Blockchain security firm CertiK has publicly disclosed a serious vulnerability it found in the cryptocurrency exchange Kraken, along with the dispute that followed. CertiK strongly denies Kraken's allegation of extortion and says it will return the funds used during testing.

Vulnerability Discovery and Measures Taken

CertiK said its researchers discovered a vulnerability in Kraken's deposit system on June 5 that could allow a malicious actor to forge deposit transactions and then withdraw funds that had never actually been deposited. CertiK then launched an in-depth investigation and a series of tests to verify the real-world risk of the vulnerability.

CertiK's tests produced a startling result: millions of dollars could be credited to any Kraken account, and more than $1 million worth of non-existent cryptocurrency could be withdrawn and converted into legitimate assets. Over several days of testing, none of these operations triggered an alarm. Kraken did not react until several days later, when it locked the test account.
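As an added illustration (not Kraken's or CertiK's code, and not a description of the actual defect, which the reports above do not detail), the following Python sketches the two controls a deposit pipeline needs so that an unconfirmed or forged deposit can neither be withdrawn nor go unnoticed: the withdrawable balance is credited only after an assumed six-confirmation threshold, and a reconciliation check alerts when an account's credits exceed its confirmed deposits. The account names, amounts and the credit-bypass in the demo are constructed.

```python
"""
Minimal deposit ledger showing two controls for an exchange deposit pipeline:
 (1) withdrawable balance is credited only once a deposit reaches a
     confirmation threshold, never on first sight of the transaction;
 (2) a reconciliation check that flags any account whose credited funds
     are not backed by confirmed deposits (the alarm that should fire when
     a credit path bypasses confirmation).
Added illustration; not Kraken's or CertiK's code.
"""
from dataclasses import dataclass, field
from enum import Enum

CONFIRMATIONS_REQUIRED = 6  # assumed threshold, chosen for illustration


class DepositState(Enum):
    PENDING = "pending"      # observed on-chain or in mempool, not yet credited
    CONFIRMED = "confirmed"  # reached threshold, credited to available balance
    FAILED = "failed"        # dropped, replaced or reorged out before confirming


@dataclass
class Deposit:
    tx_id: str
    account: str
    amount: int  # smallest unit of the asset (e.g. satoshi)
    confirmations: int = 0
    state: DepositState = DepositState.PENDING


@dataclass
class Ledger:
    deposits: dict = field(default_factory=dict)   # tx_id -> Deposit
    available: dict = field(default_factory=dict)  # account -> withdrawable balance
    withdrawn: dict = field(default_factory=dict)  # account -> total withdrawn

    def observe_deposit(self, tx_id: str, account: str, amount: int) -> None:
        # Record the deposit but credit nothing: a pending tx is not money yet.
        if tx_id in self.deposits:
            raise ValueError("duplicate tx_id")
        self.deposits[tx_id] = Deposit(tx_id, account, amount)

    def update_confirmations(self, tx_id: str, confirmations: int) -> None:
        dep = self.deposits[tx_id]
        dep.confirmations = confirmations
        # Credit exactly once, and only when the threshold is reached.
        if dep.state == DepositState.PENDING and confirmations >= CONFIRMATIONS_REQUIRED:
            dep.state = DepositState.CONFIRMED
            self.available[dep.account] = self.available.get(dep.account, 0) + dep.amount

    def mark_failed(self, tx_id: str) -> None:
        # The transaction never confirmed; nothing was credited, nothing to reverse.
        dep = self.deposits[tx_id]
        if dep.state == DepositState.CONFIRMED:
            raise RuntimeError("confirmed deposit needs a reorg handler, not mark_failed")
        dep.state = DepositState.FAILED

    def withdraw(self, account: str, amount: int) -> bool:
        # Withdrawals are served from the confirmed balance only.
        if amount <= 0 or amount > self.available.get(account, 0):
            return False
        self.available[account] -= amount
        self.withdrawn[account] = self.withdrawn.get(account, 0) + amount
        return True

    def reconcile(self) -> list:
        """Return (account, unbacked_amount) for every account whose
        available + withdrawn exceeds the sum of its confirmed deposits."""
        confirmed = {}
        for dep in self.deposits.values():
            if dep.state == DepositState.CONFIRMED:
                confirmed[dep.account] = confirmed.get(dep.account, 0) + dep.amount
        alerts = []
        for account in sorted(set(self.available) | set(self.withdrawn)):
            backed = confirmed.get(account, 0)
            claimed = self.available.get(account, 0) + self.withdrawn.get(account, 0)
            if claimed > backed:
                alerts.append((account, claimed - backed))
        return alerts


def demo() -> dict:
    """Constructed scenario: one deposit confirms, one is dropped, then a
    credit that bypasses confirmation is injected and reconciliation catches it."""
    ledger = Ledger()
    ledger.observe_deposit("tx-a", "alice", 100_000)
    ledger.observe_deposit("tx-b", "bob", 250_000)
    ledger.update_confirmations("tx-a", 6)   # alice's deposit reaches threshold
    ledger.mark_failed("tx-b")               # bob's deposit never confirms
    results = {
        "alice_withdraw": ledger.withdraw("alice", 60_000),  # covered by confirmed funds
        "bob_withdraw": ledger.withdraw("bob", 1),           # refused: nothing credited
        "clean_alerts": ledger.reconcile(),                  # no unbacked balances
    }
    # Constructed fault: a credit path that skips the confirmation gate.
    ledger.available["bob"] = ledger.available.get("bob", 0) + 250_000
    results["tampered_alerts"] = ledger.reconcile()          # bob is now unbacked
    return results


if __name__ == "__main__":
    print(demo())
```

The reconciliation invariant (credited funds per account never exceed confirmed deposits) is cheap to run continuously and is independent of how the credit path is implemented, which is what makes it a useful alarm: it catches a bypass even when the code that granted the credit looks correct to itself.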

Disputes and losses

Although CertiK and Kraken initially communicated successfully and took steps to fix the vulnerability, the situation then deteriorated. On June 18, Kraken was accused of threatening CertiK employees and of demanding repayment of an amount that did not match CertiK's records, within an unreasonable time frame and without providing a wallet address to send the funds to.

Kraken Chief Security Officer Nick Percoco revealed on June 19 that the exchange's wallet had lost nearly $3 million through the vulnerability. He said that on June 9 Kraken received an anonymous report from a "security researcher" describing a serious vulnerability in its funding system, and that Kraken's investigation found three accounts that had exploited the vulnerability within a short period.

CertiK’s Response and Refund Plan

CertiK denied Kraken's extortion allegations. It said that because Kraken had not provided a repayment address and the amount Kraken requested did not match CertiK's records, CertiK would transfer the funds back to an account accessible to Kraken based on its own records. CertiK emphasized that the funds had been used solely for "white hat testing."

Kraken described CertiK's conduct as unethical and criminal, saying CertiK rejected Kraken's request to return the funds and hand over its data, and instead asked for a meeting to discuss a reward sized to the losses Kraken might have suffered had the vulnerability not been disclosed.

Conclusion

This incident not only highlights the security vulnerabilities of cryptocurrency exchanges, but also sparks discussions about the ethical and legal boundaries of security research.

The dispute between CertiK and Kraken could have long-term consequences for trust and collaboration in the blockchain security space. As the legal and ethical questions are worked out, the incident will remain closely watched both inside and outside the industry.