Certik AMA Transcript

BSC.NEWS hosts CERTIK, a leading decentralized security solution, offering comprehensive security audits. All questions were answered by @CertiKMarco @alebo95 @kozuelam

By
Kamran Iqbal
on
February 24, 2021
Category:
AMA

Cryptoshrimp5 (AMA host): First of all, on behalf of BSC News, we would like to welcome Certik Team to this AMA.


Aaron CertiK: Thank you for hosting us! Very excited to be here


Cryptoshrimp5 (AMA host): Alright Certik Team let’s get this AMA started!


Q1 Let’s start with an introduction for yourselves; what are your backgrounds/experiences both in the traditional and crypto spaces?


Aaron CertiK: I've been in the blockchain space since 2013. I founded one of the first clubs in the Blockchain Education Network at my university in 2014 and have worked across the space since. I held various roles at Circle, Dun & Bradstreet, and now CertiK mostly focused on the intersection of traditional product and DLT.


Marco | CertiK : I'm the Business Development Director for CertiKShield. I've been in crypto since 2016, when I started MaZee, community management company for ICOs, for 3 years, advised over 30 projects and worked closely with enterprise businesses to implement blockchain. I joined CertiK in December of 2020.


Connie@CertiK:  My career in blockchain started back in 2017 which saw me join the EtherDelta ICO. Prior to joining CertiK.

I initially joined CertiK as a Lead Software Engineer contributing to auditing and the development of DeepWallet. Right now, my role is Head of CertiKShield.


Q2 Please tell us about your project. I understand that certik covers audits and also insurance, how does it work?


Aaron CertiK:  So at a high level our product suite covers 3 different areas of security. We have our auditing for pre deployment code review and penetration testing. This includes testing both the code and the business logic. Then we have our Skynet solution which is an on chain monitoring system for smart contracts after they've been deployed and are in use. This system calculates security scores and then pushes those scores about smart contracts on chain through our security oracle. Finally we have our CertiKShield. Shield is a decentralized discretionary mutual - an insurance alternative for digital assets.


Marco | CertiK : Yes, indeed. I believe many are familiar with CertiK as a major auditing firm in the BSC and DeFi space. We;ve done over 450 audits and rapidly growing. We've pretty much booked out all of March. A lot of BSC member will have seen our name around the new projects coming up. Aside from the audit, we recently lauched the CertiKShield, which is a Decentralize Reimbursement pool, which allows the projects to protect up to 5 contracts by purchasing 21 day shields, currently we have $3M in the collateral pool, so they could protect up that amount. The insurance pool is a staked collateral pool, which is driven by the community and offers an APY Aaron has given you a bit of an overview. I guess we will all add our bits of knowledge :D I apologize for typos


Cryptoshrimp5 (AMA host): no worries we are keeping the AMA real, without typos they might think we are bots


Q3 Smart contract audits deals with known exploits, how are potential/novel exploits being accessed by Certik?  Are there any practical and simple tips you can give to the community when investing in projects?


Aaron CertiK: This question has two very different parts, lets break it out. For the idea of novel exploits i'll jump in for a second. Marco would you like to cover community tips?


Marco | CertiK : Yes, indeed we look at the function of the code, known exploits could be the typical migration code that many swap contracts have. We need to make sure that there's a timelock there to prevent the teams form migrating all the funds. Regarding forked contracts, as we do get a lot of this in the BSC projects, we look at the delta of the code. So not just the original code, but we analyze the differnt code and make sure there's not major flaws and or backdoors. All our audits include recommendations for the team to make changes in their code, before we deliver a final report. What we do not audit is the economic, and this is across the board. Theres' not many auditing companies that do have the experience. All our team are security experts. We do try to look for potential rugpulls. Regarding what investors should be looking out for is mainly when projects say they dont need to audit because it's a fork. I wouldn't want to invest in that projects.


Aaron CertiK: As I spoke about before - our auditing isn't just a manual code review to look for bugs. More than finding bugs our team works dilligently to test the business logic of the project. The critical bugs that we uncover mostly fall into 3 categories: Logic errors, Flash loan attacks, and rug pull vulnerability. We look at the projects business logic as a math problem and we analyze the mathematical model of the logic itself.

