Kraken recovers $3 million from CertiK, ending bug bounty saga

cyptouser | 2 weeks ago | Cryptocurrencies News

Cryptocurrency exchange Kraken has recovered missing funds following a high-profile bug bounty exploit fiasco. 

Kraken confirmed the return of the stolen digital assets worth nearly $3 million, putting an end to the Kraken-CertiK saga that started on June 9.

The recovery of the funds, minus transaction fees, was confirmed by Nicholas Percoco, chief security officer of Kraken, in a June 20 X post:

“Update: We can now confirm the funds have been returned (minus a small amount lost to fees).”

Kraken’s CSO first announced the $3 million worth of missing funds on June 19, when he claimed that a “security researcher” maliciously withdrew them from the treasury after discovering and sharing an existing bug.

Kraken claimed that it was extorted by the security researcher who was refusing to return the funds, demanding a reward and a call with the exchange’s business development team.


CertiK's side of the story

Shortly after Kraken’s post about the missing funds, blockchain security firm CertiK publicly identified itself as the “security researcher” that Kraken claimed stole $3 million of digital assets.

In a June 19 X post, CertiK said it had informed Kraken of an exploit that allowed it to remove millions of dollars from the exchange’s accounts. CertiK also claimed to have been threatened by the exchange’s team:

“After initial successful conversions on identifying and fixing the vulnerability, Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses.”

The security firm posted a timeline of events, starting with identifying the exploit on June 5 and ending with claims Kraken threatened a CertiK employee on June 18. In a statement to Cointelegraph, CertiK said it planned to transfer the funds “to an account that Kraken will be able to access.”

Bug bounty saga timeline. Source: CertiK


Why did CertiK withdraw nearly $3 million?

Kraken’s CSO initially said that the first malicious transfer, worth just $4, would have been sufficient to prove the bug and collect “sizable rewards” from Kraken’s bounty program.

However, the security researcher, which was later disclosed as CertiK, had minted nearly $3 million into their Kraken accounts.

In a post following the return of the $3 million, CertiK said that the multi-million sum was necessary to test the limits of the exchange:

“We want to test the limit of Kraken’s protection and risk controls. After multiple tests across multiple days and close to $3 million worth of crypto, no alerts were triggered and we still haven’t figured out the limit.”

Moreover, CertiK claims that it didn’t initially request a bounty, but it was something mentioned by the exchange:

“We never mentioned any bounty request. It was Kraken who first mentioned their bounty to us, while we responded that the bounty was not the priority topic and we wanted to make sure the issue was fixed.”

CertiK added that no Kraken user funds were endangered since the exploited funds were “minted out of air.”
