
Conversation with ScaleBit: Fun Stories from Web3 Security Audits
TechFlow Selected
Web3 security and code auditing might be more interesting than you think.
Interviewers: Faust, Wuyue, Geeker Web3
Interviewee: Luis, ScaleBit
Editors: Faust, Jomosis
On July 1st, Geeker Web3 invited Luis, co-founder of the Web3 security auditing firm ScaleBit, to discuss various aspects of code audits and Web3 security. The conversation spanned both business and technical angles, covering topics such as code auditing, Web3 security, ZK, AI, and the Bitcoin ecosystem. Key discussion points included:
- Why ScaleBit initially chose the Web3 security field and focused on the MOVE ecosystem;
- The commercial logic of the code audit industry and customer segmentation;
- Differences and connections between Web3 and Web2 security;
- The complexity of ZK circuit auditing and what efforts ScaleBit has made in this area;
- Views on the Bitcoin ecosystem and Layer2 from operational and technical perspectives;
- The impact and utility of AI tools like ChatGPT on the code audit industry.
This article is a transcript of that interview, approximately 7,000 words long. Luis shares his personal experiences and provides detailed insights into the Web3 security industry. For those unfamiliar with Web3 security and code auditing, this piece offers an excellent opportunity to understand audit firms—highly recommended for reading, saving, and sharing.
1. Faust: My first question is about your entrepreneurial direction. Why did ScaleBit choose the Web3 security space at its inception?
Luis: We were drawn to the Web3 security sector primarily for the following reasons:
First, many of our team members entered the blockchain space early from Silicon Valley and wanted to identify long-term, stable user demands. Code auditing is a fundamental and sustainable niche, so we chose this path, aiming ultimately to become a security company respected across the industry.
Second, we believe Web3 security is still in its very early stages, yet security issues in Web3 are far more critical than in traditional internet security because they directly involve financial assets. This makes Web3 security inherently more valuable.
Although some believe the ceiling for contract auditing is limited, Web3 security extends beyond just smart contract audits. New services and evolving needs continue to emerge, making this sector highly promising.
Third, our team’s background strongly intersects with code auditing and blockchain security. We have deep roots in the security industry—I was a founding member of another blockchain security company, and our chief scientist Professor Chen Ting has long been researching blockchain security, bringing substantial expertise to Web3 security. Other team members come from backgrounds in exchange security, formal verification, and static analysis.
For these reasons, we ultimately chose the Web3 security path.

2. Faust: I heard ScaleBit was originally called MoveBit and later rebranded to ScaleBit. Could you explain why you initially chose the Move ecosystem and why you changed the name?
Luis: That was essentially a brand upgrade. Our parent brand is BitsLab — MoveBit, ScaleBit, and TonBit are all sub-brands under it. It's a multi-brand strategy. We’ve expanded from the Move ecosystem into other ecosystems, with an overall focus on emerging ecosystems for security and infrastructure.
As for why we initially chose the Move ecosystem, there’s a small story: around 2022, when we were entering the security auditing space, we spent three months researching the best niche to specialize in. At the time, we realized that becoming a full-service security company would make it hard to compete with existing players, so we needed to pick a specific niche.
We considered several options—Move, ZK, or even creating a vertical audit brand focused on GameFi or similar sectors. Our strategy was to break through via a single point, and after weighing multiple factors, we settled on the Move ecosystem.
Back then we were only seven or eight people, but we achieved strong success within the Move ecosystem. We audited around 80–90% of the top 20 TVL projects in Move, including core components like MoveVM and the Aptos Framework, uncovering numerous foundational chain vulnerabilities. Thus, we hold a dominant market share in the Move niche.
We still accept code audit work in the Move ecosystem, which currently accounts for about 50% of our revenue and 40% of our workload. Since most clients in the Move ecosystem are international, these projects command higher pricing.
Currently, TonBit focuses on auditing projects in the TON ecosystem, while ScaleBit handles BTC Layer2, ZK, and other emerging ecosystems. Overall, BitsLab targets nascent ecosystems with mass adoption potential.
