Article author: 0x9999in1
Source: MetaEra
Recently, MetaEra launched its Hong Kong Zone, and the "Hong Kong Crypto New Policy Two-Year Anniversary Celebration" series of activities was the first to go live. An important part of it is "High-end Dialogue: Hong Kong Web3.0 Influential Leaders". The interviewee in this issue is CertiK co-founder Gu Ronghui.
Introduction
Ronghui Gu is a professor of computer science at Columbia University and co-founder of CertiK. He is a member of the International Technology Advisory Committee of the Monetary Authority of Singapore (MAS) and a member of the Hong Kong Government's Third Generation Internet (Web3.0) Development Task Force. Ronghui Gu graduated from Tsinghua University with a bachelor's degree and received a Ph.D. in Computer Science from Yale University in 2016. Ronghui Gu is also an expert in operating systems, software security, and formal verification, and is the main designer and developer of CertiKOS.
Highlights
●I think Hong Kong is still one of the best places for Web3 startups. For Chinese people, I think it is undoubtedly the best startup base.
●We believe that security needs to accompany the entire life cycle of a project. We hope to accompany users from the early stages to going online, listing on the chain, listing coins, and then to mature operations.
●We do not want the industry or project owners to think that just because a project has passed CertiK’s security audit, it will have no security issues at all.
●Everything CertiK does is to make everything open and transparent.
●Open and transparent information is definitely a double-edged sword for CertiK, but it is definitely a positive result for the industry.
●The three most important points of regulatory policy are controllable, visible and enforceable.
●The development of Web3 in Hong Kong has passed its earliest honeymoon period and is now entering a period of pain.
●CertiK will have to fight against hackers 24/7 in this unfair confrontation, year in and year out, to ensure our winning rate as much as possible.
Full Interview
MetaEra: CertiK settled in Hong Kong Cyberport in August last year. Can you talk about your own personal experience and provide relevant guidance and suggestions for practitioners and projects who are still watching the development of Hong Kong's Web3?
Gu Ronghui: I remember that in January 2023, Hong Kong had already introduced some relevant policies. At that time, I felt that everyone was in a wait-and-see state. CertiK received an invitation to come to Hong Kong and met with Financial Secretary Paul Chan Mo-po. He expressed his views on Web3 financial policies, which made me feel that the Hong Kong government is very confident about the development of Web3.
It was from that time that we started to set up CertiK's company in Hong Kong. At that time, the United States' attitude towards Web3 was as follows: the SEC launched more than a dozen lawsuits in succession. Everyone felt that the United States' attitude and policy towards Web3 had become very unclear, so many people turned their attention to Asia. The main financial centers in Asia are Singapore and Hong Kong. When I received the invitation from Hong Kong, I was actually in Singapore at the time. I was also a member of the International Technology Advisory Committee of the Monetary Authority of Singapore (MAS). In addition, because Singapore's sovereign fund Temasek invested in FTX, after FTX collapsed, Singapore's policy on Web3 began to hesitate. I think Hong Kong has seized this opportunity very well.
We chose to settle in Cyberport in Hong Kong, which provides sufficient support for Web3 entrepreneurs. Not only does it organize activities regularly, but it also incubates projects, etc. We also communicated a lot. Throughout the process, I felt that Hong Kong has a unique position, and coupled with the Hong Kong government's determination to develop Web3, we feel that it is a very good base for Web3 entrepreneurship.
If I were to give some advice to other Web3 practitioners, I think Hong Kong is still one of the best places to start a Web3 business. For Chinese people, I think it is the best place to start a business. First, it has policy support; second, it is backed by Shenzhen, which can not only recruit financial talents, but also many high-quality programmers and developers; third, more and more related companies are entering, which also allows everyone to find partners or customers better. In addition, if there are entrepreneurs who want to start a business in Hong Kong, I strongly recommend that you contact Cyberport as soon as possible. CertiK is also cooperating with Cyberport and can provide some security certificates, which can help everyone apply for Cyberport's entrepreneurship support fund, etc.
In addition, Hong Kong’s financial regulators adopted CertiK’s suggestions and strengthened the stablecoin regulatory framework. This is a very good feeling! It is equivalent to the Hong Kong government being able to listen to professional suggestions, ideas and voices from all sectors of the industry, so as to improve its policies. I feel that among all local governments, the Hong Kong government has done the best in this regard.
