As crypto goes mainstream, CertiK founder talks with CZ about how to survive in the crypto market

Author: Nancy, PANews

Bitcoin has broken through the $100,000 mark, ushering in an important historical moment. This is not only a milestone in price, but also a concentrated reflection of changes in market sentiment, capital flow and ecological structure, marking that the crypto industry has entered a new stage.

At this important moment, CertiK officially released a nearly 40-minute wonderful video, in which its co-founder Gu Ronghui and Binance founder CZ gathered in Abu Dhabi for a wonderful in-depth dialogue. The two leading figures in the crypto industry discussed the key factors behind the market transformation, including technological progress, changes in user needs, and the evolution of the global regulatory environment. They not only shared their unique insights into the future of the industry, but also deeply analyzed the security challenges and changing regulatory frameworks facing the current crypto world, providing deep insights into innovation, security, and compliance.

Through this video, we are able to witness how two industry leaders use their vision and experience to lead the industry towards a more mature, secure and compliant future.

 From left to right: CertiK co-founder Gu Ronghui, Binance founder CZ, Luna Media Corp CEO Nikita Sachdev

The crypto market has lost more than $2 billion this year, and the off-chain has become a security disaster area

The crypto market has entered the mainstream vision, which has not only greatly broadened the growth space for users and funds, but also put forward higher requirements for the security trust foundation. Judging from the scale of attacks, the crypto market is becoming a security disaster area. In the first half of 2024 alone, hacker attacks and phishing incidents have caused losses of US$2 billion, exceeding the total losses for the whole year of 2023. This also further highlights the importance of security agencies in the crypto field in network security and code auditing.

CZ and Gu Ronghui also emphasized the importance of encryption security in the interview, and mentioned the difficulties and challenges in the audit process, especially unforeseen threats, which are always a problem.

According to Gu Ronghui, the current attack mode has changed significantly compared with the past. Although more and more companies and projects have begun to pay attention to code audits and cooperate with external security companies such as CertiK, some smart contract attacks have been effectively curbed, but the amount of attacks this year has increased. Behind this, not only is it the result of attackers constantly upgrading their attack strategies, but also the weak links of the project parties in key management and internal personnel security, which further aggravates the risk of attacks.

He further pointed out that for most complex Web3 applications, they are to some extent a hybrid of Web3 and Web2 systems. Typically, the Web3 part is mainly composed of smart contracts, such as code deployed on various blockchains, while the Web2 part covers key management and other background services. Although more and more people are aware of the importance of code auditing for the Web3 part, the focus on the security of the Web2 part is still at a very early stage, and even many project parties do not pay enough attention to the security of the Web2 part. In some cases, they are reluctant to disclose the source code of the Web2 part, especially the part involving key management. This undoubtedly adds greater challenges to the overall security of the crypto market. It is worth noting that a single weak link may threaten the security of the entire system, which is the most worrying part.

At this point, CZ further added with his own experience that when most people talk about security, they usually think of system security, network security or smart contract audits, but in fact the scope of security is much broader, including employee safety, social engineering, and even the physical security of the office and the organizational structure design of the enterprise, which may affect the overall security. Security is far more than a simple code audit, it involves all levels of the entire enterprise and is a comprehensive and systematic challenge.

However, security audits of crypto projects in centralized systems are somewhat difficult for security agencies. "Generally speaking, most projects are reluctant to open the Web2-related content to external teams, such as key management systems, which also increases the difficulty of auditing. There is no gold standard for key management at present, but CertiK has been promoting the best practices in the industry and taking measures such as penetration testing to provide effective security protection for such problems, but the effect is still limited." Gu Ronghui said that if the project party can share these key codes under certain conditions, especially providing source code for white box testing instead of black box testing, then the system architecture will be analyzed more deeply, so as to discover and solve more potential security risks and significantly improve the overall security.

According to Gu Ronghui, as a senior security "gatekeeper", CertiK has established deep technical accumulation and strict auditing standards. In the past year alone, it has been publicly thanked by Apple many times for discovering vulnerabilities in the interaction between multiple systems and trusted environments, and was also selected into the "Hall of Fame" by Samsung.

Using new technologies to improve efficiency, cybersecurity is the common responsibility of all employees

As the size of the crypto market continues to grow, frequent security incidents such as hacker attacks and phishing attacks have also caused huge economic losses to project owners and investors. In particular, with the rise of new technologies such as artificial intelligence, while bringing more complex attack methods, it has also prompted security agencies to continuously improve their technical response capabilities and the flexibility of the audit system.

"Artificial intelligence was initially used mainly for customer support. At that time, we called it sparse matrices and recommendation engines. Now, artificial intelligence has developed into a language processing engine that can predict the next word. Artificial intelligence, like blockchain, is a technology field full of potential. But we are still in the early stages of exploring the potential of artificial intelligence. In the future, this technology may not only be weaponized for cyber attacks and enemy target analysis, but will also play a key role in defending against these attacks and be applied to many fields such as blockchain and biomedical research." In the era of changes brought about by emerging technologies, CZ emphasized the high attention paid to artificial intelligence.

However, dealing with the ever-evolving and escalating attack methods remains challenging. Even industry giants with strong technical capabilities and abundant resources find it difficult to remain immune.

"For example, key management is a vital part of centralized or decentralized exchanges, but it faces many complex challenges. For example, although the participation of multiple parties in key management can improve efficiency, information disclosure may bring greater risks; if dedicated and non-networked devices are used for key storage, potential threats still have to be faced when signing transactions. Therefore, how to effectively manage keys while ensuring transaction security has become a difficult problem that needs to be solved in the encryption field. Even if security audits can be conducted, potential threats such as computer virus infections still exist, and for some newly established or less well-known security companies, project parties prefer to keep the specific details of key management confidential." CZ raised the concerns and challenges of the project parties in the discussion.

In response to this situation, Gu Ronghui put forward specific suggestions, which may provide some guidance for crypto entrepreneurs and practitioners. He gave an example, "For example, in the field of private key management, device virus infection is a serious security issue. For this reason, it is particularly important to build a hardware-based trusted execution environment (TEE), such as a security module for storing fingerprint or facial information, which can ensure the security of private information even if the device is infected. Even if the device is hacked, as long as the information stored in the trusted execution environment is properly managed and interacted, the information can still be protected from external threats."

Gu Ronghui further pointed out that cybersecurity is not just a competitive advantage for a certain team, but a shared responsibility that involves multiple levels and links, and requires the collaboration of all parties, including users, project owners, developers, security companies, and even law enforcement agencies. For project owners, his suggestion is that security assessments should be conducted throughout the entire project life cycle, taking an end-to-end approach to conduct continuous security checks, rather than just staying at the audit of a certain version. Many project parties may think that they can rest assured after a certain version has been fully audited, and no longer conduct assessments even if there are some minor changes in the future. This approach is wrong. Cybersecurity is a continuous evolutionary process. As projects change and external threats continue to escalate, we must always be vigilant and conduct regular assessments and updates. Through the cooperation of all parties, although it is still impossible to guarantee 100% security, at least potential threats and vulnerabilities can be minimized. CertiK is also developing more services to try to cover a longer life cycle and provide more comprehensive protection for customers' systems.

From the discussion between the two leaders, although no security auditing agency can provide absolute guarantees, the introduction of new technologies can indeed significantly improve response capabilities and efficiency. However, for the project parties, the most fundamental thing is to actively participate and conduct in-depth research on their own systems to ensure that they can effectively respond to various potential risks and make adequate protection preparations.

 Note: Gu Ronghui and CZ

From ecosystem construction to user education, helping cryptocurrencies move towards mainstream adoption

"The United States is the main driving force behind this bull market. Institutional investors are accelerating into the market. Products such as BlackRock's Bitcoin ETF have attracted tens of billions of dollars in funds within months of approval. Coupled with the election of Trump, he himself is very supportive of cryptocurrencies. As the world's leading market, other countries will inevitably follow in the footsteps of the United States, which will trigger a global competition. In addition, emerging use cases such as MEME coins are also driving market development." CZ reviewed the factors that led to the rise of this bull market in the interview.

This also means that cryptocurrencies are accelerating towards the mainstream, which will not only bring more liquidity to the market, but also promote more professional price discovery mechanisms. Of course, under this trend, the global competition for the construction of the encryption field is becoming more and more fierce.

CZ also pointed out in the conversation that the regulatory policies of various countries in the field of encryption are showing an extremely fierce competition. From Japan, Singapore to Hong Kong in Asia, and the UAE and Bahrain in the Middle East, all countries are striving to establish themselves as the global cryptocurrency center. The supportive attitude of the new US government towards cryptocurrency has added new variables to this competition.

As compliance is the general trend, CertiK is actively working with global regulators. For example, Gu Ronghui serves as a member of the Monetary Authority of Singapore (MAS) and the Hong Kong Web3 Development Task Force, and provides advice and feedback for the formulation of regulatory frameworks. For example, in the draft stablecoin compliance framework recently released by Hong Kong, two of the suggestions were provided and adopted by CertiK. At the same time, CertiK also provides stablecoin-related security audits and compliance services to many well-known companies, including Paxos, Singapore's first licensed stablecoin issuer, Paypal and other large financial institutions.

At the same time, in this context, only by actively participating in the construction of the encryption ecosystem can we better occupy a place in the future market competition, which has always been the focus of CertiK. CertiK launched CertiK Ventures this year, focusing on the growth of the Web3 ecosystem, aiming to inject vitality into the community during the market downturn. Gu Ronghui revealed that the core strategy of CertiK Ventures is to invest in early-stage Web3 projects, such as SEI Network, WeMix, Kaia and other ecosystems, while also looking at companies that can strengthen network security capabilities, including developer tools, on-chain monitoring systems and testing frameworks. In addition, CertiK also cooperates with many large companies in traditional industries to help these companies actively learn and understand Web3 and explore the possibility of doing business in this field. But Gu Ronghui also believes that this transformation is a gradual process that requires the joint efforts of all members of the entire industry.

As cryptocurrency becomes more and more popular, user education is undoubtedly one of the key links in the development of the industry. As CZ mentioned in the conversation, the imbalance of educational resources around the world, especially the illiteracy problem in developing countries, is a huge obstacle to people entering the crypto world. But now, through devices and applications, children who lack educational resources can be provided with high-quality learning content, such as the "learn while earning" model, which can fundamentally change their destiny. To promote this process, CZ also launched the education platform Giggle Academy, which not only invests in fields such as Web3 blockchain, artificial intelligence and biotechnology, but also regards education as an important way to change the future.

Gu Ronghui also expressed a strong desire to promote education and provided security education advice to investors who are new to the market. He said that the spirit of decentralization is at the core of blockchain and smart contract design, but this also brings challenges of trust. Many retail users do not fully understand how smart contracts or blockchains work, so they are more likely to trust centralized companies rather than the code itself. In this regard, Gu Ronghui emphasized that investors should not simply rely on audit reports from security agencies such as CertiK as a "safety seal", but should pay more attention to the transparency and public information of the project. To this end, CertiK has also developed the Skynet platform, which allows users to more easily access and understand this data, thereby helping them to better conduct due diligence.

In addition to risk assessment, CZ also reminded investors to set the “right size” of investment according to their risk tolerance to avoid facing greater financial pressure due to over-investment.