Article Author: 0x9999in1

Source: MetaEra

Recently, the MetaEra Hong Kong section was launched with great fanfare, leading off with the series of events titled 'Celebration of Two Years of Hong Kong's New Crypto Policy.' An important part of this is the 'High-Level Dialogue: Influential Leaders in Hong Kong Web3.0.' The featured interviewee this time is CertiK co-founder Gu Ronghui.

Profile Introduction

Gu Ronghui is a Professor of Computer Science at Columbia University and co-founder of CertiK. He is a member of the International Technical Advisory Committee of the Monetary Authority of Singapore (MAS) and a member of the Hong Kong government's dedicated group for the development of the third generation internet (Web3.0). Gu Ronghui graduated from Tsinghua University and obtained a Ph.D. in Computer Science from Yale University in 2016. He is an expert in operating systems, software security, and formal verification, and the main designer and developer of CertiKOS.

Key Insights

● I believe Hong Kong still stands as one of the best places for Web3 entrepreneurship. For the Chinese community, I think it may be the best entrepreneurial base, without a doubt.

● We believe that security needs to accompany the entire lifecycle of a project. We hope to accompany users from the early stages all the way to the launch, on-chain, listing, and into the mature operational phase.

● We do not wish for the industry or project parties to believe that passing CertiK's security audit means that the project has no security issues at all.

● Everything CertiK does is aimed at making all things open and transparent.

● Open and transparent information is indeed a double-edged sword for CertiK, but it is certainly a positive result for the industry.

● The three most important points of regulatory policy are control, visibility, and enforcement.

● The development of Web3 in Hong Kong has passed the initial honeymoon period and is now entering a painful phase.

● CertiK must engage in a 7*24 confrontation with hackers in this unfair battle, striving to ensure our win rate year after year.

Full Interview Text

MetaEra: CertiK settled in Hong Kong Cyberport last August. Can you share your personal experiences and provide guidance to those still observing the development of Web3 in Hong Kong?

Gu Ronghui: I remember that in January 2023, Hong Kong had already introduced some relevant policies, and at that time, I felt that everyone was in a wait-and-see state. CertiK received an invitation to come to Hong Kong and met with Secretary Chan Mo-Po, who expressed his views on Web3 financial policies, making me feel that the Hong Kong government has strong confidence in developing Web3.

It was from that time that we began to establish CertiK's presence in Hong Kong. During that period, the United States had a certain attitude towards Web3, with the SEC launching several lawsuits in succession, leading everyone to feel that the attitude and policies of the United States towards Web3 had become very unclear, thus many people shifted their gaze to Asia. The main financial centers in Asia are Singapore and Hong Kong. When I received the invitation from Hong Kong, I was actually in Singapore, serving as a member of the International Technical Advisory Committee of the Monetary Authority of Singapore (MAS). Moreover, because Singapore's sovereign fund Temasek invested in FTX, the collapse of FTX caused Singapore's policies on Web3 to become somewhat hesitant. I felt that Hong Kong seized this opportunity very well.

We have chosen to settle in Cyberport in Hong Kong, which provides ample support for Web3 entrepreneurs. They not only organize activities regularly but also support project incubations, etc. We have also exchanged a lot through this. Throughout the process, I have felt that Hong Kong's unique position, coupled with the government's determination to develop Web3, makes this a very good base for Web3 entrepreneurship.

If I were to give some advice to other Web3 practitioners, I think Hong Kong remains one of the best places for Web3 entrepreneurship. For the Chinese community, I believe it might be the best entrepreneurial base, without a doubt. First, it has policy support; second, it has Shenzhen backing it, which not only helps recruit talent in finance but also many quality programmers and developers; third, the increasing number of related enterprises allows for better networking with partners or clients. Additionally, if any entrepreneur wants to come to Hong Kong to start a business, I highly recommend contacting Cyberport at the earliest opportunity. Currently, CertiK is also collaborating with Cyberport to provide some security-related certifications and assist in applying for Cyberport's entrepreneurial support funds.