MetaEra: Hong Kong has also attracted many Web3 projects to settle in under the call of the new crypto policy. How do you think these projects view blockchain security? Do entrepreneurs in the Chinese-speaking region have different views on crypto security than those in the Western world? Can you elaborate on this?
Gu Ronghui: We are in the Web3 security track, and we can also be said to be the leading company in the Web3 security track. First of all, security is important to most practitioners. If you ask any company or founder whether the security of the project is important, he will definitely say it is very important! But how to improve the security of the project, and what aspects does the security of the project include? Are you willing to pay for it? The answers are relatively vague and general, so everyone thinks that security is very important, but when it comes to implementation, we feel that the relevant resistance is still relatively large.
First, everyone thinks it is unnecessary. There is always a fluke mentality that the project is safe and will not be attacked, so it is easy to ignore the security of the project. Second, in terms of security, what does blockchain security include? As a blockchain project party, what aspects of security protection should it do? In fact, most project parties don't know much. In the past, you may have heard more about code audits. Partly thanks to CertiK's advocacy, code audits have reached a consensus: after the project code is tested by internal personnel, an independent third-party security audit should be conducted by an external organization.
But it was not like this three or four years ago. When DeFi just started in 2020, everyone gradually realized the importance of code auditing. In the past few years, some projects only conduct security audits on part of the code because it is very expensive. Some projects even conduct security audits on this version of the code, but do not conduct security audits on the updated versions of the code. This is actually a misunderstanding. Any change to the code, even a few lines of code, may introduce new vulnerabilities and new attack opportunities. This phenomenon has not yet reached a consensus, that is, all the code and all versions of the project should be subject to security audits.
Going one step further, code security audit is only a small part of blockchain security. The entire blockchain security includes the management of private keys, the security of non-smart contract parts and smart contract interactions. For example, some projects also involve node security, such as the use of wallets by enterprises, whether it is a multi-signature wallet or an MPC wallet, and whether these wallet solutions are safe. In fact, all of the above exceed the scope of code auditing, but for the security of these parts, many project parties have zero design and zero protection, almost running naked. In this case, you will find that many attacks no longer simply exploit smart contract security. We have launched a security training in cooperation with Cyberport to provide security training for entrepreneurs and startups, followed by an exam session and a certificate. With this certificate, you will be eligible to apply for Cyberport's fund support. Because if you are given support funds, this at least prevents them from being stolen or lost.
MetaEra: Do entrepreneurs in the Chinese-speaking world have different views on crypto security than those in the Western world? Can you elaborate on this?
Gu Ronghui: The overall view is still the same! Before 2021, people didn't pay so much attention to security. After 2021, people began to pay more attention to security. But there may be some subtle differences. It may be that Western entrepreneurs rely slightly less on luck when it comes to security, while entrepreneurs in the Eastern Chinese-speaking region have a certain fluke mentality and feel that their projects have no security issues. Another slightly different point is that when we help Western projects point out some vulnerabilities, they are relatively open-minded. When you encounter some projects in the Chinese-speaking region, when you point out problems, they will have a resistant mentality. They think that there is no problem with the project, there is no problem with the code, and the problems pointed out by CertiK are actually detrimental to their projects. Of course, the situation I mentioned is also an extremely rare case. But I want to say that the purpose of security audits is to help you find problems and help you fix them.
MetaEra: Recently, we have seen that CertiK's slogan has changed. What are the considerations behind this upgrade? CertiK has launched security tools such as Token Scan and Wallet Scan for the community for free. As a security company, will CertiK devote more energy to C-end users?
Gu Ronghui: Let’s talk about the slogan first. Our previous slogan was “Securing The Web3 World”. We have just upgraded it and our slogan now is “Elevating Your Entire Web3 Journey”. This is a big change.
Let me first talk about why I want to make such a change. CertiK has served 4,700 customers, found 150,000 security vulnerabilities, and reported more than 40 major vulnerabilities. It can be said that we have made a very big contribution to the community. However, I think our output to the C-end, the developer community, etc. is not enough. We have not done enough in responding to the community's feedback in the past few years.
