New York — In the rapidly evolving Web3 landscape, blockchain security is crucial. This article explores CertiK's mission to strengthen the blockchain ecosystem, led by Ronghui Gu, CS professor at Columbia University and CEO and co-founder of CertiK in the US. Founded on the principle of using formal verification to improve the security of blockchain and smart contracts, CertiK has become a frontrunner in safeguarding Web3 applications. Korea IT Times analyzes CertiK's Q1 HACK3D report, revealing alarming trends in cryptocurrency theft and evolving security threats. The article examines cutting-edge solutions like zero-knowledge proofs and multi-party computation, offers guidance for blockchain developers, and discusses AI's dual role in security. As traditional financial institutions enter the blockchain space, we analyze the anticipated shift in security challenges and underscore the critical importance of proactive measures to protect users and maintain ecosystem integrity. This exploration aims to equip stakeholders with essential insights for navigating the complex world of blockchain security.--Ed.

Q: Please briefly introduce yourself and CertiK's core mission.
A: As Co-Founder and CEO of CertiK and Professor of Computer Science at Columbia University, my mission, and by extension CertiK's, is deeply rooted in strengthening the security of the Web3 ecosystem.
Established in 2018, CertiK was born out of our belief in formal verification technology to monitor and enhance the security of blockchain protocols and smart contracts, ensuring they operate securely and correctly. By integrating innovative solutions from academia and the industry, we enable Web3 applications to scale safely. To date, we’ve worked with more than 4,800 enterprise clients, protected digital assets worth more than $530 billion, and identified more than 115,000 code vulnerabilities.
Q: CertiK recently released its Q1 Hack3d report. What were the key findings?
A: Across Q1 2025, we saw roughly $1.66bn lost to crypto scammers. This was a massive 303% increase in the amount of crypto stolen compared to the last quarter, largely due to the catastrophic Bybit hack in late February, which saw roughly $1.4bn stolen from the exchange's funds. Similar to previous quarters, Ethereum was the main target for security incidents throughout Q1 2025, experiencing 93 separate security incidents leading to $1,540,843,886 in losses. Shockingly, we also discovered that only 0.38% of the crypto that was stolen was returned to users.
Q: Have there been any notable changes in the main targets of blockchain attacks, compared to earlier quarters?
A: Ultimately, we are seeing the same trends in Q1 2025 that we saw at the end of 2024. Ethereum-based projects are the main targets of hackers, with 93 security incidents in Q1 2025 and 99 incidents in Q4 2024. This is a running theme: throughout 2024, Ethereum-based projects experienced the highest number of security incidents, and looking into 2025, this theme does not appear to be changing.
With the Bybit hack as well, there is another clear example of Ethereum-based projects being targeted by hackers, with the Ethereum-based Safe-Wallet being compromised, leading to significant losses. It appears that Ethereum is a prime target for hackers for several reasons: Ethereum hosts the majority of DeFi protocols, which often have billions of dollars locked in them, and many of the smart contracts that power the network have bugs.
Q: How is the blockchain security industry evolving in response to the increasing sophistication of attacks?
A: Nefarious actors are increasingly leveraging social engineering, AI, contract manipulation, and other sophisticated tactics to bypass even the most robust security measures. With the increasing adoption of digital assets and higher asset valuations on the rise, the industry must adapt to ensure the integrity of projects and the security of users.
The industry is responding by developing innovative technologies such as zero-knowledge proofs and on-chain security, which provide promising solutions to these escalating challenges. They allow for privacy-preserving transactions, transparent and auditable transaction tracing, the identification of attack vectors, and potential asset recovery. Multi-party computation (MPC) further strengthens key management by distributing private key control across multiple parties, eliminating a single point of failure and increasing the difficulty for attackers looking to gain unauthorized access to wallets. The ongoing development of these security technologies will be crucial in mitigating the effectiveness of hacking attempts and maintaining the integrity of decentralized ecosystems.
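The threshold property behind the key-management point above (any quorum of parties can act, no single party holds the key) can be seen in the primitive that MPC wallets build on: Shamir secret sharing. The following is an added illustration written for this article, not CertiK's code or any wallet's implementation. It splits a secret over the prime field of the secp256k1 group order (chosen here only so the secret can be key-sized), recovers it from any threshold-sized subset of shares, and shows that a single share is consistent with every possible secret. Production MPC wallets never reconstruct the key in one place; they sign with the shares directly, but the quorum argument is the same.

```python
"""Threshold custody with Shamir t-of-n secret sharing (added example)."""
import itertools
import secrets

# Assumption: secp256k1 group order used as the field prime so a "secret" can be
# a real-sized signing scalar. Any large prime works for the arithmetic below.
PRIME = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split_secret(secret, threshold, shares, rng=secrets.randbelow):
    """Split `secret` into `shares` points on a random polynomial of degree
    threshold-1 whose constant term is the secret. Share i is (i, f(i))."""
    if not 1 <= threshold <= shares or not 0 <= secret < PRIME:
        raise ValueError("bad parameters")
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_secret(points):
    """Lagrange interpolation at x = 0. Correct only when at least
    `threshold` distinct points are supplied; fewer give an unrelated value."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def every_threshold_subset_recovers(secret, threshold, shares):
    """Custody check: every quorum of `threshold` parties can reconstruct,
    so losing any (shares - threshold) parties is survivable."""
    pts = split_secret(secret, threshold, shares)
    return all(recover_secret(list(sub)) == secret
               for sub in itertools.combinations(pts, threshold))


def one_share_fits_any_secret(share, candidate_secret):
    """Why a lone party learns nothing: for a 2-of-n scheme, a single point
    (x, y) lies on a line through (0, s) for *every* candidate s. Compute the
    slope that makes it fit and confirm the share is consistent with it."""
    x, y = share
    slope = (y - candidate_secret) * pow(x, -1, PRIME) % PRIME
    return (candidate_secret + slope * x) % PRIME == y


if __name__ == "__main__":
    key = secrets.randbelow(PRIME)          # constructed sample secret
    shares = split_secret(key, 3, 5)        # 3-of-5 custody
    print("any 3 of 5 recover:", every_threshold_subset_recovers(key, 3, 5))
    print("2 of 5 recover:", recover_secret(shares[:2]) == key)
    print("one share fits secret 0:", one_share_fits_any_secret(shares[0], 0))
```

The quorum size is the design decision: `threshold` must be small enough that the wallet survives losing parties, yet large enough that compromising fewer than that many signers gains nothing.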
Q: What advice would you give to blockchain developers and project teams to protect their projects?
A: Prioritizing security from the outset should be non-negotiable. Integrating it into every phase of development, rather than treating it as an afterthought, allows for early detection of vulnerabilities, saving both time and resources in the long run. This proactive "security-first" approach is crucial for building resilient and trustworthy blockchain applications.
Additionally, partnering with blockchain security experts for thorough and unbiased audits offers invaluable perspectives on potential risks and weaknesses that might otherwise be overlooked by internal teams. These external evaluations provide a critical layer of scrutiny, helping to identify and mitigate vulnerabilities before they can be exploited, thus bolstering the overall security posture of the project and fostering greater user confidence.
Q: What role does AI have in blockchain security, good and bad?
A: AI has proven to be a valuable tool to CertiK, as we have made it an integral part of our strategy for maintaining the security of a blockchain system. Our teams use AI to analyze smart contracts for vulnerabilities and potential security flaws. Therefore, AI enables our team to perform thorough audits more quickly and efficiently than we could before but is not a replacement for our specialized team.
However, attackers can also use AI to aid their endeavors. It can enable advanced pattern recognition, identify code vulnerabilities, and overwhelm consensus mechanisms. As such, investing in robust security solutions is more important than ever as the use of AI becomes more widespread.
Q: What is formal verification and how does it help audit blockchains?
A: Formal verification is a method used to mathematically prove that a computer program is functioning as intended. It involves expressing the program’s properties as mathematical formulas and verifying them with automated tools.
Formal verification can be used across the technology industry to support hardware design, software engineering, cybersecurity, AI, and smart contract auditing, but it is not designed to replace manual auditing. For smart contracts specifically, formal verification leverages automated methods to assess contract logic and behaviors, while manual auditing adds a human expert review of code, design, and deployments to identify security risks. Together, they work to ensure stronger overall smart contract security.
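To make the "properties as formulas, checked by a tool" idea concrete, here is an added example, not CertiK's tooling or any product's verifier. It states a token invariant (balances always sum to the total supply and stay in range) as a predicate and checks it by exhaustive bounded model checking over every reachable state of a toy ledger. The toy uses an 8-bit word with wrapping arithmetic (an assumption standing in for the unchecked integer arithmetic of Solidity before 0.8) so that the classic missing-balance-check bug is reachable; the checked version reverts instead. Real contract verification works over unbounded integers with SMT solvers or proof assistants, but the shape of the argument, a property plus a mechanical search for a counterexample, is the same.

```python
"""Bounded model check of a token-transfer invariant (added example)."""
from collections import deque

MAX_UINT = 2 ** 8                      # assumption: toy word size, not uint256
ACCOUNTS = ("alice", "bob", "carol")   # constructed sample accounts
TOTAL_SUPPLY = 10
AMOUNTS = range(0, 4)                  # small amount domain keeps the search finite
INITIAL = {"alice": 10, "bob": 0, "carol": 0}


def transfer_unchecked(state, src, dst, amount):
    """Buggy transfer: no balance check, and subtraction wraps modulo MAX_UINT
    the way unchecked integer arithmetic does."""
    bal = dict(state)
    bal[src] = (bal[src] - amount) % MAX_UINT
    bal[dst] = (bal[dst] + amount) % MAX_UINT
    return bal


def transfer_checked(state, src, dst, amount):
    """Corrected transfer: insufficient balance or overflow reverts (None)."""
    if state[src] < amount:
        return None
    bal = dict(state)
    bal[src] -= amount
    if bal[dst] + amount >= MAX_UINT:
        return None
    bal[dst] += amount
    return bal


def supply_invariant(state):
    """The property under verification, written as a predicate on state."""
    return (sum(state.values()) == TOTAL_SUPPLY
            and all(0 <= b < MAX_UINT for b in state.values()))


def check(transfer, invariant, initial=INITIAL, depth=4):
    """Breadth-first exploration of every state reachable within `depth`
    transfers. Returns the shortest violating trace, or None if the invariant
    holds on all explored states."""
    key = lambda s: tuple(sorted(s.items()))
    seen = {key(initial)}
    queue = deque([(initial, [])])
    while queue:
        state, trace = queue.popleft()
        if not invariant(state):
            return trace
        if len(trace) >= depth:
            continue
        for src in ACCOUNTS:
            for dst in ACCOUNTS:
                for amt in AMOUNTS:
                    nxt = transfer(state, src, dst, amt)
                    if nxt is None or key(nxt) in seen:
                        continue
                    seen.add(key(nxt))
                    queue.append((nxt, trace + [(src, dst, amt)]))
    return None


def replay(transfer, trace, initial=INITIAL):
    """Apply a counterexample trace so the violating state can be inspected."""
    state = initial
    for src, dst, amt in trace:
        state = transfer(state, src, dst, amt)
    return state


if __name__ == "__main__":
    bad = check(transfer_unchecked, supply_invariant)
    print("unchecked counterexample:", bad, "->", replay(transfer_unchecked, bad))
    print("checked counterexample:", check(transfer_checked, supply_invariant))
```

The unchecked version fails at depth one: a transfer from an empty account wraps the sender's balance to 255 and mints supply out of nothing. The checked version explores every reachable ledger state and finds no violation, which is the kind of evidence manual review cannot produce by reading alone, while the choice of invariant and of the model's assumptions is still a human judgement.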
Q: As more traditional financial institutions and enterprises enter the blockchain space, do you anticipate a shift in the types of security threats or the sophistication of attacks?
A: When the crypto and blockchain industries were in their infancy, attacks often targeted individual users or smaller projects through phishing scams, rug pulls, and wallet exploits. CertiK’s Q1 2025 Hack3d Report shows that these challenges persist. However, the entry of traditional institutions and large enterprises onto the scene brings a new layer of complexity to maintaining network integrity. This shift is driven by factors including increased value at stake, the unique security requirements of enterprise-level applications, regulatory requirements, and the integration of blockchain into traditional financial systems.
As most traditional institutions are accustomed to managing cyber threats, we expect malicious actors to increase the sophistication of their threats by expanding beyond general wallet vulnerabilities to instead target enterprise-specific weaknesses such as misconfigurations, custom smart contract flaws, and vulnerabilities in integration points with legacy systems.
Copyright © Korea IT Times. Unauthorized reproduction and redistribution prohibited.
Monica Younsoo Chung