Yesterday evening, Kraken’s Chief Security Officer Nick Percoco revealed that the Kraken team received a bug bounty report on June 9th, stating that an “extremely serious” vulnerability had been discovered that allowed attackers to artificially increase account balances without completing a deposit. Although the Kraken team fixed the vulnerability within hours, they discovered during their investigation that the vulnerability had been exploited by three accounts. