A Solana cybersecurity researcher said that the firm does the bare minimum when auditing protocols.
Certik found a vulnerability in crypto exchange Kraken and proceeded to hold $3 million of the exchange’s funds hostage last week. As other of the blockchain security firm’s clients come forward, their experiences show the judgment lapse may have not been a one-off.
These red flags call into question one of the most well-known security firms in the space. Certik has raised more than $140 million from venture capital firms including Sequoia Capital, Coinbase Ventures, and Tiger Management Capital among others.
According to the company, they have audited more than 5,021 smart contracts, and 685 “formally-verified” projects, in a space where expert analysis of smart contract code is crucial with $5.7 billions lost in exploit in the past two years alone, as per data from Web3 bug bounty firm ImmuneFi.
Certik did not reply to multiple requests for comment from The Defiant.
Did “Bare Minimum”
Three years ago, Matías Barrios was employed at Stacktical, a French company that made smart contracts on the Ethereum blockchain. Stacktical employed Certik to audit their code.
According to Barrios, who is currently an offensive security engineer for blockchain cybersecurity company Halborn and one of the foremost security experts on Solana, Certik did the bare minimum, and left their code without a deeper review.
“Instead of running three layers of audits, which includes static analyzers, manual review, and then testing, they only did the first,” he told The Defiant. The static analyzer, Barrios explained, is just an automated, “very basic,” review of the code.
Barrios alleged that this is Certik’s modus operandi.
“They go over the code through some automatic tooling, offer a very simple report, and leave it at that,” he said. According to Barrios, they never go through the manual review, which he considers the most important part of the process.
Aggregated data backs Barrios’s impression. Certik is the auditing firm whose clients have suffered the biggest losses in exploits, with $1.22 billion lost, according to data compiled by IntoTheBlock. Out of Certik-related exploits, the Venus exchange on the BNB chain suffered the biggest losses, due to price manipulation of the Venus token, which led to massive liquidations.
Merlin Post-Audit Hack
In April 2023, hackers drained $2 million from Zksync-based decentralized exchange Merlin, after it was audited by Certik.
“As a core auditor of the CamelotDEX contracts, I can say with 95% confidence that the said company did not audit these contracts,” wrote cybersecurity expert Charles Wang after the Merlin rug pull. “There is no possibility to miss this change. Zero.”
Merlin did not immediately reply to a request for comment from The Defiant.
After the Kraken exploit, founder of crypto insurance company Nexus Mutual Hugh Karp noted that Nexus Mutual stakers often price a protocol higher if it has been audited by CertiK than not at all.
“Feel like I can say this out loud now,” he wrote
Not White-Hat Hacking
Kraken’s Chief Security Officer, Nick Percoco, took to X on June 19 to call out that a cybersecurity firm that found a bug in their system, filed a bug bounty report, but later exploited the vulnerability to the tune of $3 million.
“This is not whitehat hacking,” exclaimed Percoco, “this is extortion.”
Hours later, Certik came forward as the company, countering allegations that Kraken was threatening their employees. Certik returned the funds a day later.
Michael Perklin, former CISO of Shapeshift, said “I’d never hire a security company that did this. Extortion is a bad look.”
Checks And Balances
Many in the crypto community were quick to label Certik’s behavior as nefarious, but some cybersecurity experts pushed back.
According to Tal Be’ery, co-founder and CTO of crypto wallet ZenGo, it’s hard to tell what happened but he points to a lack of accountability.
“From the corporate side it’s probably much more about checks and controls, and not about premeditated nefarious behavior,” he told The Defiant.
Be’ery added that his company had a good experience after working with Certik in the past. “I would say they are the most professional team I’ve worked with in this field,” he said.
However, Be’ery pointed out that his interaction with Certik was purely research-focused.
Malware Bot
Late last year, pseudonymous developer PopPunkOnChain alleged that a Discord link from security auditing firm Certik’s website connected to a bot and malware to drain wallet assets.
PopPunkOnChain has been critical of Certik since the Merlin exploit, saying that most of Certik’s audits are of tokens with just a few lines of code, and even that is because exchanges require projects an audit from a big-name firm to be listed.
“Terminate your agreements with these frauds,” he said.
Seal of Approval
Barrios agreed with PopPunkOnChain regarding Certik’s allegations that projects in their infancy need the firm’s approval.
“They are so widely used because so many companies simply need the ‘Certik seal of approval,’” he explained with frustration. “In our field it’s a pain that they are doing things poorly, and automated because it makes the rest of us [cybersecurity experts] look bad.”
Halborn’s Offensive Security Engineer added that Certik has so many contracts because the crypto industry doesn’t have “proper best practices.”
Jameson Lopp, CTO at crypto custodian Casa, said that the Kraken incident is “not entirely above board with regard to what you’d expect from a professional whitehat attempting to follow best practices.”
“In general it sounds pretty fishy,” Lopp said.
Read More: thedefiant.io