TLDR
- Kraken discovered a bug that could allow users to artificially inflate balances and withdraw funds without completing a deposit.
- Blockchain security company CertiK identified itself as the ‘security researcher’ who exploited the bug and withdrew nearly $3 million from Kraken’s coffers.
- Kraken claims CertiK refused to return the funds until the exchange called its estimates of potential losses “extortion.”
- CertiK defended its actions, saying it was testing the scope of the vulnerability and that Kraken threatened employees into returning inconsistent amounts of funds within an unreasonable time period.
- The incident sparked a debate in the cryptocurrency industry about the ethics of white hat hacking and bug bounty programs.
Cryptocurrency exchange Kraken recently revealed that it was hit by a security vulnerability that could allow users to artificially inflate account balances and withdraw funds without fully completing a deposit. The exchange reported that the exploit resulted in approximately $3 million being stolen from treasury.
Blockchain security company CertiK identified the “security researchers” responsible for exploiting the bug and withdrawing funds.
Kraken’s chief security officer, Nick Percoco, previously accused the then-unnamed security team of “robbing” the company for refusing to return funds until the exchange provided an estimate of potential losses if the bug was not disclosed.
Kraken Security Updates:
On June 9, 2024, we received a bug bounty program notification from a security researcher. Although no specifics were initially revealed, their email claimed that they had discovered a “very important” bug in our platform that could have artificially inflated balances.
— Nick Percoco (@c7five) June 19, 2024
But CertiK defended its actions, claiming it was testing the scope of the vulnerability and that Kraken had threatened employees into returning inconsistent amounts of funds within an unreasonable period of time without even providing a redemption address.
CertiK recently identified a series of serious vulnerabilities in: @krakenfx It’s an exchange that could potentially result in hundreds of millions of dollars in losses.
Starting by looking for @krakenfxA deposit system that may not be able to distinguish internal differences… pic.twitter.com/JZkMXj2ZCD
— CertiK (@CertiK) June 19, 2024
The security company provided a timeline of events detailing its interactions with Kraken and the discovery of the exploit.
According to CertiK, the vulnerability allowed millions of dollars to be deposited into Kraken accounts, and the manipulated cryptocurrency could be withdrawn and converted to valid cryptocurrency.
The company also claimed that no alerts were raised during several days of testing, and that Kraken responded and locked down test accounts just days after the initial public disclosure.
The incident sparked debate about the ethics of white hat hacking and the effectiveness of bug bounty programs.
While some argue that CertiK’s actions were justified to thoroughly test vulnerabilities, others believe the company crossed a line by withdrawing so much money and refusing to return it immediately.
Kraken claims CertiK’s actions do not conform to the principles of white hat hacking and that it is working with law enforcement to recover its assets. The exchange also emphasized that user funds were not affected by the attack as the stolen money came from Kraken’s own coffers.