h hoge.gg
Subscribe
BTC$67,432.18+2.34%ETH$3,521.44+1.08%SOL$178.62-0.62%BNB$612.30+0.41%XRP$0.6234-0.18%ADA$0.4521+3.12%DOGE$0.1623+1.86%AVAX$38.71-1.24%LINK$17.84+0.92%HOGE$0.00004120+4.21%
BTC$67,432.18+2.34%ETH$3,521.44+1.08%SOL$178.62-0.62%BNB$612.30+0.41%XRP$0.6234-0.18%ADA$0.4521+3.12%DOGE$0.1623+1.86%AVAX$38.71-1.24%LINK$17.84+0.92%HOGE$0.00004120+4.21%
● Security & Exploits

CertiK Explained: Crypto’s Top Auditor and Its Scandals

CertiK built Web3's most cited security audit brand on formal verification and scale. Its own record, from a Kraken bug bounty fight to auditing a sanctioned network's stablecoin, is far messier.

Every week, somewhere in Web3, a project holds up a security audit badge as proof that it can be trusted with other people’s money. More of those badges carry the name CertiK than any other firm. Since 2018, the company has built the closest thing crypto has to a household name in security, auditing everything from small token launches to entire Layer 1 blockchains, and attaching a public number, the Skynet Score, to how safe a protocol supposedly is.

CertiK’s own history complicates that pitch. This is a firm whose researchers were publicly accused of extortion by one of the world’s largest exchanges, whose own social media account was hijacked to push a wallet drainer, whose bug bounty subsidiary was accused of front running the very reports it was supposed to relay, and which spent early 2026 explaining why it had audited a stablecoin tied to a marketplace the US Treasury calls the largest illicit online marketplace ever recorded. Understanding what CertiK actually sells, how it built its dominance, and where it has stumbled is a useful lens on what a security audit in crypto can and cannot promise.

From Ivy League Research to Web3’s Biggest Auditor

CertiK was founded in 2018 in New York by Ronghui Gu, then an assistant professor of computer science at Columbia University, and Zhong Shao, a professor and chair of the computer science department at Yale. Their academic background was not in cryptocurrency; it was in formal verification, the discipline of mathematically proving that software does what it claims to do rather than merely testing it against sample inputs. Gu and Shao had spent years building CertiKOS, an operating system kernel whose core components were proven correct through mathematical proof rather than conventional testing alone.

They pointed that research at Ethereum smart contracts just as DeFi’s first wave of hacks was making headlines, and turned the pitch, mathematically verified code instead of just manually reviewed code, into a company. Binance was CertiK’s first outside investor and remains its largest backer today, a relationship that later became relevant to criticism of how the firm built its market position. CertiK went on to raise capital from Sequoia, Coinbase, SoftBank, Goldman Sachs, Tiger Global, Insight Partners and Advent International, culminating in an $88 million Series B3 round in 2022 that valued the company at $2 billion, according to The Block.

What CertiK Actually Sells

CertiK today is less a single audit shop than a bundle of security products sold across a project’s entire lifecycle, from pre-launch code review to ongoing monitoring after a token is already trading. The table below lists its main product lines.

ProductWhat It DoesNotable Detail
Smart Contract AuditManual and automated review of a contract’s code before or after launchPriced from roughly $10,000 for simple contracts to $300,000 or more for full Layer 1 engagements
L1 Chain AuditSecurity review of an entire blockchain’s core protocol and client softwareCovers consensus, networking and validator software rather than a single contract
Skynet Score and LeaderboardsAutomated, continuously updated security and risk score published on public leaderboardsCovers thousands of projects; used by some exchanges and investors as a quick reference
KYC VerificationLive video identity verification of a project’s team membersMarketed as a deterrent to anonymous rug pulls; a separate product from the audit itself
Bug Bounty (OpenBounty)Vulnerability disclosure and bounty payout platform run through CertiK’s Shentu subsidiaryAccused in 2024 of relaying other platforms’ bug reports without authorization
AI AuditorAI powered tool for pre-deployment code review and upgrade diffingLaunched April 2026; CertiK says it identified the root cause in 88.6% of a 35 incident test set
Skill ScannerSecurity screening for plugins and tools used by autonomous AI coding agentsCertiK’s newest line, extending audit expertise into AI agent security

