Key Takeaways:
Leading cryptocurrency exchange Kraken has revealed that “security researchers” who found a vulnerability on its platform refuse to return $3 million worth of digital assets taken from its treasury.
In a series of X posts, Nick Percoco, Kraken’s chief security officer, explained how the event unfolded.
White Hat Hackers Take Away $3 Million From Kraken’s Treasury After Reporting Bug
On June 9th, the crypto exchange received an anonymous tip from a blockchain security researcher about a bug in its system that would allow users to inflate their balance artificially. This flaw “under the right circumstances” allows a malicious attacker to initiate a deposit on the exchange and receive funds in their account without fully completing the transaction.
As soon as the bug was reported, Kraken’s security team identified and fixed the issue. Percoco noted that no user funds were affected. However, it was what came after that left the exchange’s team stunned.
Apparently, after discovering the bug, the security researcher shared the information with two associates. It turned out that, instead of filing a bug bounty report with Kraken in the first instance, the researcher used the flaw to credit their Kraken account with crypto and then worked with their colleagues to withdraw roughly $3 million in crypto from the exchange’s treasury.
The initial bug report submitted did not mention the transactions done by the two other individuals, but when Kraken asked them for more details and to return the funds, they refused.
Percoco said the security researchers instead demanded that Kraken pay them a speculative sum for the potential damages the bug could have caused had they not discovered it.
Kraken Refuses to Pay Security Researchers Bounty for Breaching Rules
Kraken’s security chief condemned these actions as unethical and criminal, stating that a security researcher’s “license to hack” a company is granted only by following the rules of the bug bounty program they are participating in.
“Ignoring those rules and extorting the company makes you, and your company, criminals”, Percoco wrote.
Bug bounty programs are used by many crypto firms to test the robustness of their security systems while incentivizing those who act in good faith. They invite third-party hackers called “white hats” to find vulnerabilities so that they can be fixed before a malicious actor exploits them.
To get paid a bounty by Kraken, the white hat is required to first discover the problem, exploit the minimum amount needed to prove the bug, return the assets, and provide a full report on the vulnerability.
Kraken said in a blog post that it refused to pay the researchers their bounty because they didn’t follow the rules.
Blockchain Security Firm Certik Thought to be Behind the Exploit
Even though the name of the white hat was not disclosed, it is widely believed to be blockchain security technology company Certik.
Certik had earlier posted on its social media channels that it found several vulnerabilities on Kraken while conducting “multi-day testing”. They warned that the bug could be exploited to create millions of dollars worth of crypto.
The on-chain security researcher wrote that millions can be deposited into any Kraken user’s account and a huge amount of “fabricated crypto” worth over a million dollars can be withdrawn from that account and converted into “valid cryptos”. Certik raised serious concerns that the flaw failed to trigger any alert in Kraken’s systems during the testing period.
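The flaw as the article and Certik describe it (a deposit is initiated, the account is credited before the transaction is fully complete, and the credited funds can then be withdrawn) is a classic unconfirmed-credit bug. The following is an added, constructed illustration written for this page; it is not Kraken’s code and all names, amounts and deposit states are assumptions. It contrasts a ledger that credits spendable balance at initiation with one that keeps pending and settled funds separate, credits only on on-chain confirmation, and raises an alert when a withdrawal could only be covered by unsettled deposits (the kind of alert Certik said never fired).

```python
"""Constructed illustration of the deposit-crediting flaw described above:
crediting a balance when a deposit is *initiated* rather than *finalized*.
Not Kraken's code; every name and value here is made up."""
from dataclasses import dataclass, field
from enum import Enum


class DepositState(Enum):
    PENDING = "pending"      # broadcast but not yet confirmed on-chain
    CONFIRMED = "confirmed"  # reached the required confirmation depth
    FAILED = "failed"        # dropped, reorged out, or never mined


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: int              # smallest unit (e.g. satoshi); constructed values
    state: DepositState = DepositState.PENDING


@dataclass
class VulnerableLedger:
    """Credits spendable balance as soon as a deposit is initiated."""
    balances: dict = field(default_factory=dict)

    def initiate_deposit(self, dep: Deposit) -> None:
        # Bug: balance is credited here, before the deposit is final.
        self.balances[dep.account] = self.balances.get(dep.account, 0) + dep.amount

    def withdraw(self, account: str, amount: int) -> bool:
        if self.balances.get(account, 0) < amount:
            return False
        self.balances[account] -= amount
        return True


@dataclass
class HardenedLedger:
    """Tracks pending and settled funds separately; only settled funds spend."""
    settled: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)   # deposit_id -> Deposit
    alerts: list = field(default_factory=list)

    def initiate_deposit(self, dep: Deposit) -> None:
        # Record the deposit but credit nothing spendable yet.
        self.pending[dep.deposit_id] = dep

    def finalize_deposit(self, deposit_id: str, state: DepositState) -> None:
        dep = self.pending.pop(deposit_id)
        if state is DepositState.CONFIRMED:
            self.settled[dep.account] = self.settled.get(dep.account, 0) + dep.amount
        # A FAILED deposit never credits anything.

    def withdraw(self, account: str, amount: int) -> bool:
        available = self.settled.get(account, 0)
        unsettled = sum(d.amount for d in self.pending.values() if d.account == account)
        if available < amount:
            # Detection hook: a withdrawal that would only be covered by
            # unsettled deposits is exactly the pattern worth alerting on.
            if available + unsettled >= amount:
                self.alerts.append(f"{account}: withdrawal of {amount} relies on unsettled deposits")
            return False
        self.settled[account] = available - amount
        return True


def demo_vulnerable() -> tuple:
    """A deposit that never confirms still yields a withdrawable balance."""
    ledger = VulnerableLedger()
    ledger.initiate_deposit(Deposit("d1", "alice", 1_000_000))
    withdrew = ledger.withdraw("alice", 1_000_000)   # succeeds; d1 never confirmed
    return withdrew, ledger.balances["alice"]


def demo_hardened() -> tuple:
    """Same sequence against the hardened ledger."""
    ledger = HardenedLedger()
    ledger.initiate_deposit(Deposit("d1", "alice", 1_000_000))
    early = ledger.withdraw("alice", 1_000_000)        # refused, alert raised
    ledger.finalize_deposit("d1", DepositState.FAILED)
    after_fail = ledger.withdraw("alice", 1_000_000)   # still refused, nothing settled
    ledger.initiate_deposit(Deposit("d2", "alice", 500_000))
    ledger.finalize_deposit("d2", DepositState.CONFIRMED)
    ok = ledger.withdraw("alice", 500_000)             # allowed: settled funds only
    return early, after_fail, ok, len(ledger.alerts)


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened:  ", demo_hardened())
```

The design point is that “initiated” and “final” are different states and only the latter may ever increase a spendable balance; keeping the two pools separate also makes the anomalous case (a withdrawal request that only pending deposits could cover) trivially detectable, rather than invisible as the article says it was during testing.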
However, Certik reported that things went sour following initial discussions with Kraken. It said in an X post that Kraken’s security operations team threatened its employees, demanding repayment of a mismatched amount of crypto “in an unreasonable time” without even providing a repayment address.
Kraken is now treating the incident as a crime and is working with law enforcement authorities to retrieve the lost funds. “We’re disappointed by this experience”, a spokesperson for the company told the media.