29 Nov. 2022, on InsurAce official Telegram group (https://t.me/insurace_protocol)
Dan:
Hi everyone, for those who don’t know me and for any new members, I’m Dan, CMO here at InsurAce.io.
Recently we partnered with Cer.Live to integrate their scores on our app, to help users get a better understanding of our security ratings.
At the same time, Cer.Live has been using our referral program on its website to send customers to us.
Today we welcome Kostia from Cer.Live to talk to us about their project, our partnership and DeFi safety.
Kostia, can you please introduce yourself?
Kostia:
Hi, everyone! My name is Kostia. I am the Product Owner of Cer.Live. I have been in crypto since 2016, and I have a master’s degree in Applied Cryptography. Doing security ratings since 2020. =)
Dan:
Applied Cryptography sounds great. Challenging.
And for those who don’t know, what is Cer.Live? Can you tell us about it?
Kostia:
Cer.live is the first cryptocurrency exchange and crypto project security ranking platform. Starting from 2020, after our partnership with Coingecko and integration of our security score to Coingecko’s trust score, the number of crypto exchanges that perform regular pentests increased 3x times. The number of bug bounty programs also increased 2 times from 47 to 94.
You may find our ratings integrated into different aggregators. For example, Coingecko, Forbes, InsurAce, etc.=)
At the start of this year, we decided to expand our rankings to other categories of the crypto market: wallets, tokens, DeFis, blockchains, etc. We reviewed every audit from 2k+ projects listed on Cer.Live and analyzed audit coverage and relevance for them. We found that there are only 1.2% of the projects on the market have relevant audit, 100% audit coverage, bug bounty program and insurance program. So there is a lot of work to be done to push projects to follow security practices.
Dan:
That’s a lot of work. How big is your team?
Kostia:
Currently, its 10+ people.
Dan:
Nice, good size team. But still, very fast to get that many listings done!
There are other similar projects reviewing exchanges and DeFi protocols, what makes you stand out from the likes of DeFi Safety?
Kostia:
It’s because 4 of them are security researchers. They work only on reviews and new listings. =)\
What makes us stand out:
1) We are focused only on security ratings.
2) We have the biggest audits, insurance programs, and bug bounty programs database.
3) We cover all categories of the crypto market, and we plan to continue to decompose the market and create new methodologies for them.
4) We do listings and security evaluations for free. So if you need to review your project, do not hesitate to contact us: https://cer.live/contact.
Our goal for the cryptocurrencies rating is to cover all “alive” projects with security ratings=)
Dan:
Yes, that’s helpful. Especially taking out the payment aspect to avoid just shill projects getting listed.
What has the impact been so far? How have these security ratings made the industry safer?
Kostia:
Crypto exchanges’ security rating had a big effect on the market. The number of hacked exchanges decreases year by year.
In 2020 – 11 big hack cases
2021 – 4 big hack cases
2022 – 3 big hack cases
At the same time, the number of exchanges that performed security audits in 2020 is 21, and in 2022 is 59.
So you may see the trend.
We plan to create the same trend for crypto projects in general.
Dan:
Yes definitely!
More audits, fewer hacks. There are also a lot more projects, and the projects are bigger, as we know. But it’s still a good trend to follow.
Kostia:
Also, I have noticed that the main reason for crypto exchange hacks in 2022 is hot wallet private key leakage.
So it’s mostly about internal procedures of crypto exchanges. And soc2 + iso27001 audit may fix it.
Dan:
Great!
Can you explain to the InsurAce community how our partnership has been beneficial to your community and users?
Kostia:
Our community consists of security analytics, crypto projects representatives, and bug hunters, and they are always excited when our rating is recognized by new platforms (aggregators, bb platforms, insurance platforms, etc.). Because as I mentioned, the recognition of security ratings improves the security of the market overall. It makes the market more mature.
To be honest, I think that most of the projects do not recognize the importance of security. But the rating pushes them to take steps in that direction. That’s why every partnership has a big effect.
Dan:
Glad to hear it. We think the same.
