Last night, cryptocurrency exchange Kraken and blockchain security firm CertiK had a public standoff on social media over a series of serious security vulnerabilities.

CertiK initially discovered a series of serious vulnerabilities at Kraken stemming from a recent user experience (UX) change: Kraken began crediting customer accounts immediately, before the deposited assets had settled, so that customers could trade cryptocurrency markets in real time, without fully testing for this specific attack vector.

In simple terms, the vulnerability allowed an attacker to initiate a deposit and have the funds credited to their account without the deposit ever completing.
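To make the failure mode concrete, here is an added example (not Kraken's or CertiK's code; the class and constant names are assumptions for this illustration) that contrasts a ledger which credits spendable balance the moment a deposit is announced with one that credits only after the deposit settles, and that holds large withdrawals for review instead of releasing them automatically. The deposit and thresholds are constructed values.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed example: a minimal deposit/withdrawal ledger that shows why
# crediting before settlement is dangerous. All names are assumptions.

REQUIRED_CONFIRMATIONS = 3                    # assumed settlement threshold
LARGE_WITHDRAWAL_REVIEW = Decimal("100000")   # assumed manual-review threshold


@dataclass
class Deposit:
    txid: str
    amount: Decimal
    confirmations: int = 0

    @property
    def settled(self) -> bool:
        return self.confirmations >= REQUIRED_CONFIRMATIONS


class NaiveLedger:
    """Credits the spendable balance as soon as a deposit is announced.

    This is the pattern the article describes: the account is credited before
    the asset actually settles, so a deposit that never completes still leaves
    spendable funds behind.
    """

    def __init__(self) -> None:
        self.available = Decimal("0")

    def announce_deposit(self, dep: Deposit) -> None:
        self.available += dep.amount          # credited immediately, settled or not

    def withdraw(self, amount: Decimal) -> bool:
        if amount > self.available:
            return False
        self.available -= amount
        return True


class SettledLedger:
    """Keeps pending and settled balances apart; only settled funds are spendable."""

    def __init__(self) -> None:
        self.pending: dict[str, Deposit] = {}
        self.available = Decimal("0")
        self.alerts: list[str] = []

    def announce_deposit(self, dep: Deposit) -> None:
        # Record the deposit but credit nothing until it finalizes.
        self.pending[dep.txid] = dep

    def confirm(self, txid: str, confirmations: int) -> None:
        dep = self.pending.get(txid)
        if dep is None:
            return
        dep.confirmations = confirmations
        if dep.settled:
            self.available += dep.amount
            del self.pending[txid]

    def fail(self, txid: str) -> None:
        # A deposit that never completes is dropped; nothing was ever credited.
        self.pending.pop(txid, None)

    def pending_total(self) -> Decimal:
        return sum((d.amount for d in self.pending.values()), Decimal("0"))

    def withdraw(self, amount: Decimal) -> bool:
        if amount > self.available:
            # A request that only adds up once unsettled deposits are counted
            # is exactly the signal a monitoring team wants to see.
            if amount <= self.available + self.pending_total():
                self.alerts.append(f"withdrawal of {amount} relies on unsettled deposits")
            return False
        if amount >= LARGE_WITHDRAWAL_REVIEW:
            self.alerts.append(f"large withdrawal of {amount} queued for manual review")
            return False                      # hold for review rather than auto-release
        self.available -= amount
        return True


def demo() -> tuple[bool, bool, list[str]]:
    """Run the same never-settling deposit through both ledgers."""
    ghost = Deposit("tx-constructed-001", Decimal("4"))   # constructed, never settles

    naive = NaiveLedger()
    naive.announce_deposit(ghost)
    naive_ok = naive.withdraw(Decimal("4"))       # succeeds: phantom funds are spendable

    settled = SettledLedger()
    settled.announce_deposit(ghost)
    settled.confirm(ghost.txid, 1)                # too few confirmations to settle
    settled_ok = settled.withdraw(Decimal("4"))   # refused and flagged
    settled.fail(ghost.txid)                      # deposit abandoned; nothing to claw back
    return naive_ok, settled_ok, settled.alerts


if __name__ == "__main__":
    print(demo())
```

The separation of `pending` from `available` is the whole fix: a deposit that is announced but never finalizes can never be withdrawn, and the alert on a withdrawal that only balances against unsettled deposits gives the monitoring team the multi-day signal the article says was missing.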

Once Kraken confirmed the vulnerability, it rated it "critical" and its team mitigated the problem 47 minutes later. Kraken Chief Security Officer Nick Percoco subsequently stated that the issue was fully fixed and would not recur.

Timeline of events. Source: CertiK's official X account

Then came the twist: Nick Percoco alleged that CertiK had swindled nearly $3 million from Kraken in the course of this "security test", which CertiK strongly denied.

White hat behavior or blackmail?

Kraken's post-mortem found that three accounts had exploited the vulnerability within a few days. One of them was linked through identity verification (KYC) to a CertiK employee, who had used the vulnerability to increase his account balance by $4.

In theory, generating $4 is enough to prove the vulnerability exists, and since Kraken rated it "critical", returning that $4 would have qualified the finder for a bounty of $1 to $1.5 million from Kraken.

Kraken bug bounty program rewards. Source: Kraken

Instead, the "security researcher" disclosed the vulnerability to two people he was working with, who used it to generate much larger sums, ultimately withdrawing nearly $3 million from their Kraken accounts.

When Kraken asked CertiK for a detailed account of the activity, a proof of concept for the on-chain activity, and arrangements to return the withdrawn funds, CertiK refused and instead asked to speak with its business development (BD) team. CertiK also stated that it would not agree to return any funds until Kraken provided a hypothetical loss figure.

At that point, Nick Percoco labeled CertiK's actions extortion in a tweet, treated the $3 million loss as a "criminal case", and said Kraken was coordinating with law enforcement agencies to recover the funds.

CertiK later defended its actions on X.

CertiK's testing of Kraken focused on three questions: can a malicious actor forge a deposit transaction into a Kraken account? Can a malicious actor withdraw the forged funds? What risk controls and asset protections are triggered by large withdrawal requests? CertiK maintains that Kraken failed all three tests, indicating that Kraken's defense-in-depth had been compromised in multiple ways.

CertiK said the vulnerability allowed millions of dollars to be deposited into any Kraken account, and that Kraken triggered no alarms during the multi-day test period until CertiK formally reported the incident, at which point Kraken responded and locked the test accounts.

As for Kraken's $3 million loss, CertiK claimed that Kraken had threatened its employees and that the total amount Kraken demanded back "does not match" the cryptocurrency actually taken. CertiK also disclosed all the deposit addresses and said it would transfer the remaining funds to an account Kraken could access, based on the records.

The community's reaction was even more dramatic

This long-criticized security company is in trouble again, and the crypto community quickly gathered to watch.

Meir Dolev, founder of Cyvers.AI, said, “According to on-chain analysis, 26 days before the Kraken incident, a similar withdrawal activity was carried out on Coinbase using the same signature hash. In addition, a transfer using the same signature hash also occurred on the Polygon network 14 days ago.”

CertiK previously claimed it discovered and exploited the Kraken vulnerability on June 5, but on-chain evidence suggests it may have known about the vulnerability earlier and carried out similar actions several times. Industry observers questioned whether CertiK's published timeline was accurate and whether it had been exploiting the vulnerability to move funds for some time. This discovery deepened doubts about CertiK's integrity.

Beyond that, the security of CertiK itself, a security company, is also being questioned.

Adam Cochran of Synthetix said, “CertiK is a complete criminal and its behavior is completely contrary to the professional ethics of a security company. Given that projects audited by CertiK have been repeatedly hacked, why does the company still exist today?”

Over the following hours, Synthetix again raised serious questions about CertiK's professionalism and credibility: "CertiK security auditors took advantage of their positions to transfer and sell assets through sanctioned channels such as Tornado Cash, and their behavior patterns are similar to those of the malicious hacker group Lazarus."

It was revealed that CertiK's security auditors not only moved assets through Tornado Cash but also sold assets through ChangeNOW, exactly the pattern the Lazarus hacker group follows after breaching crypto protocols. Some analysts noted that Lazarus has hacked more CertiK-audited protocols than protocols audited by anyone else, raising questions about whether CertiK itself had already been infiltrated by hackers.

While it is not yet clear whether the whole of CertiK was involved, it does raise the question of whether CertiK's security research team had already been "compromised."

Some observers pointed out that, given the North Korean hacker group has planted agents who take jobs at DeFi protocols, had they also "colluded" with CertiK's auditors? Otherwise it is hard to explain why a US company backed by many well-known investors would blackmail exchanges and violate US sanctions and anti-money-laundering rules.

Chen Jian of Puffer Finance said, "Former employees revealed that CertiK's senior management was too focused on profits and had a distorted value system. The company was abandoned after issuing tokens, causing investors to suffer losses. It is recommended that project owners think carefully before choosing CertiK for security audits." Chen Jian believes CertiK has essentially become a "rubber-stamp company wrapped in a halo that charges expensive fees," and the projects it has audited have repeatedly run into security problems.

It was also revealed that "some CertiK internal auditors leaked the company's confidential information and audit details."

Regarding CertiK’s misdeeds, many industry insiders have criticized CertiK as “disgusting”, “immoral”, “irresponsible”, “delusional”, and “worthless”. A large number of crypto community members have joined the verbal attack on CertiK. Among them, Zi Ye, a former OKX employee, said: “Someone has hit a wall.”

DegenBing.eth | Buji DAO said that those who praise CertiK are either stupid or malicious: "Everyone, prepare your popcorn, the follow-up should be very exciting." Community user @tayvano_ also mocked CertiK, saying, "There is absolutely no excuse for CertiK's behavior, and it cannot be regarded as a legitimate white hat test at all," and called on CertiK to "get out."

CertiK: is only "slander everywhere" left?

The community's reaction shows that this is not the first time CertiK, the protagonist of this incident, has been embroiled in controversy. Founded in 2017, CertiK was once a star project in Web3 security. Its founders are Shao Zhong, tenured professor and director of the Department of Computer Science at Yale University, and Gu Ronghui, a professor in the Department of Computer Science at Columbia University, both top scholars in the security field.

In 2021, CertiK grew rapidly, closing five financing rounds in under a year with blue-chip investors including Goldman Sachs, Tiger, SoftBank, Sequoia and Hillhouse. That year, among all DeFi projects with a security audit listed on CoinMarketCap, CertiK's market share reached 70%, far ahead of its peers. Its clients include leading projects such as Aave, Polygon, Yearn Finance and Chiliz.

On the other hand, CertiK has faced controversy since its launch. The community has kept asking why CertiK, which holds the vast majority of the Web3 security market, cannot guarantee the security of the projects it audits. Some even complained: "Not every CertiK-audited project has collapsed, but the projects that collapsed were almost all CertiK-audited, and they like to claim there have been upgrades, but everyone knows the actual results, so 'CertiK audit' has practically become a guide to what to avoid."

In April 2023, GeekPark interviewed CertiK CEO Gu Ronghui, who responded to these controversies with the line "reputation is everywhere, and so is slander." CertiK treats the frequent security incidents as "unavoidable" and responds by publishing its audit reports and letting the community inspect them. Gu Ronghui has said he does not want CertiK to become a "seal" or an anti-theft "certificate."

Shortly after GeekPark published this interview with CertiK, about $1.82 million was stolen from Merlin, a decentralized trading platform built on zkSync. Merlin had just passed a CertiK audit. This time, CertiK attributed the Merlin attack to "rogue developers."

A month later, the DeFi project Swaprum ran off with a total of $3 million in customer funds a few weeks after being audited by CertiK. The community blamed CertiK, saying it had approved "another conspiracy."

Beyond these incidents, the community also questioned CertiK's technical moat.

CertiK uses formal verification and AI to provide end-to-end blockchain security audits. In short, it combines formal verification with manual review: large language models automatically scan source code for problems, simulated attacks are run, and security engineers then review the issues raised.

The founder is confident in this mechanism: "Even if our technology does not develop, as long as we can see more code and more people annotate it, our engine will become better and better. Then our security level will become higher and higher, and there will be more and more customers, which will make the engine better and better. It's a positive cycle."

Beyond unreliable audit results, CertiK's dark history also includes its token issuance. CertiK launched CertiK Chain and its token CTK in 2021, but the introduction of CTK can no longer be found on CertiK's official website.

CTK reportedly had two private sale rounds at the time: the first sold 29% of supply at $0.77 and the second 9% at $1.9. After CTK listed, it rallied briefly and then began to fall. At the time of writing, its price was $0.8.

Although Kraken genuinely had a vulnerability, once the "Kraken extortion" controversy broke, the community's attitude was strikingly unanimous, with everyone recounting CertiK's past. From a star of Web3 security with a lavish investor lineup and a US$2 billion valuation to a project mired in controversy and treated as a label to steer clear of, CertiK's trajectory in recent years has left the community sighing and serves as a warning to the project teams still in the field.