On December 4, 2024, Bloomberg Businessweek published an exclusive interview with Professor Gu Ronghui, co-founder of CertiK. Bloomberg Businessweek is widely regarded as one of the most influential financial media outlets globally and is considered a must-read publication for business professionals and investors. It is known for its in-depth analysis and commentary, serving as an important source of information for investors and corporate decision-makers. The magazine's coverage spans over 120 countries and regions, with a global readership of over 4.7 million and a global circulation of nearly one million, giving it significant influence in the United States and Asia.
In this exclusive interview with Bloomberg Businessweek, Professor Gu provided a detailed interpretation of the main security challenges currently facing the Web3 field from the perspective of an industry expert. He also shared unique insights on the future development of the industry, drawing on CertiK's years of practical experience.
The following is the full report:
Q&A: Gu Ronghui, co-founder and CEO of CertiK
One of the keys to the large-scale development of blockchain is the smart contract, which executes automatically once preset conditions are met, without the need for third-party involvement. However, hackers may also exploit this feature by launching attacks on vulnerabilities in those contracts. The founding intention of blockchain security company CertiK is to make smart contracts as safe as possible. Co-founder and CEO Gu Ronghui accepted an interview with Bloomberg Businessweek (Chinese version) to interpret the challenges faced in the Web3 security field. As a member of the Hong Kong Web3 Development Task Force, he also offered suggestions for the development of Web3 in Hong Kong.
You are a professor at Columbia University; what prompted you to co-found CertiK?
My research focus is on formal verification, using mathematical methods to prove the safety of software systems. Traditional security methods seek to identify potential vulnerabilities within the system, while we attempt to prove that the design, development, and implementation of the software comply with specifications, effectively exhausting all possibilities. This technology was previously considered difficult to apply to real complex systems until 2016 when we developed CertiKOS, the world's first fully formally verified multi-core operating system kernel.
At the same time, the blockchain was rocked by the attack on The DAO, leading to the loss of over 3.6 million ETH and raising awareness that the security challenges on the blockchain far exceed those on other computing platforms, as attacks can directly result in financial losses. Moreover, since smart contracts execute continuously after deployment, even if an attack is detected, it cannot be intercepted. Thus, everyone wishes to ensure the security of blockchain smart contracts as much as possible, which is the background under which we founded CertiK, providing multiple security solutions, including smart contract audits.
Some projects that have undergone CertiK audits, including smart contract audits, have still encountered security issues. What challenges does the Web3 security field currently face?
Security is a holistic matter, like a house; you can make the security door incredibly strong, but if your electrical system is compromised, the intruder can still enter through a window. A common phenomenon is that many companies or project parties have limited security budgets, thinking that as long as one version of the code or even the core part of the code is audited for security, they can feel at ease. However, once the code is upgraded, or if there are new deployments, problems can still arise.
A major challenge currently facing the Web3 security field is the insufficient awareness of security within the market and industry. Furthermore, there is significant pressure due to the numerous innovations in blockchain, whether from security experts or the version upgrades of our internal tools. For us, this is almost a 24/7 war, as hackers do not take breaks.
Many people describe CertiK as one of the 'Big Four' in the Web3 security field. When facing a large volume of business, how do you balance the breadth and depth of audits, and why should the industry trust centralized companies like yours?
In the face of a huge business volume, what we have been doing is to promote the productization of security audits, or code review. Many internal tools help us automatically generate audit reports, and security experts analyze and review all suspicious areas based on these, rather than examining the code line by line. Our principle is to err on the side of caution; in 2023, for example, we issued over 1,000 audit reports, with a real missed report rate of less than 1%. Regarding the issue of centralization, what we can do is to be as open and transparent as possible. CertiK has made all audit reports public since 2020. However, the published audit reports are not a 'seal' of approval for a specific project; they merely tell everyone what tests we conducted and which code we reviewed.
CertiK settled in Hong Kong last year; could you discuss the current business development or collaborations in Hong Kong? Additionally, as a member of the Hong Kong Third Generation Internet Development Task Force, what suggestions do you have regarding the actions and changes in Hong Kong’s development of virtual assets over the past two years?
CertiK is currently collaborating closely with Cyberport to provide Web3 security education to enterprises and professionals within the community through workshops and other formats. At the same time, many Web3 companies in Hong Kong are applying for regulatory licenses, and we also provide services such as security audits and security architecture design.
As a member of the task force, I believe Hong Kong's attitude toward developing Web3 is positive and its actions are swift. For example, regarding (virtual asset) exchange licenses and the approval of spot ETFs, each compliance framework involves a significant amount of work. However, at the execution level, the Hong Kong government may sometimes be too conservative. I also serve as a member of the International Technology Advisory Committee of the Monetary Authority of Singapore. For example, in the case of issuing tokenized bonds, there are clear differences between Hong Kong and Singapore. Singapore chose to issue on a public chain, with CertiK providing security audits throughout the process, while the Hong Kong government opted to deploy on Goldman Sachs' private chain, indicating that the Hong Kong government still has too many concerns when implementing innovation, worrying about the potential negative impacts of risks. Although Singapore has become more conservative in dealing with Web3 due to the FTX incident, it remains bolder than Hong Kong regarding tokenized bonds and stablecoin licenses.