3. Faust: Let’s talk about ZK. ZK-related auditing is notoriously difficult. Vitalik previously noted that circuits in systems like zkEVM are so complex that even with functional testing or audits, bugs can’t be fully ruled out. Can you elaborate based on your experience?
Luis: ZK-related auditing covers multiple areas, mainly circuit auditing, source language auditing, and general computation auditing. Let me start with circuit auditing.
A major challenge in circuit auditing is that circuit code is much less readable than traditional programming languages. Additionally, the circuit language ecosystem is fragmented—with perhaps over a dozen different circuit languages and frameworks, such as Circom, Halo2, arkworks, Bellman, etc., meaning there’s no unified standard for writing circuits.
Clearly, it’s nearly impossible for any security firm to master all circuit languages simultaneously. Therefore, we selectively entered the ZK space. So far, we’ve done two main things: First, we co-organized the ZK Security Capture-the-Flag (zkCTF) competition with Scroll, EthStorage, and Dr. Guo Yu from Anbi Lab. This event takes place annually and aims to cultivate more ZK security talent.
Second, we developed a vulnerability detection tool called zkScanner, which uses formal methods and static analysis to scan for vulnerabilities in ZK circuits. zkScanner performs initial scans to identify suspicious areas, which are then verified manually—serving as a supplement to human auditing. While automated tools cannot yet replace human auditors entirely, they’re effective at detecting subtle constraint issues.
Wuyue: Is this automated auditing tool similar to static analyzers for ERC-20 tokens?
Luis: It’s somewhat similar, but not quite. They share a similar workflow: scanning static code and identifying vulnerabilities. However, circuit errors fall into two main categories: Under-Constraining and Over-Constraining. Traditional lexical analysis often fails to catch these.
Wuyue: The term "constraint" feels abstract. Could you give an example?
Luis: Let me explain indirectly. Fundamentally, circuits are more mathematically oriented than smart contract languages, eventually being converted into R1CS—a pure polynomial representation. As such, many common software bugs don’t appear in circuits.
Circuits themselves “don’t fail”—each circuit must use correct inputs and outputs to generate a valid proof. If there’s an error, the circuit won’t compile. This ensures computational correctness. But mere correctness isn't enough—the circuit must be correct under all possible conditions, which brings us back to the two constraint problems.
If a circuit is Over-Constrained, certain valid inputs will fail to pass. If Under-Constrained, invalid inputs may pass as valid—both are critical flaws.
Wuyue: So these issues aren’t caught by compilers—they stem from flawed design assumptions earlier in the process?
Luis: Exactly. These aren’t purely syntactic issues; they involve developer intent and cryptographic best practices. Typically, such problems require formal tools like SMT solvers to detect.
4. Faust: From a business perspective, how do you view ZK-related auditing services?
Luis: ZK-related auditing is worth long-term attention. We’ve consistently built expertise in this area. Our move into Bitcoin ecosystem auditing also stemmed from recognizing strong synergies between Bitcoin and ZK, while Ethereum’s ZK Layer2 narrative has cooled, and the next wave of ZK innovation hasn’t arrived yet—perhaps tied to FHE.
Our entry into ZK auditing wasn’t particularly early or late—we’re in a phase of sustained observation and accumulation. Business-wise, we continue focusing on two initiatives: zkCTF and zkScanner, the ZK circuit vulnerability detection tool mentioned earlier.
Wuyue: Can you briefly introduce the zkCTF event?
Luis: It’s a CTF (Capture-the-Flag) competition we initiated focused on ZK security, held annually. We invite top-tier security researchers and ZK experts to participate. We collaborate with Scroll, EthStorage, and Dr. Guo Yu from Anbi Lab to design challenges, supported by organizations like Ingonyama, zkMove, and HashKey.
Participants come from around the world and are highly skilled, including teams and individuals from OpenZeppelin, Offside, Salus, Amber Group, Sec3, as well as PhD students specializing in security and ZK from Georgia Tech and UC Berkeley.
5. Faust: I’d like to hear your thoughts on the Bitcoin ecosystem. I heard you’ve audited over 30 Bitcoin-based projects. What’s your take on Bitcoin Layer2 solutions?
