Crypto security firm CertiK says a rogue employee is to blame for several Tornado Cash transactions linked to its exploit of crypto exchange Kraken in June.

The June 19 incident, where the firm withdrew some $3 million from the exchange, provoked an outcry at the time from crypto security researchers who questioned why a wallet connected to CertiK had sent funds through the sanctioned DeFi protocol.

“These transactions were not executed maliciously and they were not related to the funds withdrawn from Kraken,” a spokesperson for CertiK told DL News, confirming that one of the firm’s employees used Tornado Cash.

The spokesperson said a team member, without authorisation, sent a small amount of his own funds to Tornado Cash and immediately withdrew the funds to several new addresses owned by himself.

Tornado Cash lets users break the chain of traceability between blockchain transactions.

While CertiK maintains that the incident was a “whitehat” operation designed to test Kraken’s security, it’s unclear why a business built on securing code for crypto appeared to break industry standards when investigating and testing the exploit.

‘Deeply sorry’

The new comments come after CertiK published its first official statement on the incident on August 16, saying it had taken steps to “minimise the risk of similar misunderstandings occurring again.”

Other cybersecurity experts were sceptical.

“That blog was barely an apology,” Security Alliance member Hudson Jameson said of CertiK’s statement on Telegram — a messaging app.

CertiK has since taken a more apologetic tone.

“We are deeply sorry for the inconvenience and confusion caused to our customers and community by the Kraken incident,” the firm’s spokesperson told DL News.

The August 16 statement did not address why assets had been sent from a wallet connected to the firm to Tornado Cash.

And CertiK did not respond to a request asking why the team member was sending small amounts through Tornado Cash in the first place.

Although Tornado Cash has legitimate uses, regulators have scrutinised it due to its popularity with money launderers, most prominently North Korean cyber crime syndicate Lazarus Group.

In 2022, Tornado Cash was sanctioned by the Office of Foreign Assets Control — or OFAC. According to OFAC’s website, the penalties for breaking the sanctions can exceed several million dollars.

As CertiK is a US-registered company, it is almost certainly beholden to such sanctions.

And the Tornado Cash transactions aren’t the only unanswered question from the debacle.

Another lingering question is why CertiK chose to withdraw such a large amount of money — almost $3 million — from Kraken after discovering the bug.

“Our team did this to test the limit of Kraken’s protection and risk controls,” CertiK said. “To our knowledge, no alerts were triggered and there were no limits triggered.”

Industry standards dictate that after confirming a bug exists, the finder should report it at the earliest opportunity — not continue to exploit it to test theoretical limits.

What went wrong?

CertiK, a crypto security firm that boasts of providing services to more than 4,700 projects, said it has since taken disciplinary action against team members involved in the Kraken exploit while implementing policy and training changes.

This, the firm said, includes ensuring internal compliance with all policies and applicable laws, including OFAC sanctions.

Last year, CertiK cut some 15% of its workforce amid a series of industry-wide layoffs.

CertiK characterised the job cuts as a “strategic workforce adjustment in response to evolving market dynamics.” The firm declined to say if the cuts had impacted the quality of its internal processes.

Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.