Crypto security company CertiK detected major vulnerabilities in Kraken

CertiK, a company providing blockchain security services, claimed that it had detected major vulnerabilities in the US-based exchange Kraken and that these could have led to losses of hundreds of millions of dollars. CertiK stated that the vulnerabilities were shared with the relevant Kraken unit, which acknowledged the errors and vulnerabilities. Kraken, for its part, announced that the flaw was fixed shortly after it was identified, but claimed that CertiK employees also stole millions of dollars from the exchange.

CertiK, known for its security work on decentralized finance and smart contracts, announced that it had detected major vulnerabilities in Kraken, a centralized exchange.

“Fake crypto can be withdrawn as real”

Stating that it had first noticed some errors in Kraken's deposit transactions, CertiK said that, starting from these, it detected further and more serious vulnerabilities:

“We found that some discrepancies in Kraken's deposit system were indistinguishable, and we deepened our research further. We conducted our research around three questions.

* Can a malicious person pretend to have deposited cryptocurrencies that are not in an account with Kraken?

* Can the same person withdraw these unreal funds from the exchange as if they were real?

* What asset protection systems does Kraken put into effect when a large withdrawal request arrives?

As a result of our tests, we found that Kraken could not pass any of these tests. We determined that Kraken's defense mechanisms can be bypassed in various places. As a result, millions of dollars of fabricated, inauthentic crypto can be deposited into any Kraken account, which can then be converted into real cryptocurrency and withdrawn from the account.”
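The three questions above map onto basic exchange-side ledger controls. As an added illustration (not CertiK's test harness or Kraken's code; the confirmation count and review threshold are assumed policy values), a minimal Python ledger that keeps unconfirmed deposits unspendable, credits each on-chain transaction at most once, and holds large withdrawals for review:

```python
from dataclasses import dataclass, field
from decimal import Decimal

REQUIRED_CONFIRMATIONS = 6               # assumed policy value
LARGE_WITHDRAWAL = Decimal("100000")     # assumed manual-review threshold


@dataclass
class Ledger:
    # Spendable balance per account; only ever increased by confirmed deposits.
    confirmed: dict = field(default_factory=dict)
    # Deposits seen on-chain but not yet final: (account, txid) -> amount
    pending: dict = field(default_factory=dict)
    # Every txid that has already funded a credit, so a tx cannot be credited twice
    credited_txids: set = field(default_factory=set)
    review_queue: list = field(default_factory=list)

    def record_deposit(self, account, txid, amount, confirmations):
        """Credit a deposit only once the chain reports it final, and only once per txid."""
        if txid in self.credited_txids:
            return "duplicate"
        if confirmations < REQUIRED_CONFIRMATIONS:
            self.pending[(account, txid)] = amount
            return "pending"
        self.pending.pop((account, txid), None)
        self.credited_txids.add(txid)
        self.confirmed[account] = self.confirmed.get(account, Decimal(0)) + amount
        return "credited"

    def drop_deposit(self, account, txid):
        """A pending deposit that failed or was reorged out is simply discarded;
        because it was never spendable, there is nothing to claw back."""
        return self.pending.pop((account, txid), None)

    def request_withdrawal(self, account, amount):
        """Withdrawals draw on confirmed balance only; large ones wait for review."""
        available = self.confirmed.get(account, Decimal(0))
        if amount <= 0 or amount > available:
            return "rejected"
        if amount >= LARGE_WITHDRAWAL:
            self.review_queue.append((account, amount))
            return "held_for_review"
        self.confirmed[account] = available - amount
        return "approved"
```

The point of the split between `pending` and `confirmed` is that a withdrawal can never be funded by a deposit the chain has not finalized, which is the property the first two questions probe.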

“They closed the accounts and threatened them”

CertiK's statement did not stop there. The company said that it gave Kraken the necessary warnings, but that after these warnings its accounts were closed and it was asked to repay the withdrawn cryptocurrencies within an unreasonable period of time:

“After we provided the necessary information to Kraken, the company's security team flagged the issue as 'Critical', which is their highest security classification. After some well-intentioned conversations, they threatened our employees over the refund of the withdrawn cryptocurrencies, the amounts of which did not even match the real ones. Even though they asked for payment, they did not even send an address.”

Finally, CertiK stated that it will continue to work for the crypto world and the Web3 community, and said, “We warn Kraken to end the threats it sends to well-intentioned hackers.”

Statement from Kraken: They stole 3 million dollars

Nick Percoco, Kraken's chief security officer, for his part made a statement about the issue on X. Saying that after the problem was reported the teams acted quickly and the vulnerabilities were closed, Percoco stated that people who claimed to be security researchers stole 3 million dollars from Kraken:

“This security researcher initially debited $4 from the account and proved the bug. In fact, this was enough to see the gap. This person could have received a significant amount of money after reporting the bug to our rewards team. But he also told two other people about the flaw. These people withdrew $3 million from Kraken. This money belonged to Kraken, not the customers. The initial report did not include details about this transaction. We asked them for the full report, but they still have not responded. This is not a case of a well-intentioned hacker, it is extortion.”

-Hakan Ateşler