The computer scientist who hunts for costly bugs in crypto code – MIT Technology Review
January 9, 2023 by Coinvasity

Programming errors on the blockchain can mean $100 million lost in the blink of an eye. Ronghui Gu and his company CertiK are trying to help.
In the spring of 2022, before some of the most volatile events to hit the crypto world last year, an NFT artist named Micah Johnson set out to hold a new auction of his drawings. Johnson is well known in crypto circles for images featuring his character Aku, a young Black boy who dreams of being an astronaut. Collectors lined up for the new release. On the day of the auction, they spent $34 million on the NFTs.
Then tragedy (or, depending on your point of view, comedy) struck. The “smart contract” code that Johnson’s software team wrote to run the crypto auction contained a critical bug. All $34 million worth of Johnson’s sales was locked on the Ethereum blockchain. Johnson couldn’t withdraw the funds; nor could he refund money to people who’d bid on an NFT but lost their auction. The virtual money was frozen, untouchable—“locked on chain,” as they say. 
Johnson might wish he’d hired Ronghui Gu.
Gu is the cofounder of CertiK, the largest smart-contract auditor in the fizzy and unpredictable world of cryptocurrencies and Web3. An affable and talkative computer science professor at Columbia University, Gu leads a team of more than 250 that pores over crypto code to try to make sure it isn’t filled with bugs. 
CertiK’s work won’t prevent you from losing your money when a cryptocurrency collapses. Nor will it stop a crypto exchange from using your funds inappropriately. But it could help prevent an overlooked software issue from doing irreparable damage. The company’s clients include some of crypto’s biggest players, like the Bored Ape Yacht Club and the Ronin Network, which runs a blockchain used in games. Clients sometimes come to Gu after they’ve lost hundreds of millions—hoping he can make sure it doesn’t happen again.
“This is a real wild world,” Gu says with a laugh.
Crypto code is much more unforgiving than traditional software. Silicon Valley engineers generally try to make their programs as bug-free as possible before they ship, but if a problem or bug is later found, the code can be updated.
That’s not possible with many crypto projects. They run using smart contracts—computer code that governs the transactions. (Say you want to pay an artist 1 ETH for an NFT; a smart contract can be coded to automatically send you the NFT token once the money arrives in the artist’s wallet.) The thing is, once smart-contract code is live on a blockchain, you can’t update it. If you discover a bug, it’s too late: the whole point of blockchains is that you can’t alter stuff that’s been written to them. Worse, code that’s hosted on a blockchain is publicly visible—so black-hat hackers can study it at their leisure and look for mistakes to exploit. 
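What "locked on chain" looks like in practice, as an added illustrative example (not the Aku auction contract, whose code the article does not show): a minimal auction written so that every wei that enters the contract has a code path that lets it leave again. The NFT transfer itself is omitted; the point is the withdrawal and refund paths, which cannot be added after deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical auction (added example). Outbid participants and the seller
// each have an explicit exit for their funds; a deployed contract that
// lacks one of these functions cannot be patched to add it later.
contract PullPaymentAuction {
    address payable public immutable seller;
    uint256 public immutable endTime;
    address public highestBidder;
    uint256 public highestBid;
    bool public sellerPaid;
    // Losing bids accumulate here and are pulled out by their owners.
    mapping(address => uint256) public pendingReturns;

    constructor(uint256 durationSeconds) {
        seller = payable(msg.sender);
        endTime = block.timestamp + durationSeconds;
    }

    function bid() external payable {
        require(block.timestamp < endTime, "auction ended");
        require(msg.value > highestBid, "bid too low");
        if (highestBidder != address(0)) {
            // Credit the previous leader instead of pushing ETH to them:
            // a push transfer to a reverting address would jam the auction.
            pendingReturns[highestBidder] += highestBid;
        }
        highestBidder = msg.sender;
        highestBid = msg.value;
    }

    // Refund path for outbid participants (checks, effects, then interaction).
    function withdraw() external {
        uint256 amount = pendingReturns[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingReturns[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "refund failed");
    }

    // Payout path for the seller; without a function like this the
    // winning bid stays in the contract forever.
    function sellerWithdraw() external {
        require(block.timestamp >= endTime, "auction not over");
        require(msg.sender == seller, "not seller");
        require(!sellerPaid, "already paid");
        sellerPaid = true;
        (bool ok, ) = seller.call{value: highestBid}("");
        require(ok, "payout failed");
    }
}
```

An auditor's first question about any contract that accepts ETH is the one this example answers by construction: for each balance the contract can hold, which function releases it, and who can call it.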
The sheer number of hacks is dizzying, and they are wildly lucrative. Early last year, the Wormhole network had more than $320 million worth of crypto stolen. Then the Ronin Network lost upwards of $600 million in crypto.
“The most expensive hack in history,” Gu says, shaking his head in near disbelief. “They say Web3 is eating the world—but hackers are eating Web3.”
A bustling field of auditors has emerged in recent years, and Gu’s CertiK is the biggest: the company, which has been valued at $2 billion, estimates that it has performed 70% of all smart-contract audits. It also runs a system that monitors smart contracts to detect in real time whether any are being hacked.
Not bad for someone who stumbled into the field sideways. Gu didn’t start off in crypto; he did his PhD in provable and verifiable software, exploring ways to write code that behaves in a mathematically predictable fashion. But this subject turned out to be highly applicable to the unforgiving world of smart contracts; he cofounded CertiK with his PhD supervisor in 2018. Gu now straddles the worlds of academia and crypto. He still teaches Columbia courses on compilers and the formal verification of system software, and manages several grad students (one of whom is researching compilers for quantum computing)—while also jetting around to Davos and Morgan Stanley events, clad in his habitual black shirt and black jacket as he attempts to convince crypto and financial bigwigs to take blockchain hacks seriously.
Crypto famously runs in boom-bust cycles; the collapse of the FTX exchange in November was just a recent blow. Gu, however, believes he’ll have work to do for years to come. Mainstream firms like banks and, he says, “a major search engine” are beginning to launch their own blockchain products and hiring CertiK to help keep their ships tight. If established businesses start pushing more code onto blockchains, it’ll attract ever more hackers, including nation-state actors. “The threats we have been facing,” he says, “are more and more tough.”
© 2023 MIT Technology Review