Computer scientist hunts for costly bugs in crypto code
Johnson may wish he had hired Ronghui Gu.
Gu is the co-founder of CertiK, the largest smart contract audit firm in the volatile and unpredictable Web3 and crypto world. A likable and talkative computer science professor at Columbia University, Gu leads a team of more than 250 people who study cryptocurrency code to try to make sure it isn’t full of bugs.
CertiK’s work won’t stop you from losing money when cryptocurrencies crash. It also won’t stop a cryptocurrency exchange from inappropriately using your funds. But it can help prevent an overlooked software issue from causing irreparable damage. The company’s customers include some of cryptocurrency’s biggest players, such as the Bored Ape Yacht Club and the Ronin Network, which operates a blockchain used in the game. Customers sometimes come to Gu after they’ve lost hundreds of millions of dollars, hoping he can make sure it doesn’t happen again.
“This is a real wild world,” Gu said with a laugh.
Cryptocurrency code is much less forgiving than traditional software. Silicon Valley engineers often try to make their programs as bug-free as possible before they ship, but if problems or bugs are discovered later, the code can be updated.
That is not possible with many crypto projects. They run on smart contracts—the computer code that governs transactions. (Let’s say you want to pay an artist 1 ETH for an NFT; a smart contract can be coded to automatically send you the NFT token once the money reaches the artist’s wallet.) The point is, once the smart contract code is on a blockchain, you cannot update it. If you discover a bug, it’s too late: the whole point of blockchains is that you can’t change what’s been written to them. Worse, the code is stored on a publicly visible blockchain—so black hat hackers can study it freely and look for bugs to exploit.
The number of hacks is increasing rapidly, and they are extremely lucrative. Early last year, more than $320 million in cryptocurrency was stolen from the Wormhole network. After that, the Ronin Network lost up to $600 million in crypto.