Cryptoshrimp5 (AMA host): this is definitely better than just comparing the codes with the known ones!


Aaron CertiK: Staying ahead of attackers requires being just as much in the weeds of the logic as it does of the actual code review itself. as we've seen over the last year or so attacks have gone from being based on code errors to mostly being based on logic erros (see flash loans)


Marco | CertiK : I would advise the community as mentioned above, to stay away from projects that say their code is forked so shouldnt be audited. Or that CertiK audited the initial code. Because sometimes we only audit several contracts and not all libraries. So we cannot guarantee that the team hsa not created contracts which do some suspicious function


Aaron CertiK:  Anyone who says they shouldn't be audited I shouldn't be hodling


Cryptoshrimp5 (AMA host): now i think i will do that too


Q4 Back to the topic of insurance, what is the significance of insurance in the DeFi sector?


Aaron CertiK: Great question. In 2020 alone 2% of audited projects still faced attacks and over $300mm USD were lost / stolen. No auditor will tell you that auditing is a perfect solution - pre deployment code reviews just can't factor in every single potential interaction a contract might face in the wild. Auditing is still incredibly important - I can't imagine what that stat would be if no one got audits... but there needs to be something more. That's where CertiKShield comes in. Reimbursement protection in the case of asset theft or loss through a range of potentially covered scenarios. I'll let Marco finish so he doesn't have to keep editing as I steal his words haha


Cryptoshrimp5 (AMA host): haha thats good team work too


Marco | CertiK :Great question indeed. So yea, there's a lot of articles coming out where there's DeFI insurance mentioned as the next security layers. And i've been requested by several investors in BSC projects to open up pools for projects, as they do want to protect their funds. We've seen a growth in this and lately our PancakeSwap pool is sold out. It gives an addtional peace of mind for the projects, as during their early stages of development could come acorss loss of funds because their code doesn't function properly and it gives the community additinoal peace of mind, since they can now purchase protection, on their tokens. We will see more inquiries for this, as the audit doesn't guaranteee 100% security. Thanks @alebo95


Aaron CertiK: done from me - Marco covered nicely. Of course haha

Q5 Will there be a problem in cases where there is a large amount of claims?


Aaron CertiK: Not at all - all shields are always 100% collateralized. If we can't 100% collateralize a shield we don't sell the shield. This means that even if all shield holders submitted approved claims at the same time, everyone would be able to be paid out


Marco | CertiK : Ofcourse if there's a project that wants to protect $5M, we welcome them and the community to stake that amount in the collateral pool, to protect those funds. We can take their token as long as it's listed on Uniswap, we will convert it. CertiKShield runs on CTK


Aaron CertiK:Yep. But always we make sure the pool has enough funds before selling the shield.


Cryptoshrimp5 (AMA host):i see in that case we will not have a situation where the claim amount is over what has been lost


Aaron CertiK: You can only claim what you've lost. Even if your shield was for more than you lost - you don't get paid out except for your potential losses.


Marco | CertiK : We will always make sure there's enough funds in the collateral pool. And like Aaron mentioned above, we will not protect above what's offered


Cryptoshrimp5 (AMA host): thats also a good way to know that investors funds are safu, on top of getting their codes audited


Aaron CertiK: Agreed, layering auditing with on chain monitoring and shield is in my opinion a great way to handle safety precautions in the wild west of DeFi


Marco | CertiK : Indeed. I know BSC offers their own SAFU, but that's only for the project themselves, they do not have a wallet for the community to purchases like ours


Q6 now that we know from the investors point of view, How do projects owner themselves know if a project require DeFi insurance?


Marco | CertiK : That's a VERY GOOD question! Well we believe all projects require it, as we cannot guarantee that an audit will cover their loss of funds bc of their development, code injection, DDos. and we believe their community should be top of mind, so why not give them the ability to purhcase protection. All we ask is a small fee to open up the pool. It's like buying that additional protection on your new car. You neve know when you get a crack on your windshield, dings, or a puncture...so why not purchase it just to be safe


Aaron CertiK:  If you feel like you need a bit more detail on any of these let us know!


Marco | CertiK : Yea, if something requires additional explanation do feel free to ask


Cryptoshrimp5 (AMA host):for example if we have a really high tvl project, as a project owner i would want to protect my investors funds using the certikshielf, what is the procedure and how can the owner carry it out? besides opening a pool and stuff is there any other way to do it?


