Anticipating attackers’ predictions, CertiK launches mobile defense battle
Original - Odaily
Author - Husband How
Editor - Hao Fangzhou

Recently, a piece of news has attracted attention in the Web3 industry: CertiK, a security auditing company, discovered security vulnerabilities in Apple's mobile platform and received public thanks from Apple.
According to information on Apple's official security update page, the vulnerabilities discovered by CertiK affect the kernel, GPU driver, and ProRes driver and allow an application to execute arbitrary code with kernel privileges. In other words, users could lose the wallet private keys stored on their mobile phones. What this means for Web3 users is frightening to think about.
Apple immediately said it had addressed the vulnerabilities through improved memory handling.
It is reported that CertiK has previously discovered security vulnerabilities in the mobile devices of South Korea's Samsung Group.
CertiK is a well-known leading security organization in the Web3 industry, but few people in the Web2 world know it. Now that Web2 giants such as Apple and Samsung suddenly appear alongside CertiK's name, people can't help but wonder whether this foreshadows a new scenario in which Web2 and Web3 break down the wall between their worlds and jointly improve system security.
Judging from the history of technological application development, user operating habits will inevitably migrate from the computer to the mobile terminal. This is the case in the Web2 era, and Web3 will also follow this pattern in the future.
From a security audit perspective, network security has no boundaries, and the security of Web2 and Web3 is one and the same. Although the two differ in their specific areas of focus, users of decentralized products and services, and the protocols behind them, still rely heavily on centralized equipment and systems. Risk prevention and control in Web2 therefore also forms the security baseline of Web3 applications.
As CertiK founder and CEO Gu Ronghui said: "If a huge growth in Web3 users is expected in the future, users' Web3 applications will definitely be accessed from mobile Dapps."
Attack and defense are complex and risks spread
With the rapid development of Web3, malicious attacks have become more frequent. According to DefiLlama data, the total value of cryptocurrency stolen has exceeded $7 billion.

Depending on the target of the incident, Web3 risks can be roughly divided into the following three types:
● Security issues of the project’s own mechanism: Security risks caused by vulnerabilities in its own mechanisms such as smart contracts, 51% attacks, transaction malleability attacks, double-spending attacks, and spam transaction attacks. A serious case that is still fresh in the minds of insiders: a latent vulnerability in the Curve Vyper compiler led to multiple Curve liquidity pools being attacked, which, compounded by the founder’s unhealthy lending positions, triggered a series of liquidation crises.
● Ecosystem security issues: Attacks caused by external factors such as exchange theft, sudden collapses, website data leakage, off-site manipulation, denial of service attacks, transaction address tampering, and mining pool attacks. Recent cases include the theft of US$70 million from the hot wallet of the crypto exchange CoinEx in September.
● Client security issues: Issues such as account theft, wallet theft, and fraud, as well as user-side problems such as falling for phishing and private key storage issues. On October 12, former Alameda engineer Adi (e/acc) disclosed on the X platform that an Alameda trader clicked on a phishing link while conducting DeFi operations, causing Alameda to lose more than $100 million.
From the above cases, we can see that security risks in Web2 can easily have a major impact on Web3, and the two cannot be discussed in complete isolation.
In fact, past updates of the widely used Chrome browser have included fixes for various vulnerabilities. If extensions such as Web3 wallets do not keep up with the iterations of the host browser, they are vulnerable to attacks.
As mentioned at the beginning of the article, CertiK discovered multiple mobile vulnerabilities in Apple systems; malware such as MacStealer, ShadowVault, AMOS, and Realst has attacked popular crypto wallets and stolen keychain databases; SeaFlower distributed backdoored versions of crypto wallet applications to steal mnemonic phrases; and the CookieMiner malware can access iTunes backups containing text messages, obtaining the information needed to bypass two-factor authentication and thereby access the victim's crypto wallet and steal cryptocurrency.
There is always someone better than you
As Web3 security risks become increasingly serious, security has become the cornerstone of sustainable development for project teams. In addition to improving their own risk awareness, choosing a reliable security audit company has become a standard requirement for projects. An external audit report not only hands project security over to more specialized roles in the market; the endorsement of a top security audit company also serves as a gold medal when the project promotes itself to users.
In this context, Web3 security auditing companies have developed rapidly since the last bull market, and companies such as CertiK, Paidun and SlowMist have gradually entered everyone's field of vision. The business of Web3 security audit companies has also gradually expanded, and they now control risks for project teams throughout the entire process, from contract development to post-deployment monitoring.
Taking CertiK as an example, it provides project teams and individuals with full-process security protection components: Web3 security audits and penetration testing to discover and resolve risks; SkyInsights, KYC due diligence, emergency incident response, bug bounty programs and other measures to maintain the security of the crypto ecosystem; and services such as the Skynet system and consulting to build an integrated Web3 security analysis platform that helps users avoid risks and enhances their security risk awareness.

