Audit Company

Certik

Certik is arguably the most well-known auditor on the market. The company has audited over 3000 projects in only 5 years of service. The company’s name is strongly associated with Ivy League schools which adds to its reputation. Certik often provides commentary on matters of DeFi security and is considered one of the top security experts.
DSA presents a unique series of reports on the smart contract and blockchain app auditor market. This report is published for the first time and is not affiliated with any specific vendor. The DSA expert team has performed an in-depth analysis of the blockchain security providers in the market. For that, a methodology was developed, and specific criteria were selected. The data provided in the report are current as of January 2023.
Contents
The main criteria for auditor review
1
Trustworthiness
At this point, we analyze the team, key players, as well as the experience of the company in the field.
2
Media Presence
In this paragraph, we analyze the social networks of the project, the engagement rate, and media publications.
3
Speed and service
In this paragraph, we analyze the speed of the audit as well as the speed of the team's response to the request.
4
Expertise
At this point, we analyze the company's experience with different networks, technological advancements, as well as additional services.
5
Price
In this paragraph, we analyze prices and additional services (we send the same sample contract to every auditor), sales, promo offers, bonuses, discounts, and legal transparency.
6
Quality
In this paragraph, we analyze audit quality, report analysis, and user experience.
Categories and sub-categories
6 categories are present in the review and each may be divided into sub-categories. Each category is evaluated to receive from 1 to 10 points. The same rule applies to each sub-category and the arithmetic mean value of the sub-categories will become a result of the main category. The main result will be calculated in the same manner.
Trustworthiness
  • Team members' separate experiences in the field
  • Current team’s experience in the field
  • Company experience (years of service, date of the first audit)
Media Presence
  • Social media (engagement rate, further – ER)
  • Media publications
Speed
  • Audit speed
  • First response speed (from a real person)
  • Follow-up response speed
Expertise
  • What blockchains does the company audit (rare chains and languages get an additional point)
  • Technological advancements (developments, tools, automated tools)
  • Services (KYC, Incident research, marketing)
Price
  • Prices and additional services (We send the same sample contract to every auditor)
  • Sales, promo offers, bonuses, discounts
  • Legal transparency
Quality
  • Audit quality, report analysis
  • User experience

Detailed analysis


Trustworthiness

Average score 10/10

1

Team members' separate experiences in the field

The leadership team consists of 15 members. Here are several of them:
Zhong Shao - Co-founder, Professor of Computer Science at Yale University
Ronghui Gu - Co-Founder, CS Professor at Columbia University
Yaxin Cao - COO
Kang Li - CTO

Each member of the leadership team possesses considerable experience of over 7 years in their respective fields. Certain members have degrees in their fields and some are professors in Ivy League schools (Yale University, Columbia University), as well as the University of Georgia and other schools.
2
Current team’s experience in the field
Aside from the key team members (CEO, CTO, COO, etc), the LinkedIn page of the company offers a list of 242 other employees.
The staff includes technical specialists, auditors, HR specialists, hiring experts, and marketing.
3
Company experience (years of service, date of the first audit)
According to the LinkedIn page, the company was founded in 2018. Because of the large number of audited projects (~3500), it’s hard to pinpoint the exact date of the first audit. However, given the trust that the company has earned from the community, we can assume that the first audit was performed around the founding date.
The Security Leaderboard provides solid proof of all audited projects and is updated regularly with new reports and audits.

Media presence

Average score 9,75/10

1

Social Media

Twitter has an overall low engagement rating; however, it has a large number of subscribers, with well-known projects and influencers among them. For instance, OKX Exchange, Cointelegraph, Michael Arrington and others are all subscribed to the Certik Twitter account. New tweets are posted regularly and contain information about finished audits with descriptions of projects, as well as partnership news, security news of attacks on projects, and articles related to matters of security.

In the Security Leaderboard Twitter account, the engagement rating is also low, but the page contains a lot of useful information and educational content, as well as announcements of AMAs and their transcriptions.

The Certik Alert Twitter account has a high engagement rating, especially compared to similar accounts from other projects. The website itself is a system that alerts users of hacker attacks, rug pulls, and other security incidents. The posts are regular, with detailed descriptions of attacked projects. Famous projects and people are also among subscribers to this account: Wu Blockchain, Andrew Kang, etc.

The TG chat is very active. Users communicate with each other and the admins. The admins respond quickly and provide accurate, quality information. Announcements and news are also published in the chat.