Pricing for the core audit product reportedly ranges from roughly $10,000 for a simple, single purpose contract to more than $300,000 for a full Layer 1 blockchain engagement, reflecting the size and complexity of the codebase rather than a flat fee. That range, and the sheer volume of engagements CertiK runs through it, is why the firm can plausibly claim to have audited code that now secures somewhere near $600 billion in on-chain value across more than 5,000 clients, per The Block’s reporting on the company’s IPO ambitions. Its L1 Chain Audit line alone has covered nearly a dozen layer 1 blockchains, along with staking and validator infrastructure well beyond the token contracts most people associate with a CertiK report, the kind of plumbing covered in our explainer on Ethereum solo staking.

The Formal Verification Pitch: DeepSEA and Mathematical Proof

The technical idea that separates CertiK’s marketing from a typical manual audit shop is DeepSEA, a programming language and compiler the company built specifically for writing smart contracts that can be formally verified. A contract written in DeepSEA compiles down to deployable bytecode while simultaneously producing a representation that can be loaded into Coq, an academic proof assistant used to check mathematical proofs step by step. In principle, that lets an auditor prove a contract’s logic exactly matches its specification, instead of simply checking that it behaves correctly against a finite list of test cases.

In practice, formal verification is only as good as the specification it is checked against, and most of what CertiK actually delivers, even on engagements that reference formal methods, still leans on the same tools the rest of the industry uses: static analysis, fuzzing and manual review by human auditors reading code line by line. Formal verification is genuinely powerful for isolated, well-specified logic, a token transfer function, a fixed point math library, and far less useful against the economic design flaws, oracle assumptions and governance mistakes that have caused most of the largest losses in DeFi, the same category of failure our guide to how DeFi’s price feeds get attacked covers in detail. A mathematically flawless proof that a contract does exactly what its specification says is worthless if the specification itself quietly assumes an oracle cannot be manipulated or an admin key will never be misused.

How Big Is CertiK, Really?

CertiK is not the only firm selling security to crypto projects, but by volume it is the biggest by most measures. The table below places it alongside the other names that exchanges, DeFi protocols and investors cite most often.

FirmFoundedBest Known ForMarket Tier
CertiK2018Largest audit volume; formal verification pedigree; Skynet scoringRoughly $10,000 to $300,000+ per audit
OpenZeppelin2015Contract libraries used by Aave, Uniswap and CompoundTop tier, enterprise pricing
Trail of Bits2012Cryptography and zero knowledge audits; open source tools like SlitherTop tier, enterprise pricing
Certora2018Formal verification through the Certora ProverTop tier, enterprise pricing
Halborn2019Offensive security, incident response and auditsRoughly $25,000 to $150,000+
Consensys DiligencePart of ConsenSys, est. 2014EVM and DeFi audits tied to the MetaMask ecosystemTop tier, enterprise pricing
Zellic2021Solana and Rust focused auditsRoughly $20,000 to $100,000+

Being the biggest is partly a function of being early to combine an academic pedigree with an aggressive sales motion, and partly a function of that early Binance investment: exchanges routinely require projects to secure an audit from a small list of approved firms before listing a token, and CertiK’s name has sat on that list for years. A pseudonymous security researcher who goes by PopPunkOnChain told The Defiant that most of CertiK’s audits are of tokens with only a few lines of code, and that the badge still sells regardless because so many companies simply need what he called the CertiK seal of approval to get listed on major exchanges.

Audited, Then Drained: When the Badge Was Not Enough

For a company whose entire business rests on trust, CertiK has spent a remarkable share of the last five years explaining itself. The table below is a quick timeline of its highest profile incidents; this section and the two after it go through each in more detail.