Luis: The 30+ Bitcoin ecosystem projects include Layer2s and applications built on them, such as UniSat, Arch Network, Merlin Chain, RGB++, B² Network, and inscription-related projects like Liquidium. Many others are DeFi protocols within Layer2 ecosystems.
Regarding Bitcoin Layer2, I agree with Kevin He, co-founder of Bitlayer, who suggested competition among Bitcoin Layer2s will unfold in three phases: first competing on TVL, then attracting developers, and finally differentiating on technical architecture. I think we're just exiting phase one and entering the stage where developer acquisition and ecosystem building begin.
Faust: When auditing Bitcoin ecosystem projects, what layers or criteria do you focus on?
Luis: For Bitcoin Layer2s, we examine multiple dimensions—for instance, auditing scripts on the Bitcoin chain itself, or contracts deployed on the Layer2. Some targets are cross-chain bridges or base-layer components. Some Layer2s don’t use EVM, so each layer requires tailored auditing.
We assess the attack surface in the project’s code, checking for vulnerabilities across multiple vectors. This is complex because Bitcoin Layer2s resemble public blockchains. We evaluate the same risks as with any public chain: double-spending, eclipse attacks, Sybil attacks, external dependency risks, centralization issues, man-in-the-middle attacks, etc. Going deeper would require a dedicated session.
ScaleBit’s blockchain auditing capabilities are at least top-tier in Asia. Our team has uncovered vulnerabilities in prominent chains like Sui, OKX Chain, GalaChain, and Nervos. Recently, we found a High and a Low severity vulnerability in Babylon’s public audit contest.
6. Faust: Based on your auditing experience, are cross-chain bridges the most vulnerable? Since many bridges are essentially extensions of DeFi, they seem just as prone to attacks as DeFi protocols. What’s your view?
Luis: In terms of frequency, DeFi-related exploits happen most often. But in terms of financial loss, bridge hacks cause the largest damages—when they fail, it’s catastrophic. When I say DeFi, I mostly mean contract-level vulnerabilities—any flaw in a DeFi protocol’s contract can lead to exploitation, with few mitigation options afterward.
Cross-chain bridges are indeed the most vulnerable due to the large capital they handle and their frequent reliance on multisig setups, which are easy targets.
7. Faust: How significant is the impact—or assistance—of LLM tools like ChatGPT on code auditing work?
Luis: The help is substantial, but mostly auxiliary. Auditors sometimes use ChatGPT to quickly understand unfamiliar code segments—though this is just a starting point. Final judgments still depend on human expertise.
Another use case is writing and polishing documentation and audit reports, especially in English. Non-native speakers often use ChatGPT to refine their writing—this helps significantly.
From an auditing standpoint, we’re also training specialized LLMs using open-source models internally. Currently, they remain supplementary. They may boost efficiency by about 20%, but AI cannot fully replace auditors yet, and we’re far from reducing headcount significantly.
LLMs still have two clear weaknesses: false negatives and false positives. While we can use them for vulnerability discovery, high false positive rates create noise and waste time. We’re closely watching AI advancements, especially whether high-efficiency vulnerability detection tools can emerge at scale. This remains cutting-edge—everyone’s exploring, but no one has cracked it yet.
Wuyue: Do you see AI-driven automated code auditing as a future focus? AI can read code nearly instantly and explore vastly more states and patterns than humans—an obvious advantage. If a security firm deeply invests here, training specialized AI to outperform competitors, what’s your take?
Luis: We’re actively tracking this. Consider two perspectives:
First, if AI-powered automated auditing truly becomes viable, then:
In theory, LLMs could eliminate the entire code auditing industry, because if everyone uses LLMs to generate code and those LLMs guarantee bug-free output, auditing becomes unnecessary. At that point, it wouldn’t just displace auditors—it would displace developers too. Achieving this, however, is extremely difficult.
If LLMs could replace auditors, they’d have an even harder time replacing developers. Writing functional code is easier than writing perfectly secure code. Therefore, I believe AI replacing auditors is harder than replacing programmers.
Second, AI won’t immediately disrupt security auditing but will first achieve breakthroughs in specific areas. For example, AI might not find every bug, but it could uncover certain classes of vulnerabilities that human auditors might miss. These are precisely the use cases we’re focusing on.
