Kraken, a cryptocurrency exchange, recently reported the theft of nearly $3 million from its accounts due to a critical bug. The issue, stemming from a flaw introduced in a recent user experience update, allowed attackers to credit their accounts before their deposits were fully cleared.
Discovery of the Bug
This vulnerability was labeled as allowing malicious users to “print assets” for a temporary period. The security breach was contained within a few hours after its discovery, as stated by Kraken’s Chief Security Officer, Nick Percoco.
The bug was first flagged to Kraken’s attention through its bug bounty program on June 9. Although the initial report lacked detailed information, it prompted an immediate investigation by Kraken.
This probe uncovered an isolated incident where a malicious party could initiate an incomplete deposit to fraudulently receive funds. Percoco clarified that the vulnerability occurred under specific conditions and did not put client assets directly at risk.
Kraken discloses it was exploited on X
Subsequent inquiries into the system’s integrity revealed that the vulnerability had been exploited by three separate accounts shortly before the bug was officially reported. These accounts managed to siphon off substantial sums in a series of transactions that coincidentally took place over several days.
Percoco disclosed that the individual who reported the bug had originally tested the flaw by crediting their own account with $4, supposedly to demonstrate the bug’s existence and secure a reward through the bug bounty program.
However, it later emerged that this individual had shared details of the vulnerability with two associates instead of keeping it confidential. These collaborators then withdrew nearly $3 million in total from Kraken, directly from the company’s reserves.
Percoco emphasized that these funds were not from other client accounts. In response to this incident, Kraken demanded a full account of their activities and the return of the stolen funds.
The accused parties, however, have withheld the funds, demanding Kraken first reveal the potential extent of the exploit had it remained undisclosed.
Kraken’s Response and Legal Actions
This situation escalated when the researchers labeled Kraken’s requests for the return of the funds as “unreasonable” and “unprofessional.”
As a result, Kraken has opted not to publicly identify the research firm involved, citing the breach of bug bounty terms and framing their actions as not only unethical but criminal.
The exchange is now coordinating with law enforcement to address the issue as a criminal case, rejecting any recognition of the firm involved due to their actions.
This unfortunate event at Kraken adds to the broader landscape of digital asset vulnerabilities, with crypto hacks set to rise in 2024.
Crypto Losses Breakdown by Vulnerability
According to Merkle Science’s “2024 Crypto HackHub Report,” the first quarter of 2024 alone saw hackers steal digital assets worth $542.7 million, marking a 42% increase from the same period in 2023.
The industry has noted a shift in the nature of these security breaches, with private key leaks now overtaking smart contract exploits as the leading cause. This trend contrasts sharply with previous years, where vulnerabilities in smart contracts were more dominant.
The report also highlighted a significant decrease in losses due to smart contract vulnerabilities, which fell 92% to $179 million in 2023, down from $2.6 billion in 2022. Despite this, over 55% of the hacked digital assets in 2023 were attributed to private key leaks, underscoring a persistent security challenge within the cryptocurrency sector.
Over the past 13 years, the industry has faced 785 reported hacks and exploits, with nearly $19 billion lost, indicating a critical need for improved security measures across the board.
The post Hackers Exploit Kraken Bug, Steal Nearly $3 Million appeared first on Coinfomania.