In this article we talk about an incredible story: a few days ago the auditing company Certik identified a flaw in the security systems of the crypto exchange Kraken that could lead to a serious hack.
After conducting some tests for 3 days and executing a “white hack” attack worth 3 million dollars, Certik contacted Kraken to inform it of the bug, but initially refused to immediately return the stolen amount.
The exchange in crypto immediately contacted law enforcement treating the situation as a criminal case, while the cryptographic security firm insists that it is a typical test of a “bounty program.” Now the funds seem to have been returned.
Let’s see everything in detail below.
The 3 million dollar hack against the crypto exchange Kraken: Certik is responsible, but refuses to return the money
This story begins on June 9, 2024, when the crypto exchange Kraken receives an informal communication from a “security researcher” who claims to have discovered a vulnerability on the platform that could have caused a large-scale hack.
As reported in a post-mortem tweet by Nick Percoco, Chief Security Officer of Kraken, the researcher had highlighted a flaw in the security systems of the deposits (unable to distinguish different states of internal transfer), which allows users to inflate their balance and withdraw more coins than they actually have available. The exchange immediately took action to resolve the issue, and in just 47 minutes a team of experts managed to fix the bug.
Here is what Percoco reported:
“the bug allowed a malicious attacker, under the right circumstances, to initiate a deposit on our platform and receive funds into their account without fully completing the deposit. To be clear, no customer assets were ever at risk”
Kraken Security Update:
On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.
— Nick Percoco (@c7five) June 19, 2024
So far everything is normal, except that the same security company web3 where the researcher who contacted Kraken works, before officially reporting the bug, would have carried out several hacks on the platform for a total of 3 million dollars.
Immediately after the publication of Percoco’s post, the well-known auditing firm Certik immediately took responsibility for the incident and revealed its crucial role in the matter.
Certik allegedly “tested” Kraken’s defense mechanisms by carrying out a large-scale attack, and withdrawing large quantities of MATIC tokens from 3 different accounts, then cleaning the traces of the funds through the Tornado Cash mixer.
As explained by the security manager of the exchange, after fixing the problem, Kraken asked Certik to return the funds, but she initially refused.
Despite this, Certik insists that its activity is in line with the principles of “white hack”.
Apparently Certik did not mention the role of the 3 account exploiter in the incident, despite having performed the withdrawal tests in the 3 days prior to the communications with Kraken.
The security researcher who spotted the bug, would have asked for a substantial bounty for having identified a major flaw that could have imploded into a heavy hack, but Kraken insisted on getting their funds back.
Since the auditing company refused to return the loot, and indeed seemed to have moved to hide the evidence of the hack, the exchange decided to treat the situation as if it were a criminal case by notifying the competent authorities and law enforcement.
The web3 security company had asked the exchange for a bounty reward equal to the amount speculated that this bug could have caused if it had not been disclosed, infuriating the exchange platform team.
Percoco commented on his X profile about what happened, showing all his opposition towards Certik’s behavior:
“This is not white hacking, this is extortion”.
We’ll not disclose this research company because they don’t deserve recognition for their actions. We are treating this as a criminal case and are coordinating with law enforcement agencies accordingly. We’re thankful this issue was reported, but that’s where that thought ends.
— Nick Percoco (@c7five) June 19, 2024
The denial by Certik: funds returned despite some employees having received threats from the Kraken team
Certik, after introducing itself as the company responsible for identifying the flaw in the deposit systems, immediately denied what Kraken reported, highlighting its “white hack” role and its positive intentions.
The company revealed that it had set up a large-scale hack, for an amount of 3 million dollars, solely for the purpose of testing the exchange’s defense, but it also emphasized that it never refused to return the loot but rather wanted to ensure that everything was executed correctly.
Certik said she was amazed by the potential negative impact that the bug could have caused, but especially by the fact that Kraken’s alarms were never triggered. This was stated in a post:
“Millions of dollars can be deposited into ANY Kraken account. A huge amount of crypto (worth over 1M+ USD) can be withdrawn from the account and converted into valid cryptos. Worse still, during the multi-day testing period, no alerts were triggered”.
Furthermore, the auditing firm explained that a member of the exchange team had threatened their own researcher to return the amount within an unreasonable time frame (6 hours) without, however, providing a repayment address.
This took place after, days after the hack, the two companies had a call to try to find a solution and resolve the matter.
CertiK recently identified a series of critical vulnerabilities in @krakenfx exchange which could potentially lead to hundreds of millions of dollars in losses.
Starting from a finding in @krakenfx's deposit system where it may fail to differentiate between different internal… pic.twitter.com/JZkMXj2ZCD
— CertiK (@CertiK) June 19, 2024
Apparently, what triggered the chaos was the amount of the bounty reward proposed by Kraken, which was not considered appropriate to the effort made and the potential exploit prevented. As reported by a spokesperson for Kraken to Coindesk:
“We involved these researchers in good faith and, in line with a decade of managing a bug bounty program, we had offered a considerable bounty for their efforts. We are disappointed by this experience and are now working with law enforcement to recover the assets from these security researchers”.
Today Certik published another post with some FAQs to further clarify their position and remove any doubt.
The security company reiterates that it has “consistently” confirmed that it would return the stolen amount, and states that now all the funds are back in Kraken’s hands.
These funds were sent back to the sender in 734.19215 ETH, 29,001 USDT, and 1021.1 XMR, while the exchange had expressly requested to send 155818.4468 MATIC, 907400.1803 USDT, 475.5557871 ETH, and 1089.794737 XMR, for a total equivalent value greater by about 100,000 dollars.
Q&A to recent CertiK-Kraken whitehat operations:
1. Did any real user lose fund?
No. Cryptos were minted out of air, and no real Kraken user’s assets were directly involved in our research activities.
2. Have we refused to return the funds?
No. In our communication with…
— CertiK (@CertiK) June 20, 2024
Kraken remains firm on its concept of ethics of “white hacking” and maintains that the bullying carried out by Certik can be identified as extortion.
The Bounty program of the exchange indeed requires third parties to find the problem, exploit the minimum amount necessary to test the bug (without executing a 3 million dollar hack), return the resources, and provide details on the vulnerability.