Additionally, the Hong Kong financial regulatory authorities have adopted CertiK's suggestions to strengthen the stablecoin regulatory framework, which is a very positive feeling! It means the Hong Kong government can listen to the professional suggestions, thoughts, and voices from various sectors of the industry to improve its policies. I feel that among various local governments, the Hong Kong government is doing the best in this regard.

MetaEra: Hong Kong has attracted many Web3 projects under the call of the new crypto policy. How do you think these projects view blockchain security? Do Chinese entrepreneurs have different views on crypto security compared to those in the Western world? Could you elaborate on that?

Gu Ronghui: We are in the Web3 security track, and we can also say that we are a leading company in the Web3 security space. First, security is crucial for most practitioners. If you ask any enterprise or founder whether project security is important, they will definitely say it is! But how to improve project security, and what aspects of security a project includes, and whether they are willing to pay for it, the answers are often vague and general. Therefore, everyone feels that security is important, but in practice, we still sense considerable resistance.

First, everyone feels there's no need, always under a sense of complacency, believing the project is secure and that it won't be attacked, which makes it easy to overlook project security. Second, regarding security, what exactly does blockchain security encompass? As a blockchain project party, what security protections should they implement? In fact, most project parties are not very clear about this. In the past, people may have heard more about code auditing, and part of CertiK's efforts has led to a consensus that projects should engage external agencies for independent third-party security audits after internal testing.

However, three to four years ago, it was not like this. In 2020, when DeFi was just starting, people gradually realized the importance of code auditing. During these years, some projects only conducted security audits on a portion of their code because the costs were high. Some projects even performed security audits on one version of their code but neglected audits on subsequent updated versions. This actually reflects a misconception: any change in code, even a few lines, can introduce new vulnerabilities and attack opportunities. This phenomenon still lacks consensus today; all project code and all versions should undergo security audits.

Taking a step further, code security auditing is just a small part of blockchain security. Overall blockchain security also includes private key management, the non-smart contract parts, and the security of interactions between smart contracts. For example, some projects also involve node security, such as whether the wallets used by enterprises, be they multi-signature wallets or MPC wallets, are secure. In fact, what has been mentioned above exceeds the scope of code auditing, but the security of these parts is completely zero in terms of design and protection, which is almost like running naked. Under these circumstances, you will find that many attacks no longer solely exploit the security of smart contracts. We have collaborated with Cyberport to launch a security training program for entrepreneurs and business owners to provide security training. There will also be an examination component, and certificates will be issued. With this certificate, one can qualify for Cyberport's fund support. Because providing support funds can at least help avoid theft and loss.

MetaEra: Do Chinese entrepreneurs have different views on crypto security compared to those in the Western world? Could you elaborate on that?

Gu Ronghui: The overall view is still consistent! Before 2021, there wasn't much focus on security. After 2021, people began to pay more attention to security. However, there may be some subtle differences. Perhaps Western entrepreneurs have a slightly smaller sense of complacency regarding security, while entrepreneurs in the Eastern Chinese-speaking regions may have some complacency, thinking their projects are secure. Another slight difference is that when we point out some vulnerabilities in Western projects, they tend to be more open-minded. However, when encountering some projects in the Chinese-speaking regions, when you point out issues, they may have a defensive mindset, thinking their project has no issues, and the problems pointed out by CertiK may be detrimental to them. Of course, I must say this is an extreme minority case. But what I want to emphasize is that the purpose of security auditing is to help you find issues and fix them.

MetaEra: Recently, we have noticed that CertiK's slogan has changed. What considerations led to this upgrade? CertiK has launched free security tools like Token Scan and Wallet Scan for the community. As a security company, will CertiK focus more on C-end users?

Gu Ronghui: Let me first talk about the slogan. The previous slogan was 'Securing The Web3 World.' We just upgraded it, and the new slogan is 'Elevating Your Entire Web3 Journey.' This is quite a significant change.

I want to first talk about why I want to make such a change. CertiK has served 4,700 clients, identified 150,000 security vulnerabilities, and reported over 40 major vulnerabilities. We can say that we have made significant contributions to the community, but I feel that our output for the C-end and developer community has not been enough. Our feedback to the community has been insufficient in the past few years.