Aaron CertiK: All projects that are eligible for shields must have been audited. So first will come an audit. After the audit we will open a shield pool with the project on their token allowing them and their token holders to purchase protection.


Cryptoshrimp5 (AMA host): i see so its a stringent procedure that one cant cut any corners


Marco | CertiK : If a project has a high TVL and wants to protect as i mentioedn, $10M for a certain period, we will have to do a custom pool for them. As long as they can stake that amount, they will ahve that amount covered for them


Aaron CertiK: Exactly that. Unlike some other insurance alternatives we are a security native company. The reason that we can offer the same rate on all shields regardless of which token it's for is because we have audited and taken the time to feel confident in our ability to offer that shield


Marco | CertiK : Every project we open up a pool for, let's say $500k. We will add an additonal avaiable amount for the community to purchase


Cryptoshrimp5 (AMA host): thanks for the explanation too


Marco | CertiK : Projects shouldn't be cutting corners in this space. If they want your community to trust you


Q7 Who have done an audit with Certik so far? What is the difference between light audit and full audit?


Aaron CertiK: Well for a list of our audits please visit CertiK.org We have our security leaderboard right there on the front page which has all the info including links to the audit reports

Cryptoshrimp5 (AMA host): im sure its a long list since you guys are booked thru out march.. is there like any big names that you would have off the finger tip


Aaron CertiK: AAVE, Kava, Bancor, 1inch among many others


Cryptoshrimp5 (AMA host): wow big names for sure!


Marco | CertiK : We have several projects that need to still be listed in the onboarding section. We also have our audits listed beside each project we audit. The light audit, we also list with the score. The difference is that a light audit is just a report of finding that the project owners receive. But we list the score of the project and their security on the website, and we add the security oracle, which is running realtime to detect any vulnerable transactions. Most projects that receive the light audit is because they need something quick to show the community, but still plan to get a light audit


Aaron CertiK: still plan to get a full audit*


Marco | CertiK :Pancakeswap, and some big BSC names will join


Aaron CertiK: Yep I can't drop those names just yet but for sure some BSC favorits


Cryptoshrimp5 (AMA host):  so visiting the website will let us find out if the project that we wish to invest in has done a light or full audit? haha thot you would have slipped it out


Marco | CertiK : We've actually secured a partnership with BSC for audits, so we plan to be doing many more BSC projects. Yea, well the community is smart enough to know who those are, and I am sure the teams have hinted it


Aaron CertiK: Indeed the security leaderboard is our transparent window into the security of projects for all to see


Cryptoshrimp5 (AMA host):  ya and im sure they are proud of it, as its a first step of proofing that the project is SAFU


Q8 What have you been paying the most attention to in DeFi? Where do you think the development of DeFi will take us in the future?


Marco | CertiK : But yes, for proof of audit, i do get a lot of members reaching out to me directly to double check. and that's fine. Happy to provide approval


Aaron CertiK: Well that now is a big question haha. I'm going to speak personally for this answer - I've been interested in a lot of the robo advisor type yield farming protocols. I think that similarly to the traditional financial space ease of use / UX & UI are a serious issue to adoption, and DeFi has that most in the whole crypto space. Anything that makes this whole insane world we live / work in easier to understand and adopt for your average non techincal person is what i'm really looking at.


Marco | CertiK : I personally, having been working very close with the founders of projects to make sure they are serious in this space and lately also chatting with several investors to gather their feedback which helps me understand what's needed in the DeFi space. And so far it's very promising for both CertiK and the whole community, as there'a s lot of FUD going around, which is kind of flattening out as we get more projects to value security


Aaron CertiK: Increasing security awareness is extremely important to both of us, not just as members of the CertiK team but as people who want to see DeFi gain mass adoption. It's impossible for me to join any crypto conversation today without pivoting to security/


Cryptoshrimp5 (AMA host):  yes thats the biggest thing so far security and safety.


