CertiK Claims Responsibility for Identifying Kraken’s Critical Bug, Sparking Controversy
Crypto exchange Kraken announced that it faced a critical security vulnerability a few days ago. According to the details, the vulnerability allowed attackers to artificially inflate their account balances without even making deposits.
The issue was initially brought to light through the exchange’s Bug Bounty program. According to Nick Percoco, Kraken’s Chief Security Officer, the exchange receives numerous fake bug bounty reports daily. However, this particular claim was taken seriously.
Although the name of the research organization was not initially revealed, CertiK put out a tweet saying that it was the one that had identified the vulnerability.
Key points:
- Kraken received a Bug Bounty alert on June 9, 2024, claiming an “extremely critical” bug.
- The vulnerability allowed attackers to initiate a deposit and receive funds without fully completing the process.
- No client assets were at risk, but attackers could temporarily “print” assets in their Kraken accounts.
- CertiK discloses that they identified the vulnerability.
- CertiK says Kraken’s team demanded repayment even without providing repayment addresses.
Crypto community raises questions on Kraken and CertiK drama
CertiK argued in its tweet thread that it helped the exchange identify a vulnerability that could potentially have led to hundreds of millions in losses. Its team also found that Kraken’s defense-in-depth system was compromised on multiple fronts.
However, CertiK pointed out that Kraken’s security team demanded that CertiK employees repay the amount ($3 million) within an unreasonable timeframe. It added that Kraken demanded repayment without providing a repayment address.
“Since Kraken has not provided repayment addresses and the requested amount was mismatched, we are transferring the funds based on our records to an account that Kraken will be able to access,” CertiK tweeted.
The security platform also stated that millions of dollars of crypto were minted out of thin air and that no real Kraken user assets were involved in the research.
Amid all this drama, the crypto community on X has raised several questions about CertiK’s actions. The first concerns the amount used for testing: a SlowMist team researcher stated that security tests can be done with a small amount to prove the vulnerability.
Secondly, he pointed out that CertiK could have obtained Kraken’s authorization, completed a single test to verify the bug, and then returned the funds by communicating promptly. Additionally, the community pointed out that CertiK moved all the funds to Tornado Cash, raising doubts about the motive behind it.
Kraken has yet to release a statement regarding CertiK’s statements on the whole scenario.