The computer scientist who hunts for costly bugs in crypto code
In the spring of 2022, before some of the most volatile events to hit the crypto world last year, an NFT artist named Micah Johnson set out to hold a new auction of his drawings. Johnson is well known in crypto circles for images featuring his character Aku, a young Black boy who dreams of being an astronaut. Collectors lined up for the new release. On the day of the auction, they spent $34 million on the NFTs.
Then tragedy (or, depending on your point of view, comedy) struck. The “smart contract” code that Johnson’s software team wrote to run the crypto auction contained a critical bug. All $34 million worth of Johnson’s sales was locked on the Ethereum blockchain. Johnson couldn’t withdraw the funds; nor could he refund money to people who’d bid on an NFT but lost their auction. The virtual money was frozen, untouchable—“locked on chain,” as they say.
Johnson might wish he’d hired Ronghui Gu.
Gu is the cofounder of CertiK, the largest smart-contract auditor in the fizzy and unpredictable world of cryptocurrencies and Web3. An affable and talkative computer science professor at Columbia University, Gu leads a team of more than 250 that pores over crypto code to try to make sure it isn’t filled with bugs.
CertiK’s work won’t prevent you from losing your money when a cryptocurrency collapses. Nor will it stop a crypto exchange from using your funds inappropriately. But it could help prevent an overlooked software issue from doing irreparable damage. The company’s clients include some of crypto’s biggest players, like the Bored Ape Yacht Club and the Ronin Network, which runs a blockchain used in games. Clients sometimes come to Gu after they’ve lost hundreds of millions—hoping he can make sure it doesn’t happen again.
“This is a real wild world,” Gu says with a laugh.
Crypto code is much more unforgiving than traditional software. Silicon Valley engineers generally try to make their programs as bug-free as possible before they ship, but if a problem or bug is later found, the code can be updated.
That’s not possible with many crypto projects. They run using smart contracts—computer code that governs the transactions. (Say you want to pay an artist 1 ETH for an NFT; a smart contract can be coded to automatically send you the NFT token once the money arrives in the artist’s wallet.) The thing is, once smart-contract code is live on a blockchain, you can’t update it. If you discover a bug, it’s too late: the whole point of blockchains is that you can’t alter stuff that’s been written to them. Worse, code that’s hosted on a blockchain is publicly visible—so black-hat hackers can study it at their leisure and look for mistakes to exploit.
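As an added illustration (not the article's contract, and not Johnson's actual bug, which the piece does not describe), the constructed Solidity auction below shows one way an unpatchable contract can leave every participant's ether locked on chain, beside the pull-payment design auditors look for instead; the contract and function names are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Constructed illustration (assumed design, not the contract from the article).
// Neither contract can be patched once deployed, so a settlement flaw is permanent.
// Push refunds: one loop sends every refund, so a single recipient that refuses
// ether (e.g. a contract with no payable fallback) reverts the whole call and
// leaves every refund and the seller's proceeds locked on chain.
contract LockingAuction {
    address public immutable seller = msg.sender;
    address[] public bidders;
    mapping(address => uint256) public bids;
    bool public ended;
    function bid() external payable {
        require(!ended, "auction over");
        if (bids[msg.sender] == 0) bidders.push(msg.sender);
        bids[msg.sender] += msg.value;
    }
    function settle(address winner) external {
        require(msg.sender == seller && !ended, "not allowed");
        ended = true;
        for (uint256 i = 0; i < bidders.length; i++) {
            // one failing transfer reverts the entire settlement, forever
            if (bidders[i] != winner) payable(bidders[i]).transfer(bids[bidders[i]]);
        }
        payable(seller).transfer(bids[winner]);
    }
}

// Pull payments: settle() only records who is owed what; each party withdraws
// on its own, so a recipient that cannot take ether blocks only itself.
contract PullAuction {
    address public immutable seller = msg.sender;
    mapping(address => uint256) public owed;
    bool public ended;
    function bid() external payable {
        require(!ended, "auction over");
        owed[msg.sender] += msg.value; // refundable in full until settlement
    }
    function settle(address winner) external {
        require(msg.sender == seller && !ended, "not allowed");
        ended = true;
        owed[seller] += owed[winner]; // winning bid becomes the seller's proceeds
        owed[winner] = 0;
    }
    function withdraw() external {
        require(ended, "not settled");
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0; // zero before sending: checks-effects-interactions
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
    }
}
```

Because the first contract's only exit path is all-or-nothing, a single bidder address that cannot receive ether is enough to freeze the seller's proceeds and every other refund, with no way to ship a fix afterwards.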
The sheer number of hacks is dizzying, and they are wildly lucrative. Early last year, the Wormhole network had more than $320 million worth of crypto stolen. Then the Ronin Network lost upwards of $600 million in crypto.
“The most expensive hack in history,” Gu says, shaking his head in near disbelief. “They say Web3 is eating the world—but hackers are eating Web3.”
A bustling field of auditors has emerged in recent years, and Gu’s CertiK is the biggest: the company, which has been valued at $2 billion, estimates it has done about 70% of all smart-contract audits. It also runs a system that monitors smart contracts to detect in real time whether any are being hacked.
Not bad for someone who stumbled into the field sideways. Gu didn’t start off in crypto; he did his PhD in provable and verifiable software, exploring ways to write code that behaves in a mathematically predictable fashion. But this subject turned out to be highly applicable to the unforgiving world of smart contracts; he cofounded CertiK with his PhD supervisor in 2018. Gu now straddles the worlds of academia and crypto. He still teaches Columbia courses on compilers and the formal verification of system software, and manages several grad students (one of whom is researching compilers for quantum computing)—while also jetting around to Davos and Morgan Stanley events, clad in his habitual black shirt and black jacket as he attempts to convince crypto and financial bigwigs to take blockchain hacks seriously.
Crypto famously runs in boom-bust cycles; the collapse of the FTX exchange in November was just a recent blow. Gu, however, believes he’ll have work to do for years to come. Mainstream firms like banks and, he says, “a major search engine” are beginning to launch their own blockchain products and hiring CertiK to help keep their ships tight. If established businesses start pushing more code onto blockchains, it’ll attract ever more hackers, including nation-state actors. “The threats we have been facing,” he says, “are more and more tough.”