Marco | CertiK : And I agree with Aaron, ease of use is definitely growing and education in the market, as more "experts" bring their knowledge to the newbies. As more people enter this space, there will be more knowledge spread by everyone. We just need to stick together, to try to remove scams, as that's still around, so right now for the community is just do your due dliligence, verify who you are speaking to


Q9 In regards to the CertiK Security Oracles - do you guys compete directly with decentralized oracle networks like Chainlink or can you possibly work together / leverage each other’s strengths


Marco | CertiK : Chainlink is a price oracle, Ours is a security oracle. So we do not. Our oracle is to monitor real time vulnerable transaction on chain, with security experts performing tasks. Regarding leveraging each other's strength. Maybe in the future, if we get more auditors focusing on the economic side of functions, we could add that into our audits. and make sure the integtaion with Chainlink is secured. But for now, we do not


Q10 does it mean that when a project has done an audit and obtain insurance with certik, the funds will be 99% safu ?


Aaron CertiK:  I don't like the idea of assigning any percentage to safety.


Marco | CertiK : 99.999%

I agree with Aaron, we cannot assign a percentage. as we cannot guarantee a project has decided to go a different direction. We can just provide that additional security, which projects are willing to invest in to make sure the community feels safer


Aaron CertiK: Everything in this space is on such a project to project basis that it's really difficult to give any hard number like that. However I would certainly say that the funds would be significantly safer than if some or none of those steps had been taken


Cryptoshrimp5 (AMA host): so its either totally safe or not safe


Aaron CertiK:  hahaha


Cryptoshrimp5 (AMA host): but im sure when a project is willing to go thru a certik audit and take up the shield, they have earned alot of trust from the investors!


Aaron CertiK: it's more like it's totally more safe or totally unsecured. Absolutely!


Marco | CertiK : As mentioned above in my previous comment. Put your money where your mouth is


Aaron CertiK:  The trust gained by caring about security is unparalelled by other steps i've seen


Marco | CertiK : I tell all projects we speak to, you have to spend money to make money...and that's kind of the situation right now. If the community feels safer, they will invest more. This is why we see a lot of When CertiK, when audit questions.


Cryptoshrimp5 (AMA host): yes thats why in most ama there would a question asking if the project is making any money... in a way it will let the public know that the project can use the money collected to make the project safer


Q11 what are the plans for certik in terms of short term and long term?


Aaron CertiK : First and foremost contine expanding our security footprint bringing our name brand trust to more projects throughout the DeFi space. As Marco mentioned we're working to secure the Binance Smart Chain.


Marco | CertiK : Our CEO mentioned this the other day. Long term is for us to become the place where investors come to check the security for projects, and short term is to make sure we achieve that longterm goal, by working closely with partners, projects and the community


Aaron CertiK: Another big point for us is increasing security awareness and accountability. Trying to get investors to demand security and accountability before 'apeing' into projects


Cryptoshrimp5 (AMA host): im sure all the projects that are upcoming will be lining up now to get a light audit and eventually a full audit and get on the certikshield


Aaron CertiK:  Assuming they take security seriously, I don't see why not!


Marco | CertiK : We sure hope we've done our part here


Q12 lastly do share any links that we can find out more or keep up to date with the happenings in Certik


Marco | CertiK : As Aaron mentioned, you can check certiK.org, or also our certikorg twitter channel. So do follow us as we do announce new audits all the time


Aaron CertiK: The security leaderboard also has links to our telegram, twitter, and blog. I'd say check all of those out.


Marco | CertiK : You can also ask me

Also check our https://t.me/certikfoundation


Cryptoshrimp5 (AMA host): Thank you Certik Team for coming over to BSC news AMA, I hope that all projects in BSC will at least get a light audit and work on making their projects safer in the future! You guys are awesome and you rocked the AMA!


Aaron CertiK:  Thank you so much for hosting us! Really enjoyed the AMA and some great Community questions as well!!


Marco | CertiK : CertiK is here to stay. We are very certain that with the help of the community, we will be able increase the security of every projects. You can be our leverage to get new BSC projects to get a proper audits, even when they are forked. we have global footprint so we have already expanded in all markets. And to finish it off, the success of projects you invest in lies with you voicing your concerns to make sure they are protected, and have your best interest. to finish it off DYOR and don't hesitate to keep asking the same questions..!!! Grazie! Thank you! And Loved every second of this!!!

Tags:
No items found.