Nick Percoco, head of security at the Kraken crypto exchange, stated that unknown persons discovered an exploit on the platform and withdrew $3 million in crypto assets from it. CertiK experts claimed responsibility for these actions, noting that they were looking for a vulnerability.
Kraken position
Percoco released his statement on June 19, 2024. According to it, Kraken received a bug bounty notification about the discovered bug on June 9.
Kraken Security Update:
On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.
— Nick Percoco (@c7five) June 19, 2024
The company assembled a team to investigate the incident. According to Percoco, the isolated bug was discovered within a few minutes. At the same time, according to a representative of the exchange, client funds “were never at risk.”
The problem was quickly fixed, after which supposedly no traces of it remained. Kraken employees also discovered that three addresses had taken advantage of the situation and consistently withdrew crypto assets from the site.
At the same time, as Percoco emphasized, to receive a reward under the Kraken program, it was enough to deposit $4 and notify the exchange about the exploit. Instead, account holders withdrew crypto assets totaling about $3 million, he noted.
Instead of the stated reward, the group that discovered the bug demanded an amount comparable to the potential damage from the exploit. Percoco called it “extortion.”
He also noted that ignoring established rules actually makes security researchers criminals.
CertiK position
On the same day, an official response to Kraken’s statement appeared on CertiK’s X (formerly Twitter) page. It states that CertiK experts discovered a vulnerability in the exchange platform, which could potentially lead to “hundreds of millions of dollars” in damage.
CertiK recently identified a series of critical vulnerabilities in @krakenfx exchange which could potentially lead to hundreds of millions of dollars in losses.
Starting from a finding in @krakenfx‘s deposit system where it may fail to differentiate between different internal… pic.twitter.com/JZkMXj2ZCD
— CertiK (@CertiK) June 19, 2024
They noted that Kraken did not respond to the request immediately. The exchange’s response came only a few days after the report was compiled.
The organization also expressed outrage at the further behavior of the company’s security service:
CertiK’s publication included a sequence of events with dates and times, as well as a complete list of addresses and amounts of test transactions.
CertiK also drew attention to the fact that the exchange’s security system did not pass the test. Moreover, it did not detect a large number of test transactions, experts said.
Public reaction
The community supported Kraken. In particular, Adam Cochran, managing partner of the CEHV fund, called CertiK experts “criminals”:
Holy shit.
Certik just admitted to being the security firm that stole from Kraken and is trying to extort them for more of a payment.
Given how often Certik audits get hacked and now this shit, it’s wild they still exist.
Down right criminal. https://t.co/Ijpv3x5Pxc
— Adam Cochran (adamscochran.eth) (@adamscochran) June 19, 2024
Lefteris Karapetsas, founder of the Rotki project, expressed a similar view:
At the time of writing, no new details were available on the case. It is unknown whether Kraken received the funds back.
Source: Cryptocurrency
