Kraken has accused CertiK of exploiting a critical bug to withdraw about $3 million, while CertiK denies any wrongdoing and instead points to security weaknesses in Kraken's own systems.
In a recent security update, Nick Percoco, Kraken's Chief Security Officer, alleged that a security researcher, later identified as affiliated with CertiK, had used a bug bounty report as cover for taking almost $3 million from the exchange. The dispute began when the researcher reported a critical vulnerability to Kraken and escalated into a public exchange between the two companies.
On June 9, 2024, Kraken received a bug bounty report describing a critical flaw that allowed a user's balance to be inflated artificially. Although Kraken receives many false reports, its team treated this one as real and quickly isolated the bug. According to Kraken, no client assets were at risk, but the flaw allowed a deposit to be credited to an account before the deposit had actually completed, so an attacker could withdraw funds against a balance that was never backed by a settled deposit. Kraken's team fixed the issue within 1 hour and 47 minutes of the report.
Further investigation showed that three accounts had been exploiting the flaw, one of them belonging to the self-identified security researcher. Rather than following the bounty program's disclosure rules, the researcher shared the bug with others, and almost $3 million was withdrawn from Kraken's treasury. Kraken demanded the return of the funds and a full account of the activity; the researchers refused and instead demanded a speculative bounty payment. The researchers turned out to be affiliated with CertiK.
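The class of flaw described above, as an added illustration that is not Kraken's code and does not reproduce the actual bug: a toy deposit ledger that credits a balance as soon as a transfer is observed (the vulnerable pattern) next to one that credits only once the transfer has reached its confirmation threshold, plus the reconciliation check a risk-control system would be expected to trip on. All transaction ids, amounts, account names and the confirmation threshold are constructed assumptions.

```python
"""Constructed illustration of crediting deposits before settlement.

Not Kraken's code. Names, amounts and the threshold are assumptions.
"""
from dataclasses import dataclass, field

CONFIRMATIONS_REQUIRED = 6  # assumed threshold; real values are chain-specific


@dataclass
class Deposit:
    tx_id: str
    account: str
    amount: int              # smallest unit (e.g. satoshi)
    confirmations: int = 0
    dropped: bool = False    # replaced, reverted or never mined


@dataclass
class Ledger:
    credit_on_observe: bool  # True reproduces the vulnerable behaviour
    balances: dict = field(default_factory=dict)
    credited: set = field(default_factory=set)
    settled: set = field(default_factory=set)
    credited_total: int = 0
    settled_total: int = 0

    def _credit(self, d: Deposit) -> None:
        if d.tx_id in self.credited:
            return
        self.credited.add(d.tx_id)
        self.credited_total += d.amount
        self.balances[d.account] = self.balances.get(d.account, 0) + d.amount

    def observe(self, d: Deposit) -> None:
        """Watcher sees the transfer for the first time (mempool or fresh block)."""
        if self.credit_on_observe:
            self._credit(d)  # vulnerable: spendable balance before anything settled

    def update(self, d: Deposit) -> None:
        """Called with the deposit's latest state on every new block or on drop."""
        if d.dropped:
            if d.tx_id in self.credited:
                # Too late: a credit already spent can only be clawed back as a
                # negative balance, i.e. the venue eats the loss.
                self.balances[d.account] -= d.amount
            return
        if d.confirmations >= CONFIRMATIONS_REQUIRED and d.tx_id not in self.settled:
            self.settled.add(d.tx_id)
            self.settled_total += d.amount
            self._credit(d)  # hardened path: the first and only credit happens here

    def withdraw(self, account: str, amount: int) -> bool:
        if self.balances.get(account, 0) < amount:
            return False
        self.balances[account] -= amount
        return True

    def unbacked_credit(self) -> int:
        """Risk control: credit issued that no settled deposit backs. Must stay 0."""
        return self.credited_total - self.settled_total


def dropped_deposit_scenario(credit_on_observe: bool) -> dict:
    """Constructed attack: deposit observed, withdrawn against, then never completes."""
    ledger = Ledger(credit_on_observe)
    d = Deposit("tx-constructed-1", "acct-a", 100_000)
    ledger.observe(d)
    withdrew = ledger.withdraw("acct-a", 100_000)  # attempted before settlement
    d.dropped = True                                # the transfer never lands
    ledger.update(d)
    return {"withdrew": withdrew,
            "balance": ledger.balances.get("acct-a", 0),
            "unbacked": ledger.unbacked_credit()}


def confirmed_deposit_scenario(credit_on_observe: bool) -> dict:
    """Constructed honest path: the same deposit, but it reaches the threshold."""
    ledger = Ledger(credit_on_observe)
    d = Deposit("tx-constructed-2", "acct-b", 100_000)
    ledger.observe(d)
    for n in range(1, CONFIRMATIONS_REQUIRED + 1):
        d.confirmations = n
        ledger.update(d)
    return {"balance": ledger.balances.get("acct-b", 0),
            "unbacked": ledger.unbacked_credit()}


if __name__ == "__main__":
    print("vulnerable, dropped tx:", dropped_deposit_scenario(True))
    print("hardened,   dropped tx:", dropped_deposit_scenario(False))
    print("hardened,   confirmed :", confirmed_deposit_scenario(False))
```

The vulnerable ledger lets the withdrawal through and is left with a negative balance and a non-zero unbacked credit once the transfer drops; the hardened ledger refuses the withdrawal, and an honest depositor is credited identically in both variants once the threshold is reached. The `unbacked_credit` reconciliation is the kind of alert that should fire on the first fabricated deposit, independent of whether the crediting bug itself is ever found.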
In response to Kraken's accusations, CertiK published its own account, saying it had found critical vulnerabilities in Kraken's deposit system that could have led to significant financial losses. According to CertiK, its testing showed that fabricated deposits and withdrawals could be carried out without triggering any of Kraken's risk controls. CertiK also accused Kraken of pressuring its employees to repay a mismatched amount of cryptocurrency within an unreasonable timeframe, and of doing so without providing repayment addresses.
CertiK said it was publishing its findings to protect the Web3 community, and that it had transferred the funds to an account Kraken can access. CertiK stressed that no real user assets were involved in its testing.
Industry reaction to the dispute has been mixed. Blockchain analyst Adam Cochran criticized CertiK's actions as criminal and suggested a possible connection between CertiK and North Korean entities. Cochran also questioned the ethics of CertiK, a US-domiciled company, moving the funds through Tornado Cash, a mixer sanctioned by the US.
Others defended CertiK. One commenter pointed to the extent of the testing CertiK carried out, including tests of Kraken's internal alerting, and to the fact that the funds were returned, suggesting that Kraken should be grateful for what amounted to a free penetration test.
It’s important to note that this article is for informational purposes only and should not be considered financial advice. The views expressed here may include the author’s personal opinions and do not reflect those of The Crypto Basic. Readers are advised to conduct thorough research before making any investment decisions, and The Crypto Basic is not responsible for any financial losses incurred.