The computer scientist who hunts for costly bugs in crypto code
A NFT artist named Micah Johnson started a new auction of his drawings in the spring of 2022 before the most volatile events that hit crypto last year. Johnson is well-known in crypto circles for images featuring his character Aku (a young Black boy who dreams about becoming an astronaut). The new release was met with great interest by collectors. They spent $34 million on NFTs the day before the auction.
Then tragedy struck or, depending on your point, comedy. Johnson’s software team had written “smart contract code” to run the crypto auction. It contained a critical bug. Johnson’s entire $34 million sales were locked onto the Ethereum blockchain. Johnson could not withdraw the funds. He also couldn’t refund money to those who bid on an NFT and lost their auction. They said that the virtual money was “locked on chain” and had been frozen.
Johnson might wish he’d hired Ronghui Gu.
Gu is the cofounder and chief executive officer of CertiK. CertiK is the largest smart-contract auditor in cryptocurrencies and Web3. Gu is a Columbia University computer science professor who is friendly and approachable. He leads a team that examines crypto code to ensure it’s not filled with bugs.
CertiK’s work will not prevent you losing your money if a cryptocurrency crashes. It will not stop a cryptocurrency exchange from using your funds in an inappropriate way. It could prevent irreparable damage from an unresolved software problem. Some of the biggest crypto players, such as the Bored Ape Yacht Club or the Ronin Network, which operates a blockchain that is used in games, are among the clients of the company. Gu is often approached by clients who have lost hundreds of millions and want to prevent it from happening again.
Gu exclaims, “This is a wild world,” with a smile.
Crypto code is more difficult to use than traditional software. Silicon Valley engineers try to make their programs bug-free before they ship. However, if there is a problem or bug, the code can still be updated.
This is not possible for many crypto projects. They use smart contracts, which are computer code that governs transactions. A smart contract can be programmed to send the NFT token to you automatically once the money has arrived in the artist’s bank account. It is impossible to update smart-contract code once it is live on a blockchain. It’s too late to fix a bug. The whole point of blockchains are that you can’t change what’s been written to them. Worse, any code stored on a blockchain can be viewed publicly so that hackers can look for errors and make corrections.
Hacks are extremely lucrative and the sheer number of them is staggering. The Wormhole network had stolen more than $320 million in crypto by the end of last year. The Ronin Network then lost over $600 million in crypto.
Gu says, “The most expensive hack in the history,” and he shakes his head in disbelief. “They claim Web3 is eating all of the world, but hackers are eating Web3!”
In recent years, there has been a booming field of auditors. Gu’s CertiK, valued at $2billion, is the largest. It has performed an estimated 70% of all smart contract audits. It also has a system that monitors smart contract to detect if they are being hacked.
This is a great accomplishment for someone who came across the field by accident. Gu didn’t start in crypto. He did his PhD in verifiable and provable software to explore ways to write code that behaves mathematically predictable. This subject proved to be extremely applicable to the complex world of smart contracts. He cofounded CertiK in 2018 with his PhD supervisor. Gu now works in both academia and crypto. Gu still teaches Columbia courses in compilers and formal verification of software system software. He also manages several graduate students, one of which is researching compilers for quantum computing.
Crypto is known for its boom-bust cycles. The November collapse of the FTX exchange was just one example. Gu believes that he will have to work for many years. Mainstream companies like banks and “a major search engine”, Gu says, are now launching their own blockchain products and employing CertiK to keep their ship afloat. It’ll attract more hackers, even nation-state actors, if established businesses push more code onto blockchains. He says that the threats we are facing are becoming more severe.
I’m a journalist who specializes in investigative reporting and writing. I have written for the New York Times and other publications.