In the face of increasingly rampant malicious activities on the mobile terminal, CertiK has also taken certain measures for developing Web3 wallets on iOS systems. On iOS, developers can adopt the following security practices to protect wallet applications: leverage iOS security features, hardware-based security mechanisms, and frameworks such as App Attestation; follow secure coding guidelines, including encrypted storage and transmission, input validation, and defensive programming; implement two-factor authentication and biometrics; regularly update and patch applications; and conduct security audits and vulnerability scans.
It can be seen that CertiK is advancing with the times and constantly discovers Web3 security risks in advance to deal with Web3 malicious incidents that have not yet occurred.
Safe in the world, practice inner strength quietly
As an emerging industry, Web3 is facing the intrusion of many jackals and tigers, and the requirements for the capabilities of security audit companies are getting higher and higher. During the last bull market, the number of projects grew exponentially, and there were very few third-party companies capable of shouldering the heavy responsibility of Web3 security.
Trust is the most important consideration for project teams and crypto companies when choosing a Web3 security auditing company.
Broken down, the source of that trust is inseparable from a third-party security agency's business strength, comprehensive product coverage, service depth, and long-term reputation in the industry.
According to the official website, since its establishment in 2018, CertiK has cooperated with more than 4,100 enterprise customers, discovered nearly 70,000 blockchain code-related vulnerabilities, and directly or indirectly protected more than $360 billion in digital assets.
Since 2021, CertiK's business has grown rapidly, achieving nearly 13 times revenue growth, 3320 times profit growth, and 4 times the number of employees. Although it has been through a bear market, the company's business has demonstrated strong anti-cyclicality in a violently turbulent market environment.
Reflected in market share, CoinMarketCap data shows that CertiK’s market share exceeds 70% among blockchain projects that use third-party security audits.
In terms of team background, the two founders are professors at Yale University and Columbia University. Among them, Gu Ronghui has won the Amazon Research Award, the OSDI Jay Lepreau Best Paper Award, the SOSP Best Paper Award, the CACM (International Computer Society) Research Highlights Award, the VMware System Research Award and many other awards for his contributions in the field of system security. Gu Ronghui is also a member of the International Technical Advisory Committee of the Monetary Authority of Singapore and a member of the Hong Kong Web 3.0 Development Task Force.
In terms of financing background, CertiK has been recognized by Web3 majors such as Binance and Coinbase, and has also been supported by traditional institutions such as Goldman Sachs, Sequoia Capital, and Tiger Global. It has become a Web3 security audit company valued at US$2 billion.

By this year, CertiK was no longer satisfied with merely occupying the top spot in the existing market, and has frequently helped technology giants such as Apple and Samsung improve the security of their terminal systems. With its vision for future development, CertiK has expanded its business coverage to the mobile terminal, the breakthrough point for the large-scale adoption of Web3.
Protect the industry and be the first to deploy
When industry giant CertiK began to lay out mobile security protection, it was not only a business expansion but also a reflection of the founder's judgment on the new trend of Web3. Gu Ronghui told Odaily that competition in the security audit industry is becoming increasingly fierce, and CertiK needs to launch products with differentiated competitive advantages in order to seize the opportunity and serve a broader market in the future.
After the last bull market, the basic supporting infrastructure of Web3 has become more and more complete. As a result, more builders have emerged in this bear market, and they are focusing more on the application layer. The main theme of Web3 has also shifted from an ecosystem battle in the existing market to an application battle with large-scale adoption at its core.

From the perspective of Web3 itself, Dapps adopted on a large scale are composable and internally complex. More cross-ecosystem, cross-protocol, cross-layer, and cross-domain interactions bring risks that are more difficult to prevent.
From the perspective of Web2, the mobile terminal currently relies on system service providers such as Apple and Android. Web2 systemic risks are likely to cause greater risks to Web3 projects and users on the mobile terminal.
The battle between light and darkness is here. Whether it is the system risk of Web2 terminals or the black box of Web3 applications, both are hidden security risks. However, CertiK, which adheres to the principle of guarding the Web3 world, has been focusing on Web3 mobile applications for a long time. Its security cordon for mobile terminals was deployed first and has won recognition from the mainstream market. This may open the prologue to competition among security audit companies in the Web3 field.


