The computer scientist who hunts for costly bugs in crypto code

The computer scientist who hunts for costly bugs in crypto code thumbnail

In the spring of 2022, before some of the most volatile events to hit the crypto world last year, an NFT artist named Micah Johnson set out to hold a new auction of his drawings. Johnson is well-known in crypto circles for images featuring his character Aku (a young Black boy who dreams about becoming an astronaut). The new release was met with great interest by collectors. On the day of the auction, they spent $34 million on the NFTs.

Then tragedy struck or, depending on your point, comedy. Johnson’s software team had written “smart contracts” code to run the crypto auction. However, it contained a critical flaw. All $34 million worth of Johnson’s sales was locked on the Ethereum blockchain. Johnson could not withdraw the funds and he couldn’t refund money to those who bid on an NFT, but lost their auction. They said that the virtual money was “locked on chain” and had been frozen.

Johnson might wish he’d hired Ronghui Gu.

Gu is cofounder of CertiK. This company is the largest smart-contract auditor in the unpredictable and fizzy world of cryptocurrencies. An affable and talkative computer science professor at Columbia University, Gu leads a team of more than 250 that pores over crypto code to try to make sure it isn’t filled with bugs.

CertiK won’t stop you from losing your money if a cryptocurrency crashes. It will not stop a cryptocurrency exchange from using your funds in an inappropriate way. It could prevent irreparable damage from an unresolved software problem. Some of the biggest crypto players, such as the Bored Ape Yacht Club or the Ronin Network, which operates a blockchain that is used in games, are among the clients of the company. Gu is often approached by clients who have lost hundreds of millions and want to prevent it from happening again.

This is a wild world,” Gu laughs.

Crypto is more difficult than traditional software. Silicon Valley engineers try to make their programs bug-free before they ship. However, if there is a problem or bug, the code can still be updated.

This is not possible with many cryptocurrency projects. They use smart contracts, which are computer code that governs transactions. A smart contract can be programmed to send the NFT token to you automatically once the money has arrived in the artist’s bank account. It is impossible to update smart-contract code once it is live on a blockchain. It’s too late to fix a bug. The whole point of blockchains are that you can’t change what’s been written to them. Worse, any code stored on a blockchain can be viewed publicly so that hackers can look for flaws and exploit them. The sheer number of hacks available is staggering and they are extremely lucrative. Early last year, the Wormhole network had more than $320 million worth of crypto stolen. Then the Ronin Network lost upwards of $600 million in crypto.

“The most expensive hack in history,” Gu says, shaking his head in near disbelief. “They say Web3 is eating the world–but hackers are eating Web3.”

A bustling field of auditors has emerged in recent years, and Gu’s CertiK is the biggest: the company, which has been valued at $2 billion, figures it has done an estimated 70% of all smart-contract audits. It also has a system that monitors smart contract to detect if they are being hacked.

Not bad for someone who came across the field by accident. Gu didn’t start in crypto. He did his PhD in verifiable and provable software to explore ways to write code that behaves mathematically predictable. But this subject turned out to be highly applicable to the unforgiving world of smart contracts; he cofounded CertiK with his PhD supervisor in 2018. Gu now works in both academia and crypto. Gu still teaches Columbia courses in compilers and formal verification of software system software. He also manages several grad students, one of whom is researching compilers of quantum computing. While he travels to Davos, Morgan Stanley events and Davos, he wears his black shirt and jacket as a way to convince financial and crypto leaders to take blockchain hacks seriously. Crypto is known for its boom-bust cycles. The November collapse of the FTX exchange was just one example. Gu believes that he will have to work for many years. Mainstream companies like banks and “a major search engine”, Gu says, are now launching their own blockchain products and hiring CertiK as a support team. It’ll attract more hackers, including those from the nation-state, if established businesses push more code onto blockchains. “The threats we have been facing,” he says, “are more and more tough.”

Read More