From White Hat to Gray Area

Crypto security firm CertiK has been stirring up a hornet's nest lately.

CertiK faced backlash when it exploited a vulnerability on Kraken, siphoning $3 million from the platform in the name of "research."

The firm returned the funds after receiving criticism but the damage was already done.

Since the initial Rekt News story, security researcher Tayvano has uncovered a web of suspicious activities surrounding the incident.

The dust hasn’t even settled around the controversy surrounding the recent Kraken exploit and already new allegations are swirling.

From accusations of front-running bug bounties to performing superficial audits, CertiK's reputation is being put under the microscope by security researchers.

With each new accusation, the industry is forced to confront an uncomfortable truth.

What happens when the very entities entrusted with safeguarding the ecosystem are seen as a threat?

Credit: The Defiant, h0wl, PopPunk, Tayvano

In the high-stakes world of blockchain security, trust is everything. But what happens when the guardians themselves come under scrutiny?

CertiK, despite its large position in the crypto security landscape, has been viewed with skepticism by security researchers.

The recent Kraken incident wasn't just an isolated misstep, it was the match that ignited a powder keg of long-simmering concerns and criticisms.

As the dust settles, a series of alarming allegations have emerged, painting a troubling picture of CertiK's practices and ethics.

Front-Running Bug Bounties: A Breach of Trust

At the heart of the storm surrounding CertiK is OpenBounty, a bug bounty platform incubated by Shentu Chain, formerly known as CertiK Chain.

CertiK originally founded CertiK Chain, which rebranded as Shentu Chain in 2021.

While CertiK and the Shentu Foundation are now ostensibly separate, their shared history and ongoing connections raise questions about potential conflicts of interest.

What initially appeared to be a straightforward bug bounty aggregator has become the focal point of serious allegations of ethical misconduct.

Security researcher h0wlu first sounded the alarm, uncovering troubling practices within OpenBounty's operations.

"I created a test account on their platform to check it out, thinking maybe it's just an aggregator, but no. They have submission forms for all these programs and the findings are sent to their API servers," h0wlu reported.

This discovery raised immediate red flags. OpenBounty was not merely compiling bug bounty information from various sources, it was actively soliciting vulnerability reports for programs hosted on other platforms, including ImmuneFi, and even for self-hosted programs like Uniswap and Ethereum.

Uniswap for example clearly states in their Bug Bounty program rules, that you must report bugs directly to them not via 3rd party.

The implications of this practice are severe. By funneling vulnerability reports through their own servers before reaching the affected protocols, CertiK potentially gains advanced knowledge of critical security flaws.

This information asymmetry could theoretically be exploited for financial gain or to pressure projects into using CertiK's services.

Adding to the suspicion, h0wlu noted that the API used by OpenBounty is hosted on a subdomain containing "CertiK," further cementing the connection between the two entities.

PopPunk, co-founder of Gaslite and a vocal critic of CertiK, expanded on these findings, "OpenBounty... appears to be attempting to front-run bug bounty reports.The more suspicious thing is that their website makes requests to a domain with CertiK in the name when you report a bounty.”

This practice isn't just ethically questionable, it potentially violates the terms of service of many major protocols' bug bounty programs.

The controversy deepened when, following these revelations, CertiK appeared to attempt a cover-up.

"CertiK is now scrubbing blog posts about OpenBounty and changed their API to a non-CertiK domain," PopPunkOnChain claimed.

These allegations, if proven true, strike at the very core of CertiK's credibility as a security firm.

The possibility that a trusted auditor could leverage its position for financial gain or to gain an unfair competitive edge raises serious concerns about the integrity and security of individual blockchain projects and, by extension, the ecosystem as a whole.

Poor Quality Audits: A Pattern of Negligence?

The allegations against CertiK extend beyond the OpenBounty controversy.

Former clients and security researchers have come forward with accusations of subpar auditing practices, painting a picture of a firm prioritizing quantity over quality.

Matías Barrios, an offensive security engineer at Halborn, alleges that the firm often does "the bare minimum" when auditing protocols.

"Instead of running three layers of audits, which includes static analyzers, manual review, and then testing, they only did the first," Barrios told The Defiant.

He claims this is CertiK's modus operandi: "They go over the code through some automatic tooling, offer a very simple report, and leave it at that."

The April 2023 hack of Merlin, a Zksync-based DEX, where $1.8 million was drained post-CertiK audit, stands as a stark example of the potential consequences of inadequate security reviews.

The exploit that resulted in the $1.8 million Merlin hack directly involved the very issue CertiK had marked as resolved after their audit, raising serious concerns about the thoroughness of their security reviews.

Critics argue that CertiK's dominance in the market is less about quality and more about brand recognition.

"They are so widely used because so many companies simply need the 'CertiK seal of approval,'" Barrios explained.

This reliance on CertiK's reputation, rather than the substance of their audits, raises serious questions about the state of security practices in the crypto industry.

The CertiK controversy serves as a stark reminder that in the world of blockchain, even the watchdogs need watching.

As we move forward, one question looms large, who audits the auditors?

“You were put here to protect us. But who protects us from you?” - KRS-One

The allegations against CertiK paint a troubling picture of a firm that may have strayed far from its mission of safeguarding the blockchain ecosystem.

If proven true, these practices represent not just ethical breaches, but a fundamental betrayal of the trust placed in security auditors.

CertiK does not seem to be quick to address many of these accusations either.

Do they even care or just care about getting paid at the end of the day?

The potential for a trusted auditor to exploit its position for financial gain or competitive advantage poses a significant threat to the entire blockchain ecosystem.

How did one firm gain such a stronghold on protocol audits?

They are a brand name in the space, but many brand names have fallen from grace when trust was broken.

Maybe more people will see “Audited by CertiK” as a warning label moving forward.

Perhaps it's time to classify the auditors themselves using a severity scale.

Where would CertiK rank on this scale?

share this article

REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.

donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C


REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.