Cryptocurrency’s surge from internet niche to financial revolution accelerated quickly in recent years. Bitcoin’s (BTC-USD) growth from $1,000 in 2017 to its all-time high of over $65,000 in 2021 proves that much. But even more important than price growth is the growth in active crypto traders over the last two years. More people are recognizing the potential of blockchain technology, and early adopters are entrenching themselves in the space to brace for the future. Yet as this growth continues, investors often overlook safety concerns, instead focusing on the prospect of big gains and “free money.”

The FOMO economy frequently puts blinders over the eyes of investors. The crypto market, full of technical knowledge and jargon, obfuscates the value of an investment even more. NFTs, ZK roll-ups, DEXs and CEXs, PoW and PoS, layer-1 and layer-2 — the list is indefinite. This overwhelming terminology can make it hard for the layman to parse through a project’s security features for any red flags. 

But there is a way to outsource the research that goes into crypto investing. Crypto audits — assessments of blockchain projects’ code for bugs — are building momentum as ways to satiate the worries investors have while helping teams build legitimacy. Several firms are establishing themselves as faces you can trust within the industry. They aim to help investors better understand the risks of a given project while also being the first to let them know when something is going wrong.

Ronghui Gu is a professor of computer science at Columbia University and the co-founder of crypto security firm CertiK. Gu is one of the foremost experts on this burgeoning industry, now four years into the CertiK project. And, he’s one of the most well-equipped to explain why the practice of crypto auditing is so deeply important.

A Blockchain Full of Bugs

Anybody who uses a piece of software regularly can agree that bugs can make using that software more difficult. Even some of the largest developers in the world run into coding mishaps that degrade the user experience. In fact, between July 2020 and July 2021, Microsoft (NASDAQ:MSFT) gave out over $13 million through its Bug Bounty program, in which users find Microsoft code bugs and receive rewards.

When he founded CertiK, Gu was already fully aware of the inherent bugginess of software. “People [in the software development industry] say, ‘in code we trust,’” he says. “But, code itself is buggy — it’s not trustworthy. One single line of buggy code can lead to millions of dollars of financial loss.”

Crypto is no different. Each project, each wallet, each exchange — everything is crafted by developers. There are countless opportunities from the buying process to the storing process for a bug to make things go awry.

In fact, Gu argues that crypto is more susceptible to bugs, being at the forefront of the Web 3.0 movement. “Web 3.0 and the blockchain industry, these decentralized applications, are quite different from applications in previous platforms,” he says. 

Web 3.0 seeks to decentralize the internet, putting the power of governance in the hands of the users. But this new iteration of the internet has software developers thinking about code differently. With the present-day Web 2.0, Gu explains, cybersecurity companies can be proactive with their software. They can deploy their product, find bugs, patch them and resume operations. 

Unfortunately for the blockchain-based applications of Web 3.0, though, there are no opportunities to edit code after it has been published, due to the immutability of blockchains. Changing anything on-chain would require changing data on every subsequent block of information — an impossible effort. This is the drawback of having verified, permanent data stored on such a neatly organized database. As such, it’s important for developers to get their code exactly right before publishing to the chain.

“When you have smart transactions and blockchain system code, once you deploy them … it is very hard and sometimes even impossible to make changes to this code,” Gu says. “It’s like a real-world contract where, after you sign it, even later, you find loopholes. It’s very hard to make changes.”

Crypto Audits Can Fix the Unalterable

Gu’s solution to this takes an entirely new approach to cybersecurity. Since blockchain code is largely unalterable after deployment, CertiK uses audits to help blockchain developers find issues before they arise. 

The CertiK team uses a dual process of formal and manual verification to conduct audits of projects. The first of these — the formal verification process — uses CertiK’s own BNB Chain security oracle, which automatically scans the smart contracts and reports errors. The manual process, then, involves CertiK team members combing through the project’s contract by hand, diligently and accurately seeking out syntax errors and other key details that could be concerning.

At the end of these verification processes, CertiK sends a detailed audit report to the developers of the project. This report covers all key issues found during the audit, along with expert advice on how to mend the errors. CertiK classifies each issue on a scale of minor to critical.

Another interesting aspect of the audit process is that CertiK shares its findings not only with developers but with the public as well. Gu says the purpose of this is to be totally objective and transparent about all of the issues with a project. “Auditing reports are actually pretty objective stuff in the sense that it’s not a certificate,” he says. “We hope that the users, the customers, can read our report rather than saying, ‘Oh, it’s audited by CertiK.’”

