The CertiK Foundation — AMA Summary
“CertiK has one Mission; To deliver provable trust across all facets of blockchain”
On Wednesday, January 20th, the DuckDAO community had an AMA with Marco Calicchia, Connie Lam, and Aaron Leibowitz from the CertiK Foundation.
The mission of the CertiK Foundation is to empower people to trust in blockchain. By utilizing cutting-edge technologies and techniques to prove trustworthiness in the underlying systems, the CertiK Foundation aims to raise the standards of security and trustworthiness in the blockchain.
Founded by acclaimed computer science professors, the CertiK Foundation has leveraged its team’s breakthrough research to build the world’s premier, security-first blockchain, which relies on a native digital cryptographically-secured utility token, $CTK.
The CertiK Foundation has supported the development of a robust suite of technologies and tools to ensure that security and correctness are maintained throughout every phase of the blockchain lifecycle, from initial development to live usage.
The CertiK ecosystem is envisaged to provide end-to-end security solutions for blockchains, decentralized applications, and other mission-critical software applications.
CertiK ecosystem components integrate natively with CertiK Chain, however, the CertiK Foundation believes in cross-collaborative bridges with other blockchains, as security should not be a choice, but a necessity.
With breakthrough technologies and techniques for proving on-chain security and correctness, the CertiK Foundation aims to provide the infrastructure of provable trust for all.
CertiK Security Oracle
The CertiK Security Oracle retrieves a set of security scores from a decentralized network of security operators, who assess the reliability of source code and are rewarded in CTK, the native digital fuel of the CertiK Chain. The Security Oracle relays these assessments and combines them to create a real-time, on-chain aggregate score that can be used by anybody seeking to validate the security of the contract.
A decentralized pool of CTK is used to reimburse lost, stolen, or inaccessible assets from any blockchain. The amount that’s lost can be reimbursed by the members of the CertiKShield Pool.
CertiK QuickScan is a unified set of security tool chains that leverages automated technologies to check deployed smart contracts against a wide range of known vulnerabilities at scale. It produces accurate smart contract security scores, which indicate the risk potential for hacks and code malfunctions.
CertiKOS is the world’s first fully certified multi-core OS kernel assured to be safe, functionally correct, and hacker-resistant. The operating system incorporates Formal Verification to ensure that programs perform precisely as intended.
CertiK Virtual Machine (CVM)
The CertiK Virtual Machine (CVM) exposes smart contracts and blockchain security information to the VM code, enabling unprecedented ways to access, check, depend on, and even dynamically establish blockchain and smart contract security. The interaction of security and other blockchain semantics will result in safer, simpler, and more efficient VM code, which leads to new true killer apps for the blockchain world.
DeepSEA is a functional programming language that allows developers to handle extremely complex code while formally verifying through the Coq proof assistant. Originally designed for implementing systems software such as OS kernels, DeepSEA uses the same set of features that are used for encapsulating state inside a kernel for implementing smart contracts in the blockchain ecosystem.
- Website: https://certik.foundation/
- Documentation: https://docs.certik.foundation/certik-chain
- Telegram: https://t.me/certikfoundation
- Twitter: https://twitter.com/certikorg
- Github: https://github.com/certikfoundation
- Medium: https://medium.com/certik-foundation
- Discord: https://discord.gg/NcmCMSH
CertiK Foundation — Marco Calicchia — Business Development Director
CertiK Foundation — Connie Lam — Head of CertiKShield
CertiK Foundation — Aaron Leibowitz — Product Manager
DuckDAO — Limmy — DuckDAO community representative
Please note that the following summary has been edited for clarity.
Welcome everyone to another DuckDAO AMA.
We are joined today by Connie Lam, Marco Calicchia, and Aaron Leibowitz from the CertiK Foundation.
On behalf of the DuckDAO community, I’d like to welcome you to our channel :)
Hi! My name is Aaron Leibowitz, I’ve been in the blockchain space since 2013. I founded one of the first clubs in the Blockchain Education Network in 2014 (Tulane University). Since then I’ve worked across the industry — and have recently joined the CertiK Foundation team as a Product Manager. I’m very excited to be representing the CertiK Foundation in this AMA today!