WhenIncidentOutcome
March 2021Meerkat Finance (BSC) rug pull, about $31 millionCertiK joined PeckShield and SlowMist investigating after the fact; funds were later returned
April 2023Merlin (zkSync) exploit, about $1.8 millionExploit involved an issue CertiK’s audit had marked as resolved
May 2023Swaprum (Arbitrum) rug pull, about $3 millionCertiK says a malicious contract replaced the audited one after launch via a flagged proxy risk
January 2024CertiK’s own X account hijackedUsed to push a wallet drainer; company says it responded within about 14 minutes
June 2024Kraken bug bounty dispute, about $3 millionKraken alleged extortion; CertiK returned the funds within about two weeks
June 2024OpenBounty front running allegationsCertiK’s Shentu subsidiary accused of relaying other platforms’ bug reports without authorization
2025 to 2026Huione and USDH stablecoin audit backlashCertiK donated the fee to charity and tightened KYC after the audit lent credibility to a sanctioned network’s stablecoin
January to February 2026Davos IPO comments, then a walk backGu floated a Web3 security IPO, then called it no concrete plan

CertiK’s history with rug pulls and post-launch exploits goes back to some of DeFi’s earliest cautionary tales. In March 2021, a Binance Smart Chain yield farm called Meerkat Finance lost about $31 million a single day after launch, in what its developers later described, not very convincingly, as a test of user greed rather than a genuine theft. Binance said at the time it was working with CertiK, alongside PeckShield and SlowMist, to investigate, according to The Block. That episode was forensics after the fact rather than a failed pre-launch audit, but it set a pattern CertiK would face again and again over the following years: its name attached, one way or another, to a project’s worst day.

CertiK’s most common category of criticism since then is the oldest one in the audit business: a project it actually did review in advance gets exploited anyway. In April 2023, a decentralized exchange called Merlin on zkSync Era was drained of roughly $1.8 million in an exploit tied to an issue CertiK’s own audit had marked as resolved. A month later, in May 2023, an Arbitrum based exchange called Swaprum lost around $3 million when its deployer swapped the audited contract for an entirely different, unaudited one through an upgradeable proxy, according to DL News.

CertiK’s defense in the Swaprum case has some merit: the firm said it never audited the malicious code because that code did not exist at audit time, and that the proxy upgradability which enabled the swap was itself a finding it had flagged in advance. That is also the audit industry’s broader, uncomfortable answer to the question of how an audited project gets hacked anyway: an audit is a snapshot of a specific commit at a specific time, not a guarantee about every future upgrade, every admin key or every economic assumption behind the code. It is the same lesson that keeps repeating across DeFi, including in the oracle price feed attacks covered in our guide to how DeFi’s price feeds get attacked, where contracts that had passed multiple audits were still drained through assumptions no auditor was ever asked to test.

The OpenBounty Affair: Front Running Its Own Industry

In June 2024, a security researcher using the handle h0wlu found that OpenBounty, a bug bounty platform run by Shentu (the rebranded successor to CertiK Chain, a blockchain project also co-founded by Gu and Shao), was not simply aggregating publicly posted bounties the way it appeared to. Bug reports submitted through OpenBounty for protocols including Uniswap and Compound were routed through infrastructure hosted on a subdomain with certik in its name before ever reaching the protocols themselves, according to Protos. Immunefi, the bug bounty platform whose listings OpenBounty had been mirroring, said publicly it had no partnership or affiliation with OpenBounty or Shentu and urged researchers to submit directly through Immunefi instead.

The arrangement meant a company in CertiK’s own corporate family could see details of unpatched vulnerabilities in other companies’ code before those companies had a chance to fix them, a serious breach of the basic etiquette of responsible disclosure. CertiK removed blog posts referencing OpenBounty and moved its reporting infrastructure off a CertiK branded domain after the story broke. Separately, some project teams have accused CertiK of using Skynet, its scoring product, to mark down protocols that decline to pay for a CertiK audit or KYC check, though CertiK has never publicly confirmed such a practice.

When the Auditor Gets Hacked

On January 5, 2024, CertiK’s own X account, verified and followed by hundreds of thousands of accounts, was hijacked and used to push a cryptocurrency wallet drainer. The attacker got in through social engineering: a dormant account previously associated with a well-known media outlet sent a CertiK employee what looked like a routine meeting link, which was in fact a credential stealing page, according to BleepingComputer. Posts from the hijacked account falsely claimed Uniswap’s router contract had been compromised and urged holders to revoke token approvals through a link that led to a fake clone of the Revoke.cash interface, a classic wallet draining setup.

