The Texas Reporter
Former Certik Clients Question Security Firm’s Stronghold On Protocol Audits – The Defiant

Editorial Board Published June 24, 2024

A Solana cybersecurity researcher said that the firm does the bare minimum when auditing protocols.

Certik found a vulnerability in crypto exchange Kraken and proceeded to hold $3 million of the exchange’s funds hostage last week. As other clients of the blockchain security firm come forward, their experiences show the judgment lapse may not have been a one-off.

These red flags call into question one of the most well-known security firms in the space. Certik has raised more than $140 million from venture capital firms including Sequoia Capital, Coinbase Ventures, and Tiger Administration Capital, among others.

According to the company, they’ve audited more than 5,021 smart contracts and 685 “formally-verified” projects, in a space where expert review of smart contract code is crucial, with $5.7 billion lost in exploits in the past two years alone, as per data from Web3 bug bounty firm ImmuneFi.

Certik didn’t reply to multiple requests for comment from The Defiant.

Did “Bare Minimum”

Three years ago, Matías Barrios was employed at Stacktical, a French company that made smart contracts on the Ethereum blockchain. Stacktical employed Certik to audit their code.

According to Barrios, who is currently an offensive security engineer for blockchain cybersecurity company Halborn and one of the foremost security experts on Solana, Certik did the bare minimum, and left their code without a deeper review.

“Instead of running three layers of audits, which includes static analyzers, manual review, and then testing, they only did the first,” he told The Defiant. The static analyzer, Barrios explained, is just an automated, “very basic,” review of the code.

Barrios alleged that this is Certik’s modus operandi.

“They go over the code through some automatic tooling, offer a very simple report, and leave it at that,” he said. According to Barrios, they never go through the manual review, which he considers the most important part of the process.

Aggregated data backs Barrios’s impression. Certik is the auditing firm whose clients have suffered the biggest losses in exploits, with $1.22 billion lost, according to data compiled by IntoTheBlock. Out of Certik-related exploits, the Venus exchange on the BNB chain suffered the biggest losses, due to price manipulation of the Venus token, which led to massive liquidations.

Merlin Post-Audit Hack

In April 2023, hackers drained $2 million from Zksync-based decentralized exchange Merlin, after it was audited by Certik.

“As a core auditor of the CamelotDEX contracts, I can say with 95% confidence that the said company did not audit these contracts,” wrote cybersecurity expert Charles Wang after the Merlin rug pull. “There is no possibility to miss this change. Zero.”

Merlin did not immediately reply to a request for comment from The Defiant.

After the Kraken exploit, Hugh Karp, founder of crypto insurance company Nexus Mutual, noted that Nexus Mutual stakers often price a protocol higher if it has been audited by CertiK than not at all.

“Feel like I can say this out loud now,” he wrote.

Not White-Hat Hacking

Kraken’s Chief Security Officer, Nick Percoco, took to X on June 19 to call out a cybersecurity firm that found a bug in their system and filed a bug bounty report, but later exploited the vulnerability to the tune of $3 million.

“This is not whitehat hacking,” exclaimed Percoco, “this is extortion.”

Hours later, Certik came forward as the company, countering with allegations that Kraken was threatening their employees. Certik returned the funds a day later.

Michael Perklin, former CISO of Shapeshift, said, “I’d never hire a security company that did this. Extortion is a bad look.”

Checks And Balances

Many in the crypto community were quick to label Certik’s behavior as nefarious, but some cybersecurity experts pushed back.

According to Tal Be’ery, co-founder and CTO of crypto wallet ZenGo, it’s hard to tell what happened, but he points to a lack of accountability.

“From the corporate side it’s probably much more about checks and controls, and not about premeditated nefarious behavior,” he told The Defiant.

Be’ery added that his company had a good experience after working with Certik in the past. “I would say they are the most professional team I’ve worked with in this field,” he said.

However, Be’ery pointed out that his interaction with Certik was purely research-focused.

Malware Bot

Late last year, pseudonymous developer PopPunkOnChain alleged that a Discord link from security auditing firm Certik’s website connected to a bot and malware meant to drain wallet assets.

PopPunkOnChain has been critical of Certik since the Merlin exploit, saying that most of Certik’s audits are of tokens with just a few lines of code, and even that is because exchanges require projects to have an audit from a big-name firm to be listed.

“Terminate your agreements with these frauds,” he said.

Seal of Approval

Barrios agreed with PopPunkOnChain’s allegation that projects in their infancy need Certik’s approval.

“They are so widely used because so many companies simply need the ‘Certik seal of approval,’” he explained with frustration. “In our field it’s a pain that they are doing things poorly, and automated because it makes the rest of us [cybersecurity experts] look bad.”

Halborn’s Offensive Security Engineer added that Certik has so many contracts because the crypto industry doesn’t have “proper best practices.”

Jameson Lopp, CTO at crypto custodian Casa, said that the Kraken incident is “not entirely above board with regard to what you’d expect from a professional whitehat attempting to follow best practices.”

“In general it sounds pretty fishy,” Lopp said.
