
A computer scientist who looks for expensive flaws in crypto code


In the spring of 2022, before some of the most explosive developments to hit the crypto industry last year, an NFT artist named Micah Johnson set out to hold a new auction of his drawings. Johnson is well-known in the crypto community for his depictions of Aku, a young Black child who aspires to be an astronaut. Collectors lined up for the new release and spent $34 million on the NFTs on auction day.

Then, depending on your perspective, tragedy (or comedy) struck. Johnson’s software team had written “smart contract” code to handle the cryptocurrency auction, and it had a serious flaw. The $34 million in proceeds were all held on the Ethereum blockchain, but Johnson was unable to withdraw the money or refund the bidders who had lost their auctions. As they say, the virtual currency was “locked on chain,” frozen and unreachable.

Johnson might have regretted not hiring Ronghui Gu.

Gu is one of the cofounders of CertiK, the biggest smart-contract auditor in the volatile and erratic world of cryptocurrencies and Web3. Gu, a friendly and outgoing professor of computer science at Columbia University, oversees a group of more than 250 people who examine cryptographic code to check for errors.

The work of CertiK won’t stop you from losing money in the event that a cryptocurrency crashes. It also won’t prevent a cryptocurrency exchange from misusing your money. However, it might be able to stop a software flaw from causing irreparable harm. Some of the greatest names in the cryptocurrency industry, such as the Bored Ape Yacht Club and the Ronin Network, which manages a blockchain used in games, are among the company’s clientele. After losing hundreds of millions of dollars, clients occasionally turn to Gu in the hopes that he can prevent it from happening again.

Gu laughs and declares, “This is a really weird world.”

Perfection is the only way

Compared with conventional software, crypto code is far less forgiving. Silicon Valley programmers typically strive to make their systems as bug-free as possible before launch, but if an issue or flaw is discovered later, the code can still be modified.

Many crypto projects make that impossible. They run on smart contracts—computer code that controls the transactions. (For example, if you wanted to give an artist 1 ETH in exchange for an NFT, a smart contract could be programmed to send you the NFT token as soon as the money reached the artist’s wallet.) The problem is that you cannot edit smart-contract code once it has gone live on a blockchain. The whole point of a blockchain is that nothing written to it can be changed, so if you find a fault after deployment, it’s too late. The code published on a blockchain is also publicly readable, which makes it easier for black-hat hackers to examine it and search for flaws to exploit.
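The “locked on chain” failure described above is easiest to see in code. The following Solidity is an added illustration, not code from the article, from Johnson’s project, or from CertiK, and the article does not say what the actual flaw was; the pattern shown (an auction that accepts ETH but has no function that ever sends it out) is an assumed, common way for funds to become unreachable. The second contract is the same auction with the exit paths a reviewer would look for: losing bids are credited and withdrawn by the bidder (pull-payment), and the artist’s proceeds have an explicit withdrawal. The NFT minting itself is omitted and marked as such.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative contract (not the article's code): bids are accepted, but no
// function ever transfers ETH out. Once deployed, this cannot be patched, so
// every wei sent to bid() is permanently locked in the contract.
contract LockedAuction {
    address public immutable artist;
    address public highestBidder;
    uint256 public highestBid;

    constructor(address _artist) {
        artist = _artist;
    }

    function bid() external payable {
        require(msg.value > highestBid, "bid too low");
        // The previous leader's ETH stays in the contract with no way back.
        highestBidder = msg.sender;
        highestBid = msg.value;
        // NFT minting to the winner omitted (assumed to happen elsewhere).
    }
    // Missing: withdrawRefund(), settle()/withdrawProceeds(). Nothing can leave.
}

// Same auction with explicit exit paths. Refunds are credited, never pushed,
// and each party withdraws its own balance (pull-payment pattern).
contract RecoverableAuction {
    address public immutable artist;
    uint256 public immutable endTime;
    address public highestBidder;
    uint256 public highestBid;
    bool public settled;
    mapping(address => uint256) public refunds; // ETH owed to outbid bidders

    constructor(address _artist, uint256 duration) {
        artist = _artist;
        endTime = block.timestamp + duration;
    }

    function bid() external payable {
        require(block.timestamp < endTime, "auction over");
        require(msg.value > highestBid, "bid too low");
        if (highestBidder != address(0)) {
            // Outbid: credit the previous leader instead of sending ETH,
            // so a bidder that rejects ETH cannot block the auction.
            refunds[highestBidder] += highestBid;
        }
        highestBidder = msg.sender;
        highestBid = msg.value;
    }

    // Losing bidders pull their own refund. State is zeroed before the
    // external call (checks-effects-interactions) to prevent re-entrancy.
    function withdrawRefund() external {
        uint256 amount = refunds[msg.sender];
        require(amount > 0, "nothing owed");
        refunds[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // After the deadline, anyone may settle: the winning bid goes to the artist.
    function settle() external {
        require(block.timestamp >= endTime, "auction not over");
        require(!settled, "already settled");
        settled = true;
        uint256 amount = highestBid;
        (bool ok, ) = artist.call{value: amount}("");
        require(ok, "transfer failed");
        // NFT transfer to highestBidder omitted (assumed to happen here).
    }
}
```

The audit question is not whether bid() works but whether every unit of ETH that can enter the contract has a code path by which it can leave, and whether that path can be blocked by a single misbehaving address; the first contract fails the first test, and a push-style refund inside bid() would fail the second.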

There are an absurdly large number of hacks, and they are incredibly profitable. Over $320 million worth of cryptocurrency was stolen from the Wormhole network at the beginning of the year. The Ronin Network then suffered a crypto loss of more than $600 million.

Gu shakes his head, seemingly in shock, and exclaims, “The most expensive hack in history.” People say Web3 is eating the world; meanwhile, hackers are eating Web3.

Recent years have seen the emergence of a thriving industry of auditors, with Gu’s CertiK being the largest: the business, valued at $2 billion, claims to have completed 70% of all smart-contract audits. Additionally, it operates a system that keeps track of smart contracts and can instantly identify any hacks.

Not bad for someone who entered the field sideways. Gu didn’t start out in crypto; his PhD was on formally verified software, exploring techniques for writing code whose behavior can be proven in theory. That topic turned out to be extremely useful in the harsh world of smart contracts, and in 2018 he cofounded CertiK with his PhD advisor. Gu now lives in both the academic and the crypto worlds. He still teaches Columbia courses on compilers and the formal verification of system software and manages several grad students (one of whom is researching compilers for quantum computing)—while also jetting off to Davos and Morgan Stanley events, clad in his habitual black shirt and black jacket, as he tries to convince crypto and financial bigwigs to take blockchain hacks seriously.

Cryptocurrency is infamous for its boom-bust cycles, and the collapse of the FTX exchange in November was only the most recent blow. Gu, though, is confident that he will stay busy for some time. He says established businesses such as banks and “a large search engine” are starting to introduce their own blockchain solutions and are hiring CertiK to keep everything under control. If established enterprises put more code on blockchains, those blockchains will draw more and more hackers, including nation-state actors. As he puts it, “The threats we have been facing are more and more tough.”