CertiK has said it detected and removed the posts within roughly fourteen minutes, a genuinely fast response by industry standards. But the irony was hard to miss: the company whose entire business is telling other people their software is secure had just been compromised by one of the oldest tricks in social engineering, a fake calendar invite.

The Kraken Standoff: Bug Bounty or Extortion?

The most publicized CertiK controversy began on June 9, 2024, when researchers working for CertiK reported a vulnerability through Kraken’s bug bounty program. The bug let a user trigger a deposit credit to their Kraken account without ever completing the underlying transfer, effectively minting balance out of thin air, according to CoinDesk. Rather than stopping at a proof of concept, CertiK’s researchers used the bug repeatedly over several days, ultimately withdrawing close to $3 million from Kraken’s own treasury, not customer funds, Kraken was careful to note.

Kraken’s chief security officer, Nick Percoco, went public on June 19, accusing the researchers of holding the funds hostage: they would not return the money, he said, until Kraken specified what the bounty payout would be, and would only negotiate through the company’s business development team. “This is not white-hat hacking, it is extortion!” Percoco wrote. CertiK’s own account of events framed it differently: the firm said its research team was testing three specific questions, whether an attacker could forge a deposit, whether they could withdraw the forged funds, and what controls would catch a large suspicious withdrawal, and that Kraken triggered no internal alarms for days while insisting CertiK repay a dollar figure that did not match what had actually been withdrawn.

Whatever the intent, CertiK returned the funds by June 20, minus a small amount lost to transaction fees; Kraken redistributed the roughly $2.9 million it recovered to affected users through a token airdrop. The episode also revealed that CertiK had briefly routed some of the withdrawn funds through Tornado Cash, the sanctioned mixing service, which did little to help its case in the court of public opinion. Michael Perklin, former chief information security officer at ShapeShift, summed up the reaction from much of the security community when he told The Defiant: “I’d never hire a security company that did this. Extortion is a bad look.” The saga crystallized a tension that has simmered in crypto’s bug bounty culture for years: when a researcher moves real funds to prove a vulnerability is real, at what point does proof of concept become theft, and who gets to decide the price of a disclosure the finder was never obligated to make in the first place?

The Huione Problem: Auditing a Sanctioned Network’s Stablecoin

CertiK’s most consequential controversy to date involves a stablecoin called USDH, issued by Huione Group. Huione is a Cambodia linked conglomerate whose Telegram based marketplace, Huione Guarantee, was identified by blockchain intelligence firm Elliptic as the largest illicit online marketplace ever recorded, with at least $24 billion in transactions tied to vendors selling stolen data, scam infrastructure and money laundering services to operators of so called pig butchering romance scams, per Elliptic’s research. The US Treasury’s Financial Crimes Enforcement Network later formally designated Huione Group a foreign financial institution of primary money laundering concern, citing at least $4 billion in identified illicit proceeds laundered through Huione entities between August 2021 and January 2025, and cut the group off from the US financial system in a final rule that took effect on November 17, 2025.

CertiK conducted a smart contract audit of USDH after being approached, according to Gu, by a third party that did not disclose its ties to Huione. The audit found twelve issues, three of them serious, centered on the token’s centralization, and rated the code below 30 out of 100 on CertiK’s own security scoring scale, yet the completed audit still let Huione point to a CertiK report as a credibility signal for the token, according to Cryptopolitan. Gu later acknowledged the firm should have done more, telling CoinDesk: “we agree that deeper due diligence and extra alerts would’ve helped,” describing the episode as a wake-up call rather than a reputational endgame.

In response, CertiK said it donated the audit fee to charity, tightened its KYC procedures and began working with outside compliance providers to screen clients before accepting new engagements. Whether that is sufficient is a fair question: an audit firm’s entire value proposition rests on knowing, and disclosing, who it is actually working for. A client who lies about its ownership structure can turn even a technically competent audit into a laundering tool for legitimacy rather than a safeguard for users.