Kostia:
I think for your community, it’s valuable that we do security research with our experienced team so the only thing they need to check – is the rating that proves that project is secure or not. They don’t need to check the relevance of the audits, acceptance of bug bounty programs, coverage of the audits, etc. We have already made it for you. =)
Dan:
This is definitely true. They don’t always take it seriously until they see a bad score somewhere or their community finds a bad score and tells them to improve.
This is why we made it one of our minimum requirements to get at least a score of 50 on Cer.Live before we can list a new project.
But what about the day-to-day crypto & DeFi users… Given the recent FTX collapse, what more can we do to protect ourselves in Web3?
Kostia:
“The rating is the weapon that pushes projects to improve their security.”
Dan:
You mentioned earlier that only 1.2% of projects have a relevant audit. That’s a scary fact.
Kostia:
This question needs a detailed answer. =)
Better to store crypto on the wallets where you own your private key. So the security of the assets is your own.
For trading, it is always better to trade on an exchange that has at least partial Proof of Reserves (PoR) audit. As a minimum, the balances of the exchange must be opened as at Binance, for example.
Alert! Open balances (as at Binance) and Proof of Reserves audits are different things. PoR audit proves that the exchange can handle the liabilities of its clients. For example, if users deposited 100m USDT to crypto, then the exchange must have the same balance on the wallets so it may handle all withdrawal requests.
At the same time, open balances may show that the exchange just has liquidity for trades. But at least it’s the first step.
I have noticed that there are only 3 exchanges that performed PoR audit: Kraken, Bitmex, and Gate.io.
The case of FTX shows that the market needs to be transparent for further growth.
Unfortunately, the FTX case will have a long negative effect on the market. But at the same time, it will make it more mature, secure and transparent. Which will have a huge effect in the future.
Dan:
That’s for sure.
I have some follow-up q’s myself…
Do you have any concerns about other centralised exchanges at this time?
Kostia:
There are some exchanges that seem to be brokers that don’t store the users’ balances on their own wallets.
I have to say that every exchange that will not do PoR audit till the end of Q2 of 2023 is a risky exchange.
Dan:
And regarding those audits, there have been a few released already, but I wouldn’t say they were all trustworthy. How can investors check for bad audits?
Kostia:
It’s really hard to check because there is no methodology and requirements for the audits at the moment. The only thing that may prove the quality is the presence of Merkle Proof. So it’s possible to reproduce the audit on your own.
Dan:
That’s interesting, I didn’t know that.
Will have to do some more research myself it seems.
Kostia:
Currently, the PoR audits market is at very early stage.
Dan:
That definitely makes sense. It’s been driven out of necessity in the last month.
Kostia:
Ideally, PoR audit must be done automatically at least every 24 hours. That will be 100% proof. But there are no such solutions on the market atm.
Dan:
Will be interesting to see who can come up with one.
I’ve seen some good on-chain accounting solutions emerge recently.
Last couple of questions:
What’s next for Cer.Live?
Kostia:
First of all, we will improve or exchange security rating by the addition of new metrics Proof of reserves audit, SOC2, “Are the balances open” audit and some other metrics. =)
Spoiler: Kraken will be there in the first place.
Dan:
More data is good.
Kostia:
Some information is already published on Cer.Live, but the comprehensive overview will be released by the end of December.
Dan:
This is unexpected but great to see.
Kostia:
After that, we plan to improve our cryptocurrency security rating with new metrics and methodology in general. It’s for Q1 of 2023.
Also, we plan to continuously improve our database and list new projects to be “all in one place” security data provider.
Dan:
Awesome! Looking forward to it!
And lastly, where can community members find out more about Cer.Live? Can you share some links to your community and information?
Kostia:
First of all, our blog: https://cer.live/blog
Twitter: https://twitter.com/cer_live
On Twitter you will be able to find security insights from our research, announcements, partnerships and so on.
And also our ratings: https://cer.live/cryptocurrency-security-rating
Dan:
Great! Well worth a follow.
Thank you so much for coming today
Kostia:
Thank you for the invitation. I am always happy to share more information about ratings and security in general.
