On April 17, Korea IT Times, a well-known Korean technology media outlet, published an exclusive interview with Professor Gu Ronghui, co-founder and CEO of CertiK. Drawing on CertiK's first-quarter "HACK3D" security report, the two sides had an in-depth conversation on how hacker attack methods are evolving and how security defense technology is innovating in response.
Gu Ronghui believes that security should be treated as a basic principle rather than an afterthought, and should be integrated into a project's overall strategy from the very beginning. "A proactive strategy of 'security first' is essential for building the foundation of trusted Web3.0 applications." Specifically, he advocates the active use of cutting-edge technologies such as formal verification, zero-knowledge proofs, and multi-party computation to comprehensively enhance the protection of blockchain protocols and smart contracts. This was also his original intention and vision in founding CertiK: to make the Web3.0 world safer and more trustworthy through rigorous formal verification technology.
This commitment to security is not a product of short-term market trends, but rather stems from Gu Ronghui's long-term exploration and practice of technological ideals. From participating in the development of the CertiKOS system, which was praised by the Google team as "impeccable" during his doctoral studies at Yale, to building a security moat for more than US$530 billion in digital assets today, he has always been committed to protecting industry security and enhancing industry trust.
Gu Ronghui has repeatedly stated that security is not a competitive advantage, but a shared responsibility. He has transformed the academic achievements of the laboratory into security practices in the industry, and has also integrated the concept of "shared responsibility" into industry collaboration. This technical leader who graduated from a top college is using the verifiability of mathematical logic to combat the uncertainty of hacker attacks, anchoring the security coordinates of the Web3.0 era between technological ideals and reality.
The following is the full interview:
Exclusive Interview | Guarding the Frontier of Web3.0: CertiK CEO Explains Blockchain Security Threats and Defenses
In the rapidly developing Web3.0 space, blockchain security has become a top priority. This article focuses on CertiK’s mission, led by its co-founder, a professor of computer science at Columbia University, to comprehensively strengthen the security of the blockchain ecosystem. CertiK is committed to improving the security of blockchain and smart contracts through formal verification technology and has become an industry leader in Web3.0 security.
Korea IT Times takes an in-depth look at CertiK’s Hack3d: 2025 Q1 Security Report, revealing new trends in digital asset theft and security threats. The article also explores cutting-edge technologies such as zero-knowledge proofs and multi-party computation, provides practical advice to blockchain developers, and examines the dual role of AI in security. As traditional financial institutions gradually get involved in blockchain, security challenges are escalating, and proactive measures to protect users and maintain the integrity of the ecosystem are becoming critical. This article aims to provide practitioners with key insights to help them navigate the complex blockchain security landscape.
Q: Please briefly introduce yourself and CertiK’s core mission.
A: I am the co-founder and CEO of CertiK and a professor at Columbia University. My mission and that of CertiK are deeply rooted in strengthening the security of the Web3.0 ecosystem.
CertiK was founded in 2017. Its core concept is to use formal verification technology to continuously monitor and strengthen the security of blockchain protocols and smart contracts to ensure their safe and correct operation. We integrate cutting-edge solutions from academia and industry to help Web3.0 applications achieve sustainable expansion while ensuring security. To date, we have provided services to more than 4,900 corporate customers, cumulatively protected more than $530 billion in digital assets, and identified more than 115,000 code vulnerabilities.
Q: CertiK recently released the Hack3d: 2025 Q1 Security Report. What are the key findings?
A: In the first quarter of 2025, losses from on-chain fraud incidents were approximately $1.66 billion, a 303% increase from the previous quarter. This was mainly due to the Bybit exchange hack at the end of February, from which hackers stole approximately $1.4 billion. Similar to previous quarters, Ethereum was still the main target of attacks this quarter, with three security incidents resulting in a total loss of $1.54 billion in assets. Even more shocking is that we found that only 0.38% of the stolen assets were successfully recovered in the first quarter.
Q: Have the main targets of blockchain attacks changed compared to previous quarters?
A: The trend in Q1 2025 continued from the end of 2024, with Ethereum still being the hardest hit. There were 99 security incidents on Ethereum in Q4 2024, compared to 93 in Q1. This is a continuing theme: throughout 2024, Ethereum-based projects experienced the most security incidents, and looking ahead to 2025, this situation seems to be continuing.
The Bybit hack is also a typical case: Safe-Wallet, a wallet based on the Ethereum ecosystem, was hacked and suffered heavy losses. On the one hand, Ethereum has become the focus of attacks because it has many DeFi protocols and a huge amount of locked assets; on the other hand, many of the smart contracts on Ethereum have vulnerabilities.
Q: How does the blockchain security industry respond to increasingly sophisticated attack methods?
A: Attackers are increasingly using complex strategies such as social engineering, AI technology, and smart contract manipulation to bypass existing security protection mechanisms. With the widespread application and increased valuation of digital assets, the industry must adapt to the new situation to ensure project integrity and user asset security.
The industry is actively responding to these challenges and promoting the development of innovative technologies such as zero-knowledge proofs (ZKP) and on-chain security, which provide promising solutions to increasingly severe security issues while protecting privacy and making transactions auditable, attacks traceable, and assets recoverable. Multi-party computation (MPC) further strengthens key management by distributing control of private keys among multiple parties, thereby eliminating the risk of single points of failure and significantly increasing the difficulty for attackers to access wallets without authorization. As these security technologies continue to evolve, they will play a vital role in resisting hacker attacks and maintaining the integrity of the decentralized ecosystem.
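As an added illustration of the key-distribution idea behind MPC custody described above (example code, not from the interview or from CertiK): a Shamir t-of-n secret sharing over a prime field, where no single party holds the key and any t shares reconstruct it, while fewer than t shares do not. The prime P, the 3-of-5 parameters and the demo key are constructed for the example; production MPC wallets go further and use threshold signing so the full key is never assembled anywhere.

```python
# Added example: Shamir t-of-n secret sharing over a prime field,
# illustrating how MPC custody removes the single point of failure.
import secrets

# Field modulus (constructed for the demo); must exceed the secret.
P = (1 << 127) - 1  # 2^127 - 1, a Mersenne prime


def split_secret(secret: int, n: int, t: int):
    """Split `secret` into n shares such that any t reconstruct it."""
    assert 0 <= secret < P and 1 <= t <= n
    # Random polynomial of degree t-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner's rule, evaluated mod P
            y = (y * x + c) % P
        shares.append((x, y))       # party x keeps only (x, y)
    return shares


def recover_secret(shares):
    """Lagrange interpolation at x = 0; correct only with >= t shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        # den^(P-2) is the modular inverse of den (Fermat's little theorem)
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def demo():
    """3-of-5 custody: any 3 parties recover the key, 2 parties cannot."""
    key = secrets.randbelow(P)                 # constructed demo key
    shares = split_secret(key, n=5, t=3)
    first_three = recover_secret(shares[:3]) == key
    any_three = recover_secret([shares[0], shares[2], shares[4]]) == key
    only_two = recover_secret(shares[:2]) == key  # below threshold
    return first_three, any_three, only_two
```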
Q: What security advice would you give to blockchain developers and project teams?
A: Prioritizing security from the beginning should be a non-negotiable principle. Integrating security into every stage of development, rather than remediating it after the fact, helps to detect potential vulnerabilities early, which can save a lot of time and resources in the long run. This proactive "security first" strategy is essential to building the foundation of trusted Web3.0 applications. Integrating security into the entire development process helps to detect vulnerabilities in advance and save the cost of later repairs.
In addition, seeking a comprehensive and impartial third-party audit from a blockchain security agency can also provide an independent perspective to identify potential risks that the internal team may have overlooked. This type of external assessment provides a critical review link that helps to identify and fix vulnerabilities in a timely manner, thereby enhancing the overall security of the project and further enhancing user trust.
Q: What role does AI play in blockchain security? Is it a positive influence or does it bring new risks?
A: AI is an important tool in CertiK’s security system and we have incorporated it into one of our core strategies to ensure the security of blockchain systems. CertiK uses AI technology to analyze vulnerabilities and potential security flaws in smart contracts, helping us complete comprehensive audits more efficiently than before, but it cannot replace a human expert audit team.
However, attackers can also use AI to strengthen their attack methods. For example, AI can be used to identify code weaknesses, circumvent consensus mechanisms, and defend systems. This means that the threshold for security confrontation has been raised. As AI applications become more popular, the industry must invest in more powerful security solutions.
Q: What is formal verification? How can it improve the effectiveness of blockchain audits?
A: Formal verification is a method of mathematically proving that a computer program runs as expected. It expresses the properties of the program as mathematical formulas and verifies them with the help of automated tools.
This technology can be widely used in various fields of the technology industry, including hardware design, software engineering, network security, AI, and smart contract auditing. However, it should be emphasized that formal verification is not used to replace manual auditing. For smart contracts, formal verification relies on automated methods to evaluate contract logic and behavior, while manual auditing is done by security experts to conduct a comprehensive inspection of the code, design, and deployment to identify potential security risks. The two complement each other and jointly improve the overall security of smart contracts.
Q: As traditional financial institutions enter the blockchain race, do you think the types or sophistication of security threats will change?
A: In the early stages of Web3.0 and the blockchain industry, attackers often targeted individual users or small projects, using methods such as phishing attacks, rug pulls, and wallet vulnerability exploits. According to our Hack3d Report for the First Quarter of 2025, these challenges still exist. However, with the participation of traditional institutions and large enterprises, the security risks to network integrity will also enter a new stage. Behind this transformation lies not only the increase in the size of project assets, but also the unique security needs and regulatory requirements of enterprise-level applications, as well as the deep integration of blockchain with the traditional financial system.
Given that most traditional institutions have experience in dealing with cyber threats, we expect malicious actors to increase the sophistication of their attacks, moving away from traditional attacks on general wallet vulnerabilities to more targeted enterprise-level weaknesses such as configuration errors, custom smart contract vulnerabilities, and security flaws in interfaces that integrate with traditional systems.