Blockchain Security In The Web3 World | Mikhail, CertiK (DeFi Chat Ep 04)
DeFi Chat is a series of educational & informative interviews with world professionals in the Crypto / Blockchain / DeFi / Web3 communities. We aim to provide digestible content in multiple mediums such as video, audio (podcast), and written (blog) form!
Mikhail from CertiK has shared valuable insights about blockchain security solutions through the stories of recent attacks in the Web3 world.
Note: This transcript was automatically generated by artificial intelligence (AI) and therefore typos and grammatical errors may be present.
Lachlan: Hey everyone. Thank you for joining us today for a Defi Chat, Episode 4. We are here with Mikhail from CertiK. Mikhail is a Business Development and Strategic Partnership Manager, and we actually met at Consensus in Austin a few months back in June. Time goes by fast, and today we are gonna be going over Blockchain Security, what sort of recent attacks and what critical need is for security in this global interconnected domain.
Lachlan: Thanks for joining us today, do you mind telling us a little bit about yourself and your role?
Mikhail: Yeah, absolutely. Thanks for having me, Lachlan and the entire Stably team. Basically, I help projects avoid exploits and hacks. Here at CertiK network, we are trying to secure the Web3 world. And so essentially what we are doing is we are building security solutions that will help provide an end-to-end solution, and to solve all the issues that are currently happening in the space around exploits.
1:13–7:38: What is going on in the Web3 Industry?
Lachlan: Awesome, and so I guess what is going on right now with Web3 and the security acts? Cause you know, you hear about Rug Pulls going on, where projects are just a scam and the founders disappear with money. Is that similar to what you guys do? Like sort of what is going on with Web3 security issues at the current moment?
Mikhail: Well, the core of what we do is the smart contract assessment. That is where it all starts. And when we analyze the smart contracts, we find specific areas of concern. Some of these are intentional and some of these are not intentional. In terms of Rug Pulls, it is something that can be more intentional, and we are seeing a decrease overall in terms of Rug Pulls, but it may not necessarily be because the security in general is getting better.
Mikhail: It could also be the fact that the market is a little bit slower right now. But in general, what we do is we help projects be proactive and so we have certain security solutions to help them. Be proactive in terms of avoiding exploits and hacks, and then also we help them with their contingency plan.
Mikhail: That is something really important for a lot of these projects to have in place. We also want to help these projects have the confidence from the community because ultimately that’s the goal, right? To have the security audit, to have these solutions in place so that the users will utilize the platform. They play the game, they invest in that specific token, whatever the end goal.
Lachlan: Cool, I guess like one interesting thing that’s happened this year, it’s unfortunate that there’s been about 2 billion worth of bridge hacks. For those who have to aware bridges, sort of connect assets from one blockchain to another, but at the same time, there’ve been several significant hacks and breaches this year.
Lachlan: Are these bridges using companies like CertiK, etc to do this? Is that in line at all with your business? Because they are accounting for about 70% of all DeFi exploits?
Mikhail: I am not entirely sure in terms of the percentage, and I will certainly preface by saying that I am not an engineer. I am on the Business Development side, but we do see a lot of requests for having bridges be audited. Right now, it just seems to be a very big target for a lot of the hackers because a lot of funds are sitting there. And because of that interoperability factor and innovation just scaling very very rapidly. Here at CertiK, we are doing our best to stay ahead of that curve and keep up with all that amazing innovation.
Mikhail: Sometimes, when you have interoperability, you start introducing certain elements that create an opportunity for an attack.
Lachlan: Cause you also are sort of relying on the weakest security between two different blockchain, correct? With the Bridge for example.
Mikhail: Yeah. So you know, a development firm may not necessarily have all the expertise in terms of development for one chain versus another, right? You have all the EVM compatible chains, but you also have Solana, which is primarily built on Rust. You have NEAR, you have Algorand you have all these different chains that have all their own different requirements and specifications, and so making sure that you are completely perfect is very difficult.
Mikhail: And so a third party auditor is needed in order to ensure that there is a level of security.
Lachlan: Do you ever have instances, for example, where you give that audit, you give the stamp of approval, what not and there is just still a hack, that happened whether that is flash loan attack or another type in what sort of happens once there is an attack?
