As the Web3 ecosystem continues to mature and evolve, significantly more capital is flowing into the crypto-assets sector — which, in many cases, has provided opportunities for hackers to “profit” by exploiting vulnerabilities on-chain, according to an update from CertiK.
Unfortunately, blockchain and web3 security firm CertiK pointed out that when projects are attacked, they tend to have fairly limited means of response, sometimes resorting to offering “bounties to incentivize hackers to return stolen funds, without pursuing further consequences.”
This is where security companies come in — they are able to audit code and act as “white hat hackers” to proactively identify security flaws in these projects.
CertiK claims that it stands as a key player in this space, with a valuation nearing $2 billion. In fact, passing a CertiK audit has reportedly become a community benchmark for “assessing emerging projects.”
But this raises an important and interesting question: Who monitors the monitors?
Professor Ronghui Gu, Co-Founder of CertiK, explained that there is no unified definition of a “white hat hacker,” and that there is generally a belief it refers to those who, with good intentions, “test, investigate, and/or fix security vulnerabilities or flaws by accessing computer systems.”
They added that such activities are conducted in ways that “avoid harm to individuals or the public. Information gained from these actions is primarily used to enhance the security of devices, machines, or online services, and protect users.”
At CertiK, they claim to adhere to strict internal white hat protocols. Since 2020, they’ve carried out “over 70 white hat operations, identifying critical vulnerabilities that earned the highest bounty to date on the Sui platform.”
Alongside their auditing work, CertiK has reported “over 4,000 security incidents in the Web3 community, and discovered more than 115,000 code vulnerabilities, safeguarding over $360 billion in digital assets.”
Professor Gu also shared in a blog post by CertiK that the blockchain security industry is currently “undergoing rapid development, with particular attention focused on managing the intersection of Web3 and Web2 risks.”
As blockchain tech further expands, so too do the “vulnerabilities and attack methods, affecting areas like DeFi, NFTs, and cross-chain interoperability.”
Looking ahead, Web3’s security challenges reportedly stem “not only from technical vulnerabilities, but also from common cybersecurity risks, such as data privacy protection, phishing attacks, and telecommunications fraud.”
Private key security remains one of the “primary challenges in the Web3 space.”
According to CertiK’s 2023 statistics, “nearly half of all financial losses in blockchain security incidents are due to private key leaks.”
Their Q3 2024 security report reveals that “private key leaks and phishing attacks continue to be the leading causes of financial loss.”
And as Web3 continues to evolve, many of its applications still rely “on Web2 infrastructure, such as cloud storage and DNS services, which makes them susceptible to attacks like DNS hijacking and phishing.”
According to the detailed blog post from CertiK, these hybrid attacks further complicate security management.
In conclusion, CertiK believes there are key areas of focus for blockchain security:
- Decentralizing Infrastructure: To avoid reliance on Web2 infrastructure, Web3 must accelerate the construction and adoption of decentralized alternatives, particularly in authentication, data storage, and governance. CertiK will continue supporting this transition by offering technical solutions for bridging Web2 and Web3 security, and investing in high-potential projects through CertiK Ventures.
- Phishing Attacks: As phishing attacks become increasingly sophisticated — especially with AI-driven deepfake techniques — investment in smart protective mechanisms and user security education is critical.
CertiK remains committed to empowering Web3 participants with “enhanced defense mechanisms and heightened awareness.”
They have reportedly introduced free security tools like Token Scan and Wallet Scan for the community, and CertiK Quest, which “helps users better understand projects and gain security knowledge.”
Professor Gu further noted that, for a security company in the Web3 space, transparency is crucial for “earning users’ trust.” They aim to be “supervised in a decentralized manner.”
They also stated that CertiK was one of the first in the industry to “make audit reports fully public to ensure transparency.”
Their Skynet platform allows community members, security institutions, and individual white hats to “review their audit reports and provide feedback when issues arise.”
Additionally, CertiK concluded that it “strictly” adheres to global Web3 regulatory standards and “undergoes third-party verification and oversight.”