'Securing The Web3 World' was our initially simple idea, which was to protect the entire Web3 industry and world. So I ask myself, where are our clients? Where is our community? In fact, this slogan did not reflect this well. When our vision became grand, turning into an industry and a world, it sometimes overlooked specific communities, specific clients, and specific C-end users. Thus, in the new slogan, I added 'Your Web3 Journey,' as we sincerely hope to place each individual and community in the industry into our thoughts to make it more specific, rather than just a macro world.

Second, many of our clients think of security as a one-time audit before going live, treating it as a service tied to a specific moment. However, we believe that security needs to accompany the entire lifecycle of a project. We hope to accompany users from the early stages all the way through launch, on-chain, listing, and into mature operations.

Third, the upgrade of the slogan signifies that we believe security is not just about preventing attacks. Throughout the entire lifecycle, we are empowering the project parties. CertiK now also provides many services that extend beyond the scope of security, reaching into the broader security domain. Beyond the broad security domain, we also offer clients 'Design Review' consulting services. For example, for the TON public chain, we conducted code audits and formal verification early on, and after the launch, we helped TON with performance testing and community building. These have actually extended beyond the security domain.

Therefore, to better define CertiK's mission and product and service offerings, we upgraded CertiK's slogan. The new slogan encompasses project parties, exchanges, wallets, and C-end users. Tools like Token Scan and Wallet Scan are entirely free and aim to give back to our supportive community and empower our community.

MetaEra: Many startup Web3 projects emphasize in their official PR that they have passed CertiK's security audit, as if 'passing CertiK's security audit' has become an industry standard. What do you think about some project parties promoting this aspect as an advantage of their projects, potentially cultivating a fixed mindset among users that 'passing CertiK's audit means a good project, while not passing means a bad project'?

Gu Ronghui: First, I am very happy to see that many projects regard passing CertiK's security audit as a plus point for their projects and promote it as an advantage. This certainly recognizes our work, technology, and brand. Regardless, this is a happy thing.

But I also want to emphasize a major misconception: we do not wish for the industry or project parties to believe that passing CertiK's security audit means that the project has no security issues at all. We have always stressed that these are two separate matters.

First, there is a significant gap between CertiK's security audits and the actual security of projects, as security audits and project security actually include many non-audit aspects.

Second, CertiK often only receives partial code, or even just a version of partial code for security audits, and therefore cannot guarantee anything for the entire codebase.

Third, the work of Turing and other scientists indicates that theoretically, there is no universal method to guarantee that a piece of code is 100% secure. Thus, passing a security audit does not imply that the code is 100% secure. However, passing CertiK's security audit can indicate that the project party is serious about security, which requires time, financial cost, and potentially delaying the launch to enhance the overall security of the project. Furthermore, passing CertiK's security audit can significantly increase the project's security level.

From these perspectives, undergoing CertiK's security audit can indeed serve as an advantage for project parties. However, we do not wish to turn this into a fixed mindset, as this type of thinking may have a backlash effect on both the project parties and CertiK. Therefore, we are constantly clarifying the facts, and we are once again grateful for the recognition from project parties and the industry.

MetaEra: CertiK encountered the Kraken incident this year. I'm sure everyone is aware of the conflicting statements from both sides. From a public relations crisis perspective, what growth insights and tangible impacts has this event brought to CertiK?

Gu Ronghui: The intensity of this incident far exceeded our expectations. Several months have passed since the event, and looking back, there are several clear outcomes.

First, Kraken experienced a serious vulnerability. CertiK discovered the vulnerability and quickly notified Kraken, who then fixed the issue, ultimately preventing any loss to users. Kraken itself acknowledges that this might have been the most serious exchange vulnerability in history, and CertiK discovered and helped it resolve the issue. From the outcome, this is a Big Win for the entire industry.

Secondly, if we had to experience it all over again, CertiK would still report to Kraken at the earliest opportunity to help them avoid any potential user losses, whether it takes 100 times or 1000 times; this is something we would do.

However, when facing the same situation, if both sides have different opinions, CertiK believes there is definitely a better way to resolve it, rather than ending up in a situation where both sides hold firm to their positions.

