field focuses on proving the correctness of software systems mathematically and underpins infrastructure such as compilers and operating systems. Although the field got a late start in China, demand for formal verification has always been high, especially for guaranteeing system security and stability.


During his time at Tsinghua, Ronghui Gu studied under Professor Yuan Dong and was introduced to formal verification technology for the first time. The research project RA (Region-based Allocation) he was involved in laid the theoretical foundation for him. His four years at Tsinghua sparked a strong interest in academic research in him and drove him to pursue higher-level academic breakthroughs. After graduating from Tsinghua in 2012, Ronghui Gu chose to go to Yale University to further his studies under the guidance of the renowned scholar Professor Zhong Shao.


The lab at Yale was not only Ronghui Gu's academic birthplace but also where he first encountered the blockchain industry. In Professor Shao's lab, Ronghui Gu met Toastcat, a legendary figure in the crypto industry. Before disappearing in 2013, Toastcat had already built a Bitcoin mining empire, and Ronghui Gu witnessed that early chapter of its history.


Specifically, Toastcat was a Ph.D. student of Professor Zhong Shao (co-founder of CertiK), a member of the Yale-NUS joint lab, a senior schoolmate of Ronghui Gu, and his office mate in room 301 of the Yale Computer Science Department. "At that time, I was studying the XCAP framework (the work of CertiK CTO Dr. Ronghui Gu), and I couldn't understand much of the Coq code. Whenever I had questions, I would go and ask Toastcat. Back then, at Yale, Toastcat was already preaching about Bitcoin," recalled Ronghui Gu.


Regarding Toastcat's legendary disappearance, however, Ronghui Gu has no inside information either. "In 2013, when I returned to Suzhou, China (where the Yale-NUS lab is located), Toastcat treated me to hotpot. That was also the last time I saw him. There was no contact after his disappearance."


Commercialization of Academic Innovation: From CertiKOS to CertiK


Ronghui Gu's research experience at Yale made him acutely aware of the potential of formal verification. In 2016, he and his team successfully developed CertiKOS, the world's first fully formally verified multi-core operating system kernel.


In addition, Ronghui Gu's team developed the first fully verified commercial cloud hypervisor, SeKVM; worked with Arm to complete the verification of the Confidential Computing Architecture (CCA), which will be applied to next-generation Armv9 chips; and worked with Ant Group to complete the verification of the HyperEnclave system.


These achievements not only attracted attention in the academic world but also allowed Ronghui Gu to see the wide application potential of formal verification technology in the real world. "The success of CertiKOS made me realize that formal verification should not just stay in the lab; it can fully provide strong security guarantees for the blockchain and Web3 fields," said Ronghui Gu.


Therefore, in January 2018, Ronghui Gu and Professor Zhong Shao co-founded CertiK. The company's name comes from "CertiKOS," symbolizing "verifiable security," which has also become a symbol of the company's core philosophy. CertiK's goal is to bring the rigor of formal verification into the blockchain field and provide top-notch security for digital assets.


With the support of Professor Zhong Shao and several Tsinghua and Yale alumni, CertiK assembled a founding team that can only be described as "luxurious." Team members not only have outstanding academic backgrounds but also rich industry experience. Co-founder Professor Zhong Shao, a middle school student at USTC, is not only the Chair of the Yale Computer Science Department but also a Princeton University Ph.D. and a world-renowned academic authority. CTO Dr. Ronghui Gu is Ronghui Gu's senior schoolmate from Tsinghua and Yale, served as head coach of the International Olympiad in Informatics team, and has guided students to multiple gold medals. Several executives and core technical members of the team also graduated from Tsinghua and have won numerous awards in informatics competitions and the computer field. This deep academic background and technical strength have made CertiK highly regarded in the industry since its inception.


Just two months after its founding, CertiK secured a $3.5 million seed round, led by Lightspeed Venture Partners. The company grew rapidly and continued to attract capital: in June 2020, IDG Capital led a $7 million Series A funding round; between 2021 and 2022, CertiK completed four consecutive rounds of funding, skyrocketing its valuation to $2 billion. Public information indicates that as of December 2021, CertiK achieved a 20x revenue growth and a 4x increase in the number of employees.


