CertiK reveals it found Kraken vulnerability and will return funds, denies extortion allegations
Blockchain security firm CertiK confirmed that it was behind the discovery of a critical vulnerability in crypto exchange Krakens deposit system and gone public with its account of the events following allegations of extortion by the exchange.
The security firm also alleged that Kraken threatened its employees on June 18 and demanded repayment of a mismatched amount in an unreasonable amount of time without providing a relevant wallet address.
CertiK denied the extortion allegations and said it would transfer the funds used for its white-hat testing back to the wallet address it has on hand since Kraken did not provide a new address. The firm said:
Since Kraken has not provided repayment addresses and the requested amount was mismatched, we are transferring the funds based on our records to an account that Kraken will be able to access.
CertiKs side
CertiK said its investigation started on June 5, when its researchers found an issue in Krakens deposit system that failed to differentiate between various internal transfer statuses.
This led to a deeper probe into whether a malicious actor could fabricate a deposit transaction and withdraw fabricated funds. The firm said the tests also aimed to determine whether a large withdrawal request would trigger any risk controls.
CertiKs tests revealed that millions of dollars could be deposited into any Kraken account, and fabricated crypto worth over $1 million could be withdrawn and converted into valid cryptos. The firm said that no alerts were triggered during the multi-day testing period, and Kraken only responded and locked the test accounts days after it reported the incident.
Despite initial successful communications and steps to identify and fix the vulnerability, the situation deteriorated, leading to CertiKs public disclosure.
The timeline of events began with the initial discovery on June 5 and included significant tests, such as a large withdrawal of over 90,000 Matic on June 7 and additional large deposits and withdrawals over the following days.
CertiK reported its findings to Kraken on June 10, and by June 12, Kraken confirmed and fixed the critical vulnerability. However, the situation escalated on June 18, when Kraken allegedly threatened a CertiK employee, demanding repayment without providing addresses.
Extortion allegations
Krakens Chief Security Officer Nick Percoco revealed on June 19 that nearly $3 million was taken from its wallets due to a bug that allowed anyone to initiate a deposit to the platform and receive the funds without completing the transaction.
He revealed that on June 9, the company received an anonymous tip from a security researcher about a critical bug affecting its funding system. The flaw allowed malicious actors to artificially inflate their account balances.
While fixing the vulnerability, Kraken found that three accounts had exploited this flaw within a few days, resulting in nearly $3 million being withdrawn from Krakens treasury. The amount is several magnitudes higher than it needed to be to prove the vulnerability exists.
The exchange said the researchers refused its request to return the funds and provide data in line with usual bug bounty programs, which includes a full account of their activities, a proof of concept used to create the on-chain activity.
Instead, the researchers scheduled meetings between the exchange and CertiKs business department to discuss what the reward should be worth based on the damages it would have caused if undisclosed.
Percoco condemned the researchers demands for a speculative sum for the potential damages, calling the actions unethical and criminal.
The post CertiK reveals it found Kraken vulnerability and will return funds, denies extortion allegations appeared first on CryptoSlate.
Text source: CryptoSlate
