16B data leak shows centralization’s perils
“This leak of 16 billion credentials represents the complete collapse of centralized security frameworks, and it’s no surprise. It’s simply an inevitable consequence of putting trust in security systems that are vulnerable to single points of failure in a world that is increasingly digital.
“Hackers gaining access to 30 datasets – everything from Apple and Google accounts to government services – will undoubtedly have devastating consequences. But this isn’t the first such leak, and it certainly won’t be the last.
“It doesn’t just put individuals at risk, but also any company still reliant on traditional password-based security. The CEOs of these companies should be terrified – and they should be looking to transition to decentralized, blockchain-based solutions to protect their businesses from future attacks.
“This massive breach, and many others before it, simply wouldn’t have been possible in a distributed, consensus-based system. Relying on legacy security and seeing it fail again and again is the very definition of madness.”
– David Carvalho, founder and CEO of decentralized post-quantum infrastructure Naoris Protocol
Security complacency costs billion$$
“May’s losses may be 40% down, but there is nothing to celebrate. In Q1 alone, crypto losses hit $1.63 billion – two-thirds of last year’s total of $2.36 billion. And if things continue on this trajectory, 2025 could be another record year for losses due to hacks and exploits.
“The simple fact is that the state of cybersecurity in Web3 is dire, and it’s only getting worse. Even the largest crypto firms are unprepared for increasingly sophisticated attacks, many of which now rely on complex social engineering, AI, and other advanced tools.
“The larger the crypto firm, the bigger the target on its back – just look at the $1.4 billion Bybit hack, the biggest in history. That’s why every dApp, blockchain, exchange, or any other protocol must put cybersecurity above all else – customer acquisition, marketing, even UX.
“Because if they aren’t even ready for legacy attacks, what about emerging threats like quantum computing? When ‘Q-Day’ arrives, any crypto asset transferred on a blockchain will be at risk, and the timeline for this has just shrunk substantially.
“The thing is, the solutions to future-proof Web3 projects already exist, both for quantum computing and other emerging and evolving attack vectors. What’s missing is the drive to integrate these solutions and prepare for the future, instead of simply being reactive in the present. And that complacency will cost many projects dearly.”
– Carvalho
Challenges of Web3 security and the limitations of traditional audits
“As CertiK has emphasized, static code verification, even at a high standard, is only one layer of a broader security model. It’s necessary but fundamentally insufficient for trust. Many risks arise after an audit. Upgradeable contracts can introduce new attack surfaces, and changes in governance or admin privileges controlled by external accounts can invalidate prior assumptions. Risks from oracles, cross-chain bridges, liquidity shifts, and composability go beyond what static analysis can catch. Simply put, ‘audited’ does not mean ‘secure.’”
– Jason Jiang, chief business officer, CertiK
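The post-audit drift Jiang describes (a proxy re-pointed to unaudited code, or upgrade rights moving to a single externally owned account) can be checked mechanically. The script below is an added example, not CertiK’s or the page’s code. It assumes the proxy uses the standard EIP-1967 storage slots for its implementation and admin addresses; the chain state, addresses and bytecode are constructed so it runs offline, and a stdlib SHA-256 stands in for keccak-256 as the code-hash function. Replace `FakeChain` with calls to a node’s `eth_getStorageAt` and `eth_getCode` to run it against a live contract.

```python
"""Post-audit drift check for an EIP-1967 upgradeable proxy (added example)."""
from dataclasses import dataclass
from hashlib import sha256  # stand-in for keccak-256 so the example is stdlib-only

# Standard EIP-1967 slots: keccak256("eip1967.proxy.implementation") - 1 and
# keccak256("eip1967.proxy.admin") - 1.
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"
ZERO_WORD = "0x" + "00" * 32


@dataclass(frozen=True)
class AuditRecord:
    """What an audit actually covered: one proxy, one implementation, one admin."""
    proxy: str
    implementation: str  # implementation address at audit time
    code_hash: str       # hash of the implementation bytecode that was reviewed
    admin: str           # admin / upgrade authority at audit time


class FakeChain:
    """Constructed stand-in for an RPC node (eth_getStorageAt / eth_getCode)."""
    def __init__(self, storage, code):
        self.storage = storage  # {(address, slot): 32-byte hex word}
        self.code = code        # {address: bytecode hex}; missing address => EOA

    def get_storage_at(self, address, slot):
        return self.storage.get((address.lower(), slot), ZERO_WORD)

    def get_code(self, address):
        return self.code.get(address.lower(), "0x")


def address_word(addr):
    """Left-pad a 20-byte address into a 32-byte storage word."""
    return "0x" + "00" * 12 + addr[2:].lower()


def slot_to_address(word):
    return "0x" + word[-40:].lower()


def code_hash(bytecode_hex):
    return "0x" + sha256(bytes.fromhex(bytecode_hex[2:])).hexdigest()


def check_drift(chain, audit):
    """Return a list of findings; empty means the audited assumptions still hold."""
    findings = []
    impl = slot_to_address(chain.get_storage_at(audit.proxy, IMPL_SLOT))
    if impl == slot_to_address(ZERO_WORD):
        # Not an EIP-1967 proxy (or uninitialised): nothing below is meaningful.
        return ["no EIP-1967 implementation slot set; check the proxy layout by hand"]
    admin = slot_to_address(chain.get_storage_at(audit.proxy, ADMIN_SLOT))

    if impl != audit.implementation.lower():
        findings.append(f"implementation changed: audited {audit.implementation}, now {impl}")
    # Hash the live bytecode too: catches metamorphic redeploys, not just re-pointing.
    if code_hash(chain.get_code(impl)) != audit.code_hash:
        findings.append("bytecode behind the proxy does not match the audited code hash")
    if admin != audit.admin.lower():
        findings.append(f"admin changed: audited {audit.admin}, now {admin}")
    if chain.get_code(admin) == "0x":
        findings.append(f"admin {admin} is an EOA: a single key can upgrade with no delay")
    return findings


# --- constructed scenario --------------------------------------------------
PROXY, V1, V2 = "0x" + "aa" * 20, "0x" + "11" * 20, "0x" + "22" * 20
MULTISIG, EOA = "0x" + "33" * 20, "0x" + "44" * 20
B1, B2, MULTISIG_CODE = "0x6080604052", "0x60806040fe", "0x60ff"  # constructed bytecode

AUDIT = AuditRecord(proxy=PROXY, implementation=V1, code_hash=code_hash(B1), admin=MULTISIG)

# State as it was when the audit was signed off.
CLEAN_CHAIN = FakeChain(
    {(PROXY, IMPL_SLOT): address_word(V1), (PROXY, ADMIN_SLOT): address_word(MULTISIG)},
    {V1: B1, MULTISIG: MULTISIG_CODE},
)
# State after an upgrade to unaudited V2 and a transfer of admin rights to an EOA.
DRIFTED_CHAIN = FakeChain(
    {(PROXY, IMPL_SLOT): address_word(V2), (PROXY, ADMIN_SLOT): address_word(EOA)},
    {V1: B1, V2: B2, MULTISIG: MULTISIG_CODE},
)

if __name__ == "__main__":
    print("clean:", check_drift(CLEAN_CHAIN, AUDIT))
    for line in check_drift(DRIFTED_CHAIN, AUDIT):
        print("drifted:", line)
```

Run on a schedule, the four findings map directly onto Jiang’s list: a re-pointed implementation, bytecode the auditors never saw, a changed upgrade authority, and an authority that is a lone key rather than a contract with a timelock or multisig.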
Broader industry landscape and the Web3 trust equation
“In crypto, one year is equivalent to eight in traditional industries. A protocol that runs securely for six years earns the equivalent of half a century’s worth of trust. Trust in Web3 isn’t just about code; it’s about code plus conduct, culture, and compliance. Well-funded bug bounty programs are critical, with their scope, response times, and payout speed reflecting a project’s commitment to openness. When incidents happen, projects must publish detailed, technically rigorous postmortems to identify root causes, acknowledge failures, and outline corrective measures.”
“At CertiK, we’re driving a shift from a static ‘audit-as-security’ model to a dynamic ‘security-as-a-service’ paradigm. We’re committed to delivering trustworthy, secure, and transparent foundations for Web3 builders. Our approach includes pushing for on-chain audit attestations, leveraging real-time security monitoring and risk scoring via platforms like Skynet, embedding continuous verification throughout the software development lifecycle, and developing AI-assisted auditing for scalable, human-machine collaborative security.”
– Jiang