Despite its rapid growth, fast-paced funding rounds, and substantial amounts, CertiK has always remained restrained. "During 2021 and 2022, many investment institutions did approach us to invest, and we did reject a significant portion. Because CertiK's cash flow has always been healthy, we prefer strategic investments that can help drive our business, rather than just for financial investment purposes. Therefore, we selectively accepted investments," recalled Ronghui Gu.


From Product Innovation to Industry Impact: CertiK's Rise to Prominence


To become an industry unicorn, it takes not only a stellar team but also solid product innovation.


Throughout its development, CertiK has continuously introduced innovative products to address the evolving needs of the blockchain industry. Among them, CertiK Skynet for Community, launched in 2022, is a project security information search engine designed for Web3 users. The platform provides security scores for everyday users, helping them better assess project risks and laying the groundwork for industry-wide security awareness.


In 2023, CertiK further introduced SkyInsights, a real-time monitoring tool tailored for projects. SkyInsights is not only efficient but also cost-effective, assisting projects in maintaining security and compliance in a rapidly changing market. This tool quickly became an essential asset for project teams to ensure secure operations in the complex Web3 environment.


In 2024, CertiK once again upgraded its product lineup, launching two impactful new projects. CertiK Quest, in the form of question-and-answer sessions and knowledge cards, educates users on Web3-related security knowledge, cultivating a broader security awareness in the industry. At the same time, CertiK Ventures announced a $45 million investment plan aimed at supporting potential star projects in the Web3 field through funding, technology, and talent, further bolstering CertiK's influence in the industry and solidifying its position as a leader in the security space.


In addition, CertiK has also upgraded its product line, proposing the concept of a "Full Lifecycle Security Solution." This solution covers every growth stage of a project from inception to success, embedding security into every aspect of the Web3 ecosystem, accompanied by a new slogan: "Elevating Your Entire Web3 Journey." CertiK has focused its security services on more specific entities such as project teams, trading platforms, wallets, and end users, ensuring comprehensive security through customized solutions.


"Many projects may consider security as a one-time security audit before going live, treating it as a point-in-time service. However, security needs to accompany the entire project lifecycle. We hope to accompany users from the early stages all the way to deployment, blockchain integration, listing on exchanges, and into the mature operational phase."


CertiK's security engine is the core embodiment of its technological competitiveness. This engine relies on advanced formal verification, automated scanning, and deep specification analysis technologies to help security experts efficiently identify potential issues in the code. Professor Ronghui Gu describes it as a "smart assistant for security experts," similar to the role of ChatGPT in the text processing field.


The engine's model data is derived from CertiK's years of audit experience and knowledge base, encompassing code samples from 4,700 clients, 150,000 security vulnerabilities, and detailed reports on over 40 major vulnerabilities. This data provides the engine with powerful analytical capabilities, enabling it to quickly identify vulnerabilities in smart contracts and blockchain applications.


For example, in the case of the TON public chain, CertiK not only provided code audits and formal verification but also assisted in performance testing and community building post-launch. This end-to-end support has surpassed the traditional security domain, further providing multi-dimensional value-added services to project teams. This also reflects CertiK's transformation from a single-service provider to a "security partner" role.


Furthermore, as the blockchain industry becomes more widespread, CertiK has gradually shifted its focus from B2B (enterprise-facing) to B2C (consumer-facing) areas. In 2024, CertiK launched the free community security tools Token Scan and Wallet Scan, providing ordinary users with simple and user-friendly security scanning services. The introduction of these tools not only lowers the barrier to using security technology but also enables more people to participate in the construction of the Web3 security ecosystem.


Through these tools, CertiK aims to enhance end-user security awareness and resilience. Ronghui Gu candidly said, "CertiK has served 4,700 clients, found 150,000 security vulnerabilities, reported over 40 major vulnerabilities. It can be said that we have made a significant contribution to the community, but we still have room for improvement in the consumer and developer community." In the future, CertiK plans to launch more free security tools to give back to the community's support and drive the healthy development of the industry.


Clarification and Response: Misconceptions About "Seal of Approval" Audits


In a rapidly evolving technical landscape with complex and ever-changing security requirements, controversy is inevitable. From criticism of "seal of approval" audits to public skepticism following incidents at certain projects, CertiK has been tested repeatedly by both the public and the industry. Confronting these issues, explaining the reasons behind them, and making a greater contribution to the industry have become a mission CertiK cannot avoid.


