
Exclusive Interview with CertiK Founder: With Hacker Attacks Surging by 300%, the Path Forward is Security-First
CertiK CEO Explains Blockchain Security Threats and Defense in Detail.
By Monica Younsoo Chung, Korea IT Times
On April 17, the prominent South Korean tech publication *Korea IT Times* released an exclusive interview with Professor Gu Ronghui, Co-Founder and CEO of CertiK. The in-depth conversation centered on CertiK’s Q1 2025 *HACK3D* Security Report, exploring the evolution of hacker tactics and innovative pathways in security defense technologies.

Gu emphasizes that security should be treated as a foundational principle—not an afterthought—and must be integrated into a project’s strategy from day one. "A proactive 'security-first' approach is essential for building trustworthy Web3.0 applications," he stated. Specifically, he advocates leveraging cutting-edge technologies such as formal verification, zero-knowledge proofs (ZKP), and multi-party computation (MPC) to comprehensively strengthen blockchain protocols and smart contracts. This vision lies at the heart of CertiK’s founding mission: to make the Web3.0 world more secure and trustworthy through rigorous formal verification techniques.

This steadfast commitment to security is not driven by short-term market trends but stems from Gu’s long-standing pursuit of technological ideals—from his doctoral research at Yale, where he contributed to developing CertiKOS, a system hailed by Google researchers as “unbreakable,” to today’s mission of safeguarding over $53 billion in digital assets. Throughout, he has remained dedicated to protecting the industry and enhancing trust.
Gu has consistently emphasized that security is not a competitive advantage, but a shared responsibility. He transforms academic breakthroughs from the lab into real-world security practices and embeds the ethos of collective accountability into industry collaboration. As a technology leader emerging from top-tier academia, he uses mathematically verifiable logic to counter the unpredictability of cyberattacks, anchoring the security framework of the Web3.0 era at the intersection of idealism and reality.
In the rapidly evolving Web3.0 landscape, blockchain security has become paramount. This article focuses on CertiK’s mission—led by its co-founder and Columbia University computer science professor—to comprehensively strengthen the security of the blockchain ecosystem. By advancing formal verification technology, CertiK has emerged as a leading force in Web3.0 security.
The *Korea IT Times* provides a deep dive into CertiK’s latest release, *Hack3d: 2025 Q1 Security Report*, uncovering emerging trends in digital asset theft and cybersecurity threats. It also examines frontier technologies like zero-knowledge proofs and multi-party computation, offering practical guidance for blockchain developers, while analyzing the dual role of AI in security. As traditional financial institutions increasingly enter the blockchain space, security challenges are intensifying, making proactive measures critical for protecting users and preserving ecosystem integrity. This article aims to deliver key insights for practitioners navigating the complex terrain of blockchain security.
Q: Could you briefly introduce yourself and CertiK’s core mission?
A: I am the Co-Founder and CEO of CertiK, as well as a professor at Columbia University. Both my work and CertiK’s mission are deeply rooted in strengthening the security of the Web3.0 ecosystem.
CertiK was founded in 2017 with the core belief that formal verification technology can continuously monitor and reinforce the security of blockchain protocols and smart contracts, ensuring their correct and secure operation. We integrate cutting-edge solutions from both academia and industry to help Web3.0 applications scale sustainably without compromising security. To date, we have served over 4,900 enterprise clients, protected more than $53 billion in digital assets, and identified over 115,000 code vulnerabilities.
Q: CertiK recently released the *Hack3d: 2025 Q1 Security Report*. What were the key findings?
A: In Q1 2025, losses from on-chain scams totaled approximately $1.66 billion—a staggering 303% increase from the previous quarter. This surge was largely due to the February hack of the Bybit exchange, in which hackers stole around $1.4 billion. As in prior quarters, Ethereum remained the primary attack target, accounting for $1.54 billion in losses across three major incidents. More alarming, only 0.38% of stolen assets were successfully recovered during the quarter.
Q: Has the main target of blockchain attacks shifted compared to previous quarters?
A: The trend in Q1 2025 continues from late 2024, with Ethereum remaining the most heavily targeted network. There were 99 security incidents on Ethereum in Q4 2024, slightly down to 93 in Q1 2025. This has been a consistent pattern: throughout 2024, Ethereum-based projects experienced the highest number of security breaches, and this trend appears to persist into 2025.
