CertiK Resources
Blogs, Latest News, Announcements, and more
Forbes China Interviews Ronghui Gu, CertiK Co-founder & CEO, on Pioneering Web3 Security with Mathematical Rigor
Professor Gu recently sat down with Forbes China to discuss his journey from academia to Web3 security, and how mathematical rigor continues to shape his approach to innovation. In this blog, we’ll look at highlights from his interview, including his academic background, how he founded CertiK, and how CertiK is influencing blockchain security.
8/14/2025
Numa Incident Analysis
On 10 August 2025, the Numa protocol was exploited for ~$313k. A malicious actor acquired additional Numa tokens by liquidating victim accounts after manipulating the NumaVault by minting nuBTC. Minting the nuBTC inflated the total synth value and, in turn, reduced the collateral value of cNuma according to the Numa VaultManager logic.
8/12/2025
Lottie File Incidents: Case Studies of Third-Party Supply Chain Risks
This post details two security incidents involving the Lottie animation format and its ecosystem, highlighting the persistent and evolving nature of third-party dependency and supply chain risks in the modern web landscape.
8/10/2025
Threshold Cryptography IV: Multiplicative-to-Additive (MtA) Protocol and Paillier Encryption Scheme
In this post, we provide a detailed examination of the MtA protocol, which utilizes the additively homomorphic properties of the Paillier encryption scheme to facilitate the exchange of encrypted secret shares among the participating parties.
8/10/2025
Skynet Stablecoin Spotlight Report: H1 2025
In our 2025 Stablecoin Report, we look at the current stablecoin landscape, vulnerabilities that affect stablecoins, and how CertiK’s Skynet Security Score can help evaluate stablecoin security.
7/22/2025
Stablecoin Regulation and the GENIUS Act: A Case for Formal Verification
As Web3 adoption continues to accelerate, many central banks and institutions are developing digital asset products, such as stablecoins, to support the stability of existing blockchain ecosystems while offering transparency, speed, and flexibility. However, such stablecoin innovations must win user trust, meet regulatory requirements, and integrate with existing Web3 systems in order to acquire mainstream adoption. In the context of rigorous compliance frameworks, formal verification is a promising methodology to help build reliable stablecoin contracts by verifying essential compliance requirements.
7/18/2025
Binance Wallet Integrates CertiK’s Skynet Token Scan
Binance Wallet is enhancing user security by integrating Skynet Token Scan, a powerful tool developed by CertiK’s security researchers. This new feature puts on-demand security intelligence directly into the hands of Binance Wallet users, empowering them to make safer, more informed decisions.
7/17/2025
GMX Incident Analysis
On 9 July 2025, the GMX V1 vault was exploited by a white-hat for ~$42M due to a reentrancy issue. The funds were later returned to GMX, which awarded the white-hat a 10% bounty. The white-hat had minted and then staked GLP before creating a short position directly from the vault contract through reentrancy. Executing in this order bypassed the ShortsTracker and prevented the average short position price from being updated. This occurs when the market price exceeds the tracked average price, resulting in the protocol overestimating unrealized losses. As a result, the Assets Under Management (AUM) calculation was manipulated to inflate the apparent value of GLP.
7/16/2025
Arcadia Incident Analysis
On 15 July 2025, a malicious actor took advantage of a lack of input validation in Arcadia Finance’s Rebalancer contract to obtain assets by paying off a portion of a user’s debt and withdrawing the underlying assets for a net gain of ~$3.6M.
7/15/2025
Threshold Cryptography III: Binance tss-lib’s 9-Round Threshold ECDSA
This third post in the Threshold Cryptography series provides a bird’s-eye view of the 9-round threshold ECDSA protocol implemented in tss-lib [1]. Detailed exposition of the underlying MtA secret share conversion protocol and zero-knowledge proofs will follow in the next two posts.
7/15/2025
Security Risks of Stablecoins
Stablecoins are a type of crypto-asset designed to maintain a stable price by linking each token to an external reference asset, most often a national currency like the U.S. dollar, but sometimes commodities like gold. In theory, every coin in circulation should be redeemable for an equal amount of that reference asset, protecting holders from the sharp price fluctuations typical of unpegged digital currencies.
7/8/2025
CertiK’s Co-founder Ronghui Gu Delivers Keynote Speech at HKU Business School on the Next Era of Blockchain Security
Ronghui Gu, Co-Founder of Web3 security firm CertiK and Professor of Computer Science at Columbia University, delivered a compelling keynote speech at the University of Hong Kong Business School titled, “Scaling Web3: Balancing Innovation and Security for a Global Audience,” which outlined the critical importance of cybersecurity as the Web3 ecosystem matures.
7/1/2025
Hack3d: The Web3 Security Quarterly Report - Q2 + H1 2025
Welcome to Hack3d: The Web3 Security Report for Q2 + H1 2025. Hack3d is the industry's most comprehensive record of statistics and analysis of on-chain security incidents. It equips stakeholders with the knowledge needed to make informed decisions in an increasingly high-stakes environment.
6/30/2025
CertiK’s Korea Event Attendee Guide: June 2025
Following the success of Proof of Talk 2025, more major Web3 events are on the horizon! From June 24 to 27, Seoul—the innovation hub of Asia—will host two flagship Web3 conferences. CertiK invites you to join us on this exciting journey into the future of Web3.
6/22/2025
Private Key, Public Risk
In Web3, private keys are critical for controlling assets, governance, and trust, but their mismanagement poses significant risks, including financial loss and reputational damage. This article explores secure private key generation, storage, and usage to mitigate these vulnerabilities.
6/22/2025
Move for Solidity Developers: Token Standard II — Advanced Fungible Token Extensions
Building on our previous analysis of basic token functionalities across Solidity, Sui Move, and Aptos Move, this report focuses on the advanced features of fungible tokens. We specifically explore how these platforms implement fungible token standards, with extensions such as whitelisting/blacklisting, fee mechanisms, and pausing.
6/12/2025
Threshold Cryptography II: Unidentifiability in Decentralized FROST Implementation
The second post in our Threshold Cryptography series explores the FROST threshold signing protocol, as proposed in FROST: Flexible Round-Optimized Schnorr Threshold Signatures [1], and highlights a potential issue that arises when implementing the protocol in a decentralized setting. This issue allows a malicious participant to send inconsistent nonce commitments, leading to honest participants being falsely accused of misbehavior.
6/10/2025
CertiK Joins Proof of Talk 2025 as Platinum Sponsor
CertiK, the largest Web3 security firm, is proud to announce its role as the Platinum Security Partner of Proof of Talk 2025, the premier Web3 and AI summit held at the iconic Louvre Palace in Paris on June 10-11. This sponsorship marks CertiK’s most significant event presence of the year, and underscores its deep commitment to advancing trust and security in the decentralized ecosystem.
6/10/2025