TLDR
- Kraken discovered a bug that allowed users to artificially inflate their balances and withdraw funds without completing deposits.
- CertiK, a blockchain security firm, identified itself as the “security researcher” that exploited the bug and withdrew nearly $3 million from Kraken’s treasuries.
- Kraken claims CertiK refused to return the funds until the exchange provided an estimate of the potential losses, calling it “extortion.”
- CertiK defended its actions, stating that it was testing the scope of the vulnerability and that Kraken had threatened its employees, demanding the return of a mismatched amount of funds within an unreasonable timeframe.
- The incident has sparked a debate on the ethics of white hat hacking and bug bounty programs in the cryptocurrency industry.
Cryptocurrency exchange Kraken recently revealed that it had fallen victim to a security vulnerability that allowed users to artificially inflate their account balances and withdraw funds without fully completing deposits. The exchange reported that nearly $3 million was stolen from its treasuries as a result of the exploit.
Blockchain security firm CertiK came forward, identifying itself as the “security researcher” responsible for exploiting the bug and withdrawing the funds.
Kraken’s Chief Security Officer, Nick Percoco, had earlier accused the then-unnamed security team of “extortion” for refusing to return the funds until the exchange provided an estimate of the potential losses if the bug had remained undisclosed.
Kraken Security Update:
On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.
— Nick Percoco (@c7five) June 19, 2024
CertiK, however, defended its actions, claiming that it had been testing the scope of the vulnerability and that Kraken had threatened its employees, demanding the return of a mismatched amount of funds within an unreasonable timeframe without even providing a repayment address.
CertiK recently identified a series of critical vulnerabilities in @krakenfx exchange which could potentially lead to hundreds of millions of dollars in losses.
Starting from a finding in @krakenfx's deposit system where it may fail to differentiate between different internal… pic.twitter.com/JZkMXj2ZCD
— CertiK (@CertiK) June 19, 2024
The security firm provided a timeline of events, detailing its interactions with Kraken and the discovery of the exploit.
According to CertiK, the vulnerability allowed millions of dollars to be deposited into any Kraken account, with the ability to withdraw and convert the fabricated crypto into valid cryptocurrencies.
The firm also claimed that no alerts were triggered during its multi-day testing period, and Kraken only responded and locked the test accounts days after the initial disclosure.
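To make the class of bug described above concrete, here is an added toy illustration (not Kraken's code, and not based on any disclosed detail of its deposit system): a simplified exchange ledger that credits the spendable balance as soon as a deposit is initiated, beside the corrected version that credits only on confirmation, plus the reconciliation check that would flag a balance exceeding what actually settled. `Deposit`, `Ledger`, the account name and the amounts are all constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

class DepositState(Enum):
    INITIATED = "initiated"   # request created, funds not yet settled
    CONFIRMED = "confirmed"   # funds actually received and finalized

@dataclass
class Deposit:
    account: str
    amount: int
    state: DepositState

@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)   # spendable balance per account
    deposits: list = field(default_factory=list)   # every deposit record seen
    withdrawn: dict = field(default_factory=dict)  # total withdrawn per account

def credit_on_initiation(ledger, dep):
    """Vulnerable pattern: the balance is credited when a deposit is merely
    initiated, so an INITIATED deposit that never completes still inflates it."""
    ledger.deposits.append(dep)
    ledger.balances[dep.account] = ledger.balances.get(dep.account, 0) + dep.amount

def credit_on_confirmation(ledger, dep):
    """Hardened pattern: only a CONFIRMED deposit moves the spendable balance."""
    ledger.deposits.append(dep)
    if dep.state is DepositState.CONFIRMED:
        ledger.balances[dep.account] = ledger.balances.get(dep.account, 0) + dep.amount

def withdraw(ledger, account, amount):
    """Withdraw against the spendable balance; returns whether it was allowed."""
    if ledger.balances.get(account, 0) < amount:
        return False
    ledger.balances[account] -= amount
    ledger.withdrawn[account] = ledger.withdrawn.get(account, 0) + amount
    return True

def reconcile(ledger):
    """Detection: report accounts whose credited value (balance + withdrawals)
    exceeds settled deposits. Running this periodically is the alert that the
    article says never fired during the multi-day test."""
    settled = {}
    for d in ledger.deposits:
        if d.state is DepositState.CONFIRMED:
            settled[d.account] = settled.get(d.account, 0) + d.amount
    flagged = {}
    for acct in set(ledger.balances) | set(ledger.withdrawn):
        credited = ledger.balances.get(acct, 0) + ledger.withdrawn.get(acct, 0)
        if credited > settled.get(acct, 0):
            flagged[acct] = credited - settled.get(acct, 0)
    return flagged
```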
The incident has sparked a debate about the ethics of white hat hacking and the effectiveness of bug bounty programs.
While some argue that CertiK’s actions were justified in the interest of thoroughly testing the vulnerability, others believe that the firm crossed a line by withdrawing such a large sum of money and refusing to return it promptly.
Kraken maintains that CertiK’s actions do not align with the principles of white hat hacking and that it is working with law enforcement agencies to retrieve the assets. The exchange also emphasized that no user funds were affected by the exploit, as the stolen money came from Kraken’s own treasuries.