As part of our ongoing efforts to strengthen the overall security of the cryptocurrency ecosystem, we are informing the cryptocurrency community that we have patched an isolated bug in our deposit and funding systems. No customer assets were affected or put at risk as a result of this bug.
The bug was initially discovered by a third-party security research firm, which exploited the flaw for financial gain before reporting it to Kraken’s Bug Bounty program. The flaw allowed certain users to artificially increase their Kraken account balances for a short period of time without fully completing a deposit.
Upon discovery, a cross-departmental effort at Kraken mitigated the problem within an hour. We then thoroughly tested the fix to prevent similar issues in the future.
Unfortunately, the third-party researchers who discovered the bug acted in bad faith and in violation of the rules of our Bug Bounty program, which has been running for nearly a decade. Industry best practice for bug bounty programs requires careful collaboration between both parties, and security researchers are expected to:
- Exploit only what is necessary to demonstrate a security vulnerability
- Immediately return any extracted assets
- Provide testing details, such as proof-of-concept code, that help the company identify and resolve the underlying defect
Because they did not adhere to these industry expectations, we will not be crediting the researchers in this disclosure.
In return for bug bounty reports, companies like Kraken must take great care to quickly patch the underlying issues and publicly acknowledge the researchers’ excellent work. Most importantly, researchers should be rewarded with generous bounties. We have moved aggressively to uphold our side of this deal.
Security research is not new to Kraken, which has deep roots in the information security industry. Our Kraken Security Labs team has a track record of discovering security vulnerabilities and reporting them to other cryptocurrency providers, including Ledger and Trezor, helping them improve their products.
We understand the value external security research can bring and how it can improve the broader ecosystem. There is no better way to protect everyone in the cryptocurrency space than by working together.
“As a leader with deep roots in the hacking community, we can attest to the importance of leveraging the skills, knowledge and expertise from across the security community to strengthen an enterprise’s security strategy and risk management controls,” said Nick Percoco, Chief Security Officer at Kraken.
We view our bug bounty program as essential to Kraken’s mission and as a key part of our efforts to improve our overall security systems and processes. We have collaborated with many talented and well-intentioned security researchers over the years, and we look forward to continuing this work in the future.
These materials are provided for general information purposes only and do not constitute investment advice or a recommendation or solicitation to buy, sell or own any cryptocurrency, or to engage in any particular trading strategy. Kraken makes no representations or warranties of any kind, express or implied, as to the accuracy, completeness, timeliness, suitability or validity of such information, and will not be liable for any errors, omissions, delays or losses in this information, or for any injury or damage resulting from its display or use. Kraken does not and will not seek to increase or decrease the price of any particular cryptocurrency it offers. Some cryptocurrency products and markets are unregulated and you may not be protected by government compensation and/or regulatory protection schemes. The unpredictable nature of the cryptocurrency market may result in loss of funds. Taxes may be payable on any increase and/or decrease in the value of your cryptocurrency assets and you should seek independent advice on your tax position. Geographic restrictions may apply.