
"High-End Dialogue" CertiK Co-founder Gu Ronghui: Amid the Web3 Industry's Compliance Trend, Hong Kong Becomes the Best Base for Web3 Entrepreneurship

Summary: The development of Web3 in Hong Kong has shifted from a policy honeymoon period to a phase of business development pains, but Hong Kong remains one of the best places for Web3 startups. For Chinese founders, I believe it may be the best startup base without a doubt.
2024-11-08 14:22:41

Article Author: 0x9999in1

Source: MetaEra

Recently, MetaEra launched its Hong Kong section, kicking off a series of events marking the "Two-Year Anniversary of Hong Kong's New Crypto Policy." An important part of this series is "High-End Dialogue: Influential Leaders in Hong Kong Web3.0," and the featured interviewee this time is Gu Ronghui, co-founder of CertiK.

# Introduction of the Person

Gu Ronghui is a professor in the Computer Science Department at Columbia University and a co-founder of CertiK. He is a member of the International Technology Advisory Committee of the Monetary Authority of Singapore (MAS) and a member of the Hong Kong government's task force on the development of the third generation of the Internet (Web3.0). Gu Ronghui holds a bachelor's degree from Tsinghua University and a Ph.D. in Computer Science from Yale University (2016). He is an expert in operating systems, software security, and formal verification, and is the main designer and developer of CertiKOS.

# Key Insights

● I believe Hong Kong is still one of the best places for Web3 entrepreneurship, and for the Chinese community, it may be the best entrepreneurial base without a doubt.

● We believe that security needs to accompany the entire lifecycle of a project. We hope to support users from the early stages all the way to launch, on-chain, and token issuance, and then to mature operations.

● We do not want the industry or project parties to think that a project is completely free of security issues just because it has passed CertiK's security audit.

● Everything CertiK does is aimed at making everything open and transparent.

● Open and transparent information is definitely a double-edged sword for CertiK, but it is a positive outcome for the industry.

● The three most important points of regulatory policy are that it must be manageable, visible, and enforceable.

● The development of Web3 in Hong Kong has passed the initial honeymoon period and is now entering a period of growing pains.

● CertiK must confront hackers 24/7 in this unfair battle, year after year, to keep our win rate as high as possible.

# Full Interview

MetaEra: CertiK settled in Hong Kong's Cyberport last August. Can you share your personal feelings and provide guidance for those still observing the development of Web3 in Hong Kong?

Gu Ronghui: I remember in January 2023, Hong Kong had already introduced some relevant policies, and at that time, I felt everyone was in a wait-and-see state. CertiK received an invitation to come to Hong Kong and met with Secretary Chan Mo-po, who expressed his views on Web3 financial policies, making me feel that the Hong Kong government has strong confidence in developing Web3.

It was from that time that we began to establish CertiK's company in Hong Kong. During that period, the U.S. attitude towards Web3 was as follows: the SEC launched a series of lawsuits, leading everyone to feel that the U.S. attitude and policies towards Web3 had become very unclear, so many people turned their attention to Asia. The main financial centers in Asia are Singapore and Hong Kong. When I received the invitation from Hong Kong, I was actually in Singapore, also serving as a member of the International Technology Advisory Committee of the Monetary Authority of Singapore (MAS). Moreover, due to the investment by Singapore's sovereign fund Temasek in FTX, the collapse of FTX led to some hesitation in Singapore's policies regarding Web3, and I felt that Hong Kong seized this opportunity very well.

We chose to settle in Cyberport in Hong Kong, which provides substantial support for Web3 entrepreneurs. They not only regularly organize events but also offer project incubation, and we have communicated a lot through this. Throughout the process, I felt Hong Kong's unique position, combined with the government's determination to develop Web3, makes it a very good base for Web3 entrepreneurship.

If I were to give advice to other Web3 practitioners, I would say that Hong Kong is still one of the best places for Web3 entrepreneurship. For the Chinese community, I believe it is the best entrepreneurial base without a doubt. First, it has policy support; second, it is backed by Shenzhen, which allows for the recruitment of financial talents as well as many quality programmers and developers; third, the increasing number of related enterprises settling in Hong Kong also helps everyone find better partners or clients. Additionally, if entrepreneurs want to start a business in Hong Kong, I highly recommend contacting Cyberport as soon as possible. Currently, CertiK is also collaborating with Cyberport to provide some security-related certifications, which can help everyone apply for Cyberport's startup support fund.

Moreover, the Hong Kong financial regulatory authorities have adopted CertiK's suggestions to strengthen the regulatory framework for stablecoins, which is a very positive feeling! It means that the Hong Kong government can listen to the professional advice, ideas, and voices from various sectors of the industry to improve its policies. I feel that among various governments, the Hong Kong government has done the best in this regard.

MetaEra: Under the call of the new crypto policy, Hong Kong has attracted many Web3 projects. How do you think these projects view blockchain security? Do Chinese entrepreneurs have a different perspective on crypto security compared to the Western world? Could you elaborate?

Gu Ronghui: We are in the Web3 security sector, and we can say we are one of the leading companies in this field. First of all, for most practitioners, if you ask any company or founder whether project security is important, they will definitely say it is very important! However, when it comes to how to improve project security, what aspects security includes, and whether they are willing to pay for it, the answers are all rather vague and general. So everyone feels that security is important, but in practice, we still feel considerable resistance.

First, many people feel there is no need for security; there is always a sense of complacency, believing that the project is secure and will not be attacked, which easily leads to neglecting project security. Second, regarding security, what exactly does blockchain security encompass? As a blockchain project party, what aspects of security protection should they undertake? In fact, most project parties do not fully understand this. In the past, people might have heard more about code audits, and part of CertiK's efforts has led to a consensus that after internal personnel test the project code, it should seek independent third-party security audits.

However, this was not the case three or four years ago. In 2020, when DeFi was just starting, people gradually realized the importance of code audits. Over the years, some projects have only conducted security audits on part of their code because the costs are high, and some projects might audit one version of the code but not audit subsequent updated versions. This is a misconception; any change in the code, even a few lines, can introduce new vulnerabilities and new attack opportunities. There is still no consensus today that all project code and all versions should undergo security audits.

Taking a step further, code security audits are just a small part of blockchain security. Overall blockchain security includes private key management, the security of the non-smart-contract parts, and the security of interactions with smart contracts. Some projects also involve node security, for example, and the question of whether enterprise wallets, whether multi-signature wallets or MPC wallets, are secure. In fact, the aforementioned aspects exceed the scope of code audits, but many project parties have zero design and zero protection in these areas, almost akin to running naked. In this situation, you will find that many attacks no longer solely exploit the security of smart contracts. We have collaborated with Cyberport to launch a security training program for entrepreneurs and business owners, which includes an examination segment and certification. With this certificate, they can qualify to apply for Cyberport's fund support, since funds that are provided should at least not be stolen or lost.

MetaEra: Do Chinese entrepreneurs have a different perspective on crypto security compared to the Western world? Could you elaborate?

Gu Ronghui: The overall perspective is still consistent! Before 2021, there was not much focus on security, but after 2021, people began to pay more attention to security. However, there may be some subtle differences; Western entrepreneurs may have a slightly smaller sense of complacency regarding security, while Chinese entrepreneurs in the East may have a certain degree of complacency, believing that their projects have no security issues. Another slight difference is that when we point out vulnerabilities in Western projects, they tend to have a more open attitude. In the Chinese-speaking region, when you point out issues in some projects, they may have a resistant mindset, believing that their project has no issues and that the problems pointed out by CertiK are detrimental to their projects. Of course, the situations I mentioned are also very rare cases. But I want to emphasize that the purpose of security audits is to help you find problems and fix them.

MetaEra: Recently, we noticed that CertiK's slogan has changed. What considerations led to this upgrade? CertiK has also launched free security tools like Token Scan and Wallet Scan for the community. As a security company, will CertiK focus more on end-users?

Gu Ronghui: Let's first talk about the slogan. The previous slogan was "Securing The Web3 World," and we have just upgraded it to "Elevating Your Entire Web3 Journey." This is quite a significant change.

I want to explain why I wanted to make this change. CertiK has served 4,700 clients, identified 150,000 security vulnerabilities, and reported over 40 major vulnerabilities. We can say that we have made a significant contribution to the community, but I feel that our output towards the end-users and the developer community has been insufficient. Our feedback to the community has been lacking in the past few years.

"Securing The Web3 World" was our initial simple idea; we hoped to protect the entire Web3 industry and world. However, I would ask myself, where are our clients? Where is our community? In fact, this slogan did not reflect that well. When our vision became grand, turning into an industry or a world, it sometimes overlooked specific communities, specific clients, and specific end-users. Therefore, in the new slogan, I added "Your Web3 Journey," as we very much hope to incorporate individuals and communities from the industry into our thinking, making it more specific rather than just a macro world.

Secondly, many of our clients view security as a one-time service before going live, treating it as a point-in-time service. However, we believe that security needs to accompany the entire lifecycle of a project. We hope to support users from the early stages all the way to launch, on-chain, and token issuance, and then to mature operations.

Thirdly, the upgrade of the slogan reflects our belief that security is not just about preventing attacks. Throughout the lifecycle, we empower project parties, and CertiK now also provides many services that go beyond narrow security into the broader security field; beyond the broader security domain, we also offer "Design Review" consulting services to clients. For example, for the TON blockchain, we conducted code audits and formal verification in the early stages, and after it went live, we also assisted TON with performance testing and community building, which already exceed the scope of security.

Therefore, to better define CertiK's mission and products and services, we upgraded CertiK's slogan. The new slogan encompasses project parties, exchanges, wallets, and end-users. Tools like Token Scan and Wallet Scan are completely free, aimed at giving back to our supportive community and empowering them.

MetaEra: Many startup Web3 projects emphasize in their official PR that they have passed CertiK's security audit, as if "passing CertiK's security audit" has become an industry standard. What do you think about this phenomenon, where some project parties promote this aspect as an advantage, potentially leading users to develop a fixed mindset that "projects that pass CertiK audits are good projects, while those that do not are not"?

Gu Ronghui: First of all, I am very happy to see many projects using passing CertiK's security audit as a plus point for their projects and promoting it as an advantage. This is definitely a recognition of our work, technology, and brand, and it is a happy thing regardless.

However, I also want to point out a major misconception. We do not want the industry or project parties to think that passing CertiK's security audit means that the project is completely free of security issues. We have always emphasized that these are two separate matters.

First, there is a significant gap between CertiK's security audit and the security of the project. Project security actually includes many components that are not covered by a security audit.

Second, CertiK often only has access to part of the code, or even just a version of part of the code for security audits, so it cannot guarantee the entire codebase.

Third, Turing and other scientists' work shows that theoretically, there is no universal method to guarantee that a piece of code is 100% secure. Therefore, passing a security audit does not mean the code is 100% secure. However, passing CertiK's security audit can indicate that the project party values security, which requires the project party to invest time, money, and even delays in launching to enhance the overall security of the project. Additionally, passing CertiK's security audit can greatly improve the project's security level.

From these perspectives, passing CertiK's security audit can indeed be seen as an advantage for project parties. However, we do not want it to become a fixed mindset, as this mindset could have adverse effects on both project parties and CertiK. Therefore, we are continuously clarifying what the facts are, and we thank the project parties and the industry for their recognition of us.

MetaEra: CertiK encountered the Kraken incident this year, and everyone is aware of the conflicting statements from both sides. From a public relations crisis perspective, what growth insights and actual impacts has this incident brought to CertiK?

Gu Ronghui: The heat of this incident far exceeded our expectations. A few months have passed since the event, and looking back, there are several obvious outcomes.

First, Kraken experienced a serious vulnerability, and CertiK discovered the vulnerability and quickly notified Kraken, which fixed the issue, ultimately preventing any user losses. Kraken itself would acknowledge that this might be the most severe exchange vulnerability in history, and CertiK discovered and helped them fix it. From the outcome, this is a big win for the entire industry.

Second, if we were to experience this again, CertiK would still report to Kraken immediately, helping them avoid any potential user losses. Whether repeated 100 times or 1,000 times, this is what we would do.

However, when both sides have different views on the same issue, CertiK believes there must be a better way to resolve it, rather than ending up in a situation where both sides hold conflicting statements.

MetaEra: As "industry swordsmen," blockchain security agencies and blockchain rating agencies face a challenge: how to ensure their professionalism treats every Web3 project fairly? How does CertiK effectively handle this?

Gu Ronghui: This issue has been troubling us since 2020, and we have been thinking about it. Before decentralization, we would put our money in Amazon, Alibaba, or Tencent based on our trust in these large companies. However, we feel that these large companies are centralized institutions, and we want to pursue decentralization. But after decentralization, ordinary users cannot understand code, and CertiK stands up to tell everyone that this code is secure, and you can trust CertiK. But at this point, will CertiK become a center?

To be honest, CertiK has faced a lot of controversy in the industry over the past two years, and we do not shy away from it. Why is there so much controversy? Why are so many people criticizing us? Perhaps it is because people feel that CertiK has become centralized, and CertiK is questioned about whether it is reasonable and fair.

We have also been thinking about these issues. One report stated that CertiK has single-handedly turned blockchain security into a sector. We thought: with such a heavy responsibility, what should we do? CertiK's choice at that time was to make all security audit reports public and upload them to our website. However, these reports were too technical, and many users still could not understand them. We then distilled these reports into Skynet data, providing a visual mode for everyone to view. Everything CertiK does is to make everything open and transparent.

This decision faced strong opposition at the time, both internally and from partners, and even from our investors. Because once CertiK made all security audit reports public, whenever a security incident occurred, everyone would think that the security issue was related to CertiK. However, to date, no other security company dares to disclose all information, because once disclosed, they would have nowhere to hide, and any problems would be unavoidable.

Open and transparent information is definitely a double-edged sword for CertiK, but it is a positive outcome for the industry. Our principle is that even if it is a double-edged sword for CertiK, it is positive for the industry, and CertiK will steadfastly implement it. From 2020 to now, CertiK has maintained its original intention, even if project parties encounter problems and CertiK is criticized, we bear all the negative impacts. Every day, we continue to publish our security incident reports on our website.

MetaEra: As countries and regions introduce relevant policies and regulations for virtual assets, security issues are increasingly emphasized by law enforcement agencies and governments. Which regions and countries has CertiK already collaborated with? What are the main security issues in the Web3 field in the future?

Gu Ronghui: Let me first talk about the various collaborations.

First, I am a member of the Hong Kong government's task force on the development of the third generation of the Internet (Web3.0), and CertiK's Chief Security Officer, Professor Li Kang, is also a member. For example, the Hong Kong Treasury and the Hong Kong Monetary Authority led the release of the "Consultation Summary - Legislative Proposals for Implementing a Regulatory Framework for Stablecoin Issuers in Hong Kong," and CertiK made two recommendations. I am also a member of the International Technology Advisory Committee of the Monetary Authority of Singapore (MAS), and I am the only member from the Web3 industry among the 11 members.

In addition, CertiK participated in drafting compliance policies for yen stablecoins and provided advice to the Financial Services Agency (FSA) of Japan on contract compliance and hacker monitoring; we are also jointly drafting policy documents related to the Metaverse and Web3 with the Malaysia Digital Economy Corporation (MDEC); in South Korea, CertiK signed an MOU with the governments of Seoul and Busan to initiate relevant cooperation.

The above are some collaborations between CertiK and various governments in Asia to help them draft compliance-related policy documents.

Starting from 2023, the trend in the entire Web3 industry, including the Asia region and the United States, is compliance, such as the approval of spot ETFs and other mainstream narratives. The benefit of compliance is to allow more users to participate, enabling more traditional industry users to join in.

The policies of various governments still start with stablecoins. CertiK is working hard to promote the development of policies in various regions, helping governments better understand Web3. Because often, misunderstanding can lead to fear, helping governments understand will gradually lead them to accept Web3, which is a role CertiK plays.

The three most important points of regulatory policy are that it must be manageable, visible, and enforceable. Therefore, once governments start discussing compliance, they immediately need to discuss security. Because if security issues are not resolved, there will be situations where things are invisible and unmanageable. This is one reason why on-chain transactions are becoming increasingly important.

