CertiK: White Hat vs Gray Hat

Exploring the Controversial Transformation of CertiK from Trusted Guardian to Questionable Actor in Blockchain Auditing, Uncovering Issues of Ethical Conduct, Quality Assurance, and Market Influence


In the aftermath of the controversies surrounding CertiK, once hailed as a leader in blockchain security, allegations of unethical practices and subpar audits have surfaced. They include front-running bug bounty submissions and conducting inadequate security reviews, and they raise doubts about the firm's industry-leading status. The implications challenge the trust placed in blockchain security firms and call for a reevaluation of auditing standards.


Crypto security firm CertiK has been embroiled in controversy recently.

The firm faced significant backlash after exploiting a vulnerability on Kraken, siphoning $3 million from the platform under the guise of "research."

Although CertiK returned the funds following the criticism, the incident had already caused considerable damage.

Since the initial story broke, security researcher Tayvano has uncovered a network of suspicious activities linked to the incident.

The controversy surrounding the recent Kraken exploit remains unresolved, and new allegations continue to emerge.

Accusations range from front-running bug bounties to conducting superficial audits, putting CertiK's reputation under intense scrutiny by security researchers.

Each new accusation forces the industry to confront a troubling reality.

What happens when entities tasked with protecting the ecosystem are perceived as threats?


In the high-stakes world of blockchain security, trust is paramount. But what unfolds when the very guardians of this trust are questioned?

CertiK, despite its significant presence in the crypto security domain, has been met with growing skepticism from security researchers.

The Kraken incident was not merely a singular misjudgment; it served as the catalyst for a torrent of long-held doubts and criticisms to surface.

As the situation unfolds, a series of troubling allegations have come to light, casting a shadow over CertiK's practices and ethical standards.

Exploring Ethical Dilemmas: Bug Bounty Front-Running

Central to the controversy engulfing CertiK is OpenBounty, a bug bounty platform developed by Shentu Chain, formerly known as CertiK Chain.

CertiK initially established CertiK Chain, which was rebranded to Shentu Chain in 2021.

Although CertiK and the Shentu Foundation are now formally distinct entities, their intertwined histories and ongoing connections raise significant concerns about potential conflicts of interest.

What started as a seemingly straightforward bug bounty aggregator has now become the epicenter of serious ethical misconduct allegations.

Security researcher h0wlu first brought attention to these troubling practices within OpenBounty’s operations.

"I created a test account on their platform to check it out, thinking maybe it's just an aggregator, but no. They have submission forms for all these programs and the findings are sent to their API servers," h0wlu reported.

This discovery immediately raised suspicions. OpenBounty was not just collecting bug bounty data from various sources; it was actively seeking vulnerability reports for programs hosted on other platforms like ImmuneFi, and even for independently hosted programs such as Uniswap and Ethereum.

Uniswap, for example, clearly states in their Bug Bounty program rules that bugs must be reported directly to them, not via third parties.

The implications of CertiK’s practices are severe. By funneling vulnerability reports through their own servers before they reach the affected protocols, CertiK could gain early knowledge of critical security flaws.

This information imbalance could potentially be exploited for financial gain or to pressure projects into using CertiK's services.

Heightening the suspicion, h0wlu discovered that OpenBounty’s API is hosted on a subdomain associated with "CertiK," reinforcing the connection between the two entities.

PopPunk, co-founder of Gaslite and a vocal critic of CertiK, highlighted this issue, stating, "OpenBounty... seems to be front-running bug bounty reports. It's even more concerning that their website directs reports to a domain linked with CertiK when you submit a bounty.”

Not only is this practice ethically questionable, but it also potentially breaches the terms of service of numerous major protocols' bug bounty programs.
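One check that follows from h0wlu's observation, as an added example that is not code from this page, from OpenBounty or from any of the parties named: before trusting a third-party "submit a report" page, parse it, resolve every form action and every URL an inline script posts to, and flag any endpoint that is not under the program's own domain. The page URL, host names and HTML below are constructed for illustration only.

```python
"""Check where a bug-bounty 'submission form' actually sends a report.

Added example (not code from the page or from OpenBounty): it parses a
bounty page, resolves every form action and every URL literal passed
from inline scripts, and flags endpoints outside the program's official
domain.  All domains and HTML below are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: an aggregator page that claims to accept reports for
# "Example Protocol" but wires the form and a fetch() call to other hosts.
PAGE_URL = "https://aggregator.example/programs/example-protocol"
OFFICIAL_HOSTS = {"example-protocol.org"}   # where the program says reports must go
SAMPLE_HTML = """
<html><body>
<form id="report" action="https://api.aggregator.example/v1/reports" method="post">
  <textarea name="details"></textarea>
</form>
<form id="official" action="https://bugs.example-protocol.org/report" method="post"></form>
<script>
  document.getElementById("report").onsubmit = () =>
    fetch("https://api.vendor-brand.test/submissions", {method: "POST"});
</script>
</body></html>
"""

# Absolute or root-relative URL literals inside a script block.
URL_IN_SCRIPT = re.compile(r'["\']((?:https?://|/)[^"\'\s]*)["\']')


class SubmissionEndpointParser(HTMLParser):
    """Collect form actions and URL literals found inside <script> blocks."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.script_urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing action submits to the current page URL.
            self.form_actions.append(attrs.get("action") or "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_urls.extend(URL_IN_SCRIPT.findall(data))


def host_is_official(host, official_hosts):
    """True if host is one of the official hosts or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in official_hosts)


def find_offsite_endpoints(html, page_url, official_hosts):
    """Return (source, absolute_url, host) for every endpoint not under an official host."""
    parser = SubmissionEndpointParser()
    parser.feed(html)
    candidates = [("form", u) for u in parser.form_actions] + \
                 [("script", u) for u in parser.script_urls]
    findings = []
    for source, target in candidates:
        absolute = urljoin(page_url, target)      # resolve relative actions
        host = (urlsplit(absolute).hostname or "").lower()
        if not host_is_official(host, official_hosts):
            findings.append((source, absolute, host))
    return findings


if __name__ == "__main__":
    for source, url, host in find_offsite_endpoints(SAMPLE_HTML, PAGE_URL, OFFICIAL_HOSTS):
        print(f"[{source}] report would be sent to {host}: {url}")
```

Run it against a saved copy of the submission page and the program's published reporting domain. It only sees URLs that are literally present in the markup; a form whose endpoint is assembled at runtime will not be caught, so the browser's network tab remains the definitive check of where a report actually goes.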

The controversy escalated when, in light of these disclosures, CertiK seemed to initiate a cover-up.

According to PopPunkOnChain, "CertiK is now scrubbing blog posts about OpenBounty and changed their API to a non-CertiK domain."

If substantiated, these accusations would severely undermine CertiK's credibility as a security firm.

The notion that a trusted auditor might exploit its position for financial gain or to secure an unfair competitive advantage raises significant concerns regarding the integrity and security of individual blockchain projects and, more broadly, the entire ecosystem.

Questionable Audit Standards: A Pattern of Negligence?

Accusations against CertiK go beyond the OpenBounty controversy.

Former clients and security researchers have raised concerns about inadequate auditing practices, suggesting that the firm prioritizes quantity over quality.

Matías Barrios, an offensive security engineer at Halborn, claims that CertiK often does "the bare minimum" during audits.

"Instead of running three layers of audits, which includes static analyzers, manual review, and then testing, they only did the first," Barrios shared with The Defiant.

According to Barrios, this approach is standard practice for CertiK: "They scan the code with automated tools, produce a basic report, and consider the job done."

The April 2023 hack of Merlin, a zkSync-based DEX, in which $1.8 million was stolen shortly after a CertiK audit, serves as a glaring example of the potential repercussions of an insufficient security assessment.

The weakness that was exploited was one CertiK's audit had supposedly covered, casting doubt on the thoroughness of the firm's security reviews.

Critics argue that CertiK's market dominance stems more from its brand recognition than the quality of its services.

"They are so widely used because so many companies simply need the 'CertiK seal of approval,'" Barrios noted.

This reliance on CertiK's reputation, rather than the substance of their audits, raises significant concerns about security practices within the crypto industry.

The CertiK controversy serves as a stark reminder that even watchdogs need oversight in the blockchain world.

Looking ahead, one pressing question remains: who watches the watchers?


“You were put here to protect us. But who protects us from you?” - KRS-One

The allegations against CertiK present a troubling portrayal of a firm that may have deviated from its core mission of safeguarding the blockchain ecosystem.

If substantiated, these practices signify more than ethical lapses; they represent a profound betrayal of the trust placed in security auditors.

Furthermore, CertiK appears slow to address many of these accusations.

Are their priorities truly in line with safeguarding, or are they solely focused on financial gain?

The potential for a trusted auditor to misuse its authority for profit or competitive edge poses a significant threat to the entire blockchain ecosystem.

How did one firm establish such dominance in protocol audits?

They've become synonymous with reliability in the industry, yet many renowned brands have faltered when trust was compromised.

Perhaps "Audited by CertiK" will start to carry a cautionary connotation.

Maybe it’s time to categorize auditors themselves using a severity scale.

Where would CertiK stand on this scale?
