Crypto Audit Giant Stumbles: Major Security Flaws Exposed

Crypto security audit firm CertiK has been busy recently. However, failures on previously audited projects have raised a few eyebrows.

On April 26, CertiK founder and professor at Columbia University, Gu Ronghui, spoke to Chinese media.

He told the outlet (translation) that “We [CertiK] have turned blockchain security into a track almost by ourselves, which has attracted a lot of attention.”

He went on to boast that CertiK had achieved a 70% share of the crypto security market, and that the firm had reduced the cost of web3 security audits by more than 90%.

On April 24, the company posted an update on recently completed crypto security audits.

Completed CertiK audits - Twitter/@CertiK

Crypto Security Audit Firm CertiK Investigates Merlin

However, not all is as rosy as it seems at the crypto security audit firm.

“On the same day that this interview was published, the project Merlin, which Certik had just completed auditing, was stolen,” reported industry analyst Colin Wu.

On April 26, CertiK reported that it was investigating an incident on the Merlin decentralized exchange.

It said that initial findings pointed to a potential private key management issue rather than a contract exploit as the root cause. However, in its own defense, the firm added:

“While audits cannot prevent private key issues, we always highlight best practices to projects.”

As reported by BeInCrypto, the Merlin DEX suffered a $1.82 million liquidity pool hack on April 26.

The zkSync-based DEX was exploited following an attack on its liquidity pool, which drained the pool's USDC; the funds were then bridged to Ethereum (ETH).

The CertiK audit has come into question, but the firm stated that it had highlighted centralization risks.

“In the audit report ‘Merlin DEX,’ the centralization risk is highlighted under the section ‘Decentralization Efforts.’”

However, those details were vague, according to DeFi researchers. “@DefiIgnas” pointed out that vital information was omitted from the audit summary.

“Reading your audit, you mentioned that the ‘owner account may allow the hacker to take advantage of this authority.’ But the audit summary did not have this info.”

Audits Not a Guarantee

Audits such as these do not prevent exploits, nor do they detect every vulnerability.

According to the Rekt Database, which tracks DeFi exploits, rug-pulls, and thefts, there have been a total of 31 exploits on CertiK-audited protocols.

Four of those have been in 2023, with the largest two, Orion Protocol and dForce, both losing over $3 million.

Exploits on CertiK audited protocols - de.fi/rekt-database

Nevertheless, it should also be noted that many of these exploited protocols were audited by other leading security firms as well, and that CertiK has previously warned about centralization issues on many of the exploited DeFi protocols.

Disclaimer

In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content.

Source: https://beincrypto.com/top-crypto-security-audit-firm-struggles-major-failures-raise-concerns/