Written by: Yangz, Techub News

Last night, Kraken Chief Security Officer Nick Percoco published a post disclosing that on June 9 the Kraken team received a bug bounty report describing an "extremely critical" vulnerability that allowed an attacker to artificially inflate an account balance without completing a deposit. The Kraken team fixed the vulnerability within a few hours, but a deeper investigation showed that it had already been exploited by three accounts. One of these accounts, whose KYC information identified its holder as a "security researcher", had used the vulnerability to credit roughly $4 worth of cryptocurrency to the account before submitting the bug bounty report.

More importantly, the "researcher" had shared the vulnerability with two associates, who used it to withdraw nearly $3 million from Kraken's treasury.

Percoco said that because the initial report did not fully disclose the details of the exploitation, the team contacted the account holder, intending to arrange the return of the funds under the normal bug bounty process and to reward the "white hat" behavior. Unexpectedly, the "security researcher" instead asked to speak with Kraken's business development team and stated that no funds would be returned unless a reward was paid based on the amount the vulnerability could have cost Kraken. At that point, what had been presented as white-hat research became, in Kraken's view, extortion. Percoco said he would not name "this research company" and would treat the matter as a criminal case in coordination with law enforcement. That seemed to be the end of the matter for the time being, but three hours after Percoco's post the security firm CertiK came forward on its own, stating that it was the party that had discovered the Kraken vulnerability and that the flaw could have caused losses of hundreds of millions of dollars.

CertiK said that its testing had uncovered three major problems at Kraken and that none of its test transactions over several days had triggered a single Kraken alarm. CertiK also said that Kraken took several days to respond after the vulnerability was formally reported. Moreover, after the vulnerability was fixed, Kraken's security operations team allegedly threatened individual CertiK employees, demanding repayment of a mismatched amount of cryptocurrency within an unreasonable time frame, without even providing a repayment address. For a while the two sides traded accusations: Kraken characterized CertiK's conduct as a "crime", while CertiK demanded that Kraken "stop any threats against white hat hackers."

The matter was widely discussed on Crypto Twitter (CT), and public opinion generally sided against CertiK. In particular, many found it puzzling that CertiK would spend several days testing before reporting the vulnerability to Kraken. CertiK replied, "The real question should be why Kraken's deep defense system failed to detect so many test transactions."

As the story developed, netizens uncovered more details. @lilbagscientist tweeted that CertiK had actually begun testing as early as May 27. According to Meir Dolev, chief technology officer of the security firm Cyvers, CertiK "had conducted similar tests on OKX and Coinbase to determine whether the two exchanges had the same vulnerability as Kraken." During the same period, CertiK-linked addresses also sent several assets to Tornado Cash and ChangeNOW, which raised further questions. Conor Grogan, Director of Product at Coinbase, wrote in the replies to CertiK's post, "You know that Tornado Cash is sanctioned by OFAC? And your place of registration is in the United States, right?"

Samczsun, a Paradigm research partner widely recognized as one of the industry's top white hat hackers, quote-tweeted CertiK's earlier funding announcement (in April 2022 CertiK closed an $88 million round led by Insight Partners, Tiger Global and Advent International, with participation from Goldman Sachs, Sequoia, Lightspeed Venture Partners and others) and joked, "My thoughts and prayers go out to the investment partners who have to explain why the company they invested in hacked into a US exchange, stole $3 million, and laundered money through an OFAC-sanctioned protocol."

Against this wave of criticism, few spoke up for CertiK, but some of the dissenting views are worth considering. @trading_axe replied under CertiK's post, "If you want to steal assets, why settle for $3 million? You should take everything and run away... It would be stupid to only steal $3 million and then be forced to return it." Indeed, it would be remarkably foolish for CertiK to have carried out a "theft" for a mere $3 million.

@BoxMrChen, drawing on his own experience as a white hat hacker, said he could understand the behavior of the CertiK researchers. According to @BoxMrChen, there is a lot going on behind the scenes of bug bounties. Some project teams refuse to pay white hats on the grounds of a "duplicate submission", or deliberately downgrade the severity rating of a vulnerability to reduce the payout. Even when a project generously offers a bounty worth tens of thousands of dollars in its own token, the white hat has to wait for the approval process; often several months pass, the token has fallen 90%, and the bounty is still pending approval.

@BoxMrChen speculated that the CertiK researchers had wanted to wait for Kraken's risk controls to detect the activity and then negotiate with Kraken, and only began submitting vulnerability reports after Kraken appeared not to react for five days. @BoxMrChen concluded, "What CertiK did is indeed controversial, but how much are so-called nobility and justice worth in this circle? Compared to that, I would rather know how much of a white hat bounty Kraken was willing to pay CertiK, to see whether CertiK is greedy and cunning or Kraken is stingy."

CertiK has since issued a statement saying that all funds have been returned and that no real user funds were lost in the incident. CertiK said it conducted multiple large-scale tests because it wanted to probe the limits of Kraken's protections and risk controls, yet over several days and multiple tests involving nearly three million dollars' worth of cryptocurrency, no alarm was triggered. CertiK further stated that it did not participate in Kraken's bounty program, but instead contacted Kraken officials and CSO Nick Percoco via Twitter and LinkedIn before sending a detailed report by email, and that "the team has never made any bounty requests."

For now, the incident appears to have wound down. CertiK has not addressed the transfer of part of the assets to Tornado Cash and ChangeNOW, and Kraken has not commented on the funds CertiK says it returned. Who is lying? Only CertiK and Kraken know. Everything public so far is speculation, and it is unclear whether harder evidence, such as chat logs, will ever surface. With CertiK having returned the funds, the matter may well end in a so-called "settlement".

Author: TechubNews; published via the ChainDD open content platform "DeDeHao". This article represents the author's views only, not the official position of ChainDD. For all "DeDeHao" articles, the originality and authenticity of the content are guaranteed by the contributors; contributors bear legal responsibility for plagiarism, falsification and the like. Readers are invited to report infringing, unlawful or otherwise inappropriate content on the DeDeHao platform; once confirmed, the platform will take it offline immediately. For any issues with this article, please contact WeChat: chaindd123