 |
| By Marija Matic |
CertiK is the largest Web3 security provider, holding 60% of the smart contract audit market.
Organizations like these are the ones that test platforms and networks to make sure smart contracts are safe and identify any weaknesses.
Recently, CertiK’s engineers began to fight fire with fire. They’re now using AI to catch vulnerabilities before attackers do.
This is the side of crypto that most casual investors never see. But security and what goes on behind the scenes is critical to understand.
It’s what separates the crypto noise … from opportunities that have real stability.
I had the opportunity to sit down with one such engineer, Yuannan Yang, a few weeks ago.
Day to day, he audits smart contracts, cryptocurrencies and blockchains. When something goes wrong on-chain, he's one of the first people analyzing what happened and why.
At Consensus Miami 2026, we discussed the current threat landscape, what’s likely ahead, what battle-proven security actually looks like and why projects that take security seriously — like Uniswap (UNI, “C”) — are becoming harder to crack than ever.
I recorded our entire conversation for you and transcribed it below. This way, you can get the insider knowledge straight from the source …
Marija Matić: The crypto industry has seen a wave of high-profile hacks recently. What types of attacks are you seeing most?
Yuannan Yang: There are two main types I'm seeing right now.
The first is tied to vibe coding. That is, coding with the help of AI, where developers click through AI suggestions without fully understanding each step.
Vibe coding itself isn't malicious. It can actually be very helpful. The problem arises when AI picks up malicious code packages from the internet without properly vetting them for bugs or vulnerabilities.
Fortunately, avoiding this type of hack is straightforward: Don’t let AI install random code packages it found online to your computer. Every download and installation must to be done with your full understanding and awareness. Otherwise, you could end up with malware you didn’t know about running on your device.
Another solution is also simple but critical: Never do vibe coding on your main computer where your crypto wallets live.
Instead, use a secure sandbox — a separate, dedicated computer. This way, even if something malicious gets installed, it stays isolated and can't touch your wallets or private keys.
The second major attack type is social engineering.
Someone approaches you — at a conference, via email, or on social media — and pretends to be an important client or partner. You're excited, so when they later invite you to a video chat, you agree. Then, during your Zoom call, they send you a link.
The moment you click it, malware is installed on your computer and the attacker takes control. Sometimes without you even noticing.
Marija: Are you seeing more vibe-coded applications being deployed, creating vulnerabilities for both developers and users?
Yuannan: Yes, and it's becoming a serious trend. Developers who vibe code on their main computers risk having a malicious package steal their private keys and send them directly to groups like Lazarus.
That's how a lot of money is disappearing.
The fix is straightforward, as I said earlier: Use a completely separate, isolated machine for anything involving AI-assisted coding. And never mix it with the device you use for crypto transactions.
Marija: What about ordinary retail users? How are they being targeted?
Yuannan: Retail users need to be careful any time someone sends them a link or a QR code to scan.
Attackers either pretend to be someone you already trust, or they invest time building fake credibility. They’ll create company websites, LinkedIn profiles and fake entire digital footprints so that when you Google them, everything looks legitimate.
Here’s a simple example that happened to me directly …
I received an email that appeared to be from a colleague asking me to review a document. Something felt off, so I checked the email address carefully.
And it didn’t show certik.com. It was cert1k.com, with the letter "i" replaced by the number "1." One character that most people would miss it entirely was the key to keeping myself safe.
Marija: What's your practical advice for people who want to verify whether an outreach is legitimate?
Yuannan: When someone contacts me to schedule a call, the first thing I do is check their email address. I'll even ask ChatGPT or Claude: "Is this email address associated with this company?"
It takes thirty seconds and it's one of the most effective basic checks you can do.
Beyond that, people should pay attention to what they're actually asking. If someone is being low-effort and just pushing you to click a link, that's a red flag.
And if they’re using the guise of a friend or family member reaching out, take care about how they’re contacting you. If your friend usually texts, but this contact is an email, call them on a different platform to verify.
All these steps boil down to the same principle: Always double-check before you click anything.
Marija: CertiK has audited thousands of projects. Which types of smart contracts and crypto projects have proven genuinely battle-tested?
Yuannan: Projects that use OpenZeppelin's code libraries are generally good. That code has been used for years across thousands of projects, such as Ethereum’s (ETH, “B+”) ERC20 tokens, without issues.
Beyond that, the battle-tested contracts from established DeFi protocols hold up well.
