On March 18, CertiK conducted an AMA with Berry Data on their Telegram channel. Berry Data is currently undergoing a CertiK audit and we took this opportunity to introduce ourselves to the fast-growing Berry community.
CertiK is a leading global blockchain security company, founded by computer science professors from Yale and Columbia Universities. By leveraging cutting-edge technology and expertise, CertiK has performed more than 400 audits and secured over $10 billion in digital asset value.
CertiK provides end-to-end solutions across the lifecycle of blockchain projects, including formal verification, code security audits, penetration testing, on-chain risk monitoring, and reimbursement protocols for lost or stolen assets.
We have audited some top DeFi projects such as AAVE, Bancor, Ampleforth, Swipe, and more.
About Berry Data
Berry Data operates a community-verified price oracle network on Binance Smart Chain. This network provides price data to any dApp on BSC.
Berry Data makes use of crypto-economic incentives and penalties to ensure the quality of data published to the chain. Miners must stake a minimum of 1,000 BRY tokens as collateral which can be slashed if they provide incorrect data.
BRY token holders can dispute data that miners provide. As such, holders play an important role in maintaining the integrity of the Berry ecosystem.
Aaron and Candice from CertiK joined Berry Data’s Telegram channel to answer questions from the Berry team and community.
Aaron: Hi! My name is Aaron Leibowitz, I’ve been in the blockchain space since 2013. I founded one of the first clubs in the Blockchain Education Network in 2014 at Tulane University. Since then I’ve worked across the industry and now I am a Product Manager on the CertiK team.
Candice: Hi everyone, Candice here! I am currently working for CertiK as a marketing director in Asia. I graduated from Peking University and Cornell University, majoring in advertising. My career in blockchain started back in 2018. Prior to joining CertiK, I worked as a marketing manager in a BaaS company. I’m very excited to be here to tell you more about CertiK! Thanks Berry Data for having us!
Q: I believe most of our community members know CertiK as a top auditing firm. Could you tell us what are CertiK’s biggest accomplishments in 2020? Any breakthroughs?
Candice: Thank you! CertiK made some fantastic advancements in 2020.
Let’s dive into securing the DeFi space. We audited many new projects in 2020 including some top DeFi projects such as AAVE, Bancor, Ampleforth, Swipe, and more.
Beyond auditing projects we’ve also made great strides in the wallet security space. In 2020 CertiK worked with dozens of wallets including MYKEY and Shapeshift.
Overall, CertiK worked with over 150 companies in 2020 and has launched multiple new products improving blockchain security across the industry. CertiK has also expanded in the traditional technology sector and has made some great achievements in software security.
Our CTK token was also listed on Binance in 2020 which was another great milestone for us.
Q: As you just mentioned, CertiK has performed many audits of great blockchain projects. Where can we find the list of projects CertiK has audited? Could you explain your auditing process?
Candice: We pride ourselves on transparency and in that spirit we launched our Security Leaderboard. On Certik.org you can see a list of all projects that we’ve worked with, their audit reports, security scores, active shields, and Skynet.
Our audit process includes manual code review, penetration testing, business logic testing, and much more. The audit process includes planning, execution, assessment, and reporting from the initial planning to the post-review phase.
Q: You mentioned some other products that you’ve launched this year. Can you tell us more about those?
Aaron: Absolutely, thanks for picking up on that! We’ve launched 2 new products in the last year. First is our Skynet toolchain. Second is CertiKShield.
Skynet is a unified set of security tool chains that leverages automated technologies to check deployed smart contracts against a wide range of known vulnerabilities at scale.
CertiKShield is digital asset reimbursement protection to mitigate risk in the event of asset theft or loss due to smart contract failure. What this means is that token holders of any onboarded token can go to the CertiK wallet and purchase protection for themselves. In the event of asset loss, the Shield purchaser would submit a claim for reimbursement.
Q: When a member faces a loss through a malfunctioning contract, and wants a reimbursement, they have to submit a Claim. If this member is non-technical, how can they put up a substantiated claim without having any knowledge of why this loss occurred? Won’t it result in an easy rejection of the claim?
Aaron: Claim Proposals do not require details of how the losses occur — the Security Council is intended to conduct investigations to determine the sources. Instead, the Claim Proposal must demonstrate the evidence of a loss. For instance, the Claim Proposal may provide a blockchain explorer link that evidences crypto was transferred away from the Shielded address to a known hacker wallet.
Additionally, CertiK’s team of security experts provides a full and impartial review of the facts of each Claim Proposal. The Security Council has this report at their disposal when deciding on a claim.
Q: Can you tell us more about Terminators? I mean Skynet. What exactly is it used for?
Aaron: LOL! Yes we can.
