CertiK experts come into conflict with Kraken

Nick Percoco, Head of Security at the crypto exchange Kraken, stated that unknown persons had discovered an exploit on the platform and withdrawn about $3 million in crypto assets from it. CertiK experts claimed responsibility for these actions, saying they had been researching a vulnerability.

Kraken Position

Percoco released his statement on June 19, 2024. According to it, Kraken received a bug bounty report about the discovered bug on June 9.

“No specifics were initially disclosed, but the report said the bug was ‘extremely critical.’ It allegedly allowed balances on the platform to be inflated,” Percoco noted.

The company assembled a team to investigate the incident. According to Percoco, the bug was isolated within a few minutes. At the same time, according to the exchange’s representative, client funds “were never at risk.”

The problem was quickly fixed, and reportedly no trace of it remained. Kraken employees also found that three accounts had exploited the bug and repeatedly withdrawn crypto assets from the exchange.

As Percoco emphasized, to qualify for a reward under Kraken’s bug bounty program it would have been enough to deposit $4 and notify the exchange of the exploit. Instead, the account holders withdrew crypto assets totaling about $3 million, he noted.

“In turn, we asked to provide a full report on their activities, evidence of the discovered exploit, and to arrange for the return of the funds they withdrew. This is common practice for any Bug Bounty program. These security researchers refused,” Percoco emphasized.

Instead of the standard reward, the group that discovered the bug demanded a payment comparable to the potential damage from the exploit. Percoco called this “extortion.”

He also noted that ignoring the program’s established rules effectively makes security researchers criminals.

“We will not disclose information about this company as it does not deserve credit for its actions. We are treating this as a criminal matter and are coordinating with law enforcement accordingly,” Percoco said.

CertiK position

On the same day, CertiK published an official response to Kraken’s statement on its X (formerly Twitter) account. It states that CertiK experts discovered a vulnerability in the exchange’s platform that could potentially have led to “hundreds of millions of dollars” in damage.

They noted that Kraken did not respond to the report immediately; the exchange’s response came only a few days after the report was submitted.

The company also expressed outrage at the subsequent behavior of Kraken’s security team:

“Following initial successful conversations related to the identification and resolution of the vulnerability, Kraken’s security operations team DEMANDED that individual CertiK employees return a MISMATCHED amount of crypto assets within an UNREASONABLE time [six hours], even WITHOUT providing return addresses.”

CertiK’s publication included a timeline of events with dates and times, as well as a complete list of the addresses and amounts of its test transactions.

“Since Kraken did not provide an address for repayment, and the requested amount did not match the amount received, we are transferring the funds based on our records to an account that Kraken can access,” the company emphasized.

CertiK also drew attention to the fact that the exchange’s security system had failed the test: it did not detect a large number of test transactions, the experts said.

Public reaction

The community sided with Kraken. In particular, Adam Cochran, managing partner of the CEHV fund, called the CertiK experts “criminals.”

A similar view was expressed by Lefteris Karapetsas, founder of the Rotki project:

“This looks like extortion. Ethical hackers do not hold funds hostage.”

At the time of writing, no further details on the case were available. It is unknown whether Kraken has received the funds back.


Source: Cryptocurrency