Mikhail: In general, there is no audit that is a hundred percent hack proof, right? The whole purpose of an audit, it is a snapshot in time, right? What an auditing firm can do is use their expertise, depending on their reputation, how well they are in uncovering findings, they can use their expertise to take all those factors that they are aware of at that time and apply them into the smart contract assessment. Now a month later, you know a month from that point or six months down the line, there might be new attack vectors that are introduced. And that’s why it is so important to have a contingency plan and to work with a security firm that has those resources to be able to help these projects.
Lachlan: Yeah, so I guess just everything is developing so fast and there are new attack vectors. Do you guys sort of work continuously with different protocols and blockchains so every time they make some change or what not, you are still making sure that everything is good. How do you continue working with your clients down the road with things changing?
Mikhail: A lot of times, if a project has a new functionality, they are introducing, they are coming with a new version. They will reach out to us for another audit, and at the same time, our engineers are doing their part to make sure that they are keeping up with the latest news, latest exploits, if there are any new updates to the entire ecosystem, to make sure that we are aware of what those updates are and able to apply the smart contract assessment appropriately.
7:40–16:06: What are CertiK doing and how do they measure the project?
Lachlan: Cool! And do you guys do like boutines, like in other interesting ways to combat fraud as well? Because it is an interesting thing used in blockchain where you pay someone to hack you. For a million dollars if you find a code exploit, and smart contracts. Do you guys like to touch on bounties at all? How does that fit into you guys?
Mikhail: We certainly believe that the security solution that we provide is both proactive, reactive and community confidence. We usually like to have all three of those characteristics. In regards to the proactive, on the proactive front, definitely like the smart contract assessment, the penetration testing, as well as the bug bounty. Those are three definitely important.
Mikhail: After a project gets an audit, it is good to have a bug bounty in place, ensuring that moving forward that you stay protected.
Lachlan: Okay, that was proactive. I mean, this kind of good sideway so just go over how you guys actually assess the different risks and think of different things. There are a few different ways, so proactive, reactive, and community driven. Do you mind if we go over those?
Mikhail: Yeah, absolutely! The proactive, as I mentioned, is smart contract assessment, which will help the projects and cover any vulnerabilities within the smart contract code. But a lot of those vulnerabilities and attack vectors can pop up in areas outside of the smart contract. So the front end, the back end, you would need something like a penetration test, in order to test out the functionalities and then as I mentioned, the bug bounty program that is put in place and make sure that you stay protected moving forward.
Mikhail: And the reactive phase is more along the lines of the contingency plan, where we will monitor those smart contracts that have been deployed, and provide alerts, and typically the way this works is we will monitor what is happening on the chain.
Mikhail: If there is anything that is looking suspicious. We will notify the project of whatever it is that we are seeing. So that is the core of what we do, there are also some other elements to consider when evaluating a contingency plan, which is the security firm that I am working with.
Mikhail: So if I am a project, right? Question that I should ask myself is “Is the security firm that I am working with able to trace the flow of suspicious funds?” And depending on, it is a case by case basis right? But there should be resources in place to be able to support the project and be able to trace those funds. So that is the reactive phase.
Mikhail: Then the third part is the community confidence where we have certain things that will help the community and their confidence within the project. And that includes the leaderboard, that includes having a trust score, the overall community sentiment score, which is all designed to again, just have that level of transparency. We also have a KYC team, so we will KYC the project founders to provide that extra level of transparency, cause a lot of times the code base can be fine but if the founders, if somebody on the team has bad intentions, then a KYC should be able to uncover is there any kind of history of criminal background.
Mikhail: And then the contract verification badge, lets us understand is the smart contract assessment, the code base that we have reviewed, does it match that contract that we are reviewing on chain? So, a lot of things that we put in place to ensure that the community has confidence in the project.
Lachlan: Cool! Yeah, thanks for the overview and the sort of different measures you guys take. It actually raises a question for me is that a lot of the attacks that have been happening in blockchain are actually like web2, like social engineering etc, where you are getting users to share funds. I think in the Harmony Bridge hack actually, basically a group in North Korea, it is believed that created a fake company and interviewed a senior engineering manager at Harmony other several rounds, and in the end gave him a very lucrative job offer that was sent as a PDF that had a virus with his keys kept on this computer in a hot wallet. And so subsequently hacked.
