Exclusive Interview with CertiK Founder: Hacker Attacks Surge by 300%, The Path to Breaking Through with Security as a Priority


CertiK CEO Explains Blockchain Security Threats and Defenses

Written by: Monica Younsoo Chung, IT Times

On April 17, the renowned South Korean technology media outlet Korea IT Times published an exclusive interview with Professor Ronghui Gu, co-founder and CEO of CertiK. The two parties engaged in an in-depth dialogue regarding CertiK's first quarter HACK3D security report, discussing the evolution of hacking techniques and innovative paths for security defense technologies.

Ronghui Gu believes that security should be viewed as a fundamental principle rather than a remedial measure after the fact. It should be integrated into the overall strategy from the project's inception. "A proactive strategy of 'security first' is crucial for building trustworthy Web3.0 applications." Specifically, he advocates for the proactive use of cutting-edge technologies such as formal verification, zero-knowledge proofs, and multi-party computation to comprehensively enhance the protective capabilities of blockchain protocols and smart contracts. This is also the original intention and vision behind the founding of CertiK: to make the Web3.0 world safer and more trustworthy through rigorous formal verification technology.

This commitment to security is not a product of short-term market trends but stems from Ronghui Gu's long-term exploration and practice of technological ideals. From participating in the development of the CertiKOS system, which was praised by the Google team as "flawless" during his doctoral studies at Yale, to now building a security moat for over $530 billion in digital assets, he has always been dedicated to safeguarding industry security and enhancing industry trust.

Ronghui Gu has repeatedly stated that security is not a competitive advantage but a shared responsibility. He transforms academic achievements from the lab into practical security implementations in the industry and incorporates the concept of "shared responsibility" into industry collaboration. This technology leader, emerging from top academic institutions, anchors the security coordinates of the Web3.0 era between technological ideals and reality, using verifiable mathematical logic to counter the uncertainties of hacker attacks.

In the rapidly evolving Web3.0 field, blockchain security has become a top priority. This article focuses on the mission of CertiK, led by its co-founder and Columbia University computer science professor, to comprehensively strengthen the security defenses of the blockchain ecosystem. CertiK is committed to enhancing the security of blockchain and smart contracts through formal verification technology and has become an industry leader in Web3.0 security.

Korea IT Times delves into CertiK's recently released Hack3d: Q1 2025 Security Report, revealing new trends in digital asset theft and security threats. The article also discusses cutting-edge technologies such as zero-knowledge proofs and multi-party computation, provides practical advice to blockchain developers, and explores the dual role of AI in the security field. As traditional financial institutions gradually enter the blockchain space, security challenges are escalating, making proactive measures to protect users and maintain the integrity of the ecosystem crucial. This article aims to provide key insights that help practitioners navigate the complex blockchain security landscape with confidence.

Q: Please briefly introduce yourself and the core mission of CertiK.

A: I am the co-founder and CEO of CertiK, as well as a professor at Columbia University. Both my work and CertiK's mission are deeply rooted in enhancing the security of the Web3.0 ecosystem.

CertiK was founded in 2017, with the core idea of using formal verification technology to continuously monitor and strengthen the security of blockchain protocols and smart contracts, ensuring their safe and correct operation. We integrate cutting-edge solutions from academia and industry to help Web3.0 applications achieve sustainable scalability while ensuring security. To date, we have served over 4,900 enterprise clients, protecting more than $530 billion in digital assets and identifying over 115,000 code vulnerabilities.

Q: CertiK recently released the Hack3d: Q1 2025 Security Report. What are the key findings?

A: In the first quarter of 2025, losses from on-chain fraud incidents amounted to approximately $1.66 billion, a staggering 303% increase from the previous quarter. This was primarily due to the hacking incident at Bybit exchange at the end of February, where hackers stole around $1.4 billion. Similar to previous quarters, Ethereum remains the primary target of attacks, with three security incidents resulting in a total asset loss of $1.54 billion. Shockingly, we found that only 0.38% of stolen assets were successfully recovered in the first quarter.

Q: Have the main targets of blockchain attacks changed compared to previous quarters?

A: The trend in the first quarter of 2025 continued from late 2024, with Ethereum still being the hardest-hit area. There were 99 security incidents on Ethereum in the fourth quarter of 2024, compared to 93 in the first quarter. This is a continuing theme: throughout 2024, Ethereum-based projects experienced the most security incidents; looking ahead to 2025, this situation seems to persist.

The Bybit hacking incident is also a typical case: the Safe-Wallet wallet based on the Ethereum ecosystem was compromised, suffering significant losses. Ethereum has become a focal point for attacks on the one hand because of its numerous DeFi protocols and the large scale of locked assets, and on the other hand because many smart contracts on Ethereum contain vulnerabilities.

Q: How is the blockchain security industry responding to increasingly complex attack methods?

A: Attackers are increasingly using complex strategies such as social engineering, AI technology, and smart contract manipulation to bypass existing security mechanisms. As digital assets become widely used and valued, the industry must adapt to the new situation to ensure project integrity and user asset security.

The industry is actively addressing these challenges by promoting the development of innovative technologies, including zero-knowledge proofs (ZKP) and on-chain security, which provide promising solutions to increasingly severe security issues, enabling transaction auditability, attack traceability, and asset recovery while protecting privacy. Multi-party computation (MPC) further strengthens key management by distributing control of private keys among multiple participants, eliminating single points of failure and significantly increasing the difficulty for attackers to gain unauthorized access to wallets. As these security technologies continue to evolve, they will play a crucial role in resisting hacker attacks and maintaining the integrity of decentralized ecosystems.
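To make the threshold idea behind MPC key management concrete, here is an added example that is not from the interview or from CertiK: a small Shamir secret-sharing scheme over the secp256k1 group order (assumed as the field the private key lives in), splitting a constructed private key 2-of-3 so that any two holders can recover it while a single share does not. Production MPC wallets use threshold signature schemes so the full key is never reassembled on one machine; this example shows only the share-and-threshold principle.

```python
# Added example (not from the interview or CertiK): Shamir secret sharing
# over a prime field, illustrating the threshold idea behind MPC key
# management. A private-key scalar is split into n shares; any k shares
# reconstruct it, while fewer than k shares do not determine it.
import secrets

# secp256k1 group order: the field in which ECDSA private keys live (assumed).
PRIME = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split_secret(secret, k, n):
    """Return n (x, y) shares of `secret`; any k of them recover it."""
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        # pow(den, -1, PRIME) is the modular inverse (Python 3.8+).
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def demo():
    """2-of-3 split of a constructed key.

    Returns (threshold_recovers, single_share_recovers): the first is True
    for any two shares, the second is False because one share alone fixes
    only a single point of a degree-1 polynomial.
    """
    key = secrets.randbelow(PRIME - 1) + 1        # constructed sample private key
    shares = split_secret(key, k=2, n=3)
    threshold_recovers = (recover_secret(shares[:2]) == key
                          and recover_secret(shares[1:]) == key)
    single_share_recovers = recover_secret(shares[:1]) == key
    return threshold_recovers, single_share_recovers
```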

Q: What security advice would you give to blockchain developers and project teams?

A: Prioritizing security from the very beginning should be an uncompromising principle. Integrating security into every stage of development, rather than as a remedial measure afterward, helps identify potential vulnerabilities early on, saving a significant amount of time and resources in the long run. This "security first" proactive strategy is crucial for building trustworthy Web3.0 applications. Incorporating security throughout the entire development process helps identify vulnerabilities early and saves costs for later fixes.

Additionally, seeking comprehensive and impartial third-party audits from blockchain security firms can provide an independent perspective to identify potential risks that internal teams may overlook. Such external assessments provide a critical review process that helps timely identify and fix vulnerabilities, thereby enhancing the overall security of the project and further increasing user trust.

Q: What role does AI play in blockchain security? Is it a positive influence or does it bring new risks?

A: AI is an important tool in CertiK's security system, and we have incorporated it into our core strategy for ensuring the security of blockchain systems. CertiK uses AI technology to analyze vulnerabilities and potential security flaws in smart contracts, helping us conduct comprehensive audits more efficiently than ever before, but it cannot replace human expert audit teams.

However, attackers can also leverage AI to enhance their attack methods. For example, AI can be used to identify code weaknesses, evade consensus mechanisms, and bypass defense systems. This means that the threshold for security countermeasures has been raised, and as AI applications become more widespread, the industry must invest in more robust security solutions.

Q: What is formal verification? How does it enhance the effectiveness of blockchain audits?

A: Formal verification is a method of proving that a computer program operates as intended through mathematical means. It expresses the properties of a program as mathematical formulas and uses automated tools to verify them.

This technology can be widely applied across various fields in the tech industry, including hardware design, software engineering, cybersecurity, AI, and smart contract auditing. However, it is important to emphasize that formal verification is not meant to replace human audits. For smart contracts, formal verification relies on automated methods to assess contract logic and behavior, while human audits involve security experts conducting comprehensive checks of code, design, and deployment to identify potential security risks. Both complement each other to enhance the overall security of smart contracts.

Q: As traditional financial institutions enter the blockchain space, do you think the types or complexities of security threats will change?

A: In the early stages of Web3.0 and the blockchain industry, attackers typically targeted individual users or small projects, employing methods such as phishing attacks, rug pulls, and wallet exploits. According to our Hack3d Q1 2025 report, these challenges still exist. However, with the entry of traditional institutions and large enterprises, the security risks to network integrity will enter a new phase. This shift is driven by the increase in project asset volumes, as well as the unique security needs and regulatory requirements of enterprise-level applications, and the deep integration of blockchain with traditional financial systems.

Given that most traditional institutions have experience in dealing with cyber threats, we expect malicious actors to also enhance the complexity of their attack methods, shifting from attacks on generic wallet vulnerabilities to more targeted enterprise-level weaknesses, such as configuration errors, custom smart contract vulnerabilities, and security flaws in integration interfaces with traditional systems.