MetaEra: As 'industry swordbearers,' blockchain security agencies and blockchain rating agencies face a challenge: how to ensure their professionalism is applied fairly to every Web3 project? How does CertiK effectively handle this?

Gu Ronghui: This issue has been troubling us since 2020, and we have been thinking about it continuously. Before decentralization, we would place our money with Amazon, Alibaba, Tencent based on our trust in these large companies, believing that they were centralized institutions. However, after decentralization, ordinary users cannot understand code. CertiK stands up to tell everyone that this code is secure and that they can trust CertiK. But at that moment, could CertiK become a center?

To be honest, CertiK has faced a lot of controversy in the industry over the past two years, and we will not shy away from it. Why is there so much controversy? Why are so many people criticizing us? Perhaps it is because people feel that CertiK has become centralized, and CertiK is questioned regarding whether it is doing its work reasonably and fairly.

We are also pondering these issues. One report stated that CertiK has single-handedly transformed blockchain security into a competitive field. We ask ourselves: given such a heavy responsibility, what should we do? CertiK's choice at that time was to publicly release all security audit reports on our website. However, these reports were too technical for many users to understand, so we distilled these reports into Skynet data, providing visual formats for everyone to view. Everything CertiK does is aimed at making all things open and transparent.

This decision was met with strong opposition at the time, both internally within the company and from partners, even our investors. Because CertiK publicly released all security audit reports, whenever a security incident occurred, people would associate the security issue with CertiK. However, to date, no other security company has dared to publish all information, for once it is made public, they have nowhere to hide and cannot evade any issues.

Open and transparent information is indeed a double-edged sword for CertiK, but it is definitely a positive outcome for the industry. Our principle is that even if it is a double-edged sword for CertiK, if it is positive for the industry, CertiK will steadfastly execute it. From 2020 to now, CertiK has maintained its original intention; even when project parties have encountered issues and CertiK has been criticized, we have borne all the negative impacts. To this day, we publish our security incident reports on our website.

MetaEra: As countries and regions implement policies and regulations related to virtual assets, security issues are increasingly emphasized by law enforcement agencies and governments. Which regions and countries has CertiK established relevant collaborations with? What are the main security concerns in the future of the Web3 field?

Gu Ronghui: Let me first talk about collaborations from various aspects.

Firstly, I am a member of the Hong Kong government's dedicated group for the development of the third generation internet (Web3.0). CertiK's Chief Security Officer, Professor Li Kang, is also a group member. For instance, CertiK has made two suggestions in the consultation summary published by the Hong Kong Treasury (Financial Services and the Treasury Bureau) and the Monetary Authority regarding the legislative suggestions for implementing a regulatory framework for stablecoin issuers. I am also a member of the International Technical Advisory Committee for the Monetary Authority of Singapore (MAS), and I am the only member from the Web3 industry among the 11 members.

Additionally, CertiK has participated in drafting compliance policies for the Japanese yen stablecoin and has provided the Financial Services Agency (FSA) of Japan with advice on contract compliance and hacker monitoring. We have also collaborated with the Malaysia Digital Economy Corporation (MDEC) to jointly draft policy documents related to the Metaverse and Web3. In South Korea, CertiK has signed MOUs with the governments of Seoul and Busan to launch related cooperation.

The above is some of the cooperation between CertiK and various governments in Asia, helping them draft compliance-related policy documents.

Starting in 2023, the trend in the Web3 industry across Asia and the United States is compliance, such as the approval of spot ETFs and other mainstream narratives. The benefit of compliance is to allow more users to participate, enabling more traditional industry users to get involved.

The policies of governments around the world first start with stablecoins. CertiK is actively promoting the development of policies in various regions, helping governments better understand Web3. Because misunderstanding often leads to fear, helping the government understand will allow it to slowly accept Web3, which is a role CertiK plays.

The three most important points of regulatory policy are control, visibility, and enforcement. Therefore, once governments start discussing compliance, they immediately have to talk about security. Because if security issues are not resolved, a situation will arise where it cannot be controlled or seen. This is one reason why on-chain transactions are becoming increasingly important.

