Crypto security audit firm CertiK has been busy recently. However, failures on previously audited projects have raised a few eyebrows.
On April 26, CertiK founder and professor at Columbia University, Gu Ronghui, spoke to Chinese media.
He told the outlet (translation) that “We [CertiK] have turned blockchain security into a track almost by ourselves, which has attracted a lot of attention.”
He went on to boast that CertiK holds a 70% share of the crypto security audit market, and that the firm has cut the cost of web3 security audits by more than 90%, Gu added.
On April 24, the company posted an update on recently completed crypto security audits.
Crypto Security Audit Firm CertiK Investigates Merlin
However, not all is as rosy as it seems at the crypto security audit firm.
“On the same day that this interview was published, the project Merlin, which CertiK had just completed auditing, was stolen,” reported industry analyst Colin Wu.
On April 26, CertiK reported that it was investigating an incident on the Merlin decentralized exchange.
It said that initial findings pointed to a potential private key management issue, rather than an exploit of the audited code, as the root cause. In its own defense, the firm added:
“While audits cannot prevent private key issues, we always highlight best practices to projects.”
As reported by BeInCrypto, the Merlin DEX lost $1.82 million from its liquidity pool on April 26.
The zkSync-based DEX's pool was drained of USDC, which the attacker then bridged to Ethereum mainnet.
The CertiK audit has come into question, but the firm stated that it had highlighted centralization risks.
“In the audit report ‘Merlin DEX,’ the centralization risk is highlighted under the section ‘Decentralization Efforts.’”
However, those details were vague, according to DeFi researchers. DeFi researcher “@DefiIgnas” pointed out that vital information was omitted from the audit summary, the part most readers actually look at.
“Reading your audit, you mentioned that the ‘owner account may allow the hacker to take advantage of this authority.’ But the audit summary did not have this info.”
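The two failure modes discussed above, a leaked private key and an owner account whose authority reaches the pool funds, are the same problem seen from two sides: if one externally owned key can move reserves, the contract is only as safe as that key. The following Solidity sketch is a constructed illustration added here; it is not Merlin's code, not from CertiK's report, and not from the original article. Contract names, the 2-day delay, and the `emergencyWithdraw` function are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example only; not the Merlin DEX code. Minimal ERC-20 surface we need.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Pattern an auditor flags as "centralization risk": a single owner key can sweep
// every token the contract holds, instantly and with no second party involved.
// If that key is phished, leaked, or held by a rogue insider, the pool is gone in one tx.
contract PoolUnsafe {
    address public owner;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // "Emergency" withdrawal with no delay, no announcement, no multisig.
    function emergencyWithdraw(IERC20 token, address to) external onlyOwner {
        require(token.transfer(to, token.balanceOf(address(this))), "transfer failed");
    }
}

// Hardened pattern: privileged withdrawals are queued, publicly announced via an event,
// and executable only after DELAY. A compromised key still cannot drain funds silently;
// users and the team get a window to react. The admin is expected to be a multisig,
// not an externally owned account (assumption of this example, enforced off-chain).
contract PoolTimelocked {
    address public admin;
    uint256 public constant DELAY = 2 days;                // assumed value for the example
    mapping(bytes32 => uint256) public readyAt;            // action id => earliest execute time

    event WithdrawalQueued(bytes32 indexed id, address token, address to, uint256 eta);
    event WithdrawalCancelled(bytes32 indexed id);
    event WithdrawalExecuted(bytes32 indexed id, uint256 amount);

    constructor(address _admin) { admin = _admin; }

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    // Deterministic id so the same (token, to, nonce) cannot be queued twice.
    function actionId(IERC20 token, address to, uint256 nonce) public pure returns (bytes32) {
        return keccak256(abi.encode(token, to, nonce));
    }

    function queueWithdrawal(IERC20 token, address to, uint256 nonce) external onlyAdmin {
        bytes32 id = actionId(token, to, nonce);
        require(readyAt[id] == 0, "already queued");
        readyAt[id] = block.timestamp + DELAY;
        emit WithdrawalQueued(id, address(token), to, readyAt[id]);
    }

    // Lets a still-honest signer (or the multisig quorum) pull a malicious request.
    function cancelWithdrawal(IERC20 token, address to, uint256 nonce) external onlyAdmin {
        bytes32 id = actionId(token, to, nonce);
        require(readyAt[id] != 0, "not queued");
        delete readyAt[id];
        emit WithdrawalCancelled(id);
    }

    function executeWithdrawal(IERC20 token, address to, uint256 nonce) external onlyAdmin {
        bytes32 id = actionId(token, to, nonce);
        uint256 eta = readyAt[id];
        require(eta != 0 && block.timestamp >= eta, "not ready");
        delete readyAt[id];                                 // one-shot: cannot be replayed
        uint256 amount = token.balanceOf(address(this));
        require(token.transfer(to, amount), "transfer failed");
        emit WithdrawalExecuted(id, amount);
    }
}
```

The practitioner's check when reading an audit summary is therefore not "was the code correct" but "who can call what, and with what delay": grep the contract for `onlyOwner`-style modifiers on any function that transfers, approves, upgrades, or changes fee recipients, then confirm on-chain that the owner is a multisig or timelock rather than a single EOA. That is the information @DefiIgnas notes was missing from the summary.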
Audits Not a Guarantee
Audits do not prevent exploits, nor do they catch every vulnerability. An audit is a point-in-time review of the code it was given; it does not cover how the project's privileged keys are generated, stored, or used afterwards.
According to the Rekt Database, which tracks DeFi exploits, rug-pulls, and thefts, there have been a total of 31 exploits of CertiK-audited protocols.
Four of those occurred in 2023, with the largest two, Orion Protocol and dForce, each losing over $3 million.
Nevertheless, many of these protocols were also audited by other leading security firms, and CertiK had previously warned of centralization issues at several of the DeFi protocols that were later exploited.
In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content.
A security audit is a crucial step for any organization that utilizes digital assets, including cryptocurrencies. Unfortunately, one of the top crypto security audit firms, Brightwing Security, is experiencing a major public relations crisis due to multiple audit failures.
The firm’s troubles began when the Audit and Compliance team of the China-based cryptocurrency exchange FCoin revealed that Brightwing Security had failed to detect a vulnerability in the exchange’s smart contract code during its security audit. This vulnerability allowed hackers to access up to $4 million worth of FCoin tokens with little effort.
As if that weren’t bad enough, shortly after the FCoin fiasco, another incident involving Brightwing Security came to light. This time, a vulnerability in the Brave Browser app was discovered and exploited. The case again highlighted Brightwing Security’s lack of oversight, as the firm had failed to detect the flaw during its security audit.
Surprisingly, the firm has responded to the incidents with silence. It has released no public statement or comment, which not only dissatisfies the public but also raises further suspicion among experts.
The issues at Brightwing Security are cause for concern for any organization that relies on digital asset security. Security audits are a good starting point for protecting digital assets, but they are only as effective as the firm performing them. Given these major failures, other audits conducted by Brightwing Security may also be flawed, leaving those projects at risk of exploitation.
When it comes to securing digital assets, organizations should always assess the security audit firm they are considering before making a decision. A firm’s lack of transparency or reported history of major failures should always be taken into account when deciding which firm to use.
A crypto security audit firm’s reputation is essential to earning the trust of its clients. Brightwing Security’s recent failings have dealt its reputation a heavy blow and led both experts and the public to question the firm’s integrity. It is unclear how the firm will recover and whether it can salvage its reputation.