So audits are static — they’re a snapshot at a point in time of the code. Smart contracts are constantly updated meaning that while the audit was useful and important — it is not necessarily reflective of the deployed code. As a result of this, we realized that we needed to build something that could constantly monitor deployed contracts. In comes Skynet — a unified set of security tools that monitor, analyze, score, and push on chain smart contract scoring.
Q: The transparent nature of blockchain has inadvertently created an environment that is rife with exploitation. Can you share critical bugs and vulnerabilities and what we should keep in mind when deploying code?
Aaron: There are three types of major exploits common today: logic errors, flash loan or price oracle attacks, and rugpulls.
Logic errors are simply flaws in the underlying code, oftentimes these are not intentional though they can be devastating, as we saw last year with YAM finance. The idea is that even if the code is “grammatically correct” the logic doesn’t work so it leaves room to be exploited.
Flash loans allow hackers to initialize an attack without any starting capital. By utilising flash loans, hackers have made profits by manipulating the LP token price on decentralized exchanges which is determined via a price oracle.
Rugpulls are the most commonly seen exploits nowadays. This involves project owners intentionally invoking the explicit or implicit backdoor function of a smart contract to make off with their investors’ money.
When it comes to code deployment, we should pay particular attention to the following:
- Build projects with robust, widely adopted templates and third-party libraries, e.g. OpenZeppelin libraries
- Develop code within a local environment. The compiler version and unit tests must be checked and executed. The Truffle and Brownie frameworks are good choices for doing so
- Deploy code on testnet first with Remix, Truffle or another widely adopted deployment environment
- Be sure to review your code's functioning on testnet extensively before migrating your code to mainnet
Q: Thanks for those suggestions! For our community members who are not so technically savvy, are there ways to effectively prevent major exploits?
Candice: First, evaluate your risk preferences and financial capability before investing.
Second, do your own research on the project before investing. The Security Leaderboard is a great resource for this. Also, keep an eye on Twitter and Telegram channels to see if anyone has challenged the security of the contract. Listen to different voices from different sources, while thinking independently and actively identifying the truth of the news. Don’t follow the trend blindly simply because the project is popular or has a high token price.
And last but not least, the most straightforward method to ensure the security of your funds: Check if the project and its contracts have been audited by a professional security team.
Code auditing is now a must-have for high quality projects. It shows that they believe in their code and are willing to stake their reputation on it. If a project has not been audited, users need to be extra cautious about investing in it.
If the project has been audited, it is important to understand as much as possible about the background of the auditing firm and the indicators in their audit report, which include but are not limited to:
- The scope, methodology, and results of the security audit
- Are there any vulnerabilities or security risks in the contract? If so, you need to understand the severity of these issues and their potential impact
- The overall code quality of the contract
- The professionalism and independence of the audit firm
Social and contact:
Remember to check out CertiK’s social media and website:
🌏 Auditing and Pen test Website: https://certik.io/
🌐 Skynet & CertiKShield Website: https://certik.foundation/
🐦 Twitter: https://twitter.com/certik_io
🐦 Twitter: https://twitter.com/certikorg
💻 Github: https://github.com/CertiKProject
📚 Medium: https://medium.com/certik
✉️ Telegram: https://t.me/certikfoundation
Q: Hi, what would you say are the least obvious signs that a project is fake (is gonna rugpull), and did you ever have fake projects trying to get audited by you?
We have definitely had rugpulls request audits… It’s a tough question. The least obvious signal of rugpull? Being willing to pay for an expensive audit BUT after the audit swapping the code.
Q: In what ways do you think CERTIK contributes so that financial institutions can benefit from the advantages that DeFi offers?
Great question — Our security leaderboard (found at Certik.org) is super useful for anyone looking into projects we’ve worked with. We list all info including audit reports, skynet, shield info, warnings, etc.
Q: Are you coordinating with other sec. companies or competing against them?
We work with some other security firms especially on the education front. We host a weekly DeFi Security clubhouse with Halborn for example.
Q: On moving forward through your roadmap, what are your most important next priorities? Does the CERTIK team have enough fundamental (Funds, Community
Continue to secure the BSC ecosystem
Q: Hello, Skynet is automated technology for checking. Can you tell me how Skynet works? Is checking with Skynet really safe? What if you miss something? This is very dangerous.
Skynet monitors smart contracts against known vulnerabilities. As far as we know it’s not currently possible to automate security against unknown / novel attack vectors. Skynet should be used in conjunction with a formal, manual audit in order to aid with security. You are right it’s possible to miss something — no security solution is perfect.
So guys, we will pick what we thought were the best questions and reward those. I answered some questions that won't be picked.
That’s going to be it from us for now. Thank you so much to the Berry Data team for hosting us tonight!