Security audits, fundamentally, are a professional assessment of code security at a specific point in time, rather than comprehensive protection throughout the project lifecycle. As a provider of audit services, CertiK faces several key challenges:


1. Limitations on code scope: When submitting for an audit, many project teams provide only part of the code, or code from a test version. The audit can then assess risk only for what was submitted and does not cover the project's entire codebase. Code changed after launch without being audited can introduce security vulnerabilities.


2. Post-audit modifications: Some project teams, post-audit, make changes or add features to the code to quickly go live, but these changes are not subjected to a security audit. These "follow-up changes" are often the primary cause of security incidents, rather than oversights during the initial audit.


3. Cost and resources: A thorough and in-depth security audit is costly and not every project can afford it. Even well-known projects sometimes opt for partial audits instead of full code coverage due to budget constraints, further increasing potential risks.


4. Gap between audit and execution: Even though CertiK provides detailed risk assessments and optimization suggestions, the ultimate implementation is the responsibility of the project team. However, some project teams do not fully implement audit recommendations or rectification plans, which becomes another significant reason for security issues.


Facing skepticism, CertiK has also provided its response. For example, since 2020, CertiK has made all audit reports public for users and the community to oversee. The decision to make audit reports public was widely contested at the time, facing opposition from within the company, partners, and even investment institutions.


"Because once made public, any security incidents that occur, everyone will associate them with CertiK. To this day, no other security company has dared to make all audit information public, because it means that they cannot hide from issues. For CertiK, transparently open information is a double-edged sword, but for the industry, it is a positive driver," explained Ronghui Gu.


"We insist that even though this choice presents challenges for CertiK, as long as it is beneficial to the industry, CertiK will steadfastly carry it out. From 2020 to the present, CertiK has always stayed true to its original intentions. Even when project teams encounter issues, CertiK has borne the ensuing negative impact. To this day, we still publish the reports openly on our website," Ronghui Gu stated.


In addition, to address these issues, CertiK launched the CertiK Skynet Leaderboard and Security Scoring System to improve the transparency and authenticity of audit reports. Because audit reports are made accessible and verifiable through the leaderboard and project information pages, the risk of tampering or forgery is avoided. CertiK's security rating system takes into account multiple dimensions such as on-chain data, GitHub code repositories, audit information, and community status, giving users more comprehensive project security information.


On the other hand, CertiK has also introduced the Quest feature, which is a question-and-answer reward mechanism designed to showcase more technical details and security knowledge to the community. This helps users gain a deeper understanding of the project's security-related information and the role of security.


Web3 security has never been about guaranteeing "perfect security" but about maintaining a dynamic balance between technology and risk. In this process, CertiK must face technical limitations and project execution problems as well as the pressure of public scrutiny.


Responsibility in Crisis


In the world of Web3, the boundary of hacker behavior is more blurred than in the traditional Internet. In Web3, there is a large gray area between the traditional "black hat" and "white hat" distinctions. For example, some hackers claim to expose vulnerabilities for the "public good," but their actions may not necessarily comply with existing laws and regulations. This complexity poses more challenges for security companies.


Since 2020, CertiK has conducted over 70 white hat operations, strictly adhering to white hat principles and, without harming user or public interests, discovered and resolved tens of thousands of security vulnerabilities. For example, CertiK received the highest vulnerability bounty for discovering critical vulnerabilities in the Sui project. CertiK has industry-leading real-time on-chain attack monitoring and alerting capabilities and focuses on tracking the fund flows of the Lazarus Group-related cases, providing valuable security protection experience to the industry.


However, CertiK is also aware that relying solely on technical means is not sufficient to comprehensively solve problems. The security issues of Web3 not only exist at the technical level but also involve the complex interaction of human nature and trust.


For example, in the Merlin incident, the root cause was not a code vulnerability but malicious behavior by internal project personnel. Through rigorous background checks and real-time monitoring, CertiK is further strengthening its mechanisms for preventing insider threats.


In addition, CertiK once reported to another trading platform a vulnerability that allowed exchange prices to be set arbitrarily, and this alert was provided almost free of charge. Had the vulnerability not been discovered, the trading platform could have faced a crisis. Professor Ronghui Gu stated in the interview, "Many times, our work is not seen by the outside world, but it is these invisible efforts that prevent many potentially significant losses."