Hey everyone, Connie here! My career in blockchain started back in 2017, which saw me join the EtherDelta ICO. Prior to joining CertiK, I worked for Comcast as a senior full-stack engineer on Comcast’s all-in-one advertising targeting platform for linear and digital TV, impacting 400+ agencies,
I initially joined CertiK as a Lead Software Engineer contributing to auditing and the development of DeepWallet. Right now, my role is Head of CertiKShield. Super excited to be here!
Hey!! I’m Marco Calicchia, Business Development lead at CertiK Foundation, focusing on Audit and Shields. I’ve been in the crypto space since 2016. Initially invested in Ethereum and then joined several ICOs as a Community Manager which led to starting a community management company, helping over 40 projects between 2017–2019. I’m very excited to be here to tell you more about CertiK Foundation! Thanks to DuckDao for having us.
It is a pleasure to have you guys here today! You all seem to be grizzled veterans of this space haha
I’m sure anyone advanced enough to be a part of DuckDao is too haha😊
Haha thanks :)
Ok — let’s dive right in!
CertiK has performed many audits of great blockchain projects — Where can we find the list of projects CertiK has audited? Could you explain to us the process of an audit?
One of the core tenets of blockchain technology is transparency; something which we carry into our work. All audited projects are available for review on our Security Leaderboard portal
CertiK’s Auditing goal is to review the Solidity implementation for its business model, study potential security vulnerabilities, its general design and architecture, and uncover bugs that could compromise the software in production.
The auditing process is conducted using a comprehensive examination utilizing Dynamic Analysis, Static Analysis and Manual review techniques. The auditing process pays special attention to the following considerations:
- Testing the smart contracts against both common and uncommon attack vectors
- Assessing the codebase to ensure compliance with current best practices and industry standards
- Ensuring contract logic meets the specifications and intentions of the client
- Cross-referencing contract structure and implementation against similar smart contracts produced by industry leaders
- Thorough line-by-line manual review of the entire codebase
So basically, it’s an ongoing and evolving process where you are constantly finding out about new exploits and how to change your processes to ensure that they are countered for all future projects that may request your services. I’ve been part of many conversations where people see a famous name next to an audit (Such as yourselves) and then rush headlong into a DeFi project — Can I ask how important you believe the manual testing aspect of the process is?
So this is a great question. The manual review is extremely important. Understanding the business logic and giving a thorough human review of the code is integral to a good audit.
Human review sets apart best in class auditors from the rest. Many recent exploits have focused on lapses in business logic — things which can’t be caught by automated code reviews.
“Many recent exploits have focused on lapses in business logic — things which can’t be caught by automated code reviews.”
In regards to the CertiK Security Oracles — do you guys compete directly with decentralized oracle networks like Chainlink or can you possibly work together / leverage each other’s strengths?
Let me shine a light on security oracles. You can think of security oracles as a collective knowledge of global security experts, who are incentivized to analyze and assess smart contracts source code, enabling the interrogation of security of the contracts.
In short, Chainlink is a decentralized oracle for pricing data and CertiK’s Security Oracle is for security insight.
Toyota can build electric cars for sure, but still, people prefer Tesla as it’s all-in electrical cars. CertiK is all-in security.
CertiK Foundation’s mission is to give people the power to trust in blockchain technology. By pushing forward the adoption of provably secure software, we encourage everyone to join us in raising the standards of security across the blockchain space.
Limmy (in response to Connie)
Just quickly in regards to this — do you work with any large professional service/audit firms when you source your security data? The likes of PwC, KPMG etc. or is it too early for these kinds of entities to get involved in this space?
Good question! In the past we have had a conversation with a big four consultancy, however their auditing arm wasn’t ready for the blockchain space at the time. These firms tend to focus on Consortium / private ledgers, while we focus on the decentralized world.
I think it’s just a matter of time though — especially when there is money to be made.
Personally, I believe in a first-mover advantage 🙂
Definitely. My friends in the Cybersecurity industry have only just started to look into this space!
Can you tell us about some of the key features of the CertiK Foundation that puts it ahead of its competitors? What is the keystone feature of your platform that gives you your competitive advantage?