IPO Ambitions and the Institutionalization of Web3 Security

Weeks before the Huione story broke into wider view, Gu used the World Economic Forum’s January 2026 meeting in Davos to float the idea that CertiK could become the first publicly listed Web3 native cybersecurity company. By February, speaking to CoinDesk, he was walking that framing back to “no concrete plan,” while confirming the company had raised more than $240 million and had received several inbound requests from investors interested in a future listing.

CertiK’s most recent priced valuation remains the $2 billion mark set in its 2022 Series B3 round, though Gu has said valuation frameworks for Web3 native companies are still unsettled and that CertiK may add one or two more strategic investors before any listing, per The Block. Binance, CertiK’s first outside investor and still its largest backer, recently made a further eight figure investment alongside a partnership with YZi Labs, the family office tied to Binance co-founder Changpeng Zhao. An IPO would put CertiK’s books, and its incentive structure, on public record in a way that has never applied to a private security vendor whose reports move markets and unlock exchange listings.

Hack3D: CertiK’s Role as Web3’s Data Bureau

Whatever the criticism of its audits, CertiK’s periodic Hack3D reports have become one of the industry’s standard references for how much money crypto loses to hacks, scams and exploits, cited by outlets and researchers well beyond CertiK’s own marketing. The H1 2026 edition put total losses at more than $1.31 billion across 344 incidents, or roughly $1.2 billion after accounting for funds that were frozen or clawed back, according to CertiK’s own release. On a headline basis that looked like an improvement on 2025, but adjusted for the roughly $1.5 billion Bybit theft that dominated the first half of last year, CertiK said losses were actually about 28 percent higher on a comparable basis.

The more interesting shift is in how the money disappeared. Wallet compromise, not smart contract bugs, was H1 2026’s most expensive category, responsible for more than $444 million across just 33 incidents, including the roughly $291 million Kelp DAO RPC compromise and the roughly $285 million Drift Protocol breach, both in April. Phishing came second, at about $366 million across 63 incidents. Other trackers slice the same period differently: TRM Labs puts H1 2026 losses closer to $972 million across 207 incidents, a reminder that even the firms whose job is counting the damage do not agree on the count, let alone the causes. What both agree on is the direction of travel: operational and human factors, not unaudited code, increasingly decide who gets robbed, which is a strange position for an industry to be in when audits remain the primary product it sells for trust.

Who Regulates the Auditors?

One reason CertiK can absorb the Kraken dispute, the OpenBounty allegations and the Huione fallout and keep operating largely as before is that, in the United States, nobody actually regulates smart contract auditors. There is no accreditation body that licenses firms to audit Solidity or Rust code, no license the SEC can suspend, and no rule requiring a project to disclose which of an audit’s recommendations it actually implemented. The SEC under Chair Paul Atkins has generally moved toward a lighter touch, through initiatives like Project Crypto and its Crypto Task Force, but that effort is aimed at clarifying which tokens count as securities in the first place, a question our explainer on the Howey test covers in more detail, not at setting standards for who gets to call themselves a Web3 security auditor.

The CLARITY Act, still moving through Congress and covered in our explainer on the bill, would redraw the jurisdictional lines between the SEC and the CFTC over digital assets, but even that legislation does not touch code review standards. In the absence of a licensing regime, the market has improvised its own accountability tools: CertiK’s competitors and critics publicize its misses, outlets like The Defiant keep a public scoreboard, and rivals such as Immunefi and Sherlock offer contest and bounty models that are at least partially insured against a bad outcome. None of that is a substitute for regulation, but reputation is, for now, the only enforcement mechanism this industry has.

The AI Frontier: CertiK’s Next Bet

CertiK’s newest pitch is that the skills it built auditing smart contracts translate directly to a bigger, scarier problem: autonomous AI agents that can read local files, call external tools and move money on a user’s behalf. In April 2026, the company opened public access to AI Auditor, a tool originally built for its own internal team that it says correctly identified the root cause in 88.6 percent of a test set of 35 real 2026 Web3 security incidents. It followed with Skill Scanner, aimed specifically at vetting the plugins and tool integrations that AI coding agents rely on.

