Smart-contract security company Certora has raised $36 million in a Series B round led by Jump Crypto to fund development and port its vulnerability detection technology to new blockchains.
Other participants in the round included Tiger Global, Galaxy Digital, Electric Capital, ACapital, Framework Ventures, CoinFund, Lemniscap, Coinbase and VMware, according to a draft blog post obtained by CoinDesk.
Blockchain security breaches have made headlines this year, with some resulting in nine-figure financial losses. These include $326 million for blockchain bridge Wormhole and $625 million for Ronin Network, the infrastructure behind popular play-to-earn game Axie Infinity.
Certora's technology is designed to help developers identify and avoid security flaws before code is deployed. The company's Prover tool is meant to complement human audits and bug bounties. It either finds and displays rule violations or formally proves there are none. Certora says it currently secures $50 billion in decentralized finance (DeFi) assets.
The company is led by Shmuel "Mooly" Sagiv, a chair of computer science at Tel Aviv University and a pioneer in formal verification, a field that uses complex mathematics to prove or disprove the correctness of an algorithm, such as the logic of a liquidity protocol's smart contracts.
Certora currently supports only blockchains compatible with the Ethereum Virtual Machine (EVM). The next focus is to extend support to Solana and then expand to Polkadot.
"What we want to do in the next year is to cover all blockchains," Sagiv said in an interview with CoinDesk.
How it works
Certora identifies violations of invariants, or rules that should not be broken, in smart contracts. The company's technology has identified bugs in Aave, Compound, Balancer and SushiSwap. Most of these bugs were discovered and fixed before the code was deployed.
For example, Certora prevented a critical bug in SushiSwap's Trident liquidity pool contract. In Trident, users add funds to create the pool and then receive fees for their lending and swapping activities. The fees are proportional to their share of the total liquidity.
For a liquidity pool to work, there must be a technical rule that says that as long as there are pool funds, there must be user shares because someone is providing that liquidity. Violation of this rule means that either the pool shares are worthless or the funds exist but cannot be drawn down by users.
In the case of Trident, the Certora Prover found a rule violation that would have allowed an attacker to withdraw the pool's funds. The problem was identified and fixed before the code was deployed.
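The rule described above (funds in the pool imply outstanding user shares) can be checked mechanically. The following is an added example, not Certora's Prover and not Trident's code or its bug: a constructed toy pool with a hypothetical 1% exit fee is explored by bounded breadth-first search, and all names (`mint`, `burn`, `FEE_BPS`, `find_violation`) are assumptions.

```python
from collections import deque

# Constructed toy model, not any real contract. State is (reserve, total_shares).
FEE_BPS = 100  # hypothetical 1% exit fee that stays in the pool

def mint(state, amount):
    reserve, shares = state
    # First depositor gets shares 1:1; later depositors get a proportional amount.
    minted = amount if shares == 0 else amount * shares // reserve
    return (reserve + amount, shares + minted) if minted > 0 else None

def burn(state, burned, fixed):
    reserve, shares = state
    if burned == 0 or burned > shares:
        return None  # call would revert
    payout = burned * reserve // shares
    fee = payout * FEE_BPS // 10_000
    if fixed and burned == shares:
        fee = 0  # corrected variant: the last holder takes everything out
    return (reserve - (payout - fee), shares - burned)

def invariant(state):
    reserve, shares = state
    return reserve == 0 or shares > 0  # pool funds imply user shares

def find_violation(fixed, amounts=(100, 250), max_depth=4):
    """Explore every call sequence up to max_depth; return the first bad trace."""
    queue, seen = deque([((0, 0), [])]), {(0, 0)}
    while queue:
        state, trace = queue.popleft()
        if not invariant(state):
            return trace
        if len(trace) == max_depth:
            continue
        steps = [(f"mint({a})", mint(state, a)) for a in amounts]
        burns = sorted({state[1], state[1] // 2})  # burn all or half the shares
        steps += [(f"burn({b})", burn(state, b, fixed)) for b in burns]
        for label, nxt in steps:
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [label]))
    return None

if __name__ == "__main__":
    print("flawed:", find_violation(fixed=False))
    print("fixed: ", find_violation(fixed=True))
```

In the flawed variant the retained fee is left in the pool after the last share is burned, so funds exist that no user can draw down. A bounded search only covers the sequences it enumerates, whereas formal verification aims to prove the rule for all of them.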
"Driven by world-class experts, Certora is leveraging formal verification to deploy a set of scalable and robust products that offer much higher reusability and granular testing," Jump Crypto partner and chief investment officer Saurabh Sharma said in a statement.