"Securing The Web3 World" was our most simple idea at the beginning, that is, we hope to protect the entire Web3 industry and the world. Then I would ask myself, where are our customers? Where is our community? In fact, this slogan does not reflect it very well. When our vision becomes very grand and becomes an industry or a world, it sometimes ignores specific communities, specific customers, and specific C-end users. So I added "Your Web3 Journey" to the new slogan. We really hope to put every individual and community in the industry into our thinking, making it more specific, rather than a macro world.
Second, many of our customers think that security is a one-time security audit before going online, and they regard it as a service at a certain point in time. However, we believe that security needs to accompany the entire life cycle of the project. We hope to accompany users from the early stages to going online, listing on the chain, listing coins, and then to mature operations.
Third, with the slogan upgrade, we believe that security is not just about preventing attacks. Throughout the entire life cycle, we are empowering the project parties. CertiK now provides many services beyond the security field, which have already reached the pan-security field. In addition to the pan-security field, we also provide customers with "Design Review" consulting services. For example, for the TON public chain, we conducted code audits and formal verification for it in the early days. After it went online, we also helped TON with performance testing and community building, which actually went beyond the scope of the security field.
Therefore, in order to better define CertiK's mission and better define CertiK's products and services, we upgraded CertiK's slogan. The new slogan includes project parties, exchanges, wallets, and C-end users. Tools such as Token Scan and Wallet Scan are completely free, with the purpose of giving back to the community that supports us and then empowering our community.
MetaEra: Many startup Web3 projects will emphasize in their official PR that they have passed CertiK's security audit. It seems that "passing CertiK's security audit" has become an industry standard. So what do you think of some project owners promoting this aspect as the merits and advantages of their own projects? Users may be trained to have a fixed mindset that "a project that has passed CertiK's audit is a good project, and a project that has not passed CertiK's audit is not a good project." What do you think of this phenomenon?
Gu Ronghui: First of all, I am very happy to see that many projects use passing CertiK’s security audit as a plus point and promote it as a project advantage. This is definitely a recognition of our work, technology, and brand. In any case, it is a happy thing.
But I also want to point out the biggest misunderstanding. We don’t want the industry or project parties to think that after passing CertiK’s security audit, the project will have no security issues at all. We have always emphasized that these are two different things.
First of all, there is a big gap between CertiK's security audit and the security of the project. Project security actually includes many parts that are outside the scope of a security audit.
Second, CertiK can often only obtain part of the code, or even part of a version of the code, for security audits, so there is no way to provide any guarantees for the entire code base.
Third, the work of Turing and other scientists shows that in theory, there is no universal way to ensure that a piece of code is 100% secure. So passing a security audit does not mean that the code is 100% secure. However, passing CertiK's security audit can show that the project party attaches importance to security, which requires the project party to spend time and money, or even delay the launch to improve the overall security of the project. In addition, passing CertiK's security audit can greatly improve the security of the project.
From these perspectives, passing CertiK’s security audit can indeed be an advantage for the project. However, we do not want to turn it into a fixed mindset, which may backfire on both the project and CertiK. So we are constantly explaining the facts. Thank you again for the recognition of the project and the industry.
MetaEra: CertiK encountered the Kraken incident this year. I believe everyone is familiar with the situation where both parties have their own opinions. So from the perspective of public relations crisis, what growth insights and actual impacts did this incident bring to CertiK?
Gu Ronghui: The popularity of this incident far exceeded our imagination. Several months have passed, and when we look back at this incident, there are several very obvious results.
First, Kraken had a serious vulnerability. CertiK discovered the vulnerability and quickly notified Kraken. Kraken fixed the vulnerability and ultimately did not cause any user losses. Kraken itself would admit that this may be the most serious exchange vulnerability in history. CertiK discovered and helped it fix the vulnerability. Judging from the results, this is a Big Win for the entire industry.
Second, if we were to go through it again, CertiK would still report to Kraken as soon as possible and help them avoid any possible user losses. Whether we repeat it 100 times or 1,000 times, this is what we will do.
However, when both parties have different opinions on the same issue, CertiK believes that there must be a better way to resolve it, rather than having a situation like before where both parties insisted on their own opinions.
