PANews June 19 news, according to Kraken Chief Security Officer Nick Percoco disclosed on Twitter, on June 9 received a vulnerability report from a security researcher, claiming to have found an "extremely serious" vulnerability that can artificially increase the account balance. The investigation found that recent changes to the user experience (UX) caused the system to credit funds in advance before the deposit was completed, allowing attackers to inflate account balances. Although customer assets were not at risk, the vulnerability allowed attackers to "manufacture" funds for a period of time. Kraken fixed the vulnerability in about 1 hour (47 minutes) and found that three accounts had exploited the vulnerability to withdraw nearly $3 million from the Kraken vault, one of which belonged to the researcher who initially reported the vulnerability. This person only increased the balance by $4, which could have proved the existence of the vulnerability and received a bounty, but he informed others of the vulnerability, who withdrew a large amount of funds. Kraken asked them to provide a complete record of activities and return the funds, but was refused and attempted to blackmail. Kraken is working with law enforcement agencies to handle this matter. Percoco emphasized that compliant security research should comply with the regulations of the vulnerability bounty program, and behavior that exceeds the rules and blackmails is unacceptable.
