Blockchain security firm CertiK has disclosed a serious vulnerability it found in the cryptocurrency exchange Kraken, and the ensuing dispute between the two companies has become public. CertiK has strongly denied Kraken's allegations of extortion and says it will return the funds used for testing.
Vulnerability Discovery and Measures Taken
CertiK said its researchers discovered a vulnerability in Kraken’s deposit system on June 5 that could allow malicious actors to forge deposit transactions and withdraw fake funds. CertiK then launched an in-depth investigation and a series of tests to verify the actual risk of the vulnerability.
CertiK's tests revealed a startling result: millions of dollars could be deposited into any Kraken account, and more than $1 million worth of fake cryptocurrency could be withdrawn and converted into valid currency. During the days of testing, these operations did not trigger any alarms. Kraken did not respond to the incident until several days later, when it locked the test account.
Disputes and Losses
Although CertiK and Kraken initially communicated successfully and took steps to fix the vulnerability, the situation subsequently deteriorated. On June 18, Kraken was accused of threatening CertiK employees and of demanding repayment of "unmatched" amounts within an unreasonable time frame, without providing the relevant wallet addresses.
Kraken Chief Security Officer Nick Percoco revealed on June 19 that the exchange's wallet had lost nearly $3 million due to the vulnerability. He pointed out that on June 9, Kraken received an anonymous report from a "security researcher" describing a serious vulnerability in its funding system. Kraken found that three accounts had exploited the vulnerability within a short period of time.
CertiK’s Response and Refund Plan
CertiK denied Kraken's extortion allegations and said that, since Kraken had failed to provide a repayment address and the requested amount did not match its own figures, CertiK would transfer the funds back to an account that, according to CertiK's records, Kraken can access. CertiK emphasized that the funds were originally intended for "white hat testing."
Kraken accused CertiK of unethical and criminal behavior because CertiK rejected Kraken's request to return the funds and provide data. Instead, CertiK proposed a meeting with Kraken to discuss setting the reward amount based on the potential losses that non-disclosure of the vulnerability could have caused.