- Kraken’s bug led to a $3 million theft, sparking controversy over security practices.
- CertiK, which later identified itself as the researcher, criticized Kraken’s repayment demands after the vulnerability was fixed, adding to the uncertainty surrounding the exchange.
In an unexpected turn of events, Kraken, a leading cryptocurrency exchange, revealed on the 19th of June that it had been dealing with a bug that, for months, had allowed users to credit their accounts with funds they never actually deposited.
The issue came to light after a security researcher alerted Kraken of an “extremely critical bug” in their system.
Kraken exchange scrambles?
This bug led to the withdrawal of at least $3 million in digital assets, making headlines. Commenting on the situation, Nicholas Percoco, Kraken’s chief security officer, took to X (formerly Twitter) and noted,
Despite this incident, the firm asserted that “no client’s assets were ever at risk”. Percoco further explained that users could credit funds to their Kraken accounts by initiating deposits without actually completing the deposit process. He said,
“A malicious attacker could effectively print assets in their Kraken account for a period of time.”
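The flaw Percoco describes is a deposit pipeline that credits a customer balance when a deposit is initiated rather than when it settles. The following is an added illustrative model of that bug class and of the obvious fix; it is not Kraken’s code and nothing about Kraken’s internals is known beyond the description above. The state names, the confirmation threshold and the amounts are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class DepositState(Enum):
    INITIATED = "initiated"   # user requested a deposit address / started a transfer
    CONFIRMED = "confirmed"   # on-chain transfer observed with enough confirmations
    ABANDONED = "abandoned"   # never completed


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: int               # smallest unit of the asset (assumed integer units)
    state: DepositState = DepositState.INITIATED
    confirmations: int = 0


@dataclass
class Ledger:
    """Toy exchange ledger. credit_on_initiate=True reproduces the bug class:
    the balance is credited before any settlement is observed."""
    credit_on_initiate: bool
    required_confirmations: int = 6          # assumed policy value
    balances: dict = field(default_factory=dict)
    deposits: dict = field(default_factory=dict)

    def _credit(self, account: str, amount: int) -> None:
        self.balances[account] = self.balances.get(account, 0) + amount

    def initiate_deposit(self, deposit_id: str, account: str, amount: int) -> Deposit:
        dep = Deposit(deposit_id, account, amount)
        self.deposits[deposit_id] = dep
        if self.credit_on_initiate:
            # Vulnerable behaviour: "printing" a balance on intent alone.
            self._credit(account, amount)
        return dep

    def observe_confirmation(self, deposit_id: str, confirmations: int) -> DepositState:
        """Called by the chain watcher as confirmations accumulate."""
        dep = self.deposits[deposit_id]
        dep.confirmations = confirmations
        if dep.state is DepositState.INITIATED and confirmations >= self.required_confirmations:
            dep.state = DepositState.CONFIRMED
            if not self.credit_on_initiate:
                # Hardened behaviour: credit only once settlement is final.
                self._credit(dep.account, dep.amount)
        return dep.state

    def withdraw(self, account: str, amount: int) -> bool:
        """Returns True if the withdrawal was allowed against the credited balance."""
        available = self.balances.get(account, 0)
        if amount <= 0 or amount > available:
            return False
        self.balances[account] = available - amount
        return True


def abandoned_deposit_withdrawal(credit_on_initiate: bool) -> bool:
    """Attacker initiates a deposit, never completes it, and tries to withdraw.
    Returns whether the withdrawal succeeded."""
    ledger = Ledger(credit_on_initiate=credit_on_initiate)
    ledger.initiate_deposit("dep-1", "attacker", 1_000_000)
    # No observe_confirmation() call: the transfer never happens on-chain.
    return ledger.withdraw("attacker", 1_000_000)


def honest_deposit_withdrawal() -> bool:
    """A genuine deposit on the hardened ledger is credited after settlement."""
    ledger = Ledger(credit_on_initiate=False)
    ledger.initiate_deposit("dep-2", "alice", 500)
    ledger.observe_confirmation("dep-2", 6)
    return ledger.withdraw("alice", 500)


if __name__ == "__main__":
    print("vulnerable ledger pays out on abandoned deposit:", abandoned_deposit_withdrawal(True))
    print("hardened ledger pays out on abandoned deposit:", abandoned_deposit_withdrawal(False))
    print("hardened ledger pays out on confirmed deposit:", honest_deposit_withdrawal())
```

The practical check is simple: any code path that increases a withdrawable balance must be reachable only from a settlement event, never from a user-initiated request. Reconciling credited balances against on-chain settled deposits on a schedule would have surfaced a gap like this within a day rather than months.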
The “security researcher” used the bug to credit their account with $4 in cryptocurrency, which would have been enough to demonstrate the flaw, report it and claim a reward.
But instead of reporting the flaw, the researcher shared it with two associates, who withdrew nearly $3 million from Kraken.
Addressing user worries around the issue, Kraken claimed,
“This was from Kraken’s treasuries, not other client assets.”
Unexpected response from the researchers
When Kraken asked the researchers to return the money and provide details of the exploit, which is standard practice for bug bounty programs, they refused to cooperate.
To this, Percoco responded,
Expressing his frustration, Kraken’s CSO said,
“We are being accused of being unreasonable and unprofessional for requesting that ‘white-hat hackers’ return what they stole from us. Unbelievable.”
CertiK: The security researcher
However, things escalated further when blockchain security firm CertiK went public, identifying itself as the “security researcher”. They said,
“After initial successful conversations on identifying and fixing the vulnerability, Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses.”
This was met with initial criticism, as highlighted by Lefteris Karapetsas, Founder of Rotkiapp, who said,
But given CertiK’s track record in vulnerability identification, the outcome for the exchange remains uncertain.