CertiK’s end-to-end security provides the only comprehensive security solution for blockchain projects. Audits provide protection pre-deployment and support with project listing on exchange, we are accepted on most majors exchanges and give additional security for the community.
We also offer a security oracle that provides dynamic monitoring with a scoring system which we list on our certik.foundation site, while contracts are running.
CertiKShield provides flexible coverage in case anything unexpected happens. CertiKShield’s coverage solution pools provide reimbursements for lost or stolen crypto assets on any blockchain network.
How do you keep decentralization within security certifiers? I read that a new security certifier can be voted in by other verifiers. Similarly, one can also be removed by the voting of security certifiers.
How did first security certifiers get chosen? Were they a part of CertiK foundation?
As you mentioned, on chain governance manages our security certifiers. This includes the vote in / vote out system that you mentioned.
The first security certifiers were chosen by the foundation based on the organization’s involvement and contribution to the foundation and the chain, as well as their potential future contributions.
When a member faces a loss through a malfunctioning contract, and wants a reimbursement, they have to submit a Claim Proposal.
If this member is non-technical, how can they put up a substantiated claim without having any knowledge of why this loss occurred? Won’t it result in an easy rejection of the claim?
Claim Proposals do not require details of how the losses occur — the Security Council is intended to conduct investigations to determine the sources. Instead, the ClaimProposal must demonstrate the evidence of loss.
For instance, the Claim Proposal may provide a blockchain explorer link that evidence crypto was transferred away from the Shielded address to a known hacker wallet.
Ok great — so as long as I can prove that something untoward has happened, then the service is available to me. Things like that go a long way towards the adoption that we all seek in this space.
Exactly that. Of course you need to have had an active CertiKShield during the time of the attack.
Fair enough — it pays to be prepared! 😁
Indeed! CertiKShield is a rather easy to use system. I strongly agree with you on the importance of this type of service being a catalyst to wider adoption.
Can you please elaborate more on the innovations of CertiKOS? Can you tell us who is using CertiKOS today, and outline where you think this technology will take us in the future?
So CertiKOS was originally developed at Yale University by our founders. It is the world’s first (and, to this day, only) general-purpose concurrent OS or hypervisor that has been formally and completely verified for its safety and correctness.
It has been put into use in academic, gov and commercial scenarios such as self-driving cars, drones, and certified proof checking. And, of course, it has been running CertiK Chain and will be able to serve other blockchains.
The methodologies behind CertiKOS, such as DeepSpec and Concurrent Certified Abstraction Layers, have been widely adopted to create many certified systems software, such as certified KVM hypervisor, certified CPU firmware, certified enclaves, certified file systems, etc. And, naturally, certified blockchain software
These are truly groundbreaking technologies that are going to cause a tectonic shift in the landscape of trustworthiness, security, and power for the world’s computing infrastructure.
I don’t want to get too technical, but anyone who is interested is welcome to reach out privately.
Thanks Connie. What impact has sharing your project on Binance’s private network had on the community? CTK vs CTK bep20 — how has the volume been in those two networks?
Creating interoperability with other protocols always brings greater exposure than remaining siloed. BEP 20 / Binance Smart Chain has been no different. BEP 20 allows us to have interoperability, flexibility, and even utility which may be more difficult to have in native CTK currently. We are constantly working to integrate with more communities.
Say what you want about CZ and Binance/CEXs… their network and reach is undeniable
Yes, their volume is important to the success of BSC projects
The open-source, transparent standard of blockchain has inadvertently created an environment that is susceptible to malicious exploitations of code.
Can you share critical bugs and vulnerabilities and what we should keep in mind when deploying code.
There are 3 categories of recent ‘critical errors’ that I would say are important to speak to. First off is a logic error, followed by a flash loan attack, and finally a rugpull. Logic errors are very important to watch for when deploying code, but the other two are more things to look out for when interacting with other DeFi projects.
Understanding a flash loan attack is important on both sides I suppose — relying on a single price oracle has proven to be a point of failure.
So We recommend when it comes to code deployment, project owners should pay particular attention to the following:
- Building projects with robust, widely adopted building templates and 3-party libraries, e.g. openzeppelin libraries
- Develop code with a local environment. The compiler version and unit tests must be checked and executed. Truffle and brownie frameworks are good choices in doing so.