Lachlan: Is that something you guys would actually be able to help with or like what sort of the human element of these attacks? How does that fit into CertiK? Or are you guys strictly smart code?
Mikhail: So, you know, the core of what we do is a smart contract assessment, but as I mentioned, we’re building out all these other security solutions to provide that full end-to-end security package.
Mikhail: But you are absolutely right in regards to what is happening, especially in these communities like Discord. There are a lot of instances where a user may mistakenly click on a link. And that is a concern. I think right now a lot of the security auditing firms are trying to figure out what are the best ways to protect the community.
Mikhail: I can tell you that one of the things that we are developing and have developed is called an Emblem, which is essentially a CertiK logo that will go into the top right corner, and it is a little bit of code that is embedded into the client’s site. And what it does is, it acts as a link to their CertiK leaderboard profile, but it is also something that cannot be replicated, right?
Mikhail: In terms of fishing attempts, the fishing attack that occurs, this is one of the ways that side cases produce, like an indirect way of us being able to solve this problem. Any kind of site that is trying to impersonate the real site would have to contact us in order to get access to that code.
Mikhail: Well, if they do that, we can certainly report that to the client and let them know “Hey, just so you know, you have this site here that is trying to impersonate you”. And that is one of the ways that we are working on trying to eliminate the fishing attacks that are happening on the community level.
Lachlan: Wow, that is super interesting! Also, I think of it like another thing, I don’t know if this ties indirectly with you, but when I joined a Telegram group this morning, it required me to answer a question confirming that “I know that admins will never DM me”. It did not let me join until I sort of acknowledged that.
Lachlan: So I guess kind of educating people or at least having their sort of express acknowledgement of these things will also help as well, I hope. Because it is a huge issue right now like “DeFi, all the hacks and a big problem to address before DeFi adoption can grow a lot more”.
Mikhail: For sure!
Lachlan: Yeah, cause a lot of the countries that actually get hacked, etc. A lot of the users are from developing nations, which is why a lot of them are the people who need DeFi the most and they are the ones that are sort of subject to these hacks a lot of time, which is unfortunate.
16:09–18:51: What are the critical needs for security in this global interconnected domain?
Lachlan: In the event of an attack or hack, you said you guys are reactive and you work with them. How does that sort of tie in? Would insurers get involved? Would you work with law enforcement? What active role do you play after an attack?
Mikhail: Our team has extensive background and experience in working with local authorities. So that is one of the benefits of working with CertiK. This is like a worst case scenario, something was to happen and you are in good hands in a sense that we have the team, and we have the talent to be able to trace the flow of those funds. And then also we can get the local authorities involved in making sure there is a resolution to the case.
Lachlan: Because it is interesting how they are following the funds. For example, a lot of friends and family of mine, ask me “Isn’t blockchain a lot more sketchy, like for money laundering, etc”. But in reality, tornado cash just got banned.
Lachlan: I saw statistics saying that 5% of cash transactions are fraudulent. Whereas 0.25% of blockchain ones are, who knows how accurate that is. But at least with blockchain, if there’s a hack, like with the Harmony Bridge, you can see where all the funds went, and then law enforcement can track these for the most part. To a greater extent than if it’s cash, being transported across the country.
Lachlan: I think that companies like yours and blockchain analytics companies will benefit a lot in the future, from working with law enforcement and sort of reducing fraud, money laundering, Whatnot, hacks,… Cool space to be into.
Mikhail: Yeah, and I think that as we move forward, that will only increase in terms of the relationship between the government and security firms. Because the more common this becomes, the more the government will try to get involved and apply certain regulations. So I think there is going to be a close relationship moving forward between Web3 security companies and some of these government agencies.
18:53–23:03: Future of blockchain security
Lachlan: And I guess it leads me to think: “What do you see in the future for CertiK, for Blockchain security? What sort of trends do you expect in the future? What should we keep in mind?”
