Exclusive Q&A with CertiK’s Prof. Ronghui Gu

Web3 in 2024 has been a year of both progress and peril. While regulatory breakthroughs like the US approval of Bitcoin and Ethereum exchange-traded funds (ETFs) signaled mainstream acceptance, the industry was overshadowed by a surge in hacks and scams, putting billions at risk.

To unpack the scale of these threats, we spoke with Prof. Ronghui Gu, Co-Founder at CertiK, whose firm’s latest Hack3d: The Web3 Security Report 2024 reveals a staggering $2.36 billion in losses across 760 on-chain incidents—a 31.61% increase from last year. With phishing attacks alone responsible for nearly half of these losses, the findings highlight the urgent need for stronger security measures across the ecosystem.

BeInCrypto: What were the key factors behind Ethereum’s high number of targeted attacks?

Prof. Gu: Ethereum’s status as the most popular EVM chain reflects its success, but it is also a prime target for exploits, given the large number of projects and users operating on the network. 

Additionally, its open and composable ecosystem allows developers to build on existing protocols, which, while fostering innovation, can inadvertently introduce vulnerabilities through interconnected dependencies. The frequent deployment of experimental or untested code by newer projects further increases these risks. 

BeInCrypto: How can the industry combat the rise of phishing attacks that caused nearly 50% of 2024’s losses?

Prof. Gu: Education, technological innovation, and collaboration are key to addressing the growing threat of phishing attacks. Educating users on identifying red flags—such as suspicious links, unsolicited communications, and fake websites—is essential for prevention. Clear, ongoing communication about these risks empowers individuals to protect themselves. 

On the technical side, integrating advanced detection systems like AI-driven threat monitoring and real-time alerts can help organizations preempt attacks. Collaboration across the industry to share threat intelligence and best practices further strengthens defenses. 

BeInCrypto: Which DeFi protocols were most vulnerable, and what steps can they take to strengthen security?

Prof. Gu: In 2024, we observed a rise in private key compromises and phishing incidents across the ecosystem. This represents a general shift from contract vulnerabilities to human vulnerability, which is often considered the weakest link in such a system. 

Two of the biggest steps protocols can take to ensure they remain secure are safely storing private keys and implementing robust procedures to ensure employees themselves aren’t targeted.

BeInCrypto: How effective have efforts been to address recurring issues with smart contract exploits?

Prof. Gu: Overall, losses due to code vulnerabilities have fallen year-over-year since 2022, which suggests that smart contracts have become more secure. In addition to this, we have seen a shift toward private key compromises and phishing, likely due to the fact that code vulnerabilities are difficult for most users to find, except for highly skilled bug hunters. 

BeInCrypto: Did the approval of Bitcoin and Ethereum ETFs expose the ecosystem to new types of threats?

Prof. Gu: These products bridge traditional finance and crypto, potentially exposing the ecosystem to threats like regulatory arbitrage, insider trading, and increased scrutiny from bad actors targeting both investors and institutions involved in these offerings. 

Cybersecurity threats, such as attacks on custodial services or ETF infrastructure, are a significant concern. Safeguarding these assets requires robust security protocols, including cold storage solutions and real-time monitoring. 

Additionally, transparency in ETF operations and collaboration with regulators can help mitigate risks. While Bitcoin and Ethereum ETFs represent a positive step for mainstream adoption, ensuring security and trust in these products is paramount to their long-term success. 

BeInCrypto: What role does user education play in mitigating private key compromises?

Many incidents stem from a lack of understanding of secure practices, such as safeguarding keys and recognizing social engineering tactics. Educating users about secure storage methods, including hardware wallets and encrypted backups, can help minimize exposure. 

Additionally, training users to identify phishing schemes, avoid sharing sensitive information, and use multi-factor authentication can further enhance overall security posture.

BeInCrypto: How are blockchain developers addressing the growing sophistication of hacking tactics?

Prof. Gu: Many developers are integrating advanced cryptographic methods, improving consensus mechanisms, and conducting rigorous security audits. Formal verification processes help ensure smart contract code is free from vulnerabilities, while AI and machine learning tools monitor networks in real-time to detect and neutralize anomalies. 

BeInCrypto: What lessons can the Web3 industry learn from the largest attacks of 2024 to shape future security frameworks?

Prof. Gu: In general, we expect stronger regulations, such as those from institutions and governments like MiCA in Europe, improved security measures, and broader education efforts to help mitigate risks associated with hacks and scams. However, as technology advances, so will the strategies employed by bad actors. 

The industry must stay ahead of these threats by fostering collaboration among developers, regulators, and security professionals. With sustained effort, crypto-related losses could decrease over time, but vigilance will remain critical.

CertiK’s Hack3d: The Web3 Security Report 2024 provides an in-depth look at the biggest risks facing the ecosystem, along with key takeaways to help projects and users stay ahead of emerging threats. To gain deeper insights into the trends, attack vectors, and solutions shaping Web3 security, read the full report here.