- Kraken said it had patched a bug that could have allowed exploiters to inflate account balances.
- Security researchers who discovered the bug reportedly exploited it, via linked accounts, to siphon $3 million from Kraken’s treasury.
Kraken announced that its security team has patched a bug that could have potentially allowed certain users to inflate their account balances on the exchange.
The announcement follows Kraken’s revelation that security researchers had identified the vulnerability as part of the exchange’s bug bounty program.
“On June 9, 2024, we received a bug bounty program notification from a security researcher. Although specific details were not initially revealed, their email claimed that they had discovered a ‘highly significant’ bug that could have artificially inflated balances on our platform,” Nick Percoco, Kraken’s chief security officer, posted to X.
$3 million stolen, not user funds
Specifically, the flaw may have allowed certain users, albeit briefly, to “artificially increase the value of their Kraken account balances without fully completing their deposits,” the exchange said in a blog post.
Kraken later patched the bug in its deposit and funding systems and noted that customer funds were not affected.
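As an added illustration (not Kraken’s code, and not a description of the actual flaw’s internals, which Kraken has not published), the following hypothetical deposit ledger shows the general class of issue the exchange describes: the spendable balance is updated only when a deposit settles, never when it is merely announced, so a deposit that was never completed cannot be withdrawn against. All amounts and identifiers are constructed sample values.

```python
from dataclasses import dataclass, field
from enum import Enum


class DepositState(Enum):
    PENDING = "pending"    # announced by the client, settlement not yet observed
    CREDITED = "credited"  # settlement observed and balance updated exactly once


@dataclass
class Deposit:
    deposit_id: str
    amount: int  # minor currency units (constructed sample values)
    state: DepositState = DepositState.PENDING


@dataclass
class Account:
    available: int = 0  # spendable balance: settled funds only
    deposits: dict = field(default_factory=dict)

    def start_deposit(self, deposit_id: str, amount: int) -> None:
        # Recording an announced deposit must not touch the spendable balance.
        if amount <= 0:
            raise ValueError("amount must be positive")
        if deposit_id in self.deposits:
            raise ValueError("duplicate deposit id")
        self.deposits[deposit_id] = Deposit(deposit_id, amount)

    def settle_deposit(self, deposit_id: str, settled_amount: int) -> int:
        # Credit only on a settlement event, exactly once, for the amount actually settled.
        dep = self.deposits[deposit_id]
        if dep.state is not DepositState.PENDING:
            raise ValueError("deposit already credited")
        if settled_amount != dep.amount:
            raise ValueError("settled amount does not match announced amount")
        dep.state = DepositState.CREDITED
        self.available += settled_amount
        return self.available

    def withdraw(self, amount: int) -> int:
        # Pending (incomplete) deposits never count toward what can be withdrawn.
        if amount <= 0 or amount > self.available:
            raise ValueError("insufficient settled balance")
        self.available -= amount
        return self.available


def pending_total(acct: Account) -> int:
    # Funds announced but not settled, reported separately from the spendable balance.
    return sum(d.amount for d in acct.deposits.values() if d.state is DepositState.PENDING)


def try_withdraw(acct: Account, amount: int) -> bool:
    # Helper for callers that want a yes/no answer instead of an exception.
    try:
        acct.withdraw(amount)
        return True
    except ValueError:
        return False
```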
Although the exchange fixed the isolated bug, the report comes after two users had already exploited the vulnerability to withdraw $3 million from their accounts. These accounts are reportedly associated with the same security researcher who identified the bug and provided information to Kraken.
An anonymous individual is believed to have reported the bug to Kraken after withdrawing $3 million.
Despite the massive withdrawals, the security researchers have claimed a bounty reward, according to Percoco.
“We will not disclose this research company, because they don’t deserve recognition for their actions. We are treating this as a criminal case and coordinating with law enforcement accordingly. We appreciate this issue being reported, but that is the end of our thoughts,” Percoco added.