Kraken argues that CertiK was excessive — but the cybersecurity firm insists large-scale withdrawals were necessary to ascertain the scale of the problem.
Last week, Kraken announced that a critical bug had enabled security researchers to artificially inflate their balance — and withdraw almost $3 million.
Kraken Security Update:
— Nick Percoco (@c7five) June 19, 2024
On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.
But there was something incredibly unusual about the whole incident, and it ended up sparking a war of words between the crypto exchange and a major cybersecurity firm.
Kraken’s chief security officer Nick Percoco kicked things off by announcing that a flaw had been found that allowed malicious actors to print funds in an account.
It had taken 47 minutes to mitigate the issue, and a few hours to completely fix. So far, all of this seems pretty normal and routine.
But Percoco escalated things further by claiming that the security researcher involved had told two of their colleagues about the issue, enabling them to take company funds worth millions.
He said Kraken had asked for details about how the exploit was achieved and had sought to arrange for funds to be returned in full, but alleged that the exchange was rebuffed.
“Instead, they demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!”
Nick Percoco
Percoco went on to claim that the researchers hadn’t worked within the spirit of the bug bounty program because they extracted far more than they needed to, failed to provide a proof of concept, and didn’t return the cash immediately.
So what was going on here? Was this a white hat hacker making their way to the dark side? Someone holding Kraken to ransom? A criminal matter?
CertiK steps forward
This is where the story takes an unusual turn. You might have assumed that the exploit was orchestrated by a bright teenager locked away in their bedroom somewhere. In actual fact, it was carried out by CertiK — one of the biggest auditors in the Web3 space.
Just three hours after Percoco’s thread on X, the company stepped forward with its own version of events.
CertiK recently identified a series of critical vulnerabilities in @krakenfx exchange which could potentially lead to hundreds of millions of dollars in losses.
— CertiK (@CertiK) June 19, 2024
Starting from a finding in @krakenfx's deposit system where it may fail to differentiate between different internal… pic.twitter.com/JZkMXj2ZCD
It said days upon days of tests had failed to throw up any red flags in Kraken’s internal systems — meaning the exchange’s security team only intervened after being told about the flaw.
“After initial successful conversions on identifying and fixing the vulnerability, Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses.”
CertiK
CertiK went on to urge Kraken “to cease any threats against white hat hackers.”
A day later, it followed up with a thread answering questions about its research.
Q&A to recent CertiK-Kraken whitehat operations:
— CertiK (@CertiK) June 20, 2024
1. Did any real user lose fund?
No. Cryptos were minted out of air, and no real Kraken user’s assets were directly involved in our research activities.
2. Have we refused to return the funds?
No. In our communication with…
As well as stressing that no Kraken customers ended up losing money, CertiK stressed it had “consistently assured” the company that the money would be returned, and it was. The only sticking point? Disagreement over how much the exchange was actually owed.
In explaining why it chose to exploit the flaw on such a large scale, the company added:
“We want to test the limit of Kraken’s protection and risk controls. After multiple tests across multiple days and close to three millions worth of crypto, no alerts were triggered and we still haven’t figured out the limit.”
CertiK
Reading between the lines, and it seems CertiK wanted answers from Kraken on how much a genuine fraudster could have ended up walking away with if they kept on going.
The cybersecurity firm went on to argue that a bug bounty was far down its list of priorities — and all transactions associated with its tests had entered the public domain.
An almighty war of words
On X, there’s been a fair bit of disagreement over who’s in the right and who’s in the wrong.
The real question should be why you exploited an obscene amount as part of your testing in a role where trust is the most crucial element. Take the L and stop tweeting without legal advice.
— Seeb $LSS BULL (@crypto_seeb) June 19, 2024
$3m is peanuts compared to the magnitude of a potential bankruptcy hack. Double L by Kraken making it into a public issue instead of just thanking god anons didn't exploit it.
— everhusk (@everhusk) June 19, 2024
CertiK’s argument boils down to this: it needed to make astronomically large withdrawals to test whether any of them would end up being flagged by Kraken’s internal systems.
The spat, which now appears to have been resolved on the surface, highlights some of the tension between businesses in the crypto space — and the cybersecurity researchers tasked with keeping them in check.
Does there need to be greater agreement on the rules of engagement? Are there ever instances where large-scale exploits by white hat hackers are justified, as it could prevent something more calamitous happening at a later date?
If this had happened to the Ronin Network — helping prevent one of the greatest crypto heists of all time that led to $625 million being stolen — you’d probably argue that the temporary theft of a few million dollars would be warranted.
No matter how you look at it, this incident is a painful reminder that major exchanges could have bugs that are yet to be uncovered, posing a risk to the everyday investors who use these trading platforms to store their funds.