
On June 11, during Proof of Talk, the world’s top Web3 and AI summit, Jason Jiang, CertiK’s Chief Business Officer, was invited to attend a roundtable discussion on “Building Trust in Web3 Protocols”, together with Oliver Quie, CEO and co-founder of Innerworks, and Denis Ivanov, CPO of Hacken, to discuss “How to build real and sustainable trust for Web3 projects”.
As "security audit" is increasingly reduced to a marketing phrase, how can Web3 projects avoid "audit-washing" and build lasting security trust?
At the forum, Jason Jiang bluntly stated that "audit-washing" is a significant phenomenon in the current industry. That is, some projects claim to be "safe" simply by publishing an audit report; regardless of the report's timeliness, scope or findings, it is used as a "safety badge".
He pointed out that even high-standard static code verification is only one part of the security model. It is necessary, but far from sufficient. Many risks actually arise after the audit: for example, upgradeable contracts may introduce new attack surfaces after the audit, the governance mechanism may change, or administrative functions may be controlled by externally owned accounts (EOAs), any of which can invalidate the assumptions that held during the audit.
In addition, there are risks that go beyond the capabilities of static analysis: factors such as oracles, cross-chain bridges, liquidity changes, and composability will all bring new dynamic dependencies.
Therefore, Jason Jiang emphasized: "Audited" does not mean "safe".
CertiK’s modular and real-time security model
To address these challenges, Jason Jiang elaborated on the “composable and continuous verification and trust mechanism” that CertiK is actively building and advocating.
First, CertiK is actively promoting the establishment of an on-chain audit proof mechanism. That is, the audit report is cryptographically signed and stored on-chain, and is bound to the hash of the specific contract bytecode that was reviewed. CertiK is committed to promoting this mechanism as an industry standard.
Second, real-time security monitoring and risk scoring. Through the Skynet platform, CertiK can dynamically monitor contract interaction behaviors (such as flash loans and privilege escalation), vault behaviors, DAO governance risk points (such as proposal injection), and abnormal fluctuations in the token economy. These data generate real-time risk profiles and give users continuous feedback on a protocol's security status.
Third, a continuous verification process. CertiK integrates security checks into the entire development lifecycle (CI/CD). This includes differential fuzz testing when code changes, testing against simulated attack models (such as MEV bots and sandwich attacks), and triggering a new audit process when governance or upgrade events occur.
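To make the binding concrete, here is an added illustration (not CertiK's actual on-chain format or code) of what such an audit proof has to contain and how a verifier checks it. It assumes a hypothetical record layout, uses SHA-256 from the Go standard library in place of the Keccak-256 that Ethereum uses for code hashes, and signs with ed25519; the "bytecode" and "report" inputs are constructed samples. The point it shows is the one the paragraph makes: once the deployed bytecode changes (for instance after a proxy upgrade), the proof no longer verifies, so the old report can no longer be waved as a safety badge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// AuditProof is a hypothetical attestation record (assumed layout, not any
// auditor's real format). It binds one audit report to the exact bytecode
// that was reviewed; a later upgrade that changes the bytecode breaks the bond.
type AuditProof struct {
	BytecodeHash [32]byte // hash of the reviewed contract bytecode (SHA-256 here; Keccak-256 on Ethereum)
	ReportHash   [32]byte // hash of the audit report document
	IssuedAt     uint64   // unix timestamp of the attestation
	Signature    []byte   // auditor's ed25519 signature over the three fields above
}

// message serialises the signed fields deterministically (32 + 32 + 8 bytes).
func (p AuditProof) message() []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], p.IssuedAt)
	buf := make([]byte, 0, 72)
	buf = append(buf, p.BytecodeHash[:]...)
	buf = append(buf, p.ReportHash[:]...)
	buf = append(buf, ts[:]...)
	return buf
}

// IssueProof is the auditor's side: hash the reviewed bytecode and the report,
// then sign the binding with the auditor's private key.
func IssueProof(auditorKey ed25519.PrivateKey, bytecode, report []byte, issuedAt uint64) AuditProof {
	p := AuditProof{
		BytecodeHash: sha256.Sum256(bytecode),
		ReportHash:   sha256.Sum256(report),
		IssuedAt:     issuedAt,
	}
	p.Signature = ed25519.Sign(auditorKey, p.message())
	return p
}

// VerifyProof is the user's, wallet's or explorer's side: check the auditor's
// signature, then check that the proof covers the bytecode that is deployed
// *now*. A non-nil error says why the report does not apply.
func VerifyProof(auditorPub ed25519.PublicKey, p AuditProof, deployedBytecode []byte) error {
	if !ed25519.Verify(auditorPub, p.message(), p.Signature) {
		return fmt.Errorf("signature invalid: not issued by this auditor, or record tampered with")
	}
	if got := sha256.Sum256(deployedBytecode); got != p.BytecodeHash {
		return fmt.Errorf("bytecode mismatch: audited %s..., deployed %s...",
			hex.EncodeToString(p.BytecodeHash[:8]), hex.EncodeToString(got[:8]))
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed sample inputs; real inputs are the deployed runtime bytecode
	// and the report document.
	v1 := []byte("constructed-bytecode-v1")
	report := []byte("constructed audit report covering v1")
	proof := IssueProof(priv, v1, report, 1718064000)

	fmt.Println("same bytecode:    ", VerifyProof(pub, proof, v1))
	v2 := []byte("constructed-bytecode-v2-after-upgrade")
	fmt.Println("after upgrade:    ", VerifyProof(pub, proof, v2))
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong auditor key:", VerifyProof(otherPub, proof, v1))
}
```

A real deployment would read the deployed bytecode directly from the chain (for a proxy, the implementation's bytecode, not the proxy's) and would also carry the audit scope and a validity window, so that a verifier can tell a partial-scope or stale report from a current one.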
Fourth, we are exploring AI-assisted auditing and collaborative verification. CertiK is exploring AI models for pre-audit screening and large-scale identification of anti-patterns. This will allow human auditors to focus on the core logic of the protocol, edge scenarios, and protocol context analysis, thereby achieving "large-scale security assurance through human-machine collaboration."
Protocol Design: The Architectural Foundation of Trust
When talking about how protocol design affects user trust, Jason Jiang further pointed out that many risks do not come from code vulnerabilities, but from architectural assumptions. He specifically mentioned that unclear assumptions about permissions, control rights, and upgrade mechanisms are important factors that affect trust.
He analyzed the specific impact of several key design vectors on trust:
In terms of upgradeability and immutability, if the project needs to retain the ability to upgrade, multi-signature control should be mandatory, combined with an on-chain governance mechanism with a time delay. At the same time, the community should be given a clear veto power. This prevents key permissions from being controlled by a small number of externally owned accounts (EOAs), thereby upholding the promise of decentralization.
In terms of modularization and open source, core components such as core algorithms, treasury management, and governance modules should be designed in isolation. Each module should support independent testing and verification to reduce the risks brought by complex dependencies. Transparent failure protection mechanisms (such as time locks, pausable contracts, and circuit breakers) must also be accompanied by clear emergency processes, so that hidden "emergency permissions" cannot override them.
Finally, governance practices should be fully on-chain and auditable. It needs to be clearly disclosed: who holds which upgrade permissions, how the upgrade process works, and how the time delays are set. Only in this way can governance be truly implemented, rather than remaining at the theoretical level.
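The upgrade controls described above (mandatory M-of-N approval, a time delay, and a community veto) form a small state machine, and it is worth seeing the ordering of those checks in code. The following is an added, constructed model written for this page; it is not any project's governance contract and it abstracts the chain away into an explicit `now` parameter so the timeline is visible. The signer names, the 2-of-3 threshold and the 48-hour delay are arbitrary sample values.

```go
package main

import (
	"errors"
	"fmt"
)

// Proposal is one pending upgrade. Constructed model: a real contract would
// key approvals by address and store this in contract storage.
type Proposal struct {
	Target      string          // hypothetical label of the contract being upgraded
	NewImplHash string          // hash of the proposed implementation bytecode
	Approvals   map[string]bool // signer -> has approved
	QueuedAt    int64           // unix time the threshold was reached; 0 = not yet
	Vetoed      bool
	Executed    bool
}

// Timelock holds the governance parameters that must be disclosed on-chain:
// who the signers are, how many must agree, and how long the delay is.
type Timelock struct {
	Signers   map[string]bool
	Threshold int
	Delay     int64 // seconds between queueing and earliest execution
}

var (
	ErrNotSigner    = errors.New("caller is not a multisig signer")
	ErrNotQueued    = errors.New("signer threshold not yet reached")
	ErrDelayPending = errors.New("timelock delay has not elapsed")
	ErrVetoed       = errors.New("proposal was vetoed by the community")
	ErrAlreadyDone  = errors.New("proposal already executed")
)

func NewProposal(target, newImplHash string) *Proposal {
	return &Proposal{Target: target, NewImplHash: newImplHash, Approvals: map[string]bool{}}
}

// Approve records one signer's approval. The delay clock starts only at the
// moment the M-of-N threshold is reached, never earlier.
func (tl Timelock) Approve(p *Proposal, signer string, now int64) error {
	if !tl.Signers[signer] {
		return ErrNotSigner
	}
	if p.Executed {
		return ErrAlreadyDone
	}
	p.Approvals[signer] = true
	if p.QueuedAt == 0 && len(p.Approvals) >= tl.Threshold {
		p.QueuedAt = now
	}
	return nil
}

// Veto is the community's power during the delay window (for example the
// outcome of a token vote). Modelled as a plain flag; authorisation of the
// veto itself is out of scope here.
func (tl Timelock) Veto(p *Proposal) error {
	if p.Executed {
		return ErrAlreadyDone
	}
	p.Vetoed = true
	return nil
}

// Execute applies the upgrade only if every gate has been passed, in order:
// not already done, not vetoed, threshold reached, delay fully elapsed.
func (tl Timelock) Execute(p *Proposal, now int64) error {
	switch {
	case p.Executed:
		return ErrAlreadyDone
	case p.Vetoed:
		return ErrVetoed
	case p.QueuedAt == 0:
		return ErrNotQueued
	case now < p.QueuedAt+tl.Delay:
		return ErrDelayPending
	}
	p.Executed = true
	return nil
}

// EarliestExecution is the value a project should disclose for a queued
// proposal: the first unix time at which Execute can succeed (0 if not queued).
func (tl Timelock) EarliestExecution(p *Proposal) int64 {
	if p.QueuedAt == 0 {
		return 0
	}
	return p.QueuedAt + tl.Delay
}

func main() {
	tl := Timelock{
		Signers:   map[string]bool{"alice": true, "bob": true, "carol": true}, // sample signers
		Threshold: 2,
		Delay:     48 * 3600,
	}
	p := NewProposal("Vault", "0xconstructed-impl-hash")
	fmt.Println("execute before any approval:", tl.Execute(p, 1000))
	_ = tl.Approve(p, "alice", 1000)
	_ = tl.Approve(p, "bob", 2000) // threshold reached here; clock starts at 2000
	fmt.Println("execute right after threshold:", tl.Execute(p, 2001))
	fmt.Println("earliest execution:", tl.EarliestExecution(p))
	fmt.Println("execute after delay:", tl.Execute(p, 2000+48*3600))
}
```

The order of the checks in `Execute` matters: a veto must win even when the delay has elapsed, and an EOA that is not in `Signers` can never move a proposal toward the queued state, which is exactly the property the multisig-plus-timelock design is meant to guarantee.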
Web3 Trust Formula: Trust = Code + Behavior + Culture + Compliance
Faced with the unique challenges of Web3, a highly decentralized environment lacking identity endorsement, Jason Jiang proposed a formula for building trust: Trust = Code + Behavior + Culture + Compliance.
He pointed out that the trust that protocols gain depends not only on the quality of the code, but also on the behavior patterns of the project under pressure. Among them, several key actions are crucial:
First, the project should implement and maintain a bug bounty program. Whether this mechanism is adequately funded, responsive, and efficient in payment directly reflects the project's operational maturity and commitment to transparency and openness.
Second, when security incidents cannot be avoided, projects should publish transparent, detailed, and technically rigorous post-mortem reports. The reports should explain the root causes of the incident, clearly acknowledge the mistakes, assess the impact, and propose improvement measures. Handling incidents this way can build institutional trust even in a crisis.
In addition, projects should also prove their resilience over time. This includes the ability to withstand drastic market fluctuations, respond quickly and transparently to security threats, and constantly adapt to new attacks. Jason Jiang concluded: "In the crypto world, one year is equivalent to eight years in traditional industries. A project that has been running stably for six years is equivalent to winning half a century of trust."
The roundtable discussion at the Proof of Talk Summit brought together the industry's top security experts. Participants agreed that in order to reshape the cornerstone of Web3 trust and promote its sustainable development, in-depth cooperation must be carried out in multiple dimensions. This includes underlying technology innovation, protocol design optimization, and long-term verification of project behavior. In this context, CertiK's real-time, modular security model and advocacy of the "code + behavior + culture + compliance" trust framework have pointed out an important development direction for the industry.
As a Web3 security company, CertiK has been driving the industry forward, moving from “audit as security” to “security as a service”. CertiK will continue to provide Web3 builders with a trusted, secure, and transparent foundation with its full lifecycle products, community collaboration, and AI technology.