CertiK reveals it found Kraken vulnerability and will return funds, denies extortion allegations
The security firm also alleged that Kraken threatened its employees on June 18 and demanded repayment of a “mismatched” amount in an unreasonable amount of time without providing a relevant wallet address.
CertiK denied the extortion allegations and said it would transfer the funds used for its “white-hat testing” back to the wallet address it has on hand since Kraken did not provide a new address. The firm said:
“Since Kraken has not provided repayment addresses and the requested amount was mismatched, we are transferring the funds based on our records to an account that Kraken will be able to access.”
CertiK’s side
CertiK said its investigation started on June 5, when its researchers found an issue in Kraken’s deposit system that failed to differentiate between various internal transfer statuses.
This led to a deeper probe into whether a malicious actor could fabricate a deposit transaction and withdraw fabricated funds. The firm said the tests also aimed to determine whether a large withdrawal request would trigger any risk controls.
CertiK’s tests revealed that millions of dollars could be deposited into any Kraken account, and fabricated crypto worth over $1 million could be withdrawn and converted into valid cryptos. The firm said that no alerts were triggered during the multi-day testing period, and Kraken only responded and locked the test accounts days after it reported the incident.
Despite initial successful communications and steps to identify and fix the vulnerability, the situation deteriorated, leading to CertiK’s public disclosure.
The timeline of events began with the initial discovery on June 5 and included significant tests, such as a large withdrawal of over 90,000 Matic on June 7 and additional large deposits and withdrawals over the following days.
CertiK reported its findings to Kraken on June 10, and by June 12, Kraken confirmed and fixed the critical vulnerability. However, the situation escalated on June 18, when Kraken allegedly threatened a CertiK employee, demanding repayment without providing addresses.
Extortion allegations
Kraken’s Chief Security Officer Nick Percoco revealed on June 19 that nearly $3 million was taken from its wallets due to a bug that allowed anyone to initiate a deposit to the platform and receive the funds without completing the transaction.
He revealed that on June 9, the company received an anonymous tip from a “security researcher” about a critical bug affecting its funding system. The flaw allowed malicious actors to artificially inflate their account balances.
While fixing the vulnerability, Kraken found that three accounts had exploited this flaw within a few days, resulting in nearly $3 million being withdrawn from Kraken’s treasury. The amount is several magnitudes higher than it needed to be to prove the vulnerability exists.
The exchange said the researchers refused its request to return the funds and provide data in line with usual bug bounty programs, which includes “a full account of their activities, a proof of concept used to create the on-chain activity.”
Instead, the researchers scheduled meetings between the exchange and CertiK’s business department to discuss what the reward should be worth based on the damages it would have caused if undisclosed.
Percoco condemned the researchers’ demands for a speculative sum for the potential damages, calling the actions unethical and criminal.