On November 29, 2024, the authoritative media in the Web3 industry, Blockbeats, published an exclusive interview with Professor Gu Ronghui, the founder of CertiK, introducing the unique journey of CertiK from its inception to its growth and responding to current sensitive issues in the industry.
The following is the full text of the Blockbeats interview:
Exclusive interview with Professor Gu Ronghui, co-founder of CertiK:
"Where does CertiK go amidst the 'stamp-style audit' storm?"
In the crypto industry, security is the cornerstone of every project and platform. With the development of blockchain technology and the widespread application of digital assets, security issues have increasingly become a focal point of concern.
At the 2024 Singapore FinTech Festival (SFF), Professor Gu Ronghui, co-founder of CertiK and a computer science professor at Columbia University, delivered a keynote speech titled 'Beyond Code, Leading Trust.' In his speech, Professor Gu reviewed his academic journey and the leap from academic research to founding the Web3 security company CertiK, emphasizing the core concept that 'security is not only a competitive advantage but also a shared responsibility.'
Professor Gu Ronghui mentioned in his speech that the $2 million hacker attack on the DeFi protocol Merlin in April 2023 has brought profound warnings to the entire blockchain industry.
The Singapore FinTech Festival, as the top annual event in global financial technology, is jointly organized by the Monetary Authority of Singapore (MAS) and Elevandi. Seizing this opportunity, BlockBeats and CertiK co-founder Gu Ronghui had a conversation.
The academic origins and the birth of CertiK
In the Tsinghua campus of the 2010s, computer science gradually became a hot choice for elite students. However, unlike many students chasing popular research, Gu Ronghui chose a niche but deeply focused direction – formal verification. This field focuses on ensuring the correctness of software systems through mathematical proof, which is a core guarantee for infrastructure such as compilers and operating systems. Although formal verification started later in China, there has always been high demand, especially in ensuring system security and stability.
During his time at Tsinghua, Gu Ronghui studied under Professor Dong Yuan and was first introduced to formal verification technology. The research project he participated in, RA (Region-based Allocation), laid the theoretical foundation for him. The four years at Tsinghua sparked his strong interest in academic research and motivated him to pursue higher academic breakthroughs. After graduating from Tsinghua in 2012, Gu Ronghui chose to go to Yale University to continue his studies under the renowned scholar Professor Shao Zhong.
Yale's laboratory is not only the academic birthplace of Gu Ronghui but also the place where he first encountered the blockchain industry. In Professor Shao Zhong's laboratory, Gu Ronghui met the legendary figure of the crypto industry – Cat Wang. Before disappearing in 2013, Cat Wang had already created an empire of Bitcoin mining machines, and Gu Ronghui was an early witness of that historical period.
Specifically, Cat Wang was a doctoral student of Professor Shao Zhong, a co-founder of CertiK, a student of the joint laboratory of Yale University and the University of Science and Technology of China, and also Gu Ronghui's senior and office mate in office 301 of the Yale Computer Science Department. 'At that time, I was learning the XCAP framework (the work of CertiK's CTO, Dr. Ni Zhaozhong), and I couldn't understand much of the Coq code. Whenever I had questions, I would go and ask Cat Wang. Back then at Yale, Cat Wang was preaching Bitcoin,' Gu Ronghui recalled.
However, Gu Ronghui does not have any insider information regarding Cat Wang's legendary disappearance. 'In 2013, when I returned to Suzhou (the location of the Yale University and University of Science and Technology of China laboratory), Cat Wang even treated me to a hot pot meal. That was the last time I saw him. We lost contact after he disappeared.'
Commercialization of academic innovation: From CertiKOS to CertiK
Gu Ronghui's research experience at Yale made him keenly aware of the potential of formal verification. In 2016, he and his team successfully developed CertiKOS, the world's first fully formally verified multi-core operating system kernel.
In addition, Gu Ronghui's team has also developed SeKVM, the first fully verified commercial cloud hypervisor; completed the verification of the Confidential Computing Architecture (CCA) in collaboration with Arm, a result that will be applied to the next generation of Armv9 chips; and completed the verification of the HyperEnclave system in collaboration with Ant Group.
These achievements have not only attracted the attention of the academic community but also made Gu Ronghui see the broad application possibilities of formal verification technology in the real world. 'The success of CertiKOS made me realize that formal verification should not be confined to the laboratory; it can indeed provide strong security guarantees for the blockchain and Web3 fields,' Gu Ronghui said.
Therefore, Gu Ronghui and Professor Shao Zhong co-founded CertiK in January 2018. The company's name comes from 'CertiKOS,' meaning 'provably secure,' which has also become a symbol of the company's core philosophy. CertiK's goal is to bring the rigor of formal verification into the blockchain field, providing top-notch security guarantees for digital assets.
With the support of Professor Shao Zhong and several alumni from Tsinghua and Yale, CertiK formed a 'luxurious' startup team. The team members not only have outstanding academic backgrounds but also rich industry experience. Co-founder Professor Shao Zhong, a student from the Young Scholars Program at the University of Science and Technology of China, is not only the head of the computer science department at Yale University but also a Princeton PhD and a world-class academic authority; Dr. Ni Zhaozhong, the CTO, is also Gu Ronghui's senior from Tsinghua and Yale, having served as the head coach of the International Olympiad in Informatics and guided students to win gold medals multiple times. Many executives and technical backbones in the team also come from Tsinghua and have won numerous awards in informatics competitions and the computer field. This deep academic foundation and technical strength have made CertiK stand out in the industry since its inception.
Within just two months of its founding, CertiK secured $3.5 million in seed funding led by Lightspeed Venture Partners. The company developed rapidly, continuously attracting capital: in June 2020, IDG Capital led a $7 million Series A funding; between 2021 and 2022, CertiK completed four rounds of financing, with its total valuation soaring to $2 billion. According to public information, as of December 2021, CertiK achieved a twentyfold revenue increase and quadrupled its employee count.
Despite rapid development, fast financing, and large amounts, CertiK has always maintained restraint. 'During 2021 and 2022, many investment institutions indeed approached us hoping to invest, and we did refuse a large portion. Because CertiK's cash flow has always been healthy, we prefer to receive strategic investments that can assist us in business rather than merely financial investments, so we selectively accept investments,' Gu Ronghui recalled.
From product innovation to industry impact: The rise of CertiK
Becoming an industry unicorn certainly requires not only a 'luxurious' team but also robust product innovation.
In its development, CertiK continuously launches innovative products to meet the ever-changing needs of the blockchain industry. Among them, the CertiK Skynet for Community launched in 2022 is a project security information search engine designed for Web3 users. This platform provides security ratings for ordinary users, helping them better assess project risks and laying the foundation for promoting security awareness in the industry.
In 2023, CertiK further launched SkyInsights, a real-time monitoring tool tailored for project parties. SkyInsights is not only efficient but also cost-effective, assisting project parties in maintaining security and compliance in a rapidly changing market. This tool quickly became a powerful asset for project teams to ensure safe operations in the complex Web3 environment.
In 2024, CertiK upgraded its product matrix again and launched two influential new projects. CertiK Quest, in the form of Q&A and knowledge cards, educates users about Web3-related security knowledge and cultivates broader security awareness in the industry; at the same time, CertiK Ventures announced a $45 million investment plan aimed at supporting high-potential emerging projects in the Web3 field through funding, technology, and talent support. This strategic layout not only enhances CertiK's influence in the industry but also solidifies its position as a leader in the security field.
Additionally, CertiK has upgraded its product line and introduced the concept of 'full lifecycle security solutions.' This solution covers every growth stage of a project from inception to success, embedding security deeply into every aspect of the Web3 ecosystem, complemented by the new slogan: 'Elevating Your Entire Web3 Journey.' CertiK focuses its security services on more specific targets, such as project parties, trading platforms, wallets, and end users, ensuring comprehensive security through customized solutions.
'Many projects believe that security is a one-time audit before going live, treating it as a time-bound service, but security needs to accompany the entire project lifecycle. We hope to accompany users from the early stages all the way to launch, chain, and coin issuance, and then into the mature operation phase.'
CertiK's security engine is a core manifestation of its technological competitiveness. This engine relies on advanced formal verification, automated scanning, and deep specification analysis technologies to help security experts efficiently identify potential issues in the code. Professor Gu Ronghui describes it as 'an intelligent assistant for security experts,' similar to the role of ChatGPT in text processing.
The model data of this engine comes from CertiK's accumulated audit experience and knowledge base over the years, covering code samples from 4,700 clients, 150,000 security vulnerabilities, and detailed reports on more than 40 major vulnerabilities. This data provides the engine with powerful analytical capabilities, enabling it to quickly identify potential risks in smart contracts and blockchain applications.
Taking the TON public chain as an example, CertiK not only provided code auditing and formal verification but also assisted in performance testing and community building after launch. This comprehensive support has surpassed traditional security fields, further providing project parties with multidimensional value-added services. This also reflects CertiK's transformation from a single service provider to a 'security partner' role.
In addition, with the increasing popularity of the blockchain industry, CertiK has gradually shifted its focus from B2B (business-to-business) to B2C (business-to-consumer). In 2024, CertiK launched free community security tools Token Scan and Wallet Scan, providing ordinary users with simple and easy-to-use security detection services. The launch of these tools not only lowers the threshold for using security technology but also allows more people to participate in building the Web3 security ecosystem.
CertiK hopes to empower end users with stronger security awareness and prevention capabilities through these tools. Gu Ronghui candidly stated, 'CertiK has served 4,700 clients, found 150,000 security vulnerabilities, and reported more than 40 major vulnerabilities. We have made a significant contribution to the community, but we still have not done enough for end users and the developer community.' In the future, CertiK plans to launch more free security tools to give back to community support and promote healthy industry development.
Clarification and response: Misunderstanding of 'stamp-style audits'
In a rapidly evolving technology field with complex and changing security needs, controversies are inevitable. From criticism of 'stamp-style' audits to public skepticism after issues arise with certain projects, CertiK has undergone multiple tests from the public and the industry. How to confront these issues, reveal the underlying reasons, and contribute more significantly to the industry's development has become an unavoidable mission for CertiK.
Security audits, in essence, are professional assessments of the security of a codebase at a specific point in time, rather than comprehensive protection over the entire project lifecycle. As a provider of auditing services, CertiK faces several practical challenges:
Limitations of code scope: Many project parties submit only part of the code, or a test version of it, for auditing. The audit can then only assess risk in what was submitted and cannot cover the project's entire codebase. If the code changes after launch without being re-audited, security risks may follow.
Changes after auditing: Some project parties modify the code or add new features after the audit in order to launch quickly, and these changes never undergo a security audit. Such 'subsequent changes' are often the main cause of security incidents, rather than oversights in the initial audit.
Cost and resources: Comprehensive, in-depth security audits are costly, and not every project can afford them. Even well-known projects may choose a partial audit rather than full code coverage because of budget constraints, which further increases the residual risk.
The disconnect between auditing and execution: Even when CertiK provides detailed risk findings and remediation plans, implementing them rests with the project party. Some project parties do not fully implement the audit recommendations or the remediation plan, and this is another significant reason that security issues occur.
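The first two challenges above come down to one question: does the code being deployed match the code that was audited? As an added illustration (not CertiK's tooling and not from the interview), the following Python script records the files an audit actually covered and flags, before release, anything modified, added or removed since; the file contents and the commit id are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class AuditScope:
    """What an audit actually covered: a commit id plus a SHA-256 of each reviewed file."""
    commit: str
    file_hashes: dict  # path -> sha256 hex digest


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_scope(commit: str, files: dict) -> AuditScope:
    """Build the scope record at audit time from the reviewed sources (path -> bytes)."""
    return AuditScope(commit=commit, file_hashes={p: sha256_hex(b) for p, b in files.items()})


def audit_drift(scope: AuditScope, current_files: dict) -> dict:
    """Compare the release candidate against the audited scope.

    Returns sorted path lists: 'unchanged' (covered by the audit), 'modified'
    (changed after the audit), 'unaudited' (never in scope) and 'removed'.
    """
    result = {"unchanged": [], "modified": [], "unaudited": [], "removed": []}
    for path, data in current_files.items():
        audited = scope.file_hashes.get(path)
        if audited is None:
            result["unaudited"].append(path)
        elif audited == sha256_hex(data):
            result["unchanged"].append(path)
        else:
            result["modified"].append(path)
    for path in scope.file_hashes:
        if path not in current_files:
            result["removed"].append(path)
    for key in result:
        result[key].sort()
    return result


def release_is_covered(scope: AuditScope, current_files: dict) -> bool:
    """True only if every file in the release is exactly what the audit reviewed."""
    drift = audit_drift(scope, current_files)
    return not (drift["modified"] or drift["unaudited"] or drift["removed"])


# Constructed sample data: the sources as submitted for audit (placeholder commit id).
AUDITED_FILES = {
    "contracts/Vault.sol": b"contract Vault { function withdraw() external {} }",
    "contracts/Token.sol": b"contract Token { uint256 public totalSupply; }",
}
AUDIT_SCOPE = record_scope("PLACEHOLDER-COMMIT-ID", AUDITED_FILES)

# Constructed release candidate: Vault.sol gained a function after the audit,
# Bridge.sol was never submitted, Token.sol is untouched.
RELEASE_FILES = {
    "contracts/Vault.sol": b"contract Vault { function withdraw() external {} "
                           b"function emergency() external {} }",
    "contracts/Token.sol": AUDITED_FILES["contracts/Token.sol"],
    "contracts/Bridge.sol": b"contract Bridge { }",
}

if __name__ == "__main__":
    for kind, paths in audit_drift(AUDIT_SCOPE, RELEASE_FILES).items():
        print(f"{kind:10s} {paths}")
    print("release covered by audit:", release_is_covered(AUDIT_SCOPE, RELEASE_FILES))
```

Running it reports Vault.sol as modified and Bridge.sol as unaudited, so the release is not covered; only a build that matches the audited scope file for file passes.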
In response to doubts, CertiK has also provided its own responses. For example, since 2020, CertiK has made all audit reports public for user and community oversight. The decision to publicly release audit reports faced widespread opposition at the time, whether from within the company, partners, or even investment institutions.
'Because once made public, when any security incident occurs, everyone will associate it with CertiK. No other security company dares to disclose all audit information because it means being completely exposed to problems. For CertiK, publicly transparent information is a double-edged sword, but for the industry, it is a positive drive,' Gu Ronghui explained.
'We insist that even if this choice brings challenges to CertiK, as long as it benefits the industry, CertiK will firmly execute it. Since 2020, CertiK has always maintained its original intention. Even when project parties encounter problems, CertiK has borne the negative impact that follows. To this day, we continue to publicly release reports on our website,' Gu Ronghui stated.
In addition, to address these issues, CertiK launched the CertiK Skynet leaderboard and security rating system to enhance the transparency and authenticity of audit reports. The leaderboards and project information pages keep audit reports accessible and verifiable at their source, so that tampered or forged reports can be avoided. CertiK's security rating system weighs multiple dimensions, such as on-chain data, GitHub repositories, audit information, and community status, to give users a more comprehensive picture of a project's security.
On the other hand, CertiK has also launched the Quest feature, a Q&A reward mechanism aimed at showcasing more technical details and security knowledge to the community. This helps users gain a deeper understanding of security-related information about projects and comprehend the role of security.
The Web3 security field has never offered a 'perfect safety' guarantee, but rather a dynamic balance between technology and risk. In this process, CertiK must face both the limitations of technology and project execution issues while also bearing the pressure of public skepticism.
Responsibility in crisis
In the world of Web3, the boundaries of hacker behavior are even more blurred than in the traditional internet. There are many gray areas between the traditional notions of 'black hats' and 'white hats.' For example, some hackers claim to expose vulnerabilities for 'public interest,' but their actions may not comply with existing laws and regulations. This complexity brings more challenges to security companies.
Since 2020, CertiK has conducted over 70 white hat operations, discovering and fixing tens of thousands of security vulnerabilities while strictly adhering to the white hat code of conduct and ensuring no harm to users or the public interest. For instance, CertiK received the highest bug bounty from the Sui project for discovering critical vulnerabilities. CertiK possesses industry-leading on-chain real-time attack monitoring and early warning capabilities and focuses on tracking the flow of funds related to Lazarus Group cases, providing valuable security protection experience for the industry.
However, CertiK is also well aware that relying solely on technical means is insufficient to comprehensively solve the problem. The security issues in Web3 exist not only on a technical level but also involve the complex interactions of human nature and trust.
For instance, in the Merlin incident, the mastermind was not a code vulnerability but rather malicious behavior from internal personnel. CertiK has further improved its mechanism for preventing internal threats through rigorous background checks and real-time monitoring.
Furthermore, CertiK had reported to another trading platform a vulnerability that allowed trades at any arbitrarily specified exchange price, and this warning was provided almost as a free service. Had this vulnerability not been discovered, the trading platform might have faced a survival crisis. Professor Gu Ronghui stated in the interview, 'Many times, our work is not seen by the outside world, but it is these invisible efforts that prevent many potentially significant losses.'
In the security battlefield of Web3, the attack methods of hacker organizations are becoming increasingly complex, with the Lazarus group being a typical representative. This organization has created numerous security incidents globally through its sophisticated social engineering attacks, supply chain attacks, and by posing as developers to implant vulnerabilities.
CertiK not only technically confronts the Lazarus group but also continuously monitors the flow of their involved funds through fund tracking and anti-money laundering tools. In 2022, the mastermind behind the Merlin incident was confirmed by the United Nations to be associated with the Lazarus group, and CertiK's investigation in this incident was regarded as a model of 'zero-distance confrontation' with hackers. This also prompted CertiK to comprehensively upgrade its capabilities in fund tracking, vulnerability scanning, and KYC (Know Your Customer).
'The Web3 security industry requires 24/7 high vigilance, constantly facing off against hackers and engaging in a battle of wits to defend the interests of clients and the community. Although this war may never be completely resolved, this very characteristic instills a strong sense of mission in CertiK. We will adhere to our original intention and continuously protect Web3 security,' CertiK stated.
The original intention remains unchanged: CertiK will lead blockchain security and compliance, jointly building a new future for the Web3 ecosystem.
In the future, committed to promoting the blockchain industry positively and upholding the white hat spirit, CertiK will continue to maintain its status as a unicorn in the blockchain industry while actively taking on new responsibilities and roles. Currently, CertiK has established partnerships with regulatory agencies in five countries and regions, playing an important role in policy formulation and compliance support.
Professor Gu Ronghui, as a member of the International Technical Advisory Committee of the Monetary Authority of Singapore (MAS), has participated in discussions on several important frameworks. He was also invited to become a member of the Hong Kong Web3 Development Task Force to assist in the formation of digital asset management rules.
At the Singapore FinTech Festival, Professor Gu Ronghui shared his views as a keynote speaker. He stated, 'The core of regulation lies in being "manageable, visible, and executable." In today's increasingly complex on-chain transactions, security issues have become one of the key pillars of regulation.'
CertiK's government collaborations are extensive and deep. For example, CertiK provided professional opinions for the joint issuance of a regulatory framework for stablecoins by the Hong Kong Monetary Authority and the Treasury; participated in drafting compliance policies for the Japanese Financial Services Agency regarding yen-backed stablecoins; collaborated with the Malaysian Digital Economy Corporation to develop policy documents for the Metaverse and Web3; and signed memoranda of cooperation with the governments of Seoul and Busan in South Korea to provide technical support for blockchain security and risk prevention. These efforts not only solidify CertiK's leading position in the industry but also demonstrate its profound sense of responsibility for industry development.
At the same time, CertiK announced the launch of its venture capital department, CertiK Ventures, with a $45 million investment plan aimed at supporting high-potential emerging projects in the Web3 ecosystem. This plan is not only a commitment to the future of the industry but also a significant step in CertiK's transformation from a technology provider to an ecosystem promoter.
CertiK Ventures focuses its investments on security and infrastructure-related projects, particularly those with sustainable and scalable business models. CertiK aims to help these projects stand out in the rapidly evolving landscape through funding and technical support and build long-term technical partnerships. CertiK Ventures plans to start allocating funds in the fourth quarter of 2024, continuing until the end of 2025, to provide comprehensive growth support for more projects.
In addition to government collaboration and the establishment of the VC department, CertiK also revealed its latest plan – the '21 Plan,' aiming to achieve listing standards within 21 months, with client experience management (Client Insights First) as the core strategy. By deeply exploring customer needs, CertiK is committed to developing a product optimization and service enhancement system guided by customer feedback.
Under the guidance of this plan, CertiK launched a full lifecycle security solution. This solution covers the entire growth process of projects, from the conceptual stage to post-launch, from initial design reviews to code audits, and then to community management and performance optimization after going live. CertiK has expanded its security services from defense to support, enabling Web3 project parties to achieve continuous innovation based on a secure foundation.
CertiK's outlook for the future also extends beyond traditional security fields. In the context of Web3 gradually becoming mainstream, CertiK plans to expand its service scope to more traditional enterprises, helping them smoothly enter the blockchain ecosystem. In the face of alternating industry bull and bear markets, CertiK has laid the foundation for sustainable growth by optimizing team structure and strengthening technical capabilities.