The bug that Kraken said it patched had been used to exploit other centralised exchanges as early as last month, according to multiple crypto security experts.
That’s the latest development in the saga of two major crypto players, US-based exchange Kraken and auditor CertiK.
On Wednesday, Kraken said it patched a “critical” bug that allowed millions of dollars in crypto to be erroneously withdrawn from the US-based exchange.
CertiK came under fire after it admitted to being behind the exploit of that bug. The firm withdrew $3 million from Kraken over several days in early June.
After a public back-and-forth, CertiK returned all the funds it took and called its actions a white-hat operation, meaning they ostensibly acted as ethical hackers with the intention of identifying and fixing security vulnerabilities rather than exploiting them for malicious purposes.
Onchain records first identified by security platform Hexagate, and confirmed to DL News by multiple other security researchers, show a hacker attempted to exploit other crypto exchanges — Binance, OKX, BingX and Gate.io — using the same bug as early as May 17.
Those attempts came three weeks before CertiK said it found the bug on Kraken on June 5.
“We have no evidence these exchanges have been impacted,” Hexagate posted on X. “We only traced onchain evidence for similar activity.”
Centralised crypto exchanges hold a gargantuan amount of crypto on their customers’ behalf. The top five crypto exchanges that have publicly disclosed their wallet addresses hold a combined $172 billion worth of crypto, per DefiLlama data.
CertiK didn’t immediately respond to DL News’ request for comment.
Attempted exploits
The records highlighted by Hexagate show a hacker attempted to use a so-called “revert” attack to trick centralised exchanges into letting them withdraw funds.
To do that, the hacker created a smart contract that contains a transaction to deposit funds to a centralised exchange. The contract is engineered so that the main transaction succeeds but the deposit reverts.
This tricks the exchange into thinking a user has deposited funds when they haven’t. The hacker then requests a withdrawal from the exchange, debiting the fake deposit amount.
Onchain records show multiple attempts to use such a contract when depositing funds to Binance took place on BNB Chain on May 17.
Between May 29 and June 5, the same address, as well as another that was funded by it, made similar attempts on OKX, BingX and Gate.io on BNB Chain, Arbitrum, and Optimism.
Is CertiK involved?
Although CertiK first disclosed the revert attack publicly, there’s no proof it was involved in those earlier attacks.
Smart contracts functions each have a so-called signature hash they can be identified by.
In the case of the revert attack contract, the signature hash isn’t available, meaning the name of the function isn’t publicly known, a security researcher who wished to remain anonymous told DL News.
This means the function name for the revert attack is known onto CertiK or someone else has used exactly the same name as well, the researcher said.
Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out to him with tips at tim@dlnews.com.