Mikhail: Great question! Last year, one of the most common findings was around centralization and that can be alleviated using time lock, using a multisignature wallet, renouncing privileges to let’s say a DAO. But with every single solution, there may be other areas of opportunity for a lot of the hackers. This is just my opinion, not speaking on behalf of CeriK, but I think maybe something around governance which we have kind of seen a little bit. In terms of finding it easy to exploit the voting system, it is something to be mindful of moving forward, as we try to steer away from the centralization findings and try to decentralize a lot of these functionalities within smart contracts.
Lachlan: Well, government like Proof of stake, the more that you have stake, the more likely you are to be a validator or the more sway that you have in voting and governance on a proposal. That would be more of an issue for an emerging blockchain or a protocol, for example, correct?
Lachlan: Where someone could just buy a hundred thousand dollars worth of tokens and then make a malicious decision, would that still be an issue for a more developed project as well? Sorry, who do you have in mind that is suffering from these governance issues?
Mikhail: Well, the types of projects that are coming to us for an audit are typically the smaller projects. But I don’t really know on the technical level in terms of what actually would’ve happened. But based on who we are seeing to get an audit, especially during the bull market run, there were a lot of the smaller projects that were coming in and a lot of them were popping up with these centralization findings, and they were the ones that were trying to resolve these findings.
Mikhail: So I would imagine that they would be the ones that are trying to alleviate that and the entire governance issue would be for them. But I don’t think that they are necessarily limited, I think that is more about how the smart contracts are built versus the size of the project, if that makes sense.
Lachlan: Awesome. So you guys work with a lot of smaller projects then, for anyone watching or in general, what type of people and projects could benefit from?
Mikhail: Really anybody that takes their security seriously. You know, if you have a project in Web3 and you need to protect the assets of the users. Then, that is definitely something to consider.
Mikhail: There’s a lot of different auditors out there and everyone kind of offers their own benefits. To speak, one of the things that we take pride in is the fact that we provide the full end to end security solution is the fact that we have a large bandwidth. And also, our ability to scale.
Mikhail: If you need to take a quick turnaround, we are very good about that. If, let’s say you are a partner or you are wanting to partner with a security company with a Web3 security firm, and you have got projects on Solana, on Algorand, whatever the case, we are able to accommodate all of those chains. That is the biggest advantage of working with CertiK.
23:05 — Ending
Lachlan: Awesome! I think we are sort of running out of time, thanks so much for joining today and giving an overview of what you guys do, and what is going on in the industry and why it is important for companies to have smart project audit firms such as CertiK. Is there anything else that you would like to add?
Mikhail: Yeah, definitely check out CertiK.com. Check out the leaderboard, we’ve got a leaderboard full of security scores. You can do all of the research there to make decisions in terms of your investment. You can take a look at our resources tab and be able to follow along with all the different updates that we have.
Mikhail: We post a lot of statistics, we are up to 2.3 billion now in terms of overall hacks. So a lot of useful information is in there. And if anybody in your audience has any questions about an audit feel free to send a DM on Twitter at @yerganjiev.
Lachlan: Awesome. Thanks so much and thank you everyone for joining us today!
Lachlan: Reach out to Mikhail, if you are interested in smart contract audits or learning more about what is going on. CertiK is definitely one of the leaders out there. We met in Consensus — Austin, and met a lot of other companies that use CertiK as well, including Stably and they only have great things to say about.
Lachlan: Appreciate it and take care Mikhail for the time!
Mikhail: You are welcome, Lachlan.
— — — — —
Want the latest news and updates? Join our Discord!
Follow us on social media:
Website | Twitter | Linkedin | Facebook | Updates & Announcements
Exchanges or Market Makers: firstname.lastname@example.org
Investors: Kory Hoang, CEO — email@example.com
RISK DISCLAIMER: Nothing contained herein shall be considered financial advice or recommendation to buy or sell any security, commodity, cryptocurrency, digital asset, or any other financial instrument or asset. Cryptocurrencies, digital assets, and investing have many risks, including risk of losses beyond principal investment or purchase amount. Past performance is not indicative of future results. You should be aware of all the risks associated with cryptocurrency and digital asset investing, purchasing, and transacting and seek advice from an independent licensed financial advisor. For our full disclaimer, visit: https://www.stably.io/disclaimer/