MetaEra: What are the main security issues in the Web3 field in the future?

Gu Ronghui: I believe there are four main aspects:

First, code security;

Second, project security outside of code, such as interactions with smart contracts;

Third, private key management;

Fourth, counterparty risk, such as whether your transactions are secure and whether interacting assets could be stolen, etc.

Currently, we can see two trends: first, traditional banks entering the Web3 industry, which will highlight their security issues; second, retail newcomers entering the Web3 industry, who may not be able to manage their wallet private keys well or judge whether a project or smart contract is secure. The "Your" in our new slogan aims to include these two groups who have limited understanding of Web3 security, helping them better ensure security.

MetaEra: Looking globally and focusing on Hong Kong, CertiK is also strategizing for the development of Web3 in Hong Kong. The stablecoin regulatory legislative proposals released by the Hong Kong Treasury and the Monetary Authority have adopted CertiK's suggestions. In your observation, what stage has Hong Kong's Web3 development reached?

Gu Ronghui: The development of Web3 in Hong Kong has passed the initial honeymoon period and is now entering a period of growing pains. We have seen the early determination of the Hong Kong government, including Secretary Chan Mo-po's speeches and the ongoing support of policies. During the policy formulation process, the government has engaged with the industry and widely listened to industry suggestions. The policies are attractive, which has brought many enterprises to Hong Kong, and this is what I refer to as the honeymoon period.

After the honeymoon period, enterprises need to start developing their businesses and markets, and entering this stage itself is challenging. Companies need actual users and markets, which is inherently a path filled with challenges and difficulties.

MetaEra: Professor Gu, you transitioned from campus to society and also founded a security company focused on blockchain security. What was the opportunity for this transformation (stepping out of campus and starting a Web3 business)? Additionally, what was the original intention behind founding CertiK? Has it changed since then?

Gu Ronghui: Let me talk about the founding process of CertiK. The name CertiK comes from CertiKOS. In 2016, I, along with another co-founder of CertiK, Professor Shao Zhong, developed CertiKOS, the world's first comprehensively formally verified operating system kernel designed to prevent hacking and attacks. At that time, it was a technological breakthrough and received significant attention in the industry. I also secured a faculty position at Columbia University based on this research achievement.

First, let's talk about formal verification. It is a mathematical method used to prove the security of a piece of code. It can achieve the highest security standards currently available, but it is also costly and time-consuming, so it was previously only applicable in very core and critical areas, making it difficult for large-scale application. In 2016, we completed the verification work for CertiKOS, proving that formal verification had reached the application stage.

In 2016, another significant event occurred: The DAO on Ethereum was attacked, which is considered one of the largest security incidents. People view blockchain security as very challenging because if there are vulnerabilities in the code and hackers attack, no one can stop those transactions. Therefore, everyone hopes that the code is as secure as possible, as the assets involved could be worth millions or even billions of dollars. At this juncture, our technology and market demand aligned well, leading to the birth of CertiK. CertiK aims to apply formal verification to smart contract auditing to enhance the security of project code across the entire industry, which is our original intention.

The development process has been very challenging. The biggest challenge we currently face is the public's understanding of security. From 2017 to 2020, everyone thought security was important, but no one was willing to do anything for security or invest time and effort into security work. By 2020, industry practitioners recognized that at least smart contract auditing was necessary, but many other security issues still did not receive adequate attention.

Additionally, the Web3 industry is developing rapidly, with technology evolving quickly, and new terms, concepts, and technologies emerging every month. When new technologies appear, security issues become prominent. CertiK currently occupies a high market share and needs to cover all technology stacks and ecosystems, which is quite exhausting.

Furthermore, as CertiK develops, we also face many non-technical issues and even some controversies. This includes our adversaries, the hackers, who may target the weakest company in the industry. If CertiK is seen as a bodyguard, it needs to protect 4,700 clients simultaneously without knowing where hackers will strike. To be honest, this offense-defense situation is unequal. However, we must confront hackers 24/7 in this unfair battle, year after year, to keep our win rate as high as possible. This work is very challenging, but our original intention has never changed.
