Quick take:
- Kraken’s chief security officer Nick Percoco said Wednesday that $3 million was taken from its wallets.
- The bug allowed anyone to initiate a deposit to the platform and receive the funds without completing it.
- Percoco said three people connected with an undisclosed company had refused to return the funds until Kraken made public the potential size of the exploit.
CertiK and crypto exchange company Kraken have been engaged in a bug bounty dispute for the past several days according to information material disclosed by the blockchain security firm on X.
CertiK said on June 5, it found a vulnerability in Kraken’s deposit system that allowed withdrawals of fabricated crypto that could be converted into valid crypto.
The crypto security firm deposited 200 Matic on June 5 before withdrawing 90,000 Matic two days later. It then made a significantly larger deposit before withdrawing an even larger amount on June 9, the firm claimed via a post on X.
Commenting on its test result on X, CertiK wrote: “The Kraken exchange failed all these tests, indicating that Kraken’s defence in-depth-system is compromised on multiple fronts. Millions of dollars can be deposited to ANY Kraken account.”
“A huge amount of fabricated crypto (worth more than 1M+ USD) can be withdrawn from the account and converted into valid cryptos. Worse yet, no alerts were triggered during the multi-day testing period. Kraken only responded and locked the test accounts days after we officially reported the incident.”
In its response, Kraken’s chief security officer Nick Percoco said his company was able to “triage the bug” within an hour and 47 minutes, before completely fixing the issue within a few hours.
Describing the circumstances of the bug, he said: “Our team found a flaw deriving from a recent UX change that would promptly credit client accounts before their assets cleared – allowing clients to effectively trade crypto markets in real-time. This UX change was not thoroughly tested against this specific attack vector.”
Percoco said further investigations showed that three accounts had already taken full advantage of the bug to credit their accounts with $4 in crypto, which would have been enough to file a bug bounty report with the Kraken team, earning themselves a sizeable reward from the crypto exchange’s bug bounty program.
“Instead, the ‘security researcher’ disclosed this bug to two other individuals who they work with who fraudulently generated much larger sums. They ultimately withdrew nearly $3 million from their Kraken accounts. This was from Kraken’s treasuries, not other client assets.”
After discussions to file the report so the funds could be returned, the researchers refused, said Percoco, going on to brand the event as an “extortion”.
CertiK said that after initial successful conversions on identifying and fixing the vulnerability, Kraken’s security operation team threatened individual CertiK employees to repay mismatched crypto amounts without giving them reasonable time or repayment addresses.
Stay on top of things:
Subscribe to our newsletter using this link – we won’t spam!