LinkedIn has a large number of subscribers especially compared to similar projects. The page provides updates regarding the company and its events, as well as partnership announcements, and other related news.

Discord channel provides a convenient and easy-to-navigate list of thematic chats. Users communicate among themselves and with the admins. The channel is active.
The admins respond quickly and provide accurate, quality information. Announcements and news are also published in the respective chat.

The YouTube channel is regularly updated with new videos regarding security, education, and the history of blockchain. Typically, videos don’t go past 1000 views, but the most popular reach 10k or even 100k views.
2
Media publications
The company regularly publishes articles from its representatives and the project is often mentioned in the top online media such as Coindesk, The Times, The Washington Post, The Wall Street Journal, Cointelegraph, Forbes, etc.

Speed

Average score 8,66/10

1

Audit Speed

An audit takes approximately 15 workdays.
2
First response speed
We contacted the company via the website form. Within 10 minutes, a response was received with an offer to chat via Telegram for more convenience.
3
Follow-up response speed
After being contacted via Telegram, the manager responded within 2 hours.

Expertise

Average score 8,3/10

1

What blockchains does the company audit

Officially, the company works with projects in the following chains:
BNBChain/ Polygon/ Ethereum/ Avalanche/ Fantom/ Solana/ Polkadot/ Arbitrum/ Near/ Tron/ Cosmos/ Harmony/ Algorand/ Cronos/ Cardano/ Terra/ Aptos/ Ferrum/ IoTeX/ TON/ Optimism

As can be seen in this impressive list, the company works with both EVM and non-EVM chains.
Aside from Solidity and Rust, Certik takes on projects in the Cosmos network on Cosmos SDK written in the Go language. The company audits projects in Polygon on both Golang and Vyper. Regarding stack technologies, the company seems to have no flaws.

2
Technological advancements
Certik offers a list of products, all presented on its website:

Skynet - Powering on-chain security monitoring and data insights for smart contracts.

Skytrace - An intelligent wallet tracing and visualization tool to help users access security insights and follow the flow of funds.

Incident Response - Rapid response for security incidents

Formal Verification for Web3 Security - A tool that helps to mathematically prove that users’ smart contracts and blockchain protocols work as intended.
3
Services
The company offers auditing services as well as the following:
KYC, Penetration Testing, Bug Bounty

Prices and additional services

Average score 6,76/10

1

Audit prices, affordability

The price for an audit of our test project is $60k. Compared to other similar companies, this price is high.
2
Sales, promo offers, bonuses, discounts
During communication with the team, no discounts were offered. In addition to the audit report, clients receive their own security profile at certik.com that they can use for marketing even during the audit process. After the audit is complete, Certik tweets the news in their account.
3
Legal transparency
The company offers a legal agreement. Payment can be transferred via a bank transaction, invoice, fiat, or other methods on demand.

Quality

Average score 10/10

1

Audit quality, report analysis

  • Issue description (thoroughness, code examples): YES

  • Project description and contracts (what do they do): YES

  • Conclusions (automatically generated vs written by specialists): YES

  • Recommendations: YES

  • Manual audits (a large number of automatically generated audits is a disadvantage): YES
Certik appears in the rug list. Some audited projects have been hacked and the company received quite a lot of negative feedback regarding the quality of their services, due to a large number of performed audits.
2
User Experience
Users can request the price through a form on the website or directly from the manager in Telegram. An option to contact the company directly is useful, especially if a client wants to ask a question prior to placing an order.
The form on the website is convenient and doesn’t require unnecessary information that could potentially confuse a client and turn them away.

Additional Information

Post-audit hacks and attacks
All information is gathered from open sources. Consider that because the company is well-known and audits large, notable projects, the possibility of a hack is increased compared to smaller projects. We are reviewing only the attacks that resulted in the loss of over $100k.

The amount of the lost funds - $15,275,000

Final Score

Considering the results presented in every category, the following points have been assigned:
  • 10/10 Trustworthiness
  • 9,75/10 Media presence
  • 8,66/10 Speed
  • 8,3/10 Expertise
  • 6,76/10 Prices and additional services
  • 10/10 Quality
The Final Score:
8,92/10
This is an analytical report in a series of reports on the smart contract and blockchain apps auditor market. Presented to you by DSA, it offers guaranteed impartial and factual information on the most well-known, new, and obscure players.