8. Faust: One more question about auditing itself. What does your actual audit workflow involve? It’s not just issuing a certificate, right? Do you also help optimize the project’s code during review?
Luis: It depends on client needs. Sometimes we help optimize original code—like reducing gas costs for certain DeFi operations.
As for the audit process, let me outline it: We conduct at least two independent rounds—initial audit and re-audit. During the initial round, one team conducts the audit, and the client revises the code accordingly. Then a second, separate team performs the re-audit. The goal is to ensure at least two teams cross-review the code.
What sets us apart from other firms? ScaleBit excels at auditing innovative projects. We prefer hiring auditors with CTF (Capture-the-Flag) backgrounds—their learning ability and understanding of attack vectors are exceptional.
Additionally, unlike many firms, we follow a premium auditing model. If we miss a Major or higher severity vulnerability, we refund 30–50% of the fee. Few other audit companies dare to make such a commitment.
9. Faust: Some argue that security audits rely heavily on brand reputation—like Wall Street rating agencies—where the Matthew effect is strong. Established players like SlowMist enjoy first-mover advantages and deep moats, making it hard for newcomers to compete. What’s your take?
Luis: I partially agree, but context matters. We categorize audit clients into three tiers: low, medium, and high. Scam projects are the lowest tier. Mid-tier includes solid but non-star teams. Top-tier consists of star teams with strong funding.
Let’s start with top-tier clients. They typically engage 2–3 audit firms and care deeply about audit quality. They may approach globally renowned firms first, but those top firms often have heavy workloads and can’t prioritize every request. So many star teams also bring in lesser-known but technically strong firms for additional scrutiny.
These top-tier clients are ideal for audit firms—they’re well-funded and quality-focused. They usually hire multiple auditors, so as long as your skills are strong, you can access this segment. They’re one of our primary customer groups.
The second tier—mid-sized clients—are quality-conscious but budget-constrained, though they have growth potential. They’d prefer elite audit firms but may not afford them.
Truly “top-tier” security firms—on par with OpenZeppelin or Trail of Bits—are at most 4–5 globally. Everyone knows they’re elite, but their prices are 3–10x higher than average.
Mid-tier clients may not get responses from top firms. So instead of spending their entire budget on one elite auditor, they’d rather distribute it across multiple high-quality firms—even hiring several. This group forms our largest client base, and we aim to grow with them.
The last group—low-tier scam projects—simply go with whoever is cheapest or pays for a big-name audit report.
So regarding your point, there’s truth to it. Firms with strong track records and reputations benefit from the Matthew effect. Yet some established firms, despite their fame, have suffered major failures recently.
However, emerging audit firms must differentiate themselves. Our strategy is to break through in a niche:
Enter a specific segment and dominate it. For example, we’ve achieved over 50% coverage in the Bitcoin Layer2 ecosystem and over 80% in Move. Even top firms like OpenZeppelin may struggle to compete with us in these niches. So the so-called “Matthew effect” depends heavily on context.
10. Faust: From your personal perspective, what’s the biggest difference between Web2 and Web3 security? Feel free to draw from your own experiences.
Luis: First, Web3 security is in a very early developmental stage, yet its market potential far exceeds Web2 security due to stronger security requirements in Web3.
Let me share a joke: A Chinese executive in Silicon Valley’s security scene once reached VP level at a public tech company. He said security roles in Silicon Valley are dominated by Chinese and Jewish communities. Why are Chinese so prominent in security? Because security is a role with zero visibility until something breaks—then you’re blamed. Indians and white Americans tend to avoid such roles, so Chinese professionals step in—this describes Web2 security.
But Web3 security is different—blockchain deals directly with money, so the visibility of security work is orders of magnitude higher. In this space, many “security practitioners” can monetize directly. Some joke that the most successful transition from Web2 to Web3 has been hackers.
Technically speaking, Web3 security includes elements of Web2 security and reuses many of its techniques. Many systems—especially DeFi apps—have servers and APIs requiring traditional penetration testing, DoS protection, etc., all part of Web2 security.