- Code should be well and thoroughly tested and commented before any deployment. This will increase the quality of the code.
- Deploy code on testnet first with Remix, truffle, or other widely adopted deployment environments.
- Check out testnet deployment with extreme caution before migrating your code to mainnet.
The rugpull “attack” I think is an interesting point here. I mean, if I was intending to rugpull, I am unlikely to call you guys up and ask for an audit right? Lol.
Scammers are becoming more sophisticated, so while I’d tend to agree with your logic I wouldn’t put my $ on it.
😂 No definitely not. This space is sometimes quite frightening.
The ‘be your own bank’ / decentralization movement comes with its own perils.
I sweat profusely every time I reach for my ledger
Hahaha. It’s fair, but also remember when the government of Cyprus took money out of citizens savings accounts?
Wow. I did not know that happened. I think we are getting a little sidetracked here now though lol
This brings us to our latest curated question:
Smart contract audits primarily deal with known exploits, so how do you assess the risks of potential/novel exploits? Are there any practical and simple tips you can give to the community or advise of warning signs to look out for when investing in projects?
Regarding risk exploits, some of the important factors to consider are things like:
- Team Background
- Code Quality
- Is formal verification adopted in testing the project
- Does the project rely on price oracle feeds to determine token price
- The quality, design and implementation of the economic model of the project.
To add on to what Marco said about Do Your Own Research.
Some things to look out for:
- Do contract owners have dangerous privileges (minting, burning, transfers)?
- Check of the project allows modification of the address of delegated contracts
- Do a quick background check on the owner — see what you can find about their addresses on chain, in writing, etc.
- Is the liquidity of the project safely locked away for a set amount of time?
- Where did the initial funds of the project come from?
Some really good tips. People should really get into the habit of taking that extra step, especially in a bull market!
Check out CertiK Foundation for any information updates. The main reason that we launched CertiKShield is because like any good auditor we know that audits are not 100% foolproof. Purchasing reimbursement protection on your digital assets as well as encouraging projects to engage in security audits and security oracle monitoring are the only way I know to help give end to end security.
Fantastic, thanks Aaron.
Ok we’ll now open the chat for those that have any further questions they wish to ask the team. Thank you for the answers you’ve given to our community so far.
To our community:
Please keep the questions nice and concise — don’t throw a wall of text at our guest(s) please! I’ll close it up again when we get a good number to choose from.
Duck (User @feranno)
As you know, the bZx project was hacked and investors suffered a great deal of damage. Certik audited this project in September. So why haven’t you detected the vulnerability? Do you have any flaws in this incident?
Audits are not a perfect solution, but it helps to improve the code quality before launch. In fact 2% of audited projects still face hacks. This is why we’ve launched Security oracle, and CertiKShield. The combination of these three products form a multi-layered security in auditing and constant monitoring stack, and ultimately backed by CertiK Protection Coverage.
Duck (User @S4dew4)
Oracle networks are generally used with centralized bottlenecks. Does your decentralized Oracle network contain centralized bottlenecks or do you not use this for the operation of your network?
This is a great question — as we spoke about above on chain governance combined with strong and separated security engineers allow us to avoid what could otherwise be centralized bottlenecks
Duck (User @Idee01)
CertiK is the only insurance project on Binance Smart Chain. How would you evaluate the contribution of Binance Ecosystem to the development of the project? Can CertiK be the world’s top audit company with the necessary support?
Our aim is definitely to be the top in the space, and having the backing of binance labs gives the upper edge for the ecosystem and the development of our project.
Duck (User @Zidan30)
What is your strategy for expanding your Network, Community, Partnership, etc.? How will your team ensure that CertiK Foundation remains the top platform and keeps pace with your competitors, in the next 2.3 to 5 years and beyond? What is your long term vision for the $CTK project?
We are currently investing a lot of our time to build out our decentralized community, pool, partnerships with leading projects and services. Our aim is to definitely remain on par with our competitors. We plan to deliver strong decentralized solutions to help increase security for our projects
Duck (User @QuyenCao93)
Why do you think that $CTK token is necessary for your project? What is the main role of $CTK in your project? What are the benefits of holding $CTK in long-term?
