CertiK reveals it found Kraken vulnerability and will return funds, denies extortion allegations

Share This Post

Blockchain security firm CertiK confirmed that it was behind the discovery of a critical vulnerability in crypto exchange Kraken’s deposit system and gone public with its account of the events following allegations of extortion by the exchange.

The security firm also alleged that Kraken threatened its employees on June 18 and demanded repayment of a “mismatched” amount in an unreasonable amount of time without providing a relevant wallet address.

CertiK denied the extortion allegations and said it would transfer the funds used for its “white-hat testing” back to the wallet address it has on hand since Kraken did not provide a new address. The firm said:

“Since Kraken has not provided repayment addresses and the requested amount was mismatched, we are transferring the funds based on our records to an account that Kraken will be able to access.”

CertiK’s side

CertiK said its investigation started on June 5, when its researchers found an issue in Kraken’s deposit system that failed to differentiate between various internal transfer statuses.

This led to a deeper probe into whether a malicious actor could fabricate a deposit transaction and withdraw fabricated funds. The firm said the tests also aimed to determine whether a large withdrawal request would trigger any risk controls.

CertiK’s tests revealed that millions of dollars could be deposited into any Kraken account, and fabricated crypto worth over $1 million could be withdrawn and converted into valid cryptos. The firm said that no alerts were triggered during the multi-day testing period, and Kraken only responded and locked the test accounts days after it reported the incident.

Despite initial successful communications and steps to identify and fix the vulnerability, the situation deteriorated, leading to CertiK’s public disclosure.

The timeline of events began with the initial discovery on June 5 and included significant tests, such as a large withdrawal of over 90,000 Matic on June 7 and additional large deposits and withdrawals over the following days.

CertiK reported its findings to Kraken on June 10, and by June 12, Kraken confirmed and fixed the critical vulnerability. However, the situation escalated on June 18, when Kraken allegedly threatened a CertiK employee, demanding repayment without providing addresses.

Extortion allegations

Kraken’s Chief Security Officer Nick Percoco revealed on June 19 that nearly $3 million was taken from its wallets due to a bug that allowed anyone to initiate a deposit to the platform and receive the funds without completing the transaction.

He revealed that on June 9, the company received an anonymous tip from a “security researcher” about a critical bug affecting its funding system. The flaw allowed malicious actors to artificially inflate their account balances.

While fixing the vulnerability, Kraken found that three accounts had exploited this flaw within a few days, resulting in nearly $3 million being withdrawn from Kraken’s treasury. The amount is several magnitudes higher than it needed to be to prove the vulnerability exists.

The exchange said the researchers refused its request to return the funds and provide data in line with usual bug bounty programs, which includes “a full account of their activities, a proof of concept used to create the on-chain activity.”

Instead, the researchers scheduled meetings between the exchange and CertiK’s business department to discuss what the reward should be worth based on the damages it would have caused if undisclosed.

Percoco condemned the researchers’ demands for a speculative sum for the potential damages, calling the actions unethical and criminal.

The post CertiK reveals it found Kraken vulnerability and will return funds, denies extortion allegations appeared first on CryptoSlate.

Read Entire Article
spot_img
- Advertisement -spot_img

Related Posts

Polkadot (DOT) Price Stability Fuels Hopes For Short-Term Recovery

Polkadot (DOT) has been quietly building a strong foundation, with its price stabilizing after a period of volatility This consolidation phase often serves as a launching pad for a potential upward

Tim Draper: Bitcoin Goes to Infinity Against the Dollar—$250K BTC Is Just the Start

Tim Draper envisions a future where bitcoin dominates, fiat crumbles, and people scramble to convert dollars before they become worthless, calling BTC the ultimate global currency Tim Draper Says

Solana Inflation Reform Fails As Vote Ends In Defeat

In a remarkable showcase of on-chain governance, a proposal aimed at cutting Solana’s inflation rate by 80%—identified as SIMD-228—has officially failed to meet the vote threshold required for

Dogecoin Recovery In Sight? Key Metrics Predict A Strong Bounce

After months of struggle in gathering momentum, Dogecoin (DOGE) might be about to undergo a dramatic price reversal Monitoring the movements of the meme coin, analysts believe it has hit a turning

Republican Thomas Massie Embraces Bitcoin Amid Trump Feud Over Fiscal Clashes

US Representative Thomas Massie, a Republican hailing from Kentucky, has recently disclosed that he received more than $261,000 in contributions to his campaign This week, the staunch advocate for

US Congressman To Introduce New Crypto Bill Protecting Trump’s Strategic Bitcoin Reserve

Recent reports revealed that another member of the US House of Representatives will introduce a new bill on March 14 to codify US President Donald Trump’s executive order for a Strategic Bitcoin