CertiK reveals it found Kraken vulnerability and will return funds, denies extortion allegations

cyptouser5 months agoCryptocurrencies News69
Blockchain security firm CertiK confirmed that it was behind the discovery of a critical vulnerability in crypto exchange Kraken’s deposit system and gone public with its account of the events following allegations of extortion by the exchange.

The security firm also alleged that Kraken threatened its employees on June 18 and demanded repayment of a “mismatched” amount in an unreasonable amount of time without providing a relevant wallet address.

CertiK denied the extortion allegations and said it would transfer the funds used for its “white-hat testing” back to the wallet address it has on hand since Kraken did not provide a new address. The firm said:

“Since Kraken has not provided repayment addresses and the requested amount was mismatched, we are transferring the funds based on our records to an account that Kraken will be able to access.”

CertiK’s side

CertiK said its investigation started on June 5, when its researchers found an issue in Kraken’s deposit system that failed to differentiate between various internal transfer statuses.

This led to a deeper probe into whether a malicious actor could fabricate a deposit transaction and withdraw fabricated funds. The firm said the tests also aimed to determine whether a large withdrawal request would trigger any risk controls.

CertiK’s tests revealed that millions of dollars could be deposited into any Kraken account, and fabricated crypto worth over $1 million could be withdrawn and converted into valid cryptos. The firm said that no alerts were triggered during the multi-day testing period, and Kraken only responded and locked the test accounts days after it reported the incident.

Despite initial successful communications and steps to identify and fix the vulnerability, the situation deteriorated, leading to CertiK’s public disclosure.

The timeline of events began with the initial discovery on June 5 and included significant tests, such as a large withdrawal of over 90,000 Matic on June 7 and additional large deposits and withdrawals over the following days.

CertiK reported its findings to Kraken on June 10, and by June 12, Kraken confirmed and fixed the critical vulnerability. However, the situation escalated on June 18, when Kraken allegedly threatened a CertiK employee, demanding repayment without providing addresses.

Extortion allegations

Kraken’s Chief Security Officer Nick Percoco revealed on June 19 that nearly $3 million was taken from its wallets due to a bug that allowed anyone to initiate a deposit to the platform and receive the funds without completing the transaction.

He revealed that on June 9, the company received an anonymous tip from a “security researcher” about a critical bug affecting its funding system. The flaw allowed malicious actors to artificially inflate their account balances.

While fixing the vulnerability, Kraken found that three accounts had exploited this flaw within a few days, resulting in nearly $3 million being withdrawn from Kraken’s treasury. The amount is several magnitudes higher than it needed to be to prove the vulnerability exists.

The exchange said the researchers refused its request to return the funds and provide data in line with usual bug bounty programs, which includes “a full account of their activities, a proof of concept used to create the on-chain activity.”

Instead, the researchers scheduled meetings between the exchange and CertiK’s business department to discuss what the reward should be worth based on the damages it would have caused if undisclosed.

Percoco condemned the researchers’ demands for a speculative sum for the potential damages, calling the actions unethical and criminal.

Mentioned in this article
CertiK Kraken
The content on this website comes from the Internet. Due to the inconvenience of proofreading the authenticity and accuracy of the copyright or content of some content, it may be temporarily impossible to confirm the authenticity and accuracy of the copyright or content. For copyright issues or other issues caused by this, please Call or email this site. It will be deleted or changed immediately after verification.

related articles

Hong Kong police investigate $15.4 million scam on Hounax trading platform

The Hong Kong Police have initiated an inquiry into Hounax, a cryptocurrency trading platform, follo...

Terraform claims SEC offered ‘no evidence’ for $4.7B in disgorgement

Terraform claims SEC offered ‘no evidence’ for $4.7B in disgorgement

55966e89˃With a hearing scheduled for May 22 to listen to proposed remedies in the United States Sec...

This blockchain platform offers decentralization, security and scalability in tandem

This blockchain platform offers decentralization, security and scalability in tandem

1205f261˃Partisia Blockchain is an L1 with novel zero-knowledge oracle and sharding solutions, sorti...

Binance helps Taiwan solve $6.2M crypto fraud

Binance helps Taiwan solve $6.2M crypto fraud

55966e89˃The Financial Crimes Compliance (FCC) Department of Binance has joined forces with Taiwan’s...

ETH to spike post halving, ETF denial would not ‘be bearish’ — Analysts

ETH to spike post halving, ETF denial would not ‘be bearish’ — Analysts

92485d12˃Crypto analysts are betting that Ether’s (ETH) price could see a significant upswing within...

Tether completes ‘gold standard’ security audit

25cc9d4a˃Tether has announced the successful completion of a System and Organization Controls 2 (SOC...