MetaEra: As the "sword bearers of the industry", blockchain security agencies and blockchain rating agencies will face a problem: how to ensure their professionalism and treat every Web3 project fairly? How does CertiK effectively deal with this?
Gu Ronghui: This question has been bothering us since 2020, and we have been thinking about it. Before decentralization, we would put our money in Amazon, Alibaba, and Tencent, based on our trust in these big companies, but we think these big companies are centralized institutions, and we want to decentralize. But after decentralization, ordinary users can't understand the code. CertiK stood up and told everyone that the code is safe and they can trust CertiK, but will CertiK become a center at this time?
To be honest, CertiK has been involved in a lot of controversy in the industry over the past two years, and we will not shy away from it. Why are there so many controversies? Why do so many people criticize us? Maybe it’s because everyone thinks CertiK has become centralized, and CertiK will be questioned whether it is reasonable and fair.
We are also thinking about these issues. One of the reports said that CertiK has turned blockchain security into a track by itself. We are thinking: What should we do with such a heavy responsibility? The choice CertiK made at the time was to make all security audit reports public and upload them to our own website, but these reports were too professional and many users still couldn't understand them. We then refined these reports into Skynet data and provided a visualization mode for everyone to view. Everything CertiK is doing is to make everything open and transparent.
At the time, this decision was strongly opposed by the company, its partners, and even our investment institutions. Because CertiK has made all security audit reports public, whenever a security incident occurs, everyone will think that the security issue is related to CertiK. But so far, no other security company dares to make all the information public, because once it is public, it will be exposed and there will be no way to escape or hide from any problems.
Public and transparent information is definitely a double-edged sword for CertiK, but it is definitely a positive result for the industry. Our principle is that even if it is a double-edged sword for CertiK, it is positive for the industry, and CertiK will unswervingly implement it. From 2020 to now, CertiK has always maintained its original intention. Even if there are problems with the project party, CertiK will be criticized, and we will bear all the negative impacts. Every day to this day, we will publish our security incident reports on the website.
MetaEra: As countries and regions introduce policies and regulations on virtual assets, security issues are becoming more important to law enforcement agencies and governments. Which regions and countries has CertiK already cooperated with? What are the main security issues in the Web3 field in the future?
Gu Ronghui: Let me first talk about cooperation in various aspects.
First, I am a member of the Hong Kong government's third-generation Internet (Web3.0) development task force, and CertiK's Chief Security Officer Professor Li Kang is also a member of the group. For example, the "Consultation Conclusion - Legislative Proposals for Implementing a Stablecoin Issuer Regulatory Regime in Hong Kong" jointly issued by the Hong Kong Treasury Bureau (Financial Services and the Treasury Bureau) and the HKMA (Hong Kong Monetary Authority), CertiK also made two suggestions. In Singapore, I am also a member of the International Technology Advisory Committee of the Monetary Authority of Singapore (MAS), and I am the only one from the Web3 industry among the 11 members.
In addition, CertiK participated in the drafting of the compliance policy for the Japanese yen stablecoin, and provided advice to the Japanese Financial Services Agency (FSA) on contract compliance and hacker monitoring. It is also jointly drafting policy documents related to Metaverse and Web3 with the Malaysia Digital Economy Corporation (MDEC). In South Korea, CertiK signed an MOU with the Seoul and Busan city governments to carry out relevant cooperation.
The above are some of the collaborations that CertiK has conducted with governments in Asia to help them draft compliance-related policy documents.
Starting from 2023, the trend of the entire Web3 industry, including Asia and the United States, is compliance, such as the mainstream narrative of spot ETF passing. The benefit of compliance is to allow more users to participate, and more users from traditional industries can participate.
The policies of various governments still start with stablecoins. CertiK strives to promote the development of local policies in this process and help governments better understand Web3. Because many times, lack of understanding will lead to fear. Helping the government understand will allow them to slowly accept Web3. This is a role played by CertiK.
The three most important points of regulatory policies are controllability, visibility, and enforceability. So once governments start talking about compliance, they immediately have to talk about security. If the security problem is not solved, there will be a situation where it is invisible and uncontrollable. So now more and more attention is paid to on-chain transactions, and this is one of the reasons.
MetaEra: What are the main security issues in the Web3 field in the future?