This has led to a unique way in which CertiK engages with individual users in addition to developers themselves. Audited status is no longer just a badge of approval, it means giving investors a full look under the hood to see if developers are leaving loose ends untied or bringing a quality product to the table. By making the audits public, CertiK gives investors the responsibility to look at its work — to weigh a project’s issues at hand before investing.

CertiK Audits Emphasize Transparency and Protecting the User

Transparency is a huge component of the CertiK model. The company wants to do a good job keeping projects safe, so it seeks out vulnerabilities in their code. But Gu knows that the company can’t wash its hands of responsibility after the audit.

“Previously, no security firms released their auditing reports. They follow the way Web 2.0 security firms [operate]; ‘Our customers are these blockchain projects, we deliver the report to this company, and our job is done.’ With Web3, things are totally different and [we] actually want to protect the community.”

Another step the company is taking to keep investors safe is through its new technology, Skynet. Skynet is an on-chain security-monitoring tool that actively tracks the safety of a project. The tool then ranks projects being monitored on the CertiK Security Leaderboard. As of today, Terra (LUNA-USD), Shiba Inu’s (SHIB-USD) ShibaSwap DEX and Polygon (MATIC-USD) top the list.

Here, users can view real-time changes to a project’s ability to withstand a cyberattack. CertiK can also quickly notify developers of any changes that might resemble a hack. Moreover, investors can keep tabs on their investments’ security measures through the leaderboard, making it a great tool for holding developers to a high standard. And according to Gu, the project serves as an eagle-eyed watchdog for any sign of a hack.

“Right now, there are more than 500 Web3 and blockchain companies that have subscribed to Skynet, and they will get all this security information and this data for their projects,” Gu says. “Some projects don’t notice that they did get hacked until several hours after the hack happened. [With Skynet,] we want to make that window as short as several seconds before they get alerted.”

Serving Small Developers and Investors First

Gu emphasizes that CertiK is not in it for a profit; rather, it’s a passion project that seeks to bring cybersecurity to all blockchain projects that need it. Because of this, Gu says that CertiK doesn’t limit itself to serving only the top projects.

“Our goal is not to become the premium security service firm,” he says. “Most [blockchain and Web 3.0] innovations actually are created by average developers, not by big platforms. And then they should have the privilege to work with the best security firm to make sure that their projects are legit, their projects are secure, and they can grow.”

One shining example of this ethos is in the metaverse player Sandbox (SAND-USD). “We first served them in the year of 2019,” Gu says. “They were not a big company. We served them for two years, and now they are huge, and we have done more than six audits for them.” Indeed, since 2019, Sandbox’s market capitalization has grown from just a few million dollars to nearly $4 billion today.

Beyond helping smaller projects, CertiK also strives to help investors stay safe from projects built with bad intentions. Rug pulls and pump-and-dump scams are rampant in the crypto market, and Gu realizes that. As such, CertiK has begun issuing rug pull alerts on social media. When a project is flagged as suspicious, the team conducts its own deep dive to look for red flags in the code, like functions that could be used by developers to steal funds and make a quick getaway.

Gu’s perception of his company is quite altruistic. He emphasizes that CertiK’s offerings stem from the fact it wants to protect the community.

But even more noteworthy than Gu’s words are the company’s actions; CertiK does not investigate potential rug pull operations because there is revenue in it. The company does this solely to keep the community safe from bad actors. While Gu says CertiK’s employees are not motivated by profit, the company shows an aptitude for earning nonetheless. In the last year alone, the company has grown its revenue by 300%.

Defending Against a New Era of Crypto Hacks

Regardless of the motives of CertiK and how they may contrast with competitors, Gu makes one thing quite clear. Crypto audits and other forms of blockchain cybersecurity will most assuredly only grow in importance as time progresses.

This much is made obvious by the multiple government efforts to broaden cybersecurity task forces to include the blockchain. Take, for example, the Department of Justice’s crypto task force founded in October 2021, or the FBI task force it announced in February.

These task forces formed in the wake of ongoing crypto hacks and scams. However, Gu says that these government bodies should be using CertiK and other crypto cybersecurity outfits in order to rebuild the softening trust that these bad actions cause. 

“I hope that we can be the go-to person for all these things in this industry,” he says. “We are willing to help the FBI, all these institutes, all these platforms. We are willing to help this community with whatever we can provide.”