Kraken, one of the largest cryptocurrency exchanges in the world, disclosed that it had found a critical bug on its platform. In short, the vulnerability allowed attackers to "print" money into their own accounts.
The information was presented by Nick Percoco, Kraken's chief security officer, on Wednesday (19).
“We discovered an isolated bug,” Percoco wrote. “This allowed a malicious attacker, under the right circumstances, to initiate a deposit on our platform and receive funds into their account without fully completing it.”
“To be clear, no client’s assets were at risk. However, a malicious attacker could effectively ‘print’ assets in their Kraken account for a period of time.”
The Kraken executive went on to say that the flaw was fixed within 47 minutes of being flagged and therefore no longer poses a threat.
Kraken provides more details about the vulnerability
Explaining the situation, Kraken revealed that the bug stemmed from a recent change to its platform that let users trade cryptocurrencies before their deposits were confirmed. The security-relevant point is that an account was credited when a deposit was initiated rather than when it settled, so a deposit that was never completed still left a spendable balance behind.
In total, three accounts reportedly abused the flaw, one of them belonging to the hacker who sent the report to the exchange.
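The mechanism described above, modelled as an added Python example. This is not Kraken's code and assumes nothing about how their funding system is built; the ledger classes, states and the `unbacked_balance()` reconciliation check are constructed here purely to illustrate the difference between crediting a spendable balance on deposit initiation and crediting it only on settlement.

```python
"""Toy funding ledger: credit-on-initiation versus credit-on-settlement.

Illustrative only (not Kraken's code). WeakLedger makes a deposit spendable
the moment a user initiates it and never reconciles against the deposit's
final state. HardenedLedger keeps unsettled funds in a separate pending
bucket, moves them to `available` only on confirmation, and reverses them
if the deposit fails. `unbacked_balance()` is the reconciliation check that
would flag money no confirmed deposit backs.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum


class DepositState(Enum):
    INITIATED = "initiated"   # user announced a deposit; nothing settled yet
    CONFIRMED = "confirmed"   # funds actually arrived (e.g. on-chain finality)
    FAILED = "failed"         # deposit abandoned, reorged, or rejected


@dataclass
class Deposit:
    amount: Decimal
    state: DepositState = DepositState.INITIATED


@dataclass
class Account:
    available: Decimal = Decimal(0)   # tradeable / withdrawable now
    pending: Decimal = Decimal(0)     # credited provisionally, not spendable
    withdrawn: Decimal = Decimal(0)   # total taken out of the platform
    deposits: dict = field(default_factory=dict)


class WeakLedger:
    """Credits the spendable balance on initiation and never reconciles."""

    def __init__(self):
        self.accounts = {}

    def initiate_deposit(self, user, dep_id, amount):
        acct = self.accounts.setdefault(user, Account())
        acct.deposits[dep_id] = Deposit(Decimal(amount))
        acct.available += Decimal(amount)   # weak: spendable before settlement

    def confirm_deposit(self, user, dep_id):
        self.accounts[user].deposits[dep_id].state = DepositState.CONFIRMED

    def fail_deposit(self, user, dep_id):
        self.accounts[user].deposits[dep_id].state = DepositState.FAILED
        # weak: the earlier credit is left in place

    def withdraw(self, user, amount):
        acct = self.accounts[user]
        amount = Decimal(amount)
        if amount > acct.available:
            raise ValueError("insufficient available balance")
        acct.available -= amount
        acct.withdrawn += amount
        return amount

    def unbacked_balance(self, user):
        """Value the user holds or has withdrawn that no CONFIRMED deposit
        backs. Anything above zero is 'printed' money."""
        acct = self.accounts[user]
        settled = sum((d.amount for d in acct.deposits.values()
                       if d.state is DepositState.CONFIRMED), Decimal(0))
        return acct.available + acct.withdrawn - settled


class HardenedLedger(WeakLedger):
    """Same interface; funds stay in `pending` until the deposit settles."""

    def initiate_deposit(self, user, dep_id, amount):
        acct = self.accounts.setdefault(user, Account())
        acct.deposits[dep_id] = Deposit(Decimal(amount))
        acct.pending += Decimal(amount)     # visible to the user, not spendable

    def confirm_deposit(self, user, dep_id):
        acct = self.accounts[user]
        dep = acct.deposits[dep_id]
        if dep.state is not DepositState.INITIATED:
            raise ValueError("deposit already finalised")
        dep.state = DepositState.CONFIRMED
        acct.pending -= dep.amount
        acct.available += dep.amount        # spendable only now

    def fail_deposit(self, user, dep_id):
        acct = self.accounts[user]
        dep = acct.deposits[dep_id]
        if dep.state is not DepositState.INITIATED:
            raise ValueError("deposit already finalised")
        dep.state = DepositState.FAILED
        acct.pending -= dep.amount          # reverse the provisional credit


def run_scenario(ledger):
    """Initiate a deposit, try to withdraw against it, then let the deposit
    fail. Returns (amount withdrawn, unbacked balance) for the user."""
    ledger.initiate_deposit("user1", "dep1", "100")
    try:
        taken = ledger.withdraw("user1", "100")
    except ValueError:
        taken = Decimal(0)
    ledger.fail_deposit("user1", "dep1")
    return taken, ledger.unbacked_balance("user1")


if __name__ == "__main__":
    print("weak:    ", run_scenario(WeakLedger()))       # (100, 100)
    print("hardened:", run_scenario(HardenedLedger()))   # (0, 0)
```

The weak ledger lets the user withdraw the full amount before the deposit ever settles and, when it fails, nothing claws the credit back; `unbacked_balance()` reports 100 units that no confirmed deposit covers. The hardened ledger shows the same deposit as pending, refuses the withdrawal, and reverses the pending credit on failure, so reconciliation reports zero. In a real system the same check, run continuously across all accounts against confirmed deposits, is what turns a flaw of this kind into an alert rather than a months-long gap.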
“This individual discovered the bug in our funding system and used it to credit his account with $4 worth of cryptocurrency,” Kraken wrote. “However, this ‘security researcher’ disclosed this bug to two other people he works with, who fraudulently generated much larger sums.”
This is where the story gets even more interesting, because the exchange and the hackers got into a dispute.
Kraken accuses hackers of extortion
The vulnerability was reported to the exchange through its bug bounty program. According to Kraken's page, rewards range from 500 to 1.5 million dollars, depending on the severity of the vulnerability.
However, Nick Percoco says the hackers did not disclose details about the other two accounts, which withdrew $3 million. Kraken's security chief adds that the hackers did not accept the program's terms but instead imposed new ones.
“They demanded a call with their business development team,” Percoco wrote. “They have not agreed to return any funds until we provide a speculated dollar amount that this bug could have caused if they had not disclosed it.”