Kraken said about $3 million was taken from its wallets due to an attack related to a bug that has since been fixed.
According to Nick Percoco, Kraken’s chief security officer, the cryptocurrency exchange received a bug bounty program alert on June 9. The alert warned of a “very serious” bug that could allow attackers to artificially inflate balances on the platform.
Percoco was short on specifics in its submission, but said it had investigated the issue and discovered an isolated bug that could have allowed malicious attackers to initiate deposits on the platform and receive funds into accounts without fully completing the deposit. He pointed out that this only happens under certain circumstances.
He said the bug, derived from a flaw in a recent UX change that credited clients’ accounts before their asset deposits were fully liquidated, despite there being no client assets at risk, allowed malicious attackers to “print assets” from their Kraken accounts. “I insisted I could do it. said Percoco.
Exploited before submitting a bounty
According to Percoco, the bug was fully fixed within a few hours. However, subsequent investigation revealed that it had already been exploited on three accounts within days of each other.
Percoco claimed that one of its accounts discovered a bug and that KYC was applied to an individual who claimed to be a “security researcher.” The individual reportedly took advantage of the bug to credit $4 to his account. This is enough to prove a defect, file a bug bounty report, and demand a hefty reward, Percoco said.
However, Kraken’s CSO claimed that the researcher disclosed the bug to two other people he was working with, who subsequently withdrew much larger amounts of money from Kraken accounts, totaling $3 million. “This came from Kraken’s treasury and not from other customer assets,” Percoco said.
Percoco said Kraken had requested a full accounting of their activities and the return of the funds. However, the researchers reportedly refused to return the funds until Kraken disclosed the potential scale of the exploit if it had not disclosed the bug. “This is not white hacking, this is extortion!” Percoco said.
Percoco said the researchers criticized the cryptocurrency exchange’s request as “unreasonable” and “unprofessional” and added that Kraken would not disclose the research company involved but would consider it a bug bounty violation and handle it as a criminal case. hatchet.
“We will not disclose this research company. Because they don’t deserve recognition for their actions. We are treating this as a criminal case and coordinating with law enforcement accordingly,” Percoco said.
Disclaimer: The Block is an independent media outlet delivering news, research and data. As of November 2023, Foresight Ventures is a majority investor in The Block. Foresight Ventures invests in other companies in the cryptocurrency space. Cryptocurrency exchange Bitget is an anchor LP of Foresight Ventures. The Block continues to operate independently to provide objective, impactful and timely information about the cryptocurrency industry. Below are our current financial disclosures.
© 2023 The Block. All rights reserved. This article is provided for informational purposes only. It is not provided or intended to be used as legal, tax, investment, financial or other advice.