MetaEra: What are the main security issues in the Web3 field in the future?

Gu Ronghui: I think there are four aspects:

First, code security;

Second, project security beyond code, such as interaction with smart contracts;

Third, private key management;

Fourth, counterparty risk, such as whether your transactions are secure, whether interactive assets could be stolen, etc.

Currently, we can see two trends: first, traditional banks entering the Web3 industry, where their security issues will become more prominent; second, retail users just entering the Web3 industry who cannot properly safeguard their wallet private keys and struggle to determine whether a project or smart contract is secure. The 'Your' in our new slogan is intended to encompass these two groups with limited knowledge of Web3 security, helping them to better ensure safety.

MetaEra: Looking globally and focusing on Hong Kong. CertiK is also contributing ideas for the development of Web3 in Hong Kong. The Hong Kong Treasury and the Monetary Authority's legislative proposals for stablecoin regulation have adopted CertiK's suggestions. In your observation, what stage has Hong Kong's Web3 development reached?

Gu Ronghui: The development of Web3 in Hong Kong has passed the initial honeymoon period and is now entering a painful phase. We have seen the government's early determination, including Secretary Chan Mo-Po's speeches and the successive policy support. In the policy-making process, the government has communicated with the industry and widely solicited industry suggestions. The attractiveness of the policies has also brought many enterprises to Hong Kong, which is what I mean by the honeymoon period.

After the honeymoon period, enterprises must begin to develop their business and market, which itself is a challenging phase. Companies need actual users and markets, and this is inherently a challenging and difficult road.

MetaEra: Professor Gu, you transitioned from campus to society and founded a security company focused on blockchain security. What was the opportunity for this shift (stepping out of campus, starting a Web3 venture)? Additionally, what was the original intention behind founding CertiK? Has it changed since then?

Gu Ronghui: Let me talk about the process of founding CertiK. The name CertiK comes from CertiKOS. In 2016, I developed CertiKOS together with another founder of CertiK, Professor Shao Zhong. This was the world's first comprehensively formally verified operating system kernel designed to prevent hacking and attacks. At that time, it was a technological breakthrough that garnered significant attention in the industry, and I also secured a faculty position at Columbia University based on this research achievement.

First, let me talk about formal verification, which is the mathematical method used to prove the security of a piece of code. It can achieve the highest security standards currently, but the costs are high, and it takes a long time, so it was previously only applicable in very core and critical areas, making it difficult for large-scale application. In 2016, we completed the verification work of CertiKOS, proving that formal verification had reached the application stage.

In 2016, an event occurred where the DAO on Ethereum was attacked, which is considered one of the largest security breach incidents. Everyone finds blockchain security to be very challenging because vulnerabilities may arise in the code. Once an attack occurs, no one can stop these transactions. Therefore, everyone hopes that the code is as secure as possible, as it may involve assets worth millions or even hundreds of millions of dollars behind it. In this context, we found a good match between our own technology and market demands, and CertiK was born. CertiK hopes to apply formal verification to smart contract auditing, enhancing the security of project code in the entire industry, which is the original intention of our establishment.

The development process is very challenging, and the biggest challenge we currently face is the public's understanding of security. From 2017 to 2020, everyone thought security was important, but no one was willing to do anything about it, unwilling to invest time and effort into security work. By 2020, industry practitioners began to recognize that at least auditing smart contracts was necessary, but many other security issues had not received adequate attention.

Moreover, the Web3 industry is developing rapidly, with technology evolving quickly. Every month, new terms, concepts, and technologies emerge. When new technologies appear, security issues become prominent. CertiK currently occupies a significant market share and needs to cover all technology stacks and ecosystems, which is quite exhausting.

Additionally, in the process of development, CertiK has to face many non-technical issues and even some controversies. These include our opponents, hackers, who may target the weakest company in the industry. If CertiK is seen as a bodyguard, it needs to protect 4,700 clients simultaneously without knowing where hackers will strike. To be honest, this contest between offense and defense is unequal. However, we must engage in a 7*24 confrontation with hackers in this unfair battle, striving to ensure our win rate. This work is very challenging, but our original intention has not changed.