
Institutional finance is moving into Web3 faster than the security infrastructure designed to protect it. Smart-contract audits are becoming licensing requirements. On-chain monitoring is no longer optional. And the attack surface, once confined to lines of code, now includes supply chains, signing keys, and in some documented cases, physical coercion.
Jason Jiang, Chief Business Officer at CertiK, sits at the center of that gap. Measured, precise, and consistently willing to say what the industry has not yet figured out, he is not the type to oversell the state of readiness.
“They Know the Importance. What They Don’t Know Is the Attack Vectors.”
The opening question is blunt by design. Institutions coming into Web3 arrive from a world of Big Four audits, SOC 2 certifications, and decades of standardized financial controls. When they look at a smart-contract audit, what are they actually buying?
“It takes a lot of education and communication, for sure,” Jiang says. “But large institutions have been preparing themselves for this kind of digital asset adaptation for years. They know the importance of smart-contract audits, chain audits, penetration testing.” He pauses. “What they’re not so sure about is the attacking vectors coming from the blockchain infrastructure. They’re not so sure about how to fix their SOPs to adapt to this new challenge. And this is where our expertise is treasured.”
It is a careful answer, acknowledging institutional readiness without overstating it. The gap, as Jiang frames it, is not knowledge of the product. It is knowledge of the threat.
The Bybit Problem
That threat has never been more visible. In February 2025, the Bybit exchange lost $1.5 billion. The smart contract was fine. The attackers compromised a third-party signing provider upstream. CertiK’s own Skynet data attributed the breach to North Korea’s TraderTraitor cluster. It remains the largest single hack in crypto history.
So what does that say about smart-contract audits as the primary security instrument for institutions?
“The height of smart-contract exploits was really the 2020 to 2023 era,” Jiang explains. “After that, attackers changed their methodology. As smart contracts got more stable and developers adopted better practices, the low-hanging fruit became social engineering, multi-signature key leakages, those kinds of things. We published a report not too long ago talking about the wrench attack, which is a physical attack.” He references the high-profile kidnapping of a crypto founder’s family member. “From the attacker’s point of view, they don’t care what methodologies they use. They’re going after the assets, and whichever gives them the easier way to do it, they will utilize that.”
The implication is sobering: auditing the code is necessary but no longer sufficient. The perimeter has expanded well beyond the contract itself.
Point-in-Time vs. Real-Time
Which raises an obvious follow-up. A smart-contract audit is, by nature, a snapshot. Protocols get upgraded. Market conditions shift. DeFi does not pause while the auditors write their report.
CertiK’s answer to this is Skynet, its on-chain monitoring platform, now integrated with CoinMarketCap and used across hundreds of projects. But Jiang is frank about its limits. “Skynet is a continuous surveillance tool. It uses live data to rate a project’s security in near-real time. But it does not solve the problem of possible vulnerabilities on its own.”
When pushed on whether institutions should think of security as a one-time exercise or an ongoing commitment, his answer is unambiguous. “It definitely needs to be ongoing. If you look at newly updated regulatory policies, they all require smart-contract audits and penetration testing as part of licensing requirements.” He adds, with a candor that is rare in this industry: “We even say it needs to be real-time. But we’re not there yet.”
The Standards Gap — and Who Fills It
The absence of a Basel III equivalent for smart-contract risk is one of the cleaner ways to articulate what institutional Web3 is still missing. Is CertiK trying to become the body that sets that standard?
“I don’t think regulators have the technical know-how yet,” Jiang says. He points to NIST in the US and Abu Dhabi Global Market as examples of standardization bodies where CertiK is already an active participant, contributing to both security measures and policy formation. “Definitely we want to be part of it, but it takes more than us alone to push out a policy, and we’re very much aware of that.”
It is a significant admission from a company that could easily claim the territory. The humility reads as strategic as much as genuine.
The Weapon That Cuts Both Ways
Then there is AI, the variable that complicates every security conversation right now. CertiK recently launched its Skill Scanner, a tool designed to identify security risks in third-party AI agent skills before they reach user data or assets. The timing is pointed: as institutions grow more cautious about AI, attackers are growing more ambitious with it. Deepfakes, automated exploit discovery and AI-assisted social engineering are all accelerating.
So is AI, on balance, a net positive or a net risk for institutional smart-contract security?
“Institutions are taking more conservative roles,” Jiang says. “They don’t want to see AI technology involvement yet.” But CertiK’s own relationship with AI is more pragmatic than that framing suggests. The Skill Scanner, it turns out, was not built for the market. It was built for CertiK. “We use so many AI skills internally and we encountered some security problems. That’s why we developed the tool. Then we gave it to the community.” A product born from self-defence, now offered as infrastructure.
It is a telling detail. If the world’s largest Web3 security firm is discovering AI vulnerabilities in its own operations and building tools to patch them, the implication for institutions running leaner security teams is uncomfortable. Jiang does not dramatize it. “AI is such a fast-evolving technology. It’s hard to predict what’s coming in a year.” Which, from a security professional, is less reassurance than it might sound.
The Question Every CFO Is Asking
The closing question is the one that matters most in any boardroom conversation about Web3 adoption: at what point is a deployment (a tokenised bond, a DeFi treasury strategy, an on-chain settlement layer) secure enough for a CFO to sign off?
Jiang does not pretend the answer is clean. “Every region has its own flavour of standardization. For instance, we started working with the Brazilian Central Bank on their requirements, and they require some of their entities to conduct a penetration test every year, and some of them are just once and done kind of thing. So I think the whole industry is still trying to figure out what’s the optimal setups there.”
But he does draw a line. “There are some must-dos. Auditing, penetration testing, on-chain monitoring, on-chain surveillance. They are some of the must-have tools or methodologies to make them get to certain levels of security.”
It is not the definitive answer institutions are hoping for. But from someone who has spent years at the intersection of enterprise operations and blockchain security, it may be the most honest one available.