Gu has been unusually blunt about the risk he sees in his own industry’s next phase. “Agents are no longer just answering questions in a chat window, they are beginning to call external tools, read local files, trigger workflows and interact with financial infrastructure,” he told CoinDesk in May 2026, warning that ungoverned deployment is “a massive security disaster waiting to happen” because, in his words, “it is even easier to scam the machine than it is to scam a human.” It is a notable admission from the head of a firm still explaining a stablecoin audit and a bug bounty fight of its own: CertiK is betting its next act on convincing the market that it, of all companies, should referee the next wave of autonomous systems. Projects experimenting with verifiable on-chain AI infrastructure, like the ones covered in our explainer on Ritual, are a preview of how high the stakes on that bet could get.

What CertiK’s Record Actually Means for Web3 Users

None of this means audits are worthless. Unaudited contracts fail far more often, and far worse, than audited ones, and CertiK’s Hack3D data set, whatever its precise numbers, exists because someone has to keep score. The honest reading is narrower: a CertiK badge, or any single audit badge, tells you a specific commit was reviewed by specific people using specific tools on a specific date. It does not tell you whether the client disclosed everything relevant, whether an admin key can later override every finding, whether the business behind the token is who it claims to be, or whether tomorrow’s upgrade will still resemble what was actually reviewed.

For a reader deciding whether to trust a project, it helps to treat an audit report the way a careful investor treats a credit rating: informative, occasionally compromised by who is paying for it, and never a substitute for basic diligence. A short checklist worth running before trusting any audit badge:

  • Who actually paid for the audit, and did they disclose who they represent?
  • Does the audit cover the exact contract address that is live today, including any upgrades made since?
  • Can an admin key or multisig override the audited logic, and who holds it?
  • Has more than one independent firm reviewed the same code?
  • Does the project’s monitoring update after major upgrades, or only at the original launch?

CertiK will likely remain Web3’s most cited auditor for years to come, in part because no regulator forces it to compete on anything other than reputation. That makes its own reputation, messy as the last few years have been, the product it is really selling.

Frequently Asked Questions

What is CertiK and what does it do?

CertiK is a blockchain security company founded in 2018 by Columbia University’s Ronghui Gu and Yale University’s Zhong Shao. It reviews smart contract code for vulnerabilities before and after projects launch, runs a real-time monitoring and scoring product called Skynet, offers identity verification for project teams, and operates a bug bounty platform, alongside newer AI focused security tools such as AI Auditor and Skill Scanner.

Does a CertiK audit mean a project is safe to use?

No. An audit reviews a specific version of a contract’s code at a specific point in time; it does not guarantee the code will never be upgraded, that admin keys will not be misused, or that the team behind the project is honest. Several CertiK audited projects, including the Merlin exchange on zkSync and the Swaprum exchange on Arbitrum, were exploited or rug pulled after receiving a completed audit.

What is CertiK’s Skynet Score?

Skynet Score is CertiK’s automated rating system that scores blockchain projects on security and operational factors and ranks them on public leaderboards. CertiK says most of the underlying metrics are automated to limit human bias, though critics have accused the system of favoring projects that pay for a CertiK audit or KYC check over those that do not.

Why did Kraken accuse CertiK of extortion?

In June 2024, researchers working for CertiK found a bug that let them credit funds to a Kraken account without completing a deposit, then withdrew nearly $3 million from Kraken’s treasury over several days. Kraken’s chief security officer accused the researchers of refusing to return the funds until Kraken specified a bounty amount; CertiK said Kraken mishandled the disclosure and threatened its staff. CertiK returned the funds, minus a small amount lost to fees, within about two weeks of the initial report.

Is CertiK going public?

CertiK has discussed an IPO without committing to one. Co-founder Ronghui Gu raised the idea publicly at Davos in January 2026, then told CoinDesk the following month that the company had no concrete IPO plan, despite having raised more than $240 million and fielding investor interest. Its most recent priced valuation was $2 billion, set in a 2022 funding round.

Written by the HOGE Wire security desk.

Share 𝕏 Post Telegram