The Bybit hack exemplifies this risk: the breach occurred via the Safe-Wallet, an Ethereum-based wallet, resulting in massive losses. Ethereum remains a prime target due to its large number of DeFi protocols and vast amounts of locked assets. Additionally, many smart contracts on Ethereum still contain exploitable vulnerabilities.
Q: How is the blockchain security industry responding to increasingly sophisticated attack methods?
A: Attackers are increasingly employing complex strategies—including social engineering, AI-powered tools, and smart contract manipulation—to bypass existing defenses. As digital assets gain wider adoption and higher valuations, the industry must adapt to ensure the integrity of projects and the safety of user funds.
The industry is actively rising to the challenge by advancing innovative technologies such as zero-knowledge proofs (ZKP) and on-chain security frameworks. These offer promising solutions to pressing security issues, enabling transaction auditability, attack traceability, and potential asset recovery—all while preserving privacy. Multi-party computation (MPC) further strengthens key management by distributing private key control among multiple parties, eliminating single points of failure and significantly increasing the difficulty for attackers to gain unauthorized access to wallets. As these technologies evolve, they will play a crucial role in defending against cyberattacks and maintaining the integrity of decentralized ecosystems.
Q: What security recommendations would you give to blockchain developers and project teams?
A: Prioritizing security from the outset should be a non-negotiable principle. Integrating security throughout every stage of development—not just as a post-hoc fix—helps identify potential vulnerabilities early, saving significant time and resources in the long run. This proactive “security-first” strategy is fundamental to building trustworthy Web3.0 applications. Embedding security into the entire development lifecycle enables earlier detection of flaws and reduces the cost of remediation later.
In addition, engaging blockchain security firms for comprehensive, impartial third-party audits provides an independent perspective that may uncover risks overlooked by internal teams. Such external evaluations serve as a critical checkpoint, helping to promptly identify and patch vulnerabilities, thereby enhancing overall project security and further building user trust.
Q: What role does AI play in blockchain security—is it beneficial or does it introduce new risks?
A: AI is a vital tool within CertiK’s security framework and has become a core component of our strategy for securing blockchain systems. At CertiK, we use AI to analyze vulnerabilities and potential security flaws in smart contracts, enabling us to conduct comprehensive audits more efficiently than ever before. However, it does not replace human expert auditors.
At the same time, attackers can also leverage AI to enhance their offensive capabilities—for example, using AI to detect code weaknesses, circumvent consensus mechanisms, or evade defensive systems. This raises the bar for security, and as AI becomes more widespread, the industry must invest in even stronger security solutions to stay ahead.
Q: What is formal verification, and how does it improve blockchain auditing?
A: Formal verification is a method that uses mathematical techniques to prove that a computer program behaves as intended. It involves expressing the properties of a program as mathematical formulas and then verifying them using automated tools.
This technique can be applied across various domains in the tech industry, including hardware design, software engineering, cybersecurity, AI, and especially smart contract auditing. That said, formal verification is not meant to replace manual audits. For smart contracts, formal verification relies on automated methods to assess logic and behavior, while manual audits involve security experts conducting thorough reviews of code, design, and deployment to identify potential risks. The two approaches complement each other, jointly enhancing the overall security of smart contracts.
Q: As traditional financial institutions enter the blockchain space, do you expect changes in the type or complexity of security threats?
A: In the early days of Web3.0 and blockchain, attackers typically targeted individual users or small projects using tactics like phishing, rug pulls, and wallet exploits. According to our *Hack3d Q1 2025 Report*, these threats remain prevalent. However, with the entry of traditional institutions and large enterprises, the nature of cybersecurity risks is entering a new phase. This shift is driven not only by larger asset volumes but also by unique enterprise-level security needs, regulatory requirements, and the deep integration of blockchain with legacy financial systems.
Given that most traditional institutions already possess experience in countering cyber threats, we anticipate that malicious actors will elevate the sophistication of their attacks—shifting from generic wallet exploits to more targeted enterprise-level vulnerabilities, such as misconfigurations, custom smart contract flaws, and security gaps in interfaces integrating with legacy systems.