Gu Ronghui: I think there are four aspects:
First, code security;
Second, the security of projects outside of the code, such as the interaction with smart contracts;
Third, private key management;
Fourth, counterparty risk, such as whether your transaction is secure, whether the interactive assets will be stolen, etc.
Currently, we can see two trends: first, traditional banks are entering the Web3 industry, and their security issues will become more prominent; second, retail investors are just entering the Web3 industry, and they are unable to keep their wallet private keys well and cannot judge whether a project or a smart contract is safe. The "Your" in our new slogan is intended to include these two groups who don't know much about Web3 security, and help them better ensure security.
MetaEra: Looking at the world, focusing on Hong Kong. CertiK is also making suggestions for the development of Web3 in Hong Kong. The Hong Kong Treasury Department and the Hong Kong Monetary Authority have adopted CertiK's suggestions in the stablecoin regulatory legislation proposals. In your opinion, what stage has the development of Web3 in Hong Kong reached?
Gu Ronghui: The development of Web3 in Hong Kong has passed the earliest honeymoon period and is now entering the pain period. We have seen the determination of the Hong Kong government in the early stage, including the speech of Financial Secretary Paul Chan and the support of successive policies. In the process of formulating policies, the Hong Kong government communicated with the industry and listened to industry suggestions extensively. The policy is attractive, which also attracted many companies to Hong Kong. This is what I call the honeymoon period.
After the honeymoon period, companies need to start developing their business and exploring the market. Entering such a stage is challenging in itself. The company needs actual users and markets, which is a road full of challenges and difficulties.
MetaEra: Professor Gu, you have gone from campus to society, and you have also founded a security company focusing on blockchain security. What was the opportunity for this transition (leaving campus and starting a Web3 business)? In addition, what was your original intention for founding CertiK? Has it changed since then?
Gu Ronghui: Let me talk about the process of founding CertiK. CertiK is named after CertiKOS. In 2016, I worked with Professor Shao Zhong, another founder of CertiK, to develop CertiKOS, the world's first fully formally verified, hacker-proof, and attack-proof operating system kernel. It was a technological breakthrough at the time and received a great response in the industry. I also got a teaching position at Columbia University based on this research result.
First, let's talk about formal verification, which uses mathematical methods to prove the security of a piece of code. It can achieve the highest security standards currently available, but it is also very costly and takes a long time, so it can only be applied in very core and critical areas before, and it is difficult to apply it on a large scale. In 2016, we completed the verification work of CertiKOS, which also proved that formal verification has reached the application stage.
Another incident happened in 2016. The DAO on Ethereum was attacked, which is considered one of the largest security attacks. Everyone views blockchain security as very challenging because there are vulnerabilities in the code. Once a hacker attacks, no one can stop these transactions. So everyone hopes that the code is as secure as possible, because the assets behind the code may be tens of millions or even hundreds of millions of dollars. Under such an opportunity, our own technology and market demand have a good fit, and CertiK came into being. CertiK hopes to apply formal verification to smart contract audits and improve the security of the entire industry project code. This is the original intention of our establishment.
The development process is very challenging, and the biggest challenge we are facing is still the public's perception of security. From 2017 to 2020, everyone thought that security was important, but no one was willing to do anything for security, and no one was willing to spend time and energy on security work. By 2020, industry practitioners believe that at least smart contract audits are necessary, and there are many other security issues that have not received sufficient attention.
In addition, the Web3 industry is developing very rapidly, and the speed of technological updates and iterations is also very fast. New terms, new concepts, and new technologies emerge every month. When new technologies emerge, security issues will become prominent. CertiK currently occupies a relatively high market share and needs to cover all technology stacks and all ecosystems. This process is quite tiring.
In addition, during the development of CertiK, we have to face many non-technical problems and even some disputes, including our opponents, the hackers. Hackers may go to the weakest company in the industry to attack. If CertiK is regarded as a bodyguard, CertiK needs to protect 4,700 customers at the same time, but we have no idea where the hackers will start. To be honest, this offense and defense are not equal. However, we have to fight against hackers 24/7 in this unfair confrontation, year in and year out, to ensure our winning rate as much as possible. This work is very challenging, but our original intention has not changed.