CTK is used for auditing purchases, staking, governance, and any other on chain activities. A longer answer to this can be found in our white paper. If you’d like a more detailed answer feel free to reach out after this.
Duck (User @Prettyboy7)
Staking is the new trend. What staking options are available for $CTK token? Are there any incentives for staking? What are the various ways to earn tokens, and are there any limits to the amount of $CTK I can earn?
We currently allow staking CTK in our deepwallet, which we would love for you all to check out. Our staking allows our community to stake any amount of CTK and receive an APY from the Communal pool. The currently APY is around 14.2%
Staking to the CTK collateral pool yields a strong APY (it is a dynamic not static APY so go ahead and check out our deepwallet to see the current yield). Collateral providers (stakers to the collateral pool) are necessary for CertiKShield to reimburse in the case of an approved claim.
Duck (User @ineed688btc)
As we know, every successful project has a few stories behind the scenes, what’s the story behind CertiK Foundation success? What was that vision when it first emerged as an idea? Are there any special prototypes or upcoming CertiK Foundation updates that you want to show/share with us?
I can’t share any special updates yet, but please keep up with our project via twitter in order to be there when we do!
Duck (User @jlaudybell)
Where do you see CertiK Foundation actually being used by the community & solving real-world problems? What other types of strategies do you employ to attract traders from their preferred platform to the CertiK Foundation platform? Do users need to undergo KYC before they can use the CertiK service?
We currently do not have KyC, to allow a smoother registration process. CertiK’s aim is to be positioned as the leader in providing peace of mind and security to both the project owners and token holders looking.
Duck (User @kartika84)
What are the current problems facing smart contract development on the blockchain, and how will Certik solve these problems? What is the difference between dual-node and cross-chain? What makes you stand out from the crowd — there are many competitors in the market who are dealing with security issues.
CertiK is offering multiple solutions to different security issues. For example when talking about smart contract issues I would point to DeepSEA which is a provable security language.
The Cross-chain part is a good question. We are currently working on some interoperability security solutions for the space.
Duck (User @Idee01)
CertiKShield offers reimbursement for loss of funds through hack or exploit. Where does the reimbursement funds come from? In your opinion, Why do some projects fail to invest in the highest security standards and what can be done to rectify this?
Great question! The funds come from the community that stake into the pool, and currently we are also onboarding projects to stake into the collateral pool. As they receive an APY, it incentivizes them to keep staking. A lot of projects in the DeFi and overall the space are filled with risk takers, but we do feel that it’s become more educated and as such invest in security to protect themselves and their communities. products like CertiKShield and other coverage solutions can be a great place for them to look at.
Duck (User @aksakayak)
Could you give some more information about CertiKShield? How does the system work, what is required to be included in the system?
Absolutely — CertiKShield is a decentralized pool of on chain funds for the reimbursement of lost or stolen assets. On our blog we have recently posted a full explanation of how CertiKShield works. I would check that out and then open up a DeepWallet account. You’ll be able to play around with the system. If at that point you have any further questions feel free to reach out to me!
Duck (User @foodynow)
It’s easy to make a token but it’s really hard to make this token valuable? So what’s your strategy to make your token more valuable and what’s your plan to maintain token price and supply?
We rely on the community to believe in the products we are delivering in the market and we will be working with partners and will be looking to list in more exchanges to keep the volume growing and availability of our token in the market
Our pipeline is strong!
Duck (User @QuyenCao93)
What important milestones does CertiK aim to achieve by the end of this year and in the future? How will it help you and how will CertiK be successful in 2021 and beyond?
Keep growing our collateral pool, onboard more projects to offer their community coverage, onboarding awesome partners, doing more AMAs (because we love this!) and maybe you guys can join our channels and give us some feedback on our products and keeping us growing. We love our community and we look forward to growing it more!
Thank you all so much for your time today Connie, Aaron, and Marco. The work that you guys do is so essential to everyone who is in the crypto space. If anyone is not already there, please check out the CertiK Foundation TG channel and website.
Find Out More About DuckDAO🐥
DuckDAO is a community-backed digital asset incubator that provides promising early-stage crypto startups with the expertise, financial resources, and marketing power needed to fast track their progress on the path to success.
Who will win? One VC or ten thousand ducks?