In the security battlefield of Web3, hacker groups' attack methods are becoming increasingly sophisticated, with the Lazarus group being a typical example. This organization, known for its advanced social engineering attacks, supply chain attacks, and vulnerability implantation under the guise of developers, has caused numerous security incidents globally.


CertiK not only combats the Lazarus group on the technical front but also continuously monitors the flow of illicit funds through fund-tracing and anti-money-laundering tools. In 2022, the mastermind behind the Merlin incident was confirmed by the United Nations to be linked to the Lazarus group, and CertiK's investigative work in that incident was regarded as a model of close-range engagement with hackers. This prompted CertiK to comprehensively upgrade its capabilities in areas such as fund tracing, vulnerability scanning, and KYC (Know Your Customer).


"The Web3 security industry requires 24/7 high alertness, always being at the forefront of the battle against hackers and constantly engaging in a battle of wits to defend the interests of clients and the community. Although this war may never be fully extinguished, it is precisely this characteristic that gives CertiK a strong sense of mission. We will uphold our original intention and consistently safeguard Web3 security," stated CertiK.


Unwavering in its original intention, CertiK will lead blockchain security and compliance, collaboratively building the future of the Web3 ecosystem


On the path ahead, CertiK, dedicated to promoting the blockchain industry's goodness and upholding the white hat spirit, will not only continue its status as a unicorn in the blockchain industry but will also actively take on new responsibilities and roles. Currently, CertiK has established partnerships with regulatory bodies in five countries and regions, playing a significant role in policy-making and compliance support.


Professor Ronghui Gu, as a member of the Monetary Authority of Singapore's (MAS) International Technology Advisory Panel, has participated in discussions on several important frameworks. He has also been invited to join the Hong Kong Web3 Development Task Force to assist in shaping regulations for digital asset management.


At the Singapore FinTech Festival, Professor Ronghui Gu shared his insights as a keynote speaker. He said, "The core of regulation lies in being 'manageable, visible, and enforceable.' In today's increasingly complex on-chain transactions, security has become a key pillar of regulation."


CertiK's government collaborations are extensive and in-depth. For example, CertiK provided professional advice for the stablecoin regulatory regime jointly issued by the Hong Kong Monetary Authority and the Treasury; participated in the drafting of the Financial Services Agency's (FSA) compliance policy concerning Japanese yen stablecoins; collaborated with the Malaysia Digital Economy Development Agency to formulate policy documents for the Metaverse and Web3; and signed memorandums of understanding with the Seoul and Busan city governments in South Korea to provide technical support for blockchain security and risk prevention. These efforts not only solidify CertiK's leadership position in the industry but also demonstrate its profound sense of responsibility for industry development.


Meanwhile, CertiK has announced the launch of its venture arm, CertiK Ventures, and has established a $45 million investment program aimed at supporting highly promising projects within the Web3 ecosystem. This initiative is not only a commitment to the future of the industry but also a significant step for CertiK in transitioning from a technology provider to an ecosystem enabler.


CertiK Ventures focuses its investments on security and infrastructure-related projects, especially those with sustainable and scalable business models. CertiK aims to help these projects stand out in the fast-paced race with funding and technical support, establishing long-term technical partnerships. CertiK Ventures is expected to start distributing funds from Q4 2024, continuing through the end of 2025, providing comprehensive growth support to more projects.


In addition to government partnerships and the establishment of a VC arm, CertiK has also revealed its latest initiative, the "21 Plan," with the goal of achieving listing standards within 21 months and placing Client Insights First as a core strategic focus. By delving deep into customer needs, CertiK is committed to building a product optimization and service enhancement system guided by customer feedback.


Under this initiative, CertiK has introduced a full life cycle security solution. This solution covers the entire growth process of a project from the conceptual stage to post-launch, including initial design reviews, code audits, community management post-launch, and performance optimization. CertiK has expanded security services from defense to support, allowing Web3 projects to achieve sustained innovation on a secure foundation.


CertiK's outlook for the future extends beyond the traditional security realm. With Web3 gradually becoming mainstream, CertiK plans to expand its service scope to more traditional enterprises, helping them smoothly enter the blockchain ecosystem. In the face of alternating industry bull and bear markets, CertiK has laid a foundation for continued growth through optimizing its team structure and enhancing its technical capabilities.