Compound's (COMP, “C-”) timelock contract is a good example: Any protocol-level change must wait 48 hours before taking effect. This gives users full transparency and time to react.
But Uniswap is probably the gold standard for how a team should approach security.
Before it launches any new version, there’s rigorous mathematical proofing that must be completed first. That includes “fuzzing” — flooding the code with thousands of random inputs to find edge cases no human would think to test.
Uniswap does unit testing to check each individual function in isolation. It also does adversarial testing, actively trying to break its own code the way a hacker would. And most importantly, it applies formal verification.
Marija: Can you explain formal verification for readers who aren't engineers?
Yuannan: Formal verification mathematically proves that code works correctly under every possible condition.
A smart contract is essentially a series of if-and-else logic paths; if I do this, then that happens.
Formal verification takes all those logical paths and converts them into mathematical equations. Then, it uses a prover to confirm that the equations always hold true.
If code passes formal verification, it means there are zero bugs. Not “we didn’t find any,” but we mathematically proved none ever existed.
This is actually how CertiK started.
Our founders — both professors who made landmark contributions to computer science — developed the world's first formally verified operating system and the first formally verified cloud hypervisor before turning their attention to blockchain.
We believe formal verification is the gold standard and the future of auditing.
Marija: CertiK has been developing AI tools for security. How does AI help on the defense side?
Yuannan: With 60% of the Web3 audit market, we're handling an enormous volume of smart contracts. Maintaining consistent quality at that scale is genuinely challenging. And a lot of audit work is tedious and repetitive — checklists, known vulnerability patterns, standard checks, etc.
We've have a large knowledge base from years of audits, so we trained AI to handle those repetitive processes. This frees our senior auditors for work that actually requires deep expertise.
Every audit we've completed has made our knowledge richer and feeding that into AI means the quality floor rises continuously across every engagement.
Marija: How much has North Korea’s Lazarus Group's approach evolved? Are they using AI now?
Yuannan: Lazarus has been organized and sophisticated for years. Their money laundering practices through casinos and crypto is well-documented going back a long time.
What I'm seeing now is evidence that they are using AI to scan for vulnerabilities in older code. I looked into one exploit last year, and the attacker’s coding patterns were strongly consistent with AI-generated code.
Here's the data point that stood out to me: 80% - 85% of the projects hacked this year were launched between 2021 and 2023. And our own AI independently found vulnerabilities in those same projects. They were the exact vulnerabilities that led to hacks.
This strongly suggests attackers are using AI to systematically scan old, unpatched codebases for weaknesses before striking.
Marija: Anthropic recently gave banks and government agencies early access to Mythos, its AI tool for finding code vulnerabilities. Were crypto security firms like CertiK included?
Yuannan: I think that Mythos is primarily focused on Web2 security — traditional applications with conventional vulnerability types like denial-of-service attacks.
Smart contracts are fundamentally different. What Web3 attackers look for in smart contracts isn't a standard software bug. They want a way to bypass the economic rules encoded in the contract through financial arbitrage, rounding errors or edge cases in the logic.
I think AI still has a long way to go when it comes to understanding that attack surface.
So, no, Web3 wasn't at the Mythos table. But honestly, I think the tool wasn't built for the problem we're solving.
Marija: So, when CertiK audits a project, are those economic edge cases — rounding errors, fringe conditions — actually being checked?
Yuannan: Absolutely. Every audit involves at least two or three experienced security engineers going through the code line by line. And rounding issues and edge cases are explicitly part of what we look for.
We also run fuzzing and unit testing on every engagement and apply formal verification on projects where the complexity warrants it.
Nothing gets a pass on the edge cases — that's often exactly where the money is.
Security is one of the biggest reasons investors give for staying away from crypto.
Some investors still see the market as a whole as a step up from a Ponzi scheme. Others will admit to the utility and value, but struggle to separate the projects built on a strong foundations … from those with vulnerabilities so big, it’s only a matter of time before they fall.
While that concern keeps this crowd safe from crypto’s infamous volatility or parking their capital in memecoins that go nowhere …
It also leaves them outside the capital gain and income opportunities that crypto can offer.
CertiK-audited projects typically display the CertiK badge on their website. And it’s a good sign that the crypto project has undergone a quality and independent security review.
That should help you narrow down which opportunities have what it takes to be part of your investment strategy.
Best,
Marija Matić
P.S. For even more insight into how my colleague Juan Villaverde picks his favorite crypto projects, click here.
