Crypto Audit Giant Stumbles: Major Security Flaws Revealed

Crypto security audit firm CertiK has been busy lately. However, errors in previously audited projects have raised some eyebrows.

On April 26, CertiK founder and Columbia University professor Gu Ronghui spoke to Chinese media.

He told the outlet (in translation) that “We [CertiK] have made blockchain security a niche almost on its own, which has attracted a lot of attention.”

He went on to boast that CertiK achieved a 70% share of the crypto security market. Furthermore, the cost of web3 security audits has been reduced by more than 90% by the firm, Ronghui added.

On April 24, the company released an update on recently completed crypto security audits.

Completed CertiK audits - Twitter/@CertiK

Crypto security auditing firm CertiK is investigating Merlin

However, not everything is as rosy as it seems at the crypto security audit firm.

“On the same day this interview was published, the Merlin project, which Certik had just completed auditing, was stolen,” reported industry analyst Colin Wu.

On April 26, CertiK reported that it was investigating an incident at the Merlin decentralized exchange.

It said initial findings point to a problem with private key management, rather than a smart contract exploit, as the root cause. However, the firm added in its own defense:

“While audits cannot prevent private key issues, we always highlight best practices for projects.”

As reported by BeInCrypto, Merlin DEX suffered a $1.82 million liquidity pool hack on April 26.

The zkSync-based DEX was drained through an attack on its liquidity pool. The stolen funds were in USDC and were subsequently bridged to Ethereum (ETH).

The CertiK audit has come into question, but the firm said its report had highlighted centralization risks.

“In the audit report ‘Merlin DEX’, the risk of centralization is highlighted under the section ‘Decentralization effort’.”

However, these details were vague, according to DeFi researchers. Researcher @DefiIgnas pointed out that important information was omitted from the audit summary.

“When you read the audit, you mentioned that ‘the owner account may allow the hacker to take advantage of this authority.’ But the audit summary did not have this information.”
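The centralization risk the audit refers to is a contract pattern, not a protocol-specific bug: a single owner key that can move pool funds in one transaction. The following pair of contracts is an added, generic illustration written for this article; it is not Merlin's code, not CertiK's, and the names CentralizedPool, GuardedPool, sweep and queueSweep are hypothetical. The first contract shows why a leaked owner key is as damaging as a code exploit; the second shows the mitigations an auditor would expect to see and that a summary should surface: a fixed destination, a timelock so liquidity providers can react, and an owner slot meant for a multisig rather than a single private key.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration only: minimal token interface used by both pools.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Pattern behind a "centralization risk" finding: the owner can empty the pool.
contract CentralizedPool {
    address public owner;
    IERC20 public immutable token;

    constructor(IERC20 _token) { owner = msg.sender; token = _token; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Whoever holds the owner key can send all reserves anywhere, instantly.
    // A compromised key therefore has the same effect as a contract exploit.
    function sweep(address to) external onlyOwner {
        require(token.transfer(to, token.balanceOf(address(this))), "transfer failed");
    }
}

// Hardened variant: privileged withdrawal is (1) limited to a pre-set treasury,
// (2) delayed by a timelock so the action is visible on-chain before it lands,
// and (3) the owner is intended to be a multisig contract, not a single key.
contract GuardedPool {
    address public owner;              // deploy with a multisig as msg.sender
    address public immutable treasury; // the only allowed destination
    IERC20 public immutable token;
    uint256 public constant DELAY = 2 days;

    uint256 public pendingAmount;
    uint256 public executeAfter;

    event SweepQueued(uint256 amount, uint256 executeAfter);
    event SweepCancelled();
    event SweepExecuted(uint256 amount);

    constructor(IERC20 _token, address _treasury) {
        require(_treasury != address(0), "zero treasury");
        owner = msg.sender;
        token = _token;
        treasury = _treasury;
    }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Step 1: announce the withdrawal. Nothing moves yet.
    function queueSweep(uint256 amount) external onlyOwner {
        require(pendingAmount == 0, "already queued");
        require(amount != 0, "zero amount");
        pendingAmount = amount;
        executeAfter = block.timestamp + DELAY;
        emit SweepQueued(amount, executeAfter);
    }

    // The owner may back out during the delay, e.g. if a key is suspected leaked.
    function cancelSweep() external onlyOwner {
        pendingAmount = 0;
        executeAfter = 0;
        emit SweepCancelled();
    }

    // Step 2: after the delay anyone may execute; the destination is fixed, so
    // even a stolen owner key cannot redirect funds.
    function executeSweep() external {
        require(pendingAmount != 0, "nothing queued");
        require(block.timestamp >= executeAfter, "timelock active");
        uint256 amount = pendingAmount;
        pendingAmount = 0;
        executeAfter = 0;
        require(token.transfer(treasury, amount), "transfer failed");
        emit SweepExecuted(amount);
    }
}
```

The design choice worth noting for readers of audit reports: the hardened version does not remove the privileged function, it changes who can benefit from it and how much warning users get. Monitoring for a SweepQueued event gives liquidity providers two days to withdraw, which is the practical difference between a "centralization risk" noted in a report and one that is actually mitigated.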

Audit not a guarantee

Audits do not prevent exploits, nor do they detect every vulnerability.

According to the Rekt database, which tracks DeFi exploits, rug pulls and thefts, there have been a total of 31 exploits of CertiK-audited protocols.

Four of these have been in 2023, with the two largest, Orion Protocol and dForce, both losing over $3 million.

Exploits of CertiK-audited protocols | de.fi/rekt-database

However, it should also be noted that many of these exploited protocols were audited by other leading security firms as well. CertiK has also previously warned of centralization problems in many of the DeFi protocols that were later exploited.

Disclaimer

In accordance with the guidelines of the Trust Project, BeInCrypto is committed to objective, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify the facts independently and consult with a professional before making any decisions based on this content.
