CertiK Audit: Inside the Largest Web3 Security Auditor
The phrase "Audited by CertiK" shows up on token landing pages the way a safety sticker shows up on a child's car seat. It is supposed to say: someone checked this, you can relax. CertiK is the biggest name in Web3 security, and for a lot of investors the badge has become shorthand for "probably safe." The trouble is that several projects wearing it have still been drained of millions. So what does a CertiK audit actually buy you? This piece covers what CertiK is, how its audits and its Skynet score work, where they help, and where the badge quietly stops meaning much.
Who CertiK Is and Why It Dominates Web3 Security
CertiK did not invent the smart contract audit. It industrialized it. The company turned a slow, artisanal process done by a handful of cryptographers into a brand that a project can buy, display, and point to when investors ask whether the code is safe.
From a Yale lab to a $2 billion firm
Two computer science professors started it in 2018: Ronghui Gu of Columbia University and Zhong Shao of Yale. The pitch was academic, almost stubbornly so. Use formal verification, a mathematical method for proving software does what it claims, to make blockchain code provably correct instead of merely "tested." Niche idea. It still pulled serious money. By April 2022 CertiK had raised about $88 million at a $2 billion valuation, according to TechCrunch, with Goldman Sachs, Tiger Global, Sequoia, and SoftBank's Vision Fund all writing checks. Nine rounds, roughly $296 million in total. Not bad for a pair of academics who started out proving theorems about compilers.
What "largest auditor" really measures
CertiK's headline numbers are about volume. More than 6,100 projects audited. Over 91,000 vulnerabilities flagged across those security audits. Assets worth north of $360 billion reviewed, with clients like Aave, Polygon, and BNB Chain on the roster. The scale is real. It is also the catch, because "largest" counts how many audits a firm ships, not how deep any single one goes. A factory that prints more reports than anyone else is impressive, sure, but volume and rigor are not the same thing, and the gap between them is where most of the criticism lives. Here is the concrete version of that complaint. CertiK reviews so many projects that its name ends up on a throwaway meme token and a serious protocol alike, and a two-day pass earns the same badge as a months-long review. Buyers rarely see which is which. That flattening is the real problem with the badge.

How a CertiK Audit Actually Works, Step by Step
A CertiK audit is not one thing. It is two layers stacked together, and understanding the difference tells you a lot about what the final report can and cannot promise.
Formal verification vs manual review
The first layer is formal verification. Instead of running a smart contract and watching what happens, CertiK builds a mathematical model of the code and proves whether certain properties always hold, no matter the input. Its DeepSEA compiler exists to support this. Formal verification is powerful for narrow questions, like "can this balance ever go negative," but it only checks the properties someone thought to specify.
The second layer is manual review: human engineers reading the code line by line, looking for logic errors, bad assumptions, and the kind of subtle mistakes a model will not flag because nobody told it to look. This is where most real findings come from. Depending on how much code there is and how tangled it is, the whole process runs from about 48 hours for something tiny to several weeks for a large protocol.
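The gap between the two layers is easier to see in code than in prose. The following is an added example, not CertiK's tooling and not DeepSEA: a toy two-account ledger checked by bounded exhaustive exploration of every reachable state, the simplest cousin of the "holds for every input" idea. The ledger, its self-transfer bug, the account names and both properties are constructed for illustration. The property that was written down ("can this balance ever go negative") holds everywhere; the property nobody wrote down (total supply never changes) is violated by the very first self-transfer, which is the point of the "only checks what someone thought to specify" caveat.

```python
"""Added example, not CertiK's tooling or DeepSEA: a toy two-account ledger
checked by bounded exhaustive exploration. The ledger, its bug and both
properties are constructed for illustration."""
from itertools import product

ACCOUNTS = ("alice", "bob")
INITIAL = {"alice": 3, "bob": 0}   # constructed starting state
MAX_AMOUNT = 3                      # bound on the amount per transfer
MAX_DEPTH = 3                       # bound on how many transfers deep we explore


def transfer(state, src, dst, amount):
    """One transfer; returns the new state or None when the guard rejects it.
    Constructed bug: both balances are read before either is written, so a
    self-transfer (src == dst) writes the credited value last and mints coins."""
    if state[src] < amount:
        return None
    from_bal, to_bal = state[src], state[dst]
    new = dict(state)
    new[src] = from_bal - amount
    new[dst] = to_bal + amount       # overwrites the debit when src == dst
    return new


def no_negative_balance(state):
    """The property an auditor specified: a balance can never go below zero."""
    return all(v >= 0 for v in state.values())


def supply_conserved(state):
    """The property nobody specified: transfers never change total supply."""
    return sum(state.values()) == sum(INITIAL.values())


def explore(prop, initial=INITIAL, max_depth=MAX_DEPTH):
    """Check prop on every state reachable by up to max_depth transfers with
    amounts 0..MAX_AMOUNT. Returns the first violating trace (a list of
    (src, dst, amount) steps), or None if the property holds throughout the
    bounded state space."""
    if not prop(initial):
        return []
    frontier = [(initial, [])]
    seen = {frozenset(initial.items())}
    for _ in range(max_depth):
        next_frontier = []
        for state, trace in frontier:
            for src, dst, amt in product(ACCOUNTS, ACCOUNTS, range(MAX_AMOUNT + 1)):
                new = transfer(state, src, dst, amt)
                if new is None:
                    continue
                step = trace + [(src, dst, amt)]
                if not prop(new):
                    return step
                key = frozenset(new.items())
                if key not in seen:
                    seen.add(key)
                    next_frontier.append((new, step))
        frontier = next_frontier
    return None


if __name__ == "__main__":
    print("no_negative_balance:", explore(no_negative_balance))  # None: holds
    print("supply_conserved:", explore(supply_conserved))        # a counterexample trace
```

Real formal verification proves properties for unbounded inputs rather than enumerating a small box of states, but the blind spot is identical: `explore` can only answer about the property it is handed, and a clean result for `no_negative_balance` says nothing about the minting bug that `supply_conserved` exposes in one step.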
Reading the report: "resolved" vs "acknowledged"
The deliverable is a report. It flags each vulnerability by severity — critical, major, minor, and informational — and notes what the project did about it. That last column matters more than people realize. A finding marked "resolved" means the team fixed it and CertiK re-checked. A finding marked "acknowledged" means the team read it, shrugged, and shipped anyway. Two projects can both wave the same badge while one fixed everything and the other ignored its critical warnings. The badge does not tell them apart. The report does. This is also why the date on a report matters. Code ships, then changes; an audit from a year and ten upgrades ago describes a project that may no longer exist on-chain in the form that was reviewed.
| Stage | What CertiK does | Catches | Blind spots |
|---|---|---|---|
| Formal verification | Proves specified properties of the code mathematically | Math and logic flaws in defined rules | Anything outside the specified properties |
| Manual review | Engineers read the code by hand | Logic bugs, bad assumptions, known attack patterns | Off-chain systems, post-audit code changes |
| Report and re-audit | Lists findings by severity, re-checks fixes | Whether issues were addressed | Whether the team actually deployed the fixed version |
Skynet and the CertiK Web3 Security Score
Audits are one-time snapshots. Skynet is CertiK's attempt to sell something continuous: a real-time dashboard that watches projects after they launch and assigns each one a Security Score. The company says it monitors more than 20,000 projects on-chain.
The score blends a few inputs. It looks at whether a project has been audited, whether its team passed CertiK's KYC check (which comes in gold, silver, and bronze tiers), and how the contracts behave: Skynet analyzes contract behavior on-chain through runtime monitoring and flags anomalies as they occur. Skynet also runs on-chain monitoring alerts for exit scams and exploits, plus leaderboards ranking projects against each other. As a first-glance signal, a Skynet score is genuinely useful. It is faster than reading a full report and it surfaces the obvious warning signs. But it is also a product CertiK sells, built partly on inputs CertiK provides, and a high score has never been a promise that a project is safe. Treat it as one data point, not a verdict. The track record bears that out. Projects have carried respectable Skynet scores right up until the moment they were exploited or quietly abandoned, because a score built largely on past behavior cannot see a malicious change coming. It tells you a project has not blown up yet. It cannot tell you it never will.
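To make "runtime monitoring that flags anomalies as they occur" concrete, here is an added example that is not Skynet's code: a minimal post-launch watcher run over a constructed stream of decoded pool events. The thresholds, event fields, function names and addresses are all assumptions chosen for illustration. It applies three behavioural rules: a single withdrawal moving a large share of pool value, a privileged admin call shortly followed by a large withdrawal, and many withdrawals that are each individually small but add up inside a rolling block window.

```python
"""Added example, not Skynet's code: a toy runtime monitor over a constructed
event stream. All thresholds, field names and addresses are assumptions."""

TVL = 1_000_000                 # constructed pool value, in the pool's base unit
SINGLE_TX_FRACTION = 0.10       # one withdrawal moving more than 10% of TVL
ADMIN_FOLLOWUP_FRACTION = 0.05  # withdrawal after an admin call moving more than 5%
ADMIN_LOOKBACK = 3              # blocks after a privileged call that we treat as linked
WINDOW_BLOCKS = 5               # rolling window for the "many small withdrawals" rule
WINDOW_FRACTION = 0.20          # window total moving more than 20% of TVL
PRIVILEGED = {"setWithdrawLimit", "setFeeRecipient", "upgradeTo"}  # assumed admin functions

EVENTS = [   # constructed, oldest first
    {"block": 100, "kind": "swap", "actor": "0xUSER1"},
    {"block": 101, "kind": "withdraw", "actor": "0xUSER2", "amount": 4_000},
    {"block": 102, "kind": "admin_call", "actor": "0xOWNER", "fn": "setWithdrawLimit"},
    {"block": 103, "kind": "withdraw", "actor": "0xOWNER", "amount": 600_000},
    {"block": 110, "kind": "withdraw", "actor": "0xUSER3", "amount": 80_000},
    {"block": 111, "kind": "withdraw", "actor": "0xUSER4", "amount": 80_000},
    {"block": 112, "kind": "withdraw", "actor": "0xUSER5", "amount": 80_000},
]


def monitor(events, tvl=TVL):
    """Walk the event stream in order and return (block, rule_name) alerts."""
    alerts = []
    recent_withdrawals = []      # (block, amount) pairs inside the rolling window
    last_admin_block = None

    for ev in events:
        blk = ev["block"]
        if ev["kind"] == "admin_call" and ev["fn"] in PRIVILEGED:
            last_admin_block = blk
            continue
        if ev["kind"] != "withdraw":
            continue                 # swaps and other kinds are ignored here
        amt = ev["amount"]

        # Rule 1: one transaction drains a large share of the pool.
        single_hit = amt > SINGLE_TX_FRACTION * tvl
        if single_hit:
            alerts.append((blk, "large_single_withdrawal"))

        # Rule 2: a privileged change followed quickly by a sizeable withdrawal.
        if (last_admin_block is not None
                and 0 <= blk - last_admin_block <= ADMIN_LOOKBACK
                and amt > ADMIN_FOLLOWUP_FRACTION * tvl):
            alerts.append((blk, "privileged_call_then_withdrawal"))

        # Rule 3: many individually small withdrawals inside WINDOW_BLOCKS blocks.
        recent_withdrawals = [(b, a) for b, a in recent_withdrawals
                              if b > blk - WINDOW_BLOCKS]
        recent_withdrawals.append((blk, amt))
        window_total = sum(a for _, a in recent_withdrawals)
        # Skip when rule 1 already fired for this event, to avoid a duplicate alert.
        if window_total > WINDOW_FRACTION * tvl and not single_hit:
            alerts.append((blk, "rolling_window_outflow"))

    return alerts


if __name__ == "__main__":
    for block, rule in monitor(EVENTS):
        print(f"block {block}: {rule}")
```

The constructed stream trips rule 1 and rule 2 at block 103 (the owner changes a limit, then withdraws 60% of the pool one block later) and rule 3 at block 112, where three withdrawals of 8% each cross the 20% window threshold without any one of them crossing the single-transaction line. A monitor like this can only react to behaviour it has already seen on-chain, which is the limitation the paragraph above describes: it sees the drain as it happens, not the intent behind it.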
Beyond Audits: The Rest of CertiK's Ecosystem
The audit is the headline, but CertiK sells a wider stack around it. Penetration testing throws simulated attacks at wallets, exchanges, and apps. A bug bounty program, run at zero platform fee, pays outside hackers to find holes before the criminals do. Then there is KYC to put a real name behind anonymous founders, SkyInsights for the compliance and anti-money-laundering work that regulated firms need under MiCA and DORA, and SkyTrace to chase stolen funds across chains once something has already gone wrong. None of it replaces the audit. It wraps around the audit, which is how a one-off engagement quietly becomes a subscription covering the full life of a decentralized project.
Audited Then Hacked: When Attack Vectors Slip Through
Here is the part the glossy explainers skip. An audit is a snapshot of specific code at a specific moment. It is not a warranty, and treating it like one is how people lose money on projects that did everything "right" on paper.
What an audit does not cover
A smart contract audit checks the contract. It does not check whether the founders hold an admin key that lets them drain the pool. It does not check the website, the servers, or the private keys behind them. It does not check the version of the code the team deploys after the audit ends, which can differ from what was reviewed. And it cannot stop a team that simply decides to run off with the money. Most of the attack vectors that empty a project are not bugs in the audited contract at all. They live in the gaps around it.
The Merlin DEX case: flagged but exploited
Merlin DEX is the cleanest example. CertiK audited it, and the audit actually flagged the problem: the project's contracts were dangerously centralized, with privileged access that a malicious insider could abuse. In April 2023 that exact vector was used to drain roughly $1.82 million. The audit was not wrong; it named the risk. But the warning sat in the "acknowledged" column instead of the "resolved" one, and the exploit walked straight through the door the report had already pointed at. Catching the flaw was the easy part. Acting on it was the client's job, and Merlin's team never did.
Zoom out and the trend is uncomfortable for the whole industry. CertiK's own Hack3d reports show losses climbing, not falling. The firm counted about $2.36 billion stolen across 760 incidents in 2024, then about $3.35 billion across 630 incidents in 2025, a year inflated by the single $1.45 billion Bybit breach. Independent data from Chainalysis put 2025 theft near $3.4 billion, of which roughly $2.02 billion was tied to North Korea-linked groups. Those operators increasingly go after the people and infrastructure around a contract rather than the contract itself, which is precisely the ground an audit does not cover. More auditing has not meant less crime.
| Year | Reported losses | Incidents | Largest single hit |
|---|---|---|---|
| 2024 | $2.36 billion | 760 | — |
| 2025 | $3.35 billion | 630 | Bybit, $1.45 billion |
The Kraken Incident and CertiK's Trust Problem
For a company that sells trust, its own conduct is part of the product. Two episodes have made that awkward.
In June 2024, CertiK researchers found a zero-day flaw in the exchange Kraken and, instead of just reporting it, used it to pull about $3 million out of Kraken's systems. CertiK framed it as proving the severity of the bug. Kraken called it extortion and said the firm initially refused to return the funds until pressed. The money was eventually sent back, but the episode read badly: a security firm exploiting a client at scale to make a point. Then in early 2025 CertiK apologized over work tied to Huione, a Cambodian operation later linked to forced-labor scam compounds. None of this means CertiK's audits are worthless. It does mean that a firm asking the market to take its word now has to rebuild some of that word, and it is doing so while reportedly preparing for an eventual IPO at around its $2 billion valuation.

CertiK vs Other Web3 Security Firms
CertiK is the loudest name in blockchain security, not the only one, and for many projects it is not the obvious pick. The audit market splits roughly into scale players and boutiques. Boutique firms take on fewer clients and tend to go deeper, and many set their own security standards that exceed what a high-volume shop has bandwidth to enforce. Protocols handling serious money often pay for a second opinion from one of them precisely for that reason. Scale and depth are not the same thing, and the right choice depends on your stage and budget. Pricing reflects that range: a small token audit can run a few thousand dollars, while a full review of a complex protocol reaches well into six figures.
| Firm | Focus | Known for | Model |
|---|---|---|---|
| CertiK | Broad Web3 security | Volume, Skynet, brand recognition | Scale |
| Trail of Bits | High-assurance security | Deep manual review, research | Boutique |
| OpenZeppelin | Smart contract security | Widely used contract libraries | Boutique |
| Halborn | Blockchain and infra security | Pen testing, advanced exploits | Mid-size |
| Hacken | Web3 audits and monitoring | Cost-effective audits | Mid-size |
How to Read the "Audited by CertiK" Badge
So you see "Audited by CertiK" on a project. Before you trust it, open the actual report and check five things. First, scope: which contracts were reviewed, and is the part holding your money one of them? Second, the date and the commit hash: compare them against the code that is actually live, because they often diverge. Third, the findings: how many were critical, and were they resolved or merely acknowledged? Fourth, whether the audited version is the deployed version. Fifth, do not lean on the Skynet score alone; it is a summary, not the document.
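The five-point check above, and the "resolved" versus "acknowledged" distinction from the report section, can be run as a checklist rather than kept in your head. The following is an added example, not CertiK's report format or tooling: a checker over a constructed summary of an audit report and a constructed description of what is actually live. The field names, the commit hashes, the dates, the finding ids and the score are all invented for illustration; a real report arrives as a PDF and you would fill these records in by hand.

```python
"""Added example, not CertiK's report format or tooling: the five-point badge
check run as code over constructed records. Every field value is invented."""
from datetime import date

REPORT = {   # constructed summary of an audit report
    "date": date(2023, 3, 15),
    "commit": "a1b2c3d",                       # placeholder commit hash
    "scope": ["Token.sol", "Vesting.sol"],
    "findings": [
        {"id": "CEN-01", "severity": "critical", "status": "acknowledged",
         "title": "Owner can withdraw all pool funds"},
        {"id": "LOG-02", "severity": "major", "status": "resolved",
         "title": "Reward math rounds in the user's favour"},
        {"id": "INF-03", "severity": "informational", "status": "acknowledged",
         "title": "Missing NatSpec comments"},
    ],
}

DEPLOYED = {   # constructed description of the live deployment
    "contracts": {"Token.sol": "f9e8d7c", "Pool.sol": "e5f6a7b"},  # live commit per contract
    "funds_held_in": "Pool.sol",
    "skynet_score": 92,
}

MUST_BE_RESOLVED = ("critical", "major")


def review_badge(report, deployed, today, max_age_days=365):
    """Return the reasons the badge alone should not be trusted.
    An empty list means the five checks passed, not that the project is safe."""
    warnings = []

    # 1. Scope: is the contract holding the money inside the audited set?
    vault = deployed["funds_held_in"]
    if vault not in report["scope"]:
        warnings.append(f"scope: {vault} holds the funds but is not in the audited scope")

    # 2. Date and commit: how old is the report, and does the live code match it?
    age_days = (today - report["date"]).days
    if age_days > max_age_days:
        warnings.append(f"date: report is {age_days} days old")
    for name, live_commit in deployed["contracts"].items():
        if name in report["scope"] and live_commit != report["commit"]:
            warnings.append(
                f"commit: {name} is live at {live_commit} but was audited at {report['commit']}")

    # 3. Findings: every critical or major item must be resolved, not acknowledged.
    for f in report["findings"]:
        if f["severity"] in MUST_BE_RESOLVED and f["status"] != "resolved":
            warnings.append(
                f"finding: {f['id']} ({f['severity']}) is {f['status']}: {f['title']}")

    # 4. Audited version versus deployed version: the commit comparison above covers
    #    contracts that are live; an audited contract with no recorded deployment
    #    is a gap you cannot verify at all.
    for name in report["scope"]:
        if name not in deployed["contracts"]:
            warnings.append(f"deployed: {name} was audited but no live deployment is recorded")

    # 5. The score is a summary, never a verdict: it cannot clear the items above.
    score = deployed.get("skynet_score")
    if warnings and score is not None:
        warnings.append(
            f"score: Skynet score {score} does not override {len(warnings)} open issue(s)")
    return warnings


def example_review(today=date(2024, 6, 1)):
    """Run the checklist over the constructed records (date fixed for repeatability)."""
    return review_badge(REPORT, DEPLOYED, today)


if __name__ == "__main__":
    for line in example_review():
        print("-", line)
```

Against the constructed records the checker reports that the pool holding the funds was never in scope, that the report is over a year old, that the audited token contract is live at a different commit, that a critical centralization finding is merely acknowledged (the Merlin DEX pattern), that one audited contract has no recorded deployment, and that a score of 92 changes none of that. The informational acknowledged item and the resolved major item are correctly left alone.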
One quick aside on tickers, because people confuse them. CertiK the company is private and has no stock. CTK is the token of Shentu chain, a separate proof-of-stake network connected to CertiK's early work. Buying CTK is not buying a stake in the audit business. If you came looking for "CertiK stock," there isn't one yet.
What a CertiK Audit Is Really Worth
So is a CertiK audit worth anything? Yes, within limits. It raises the floor. It screens out lazy code, puts real risks on paper, and hands a serious team a punch-list to work through. What it cannot do is vouch for the people. It will not promise that the deployed code matches what was reviewed, or that a single flagged risk was ever actually closed. Treat the badge as the start of your diligence, not the finish line. So the next time you see "Audited by CertiK," do the boring thing almost nobody does: open the report and read the column that says what got fixed. And if the project will not show you the report? That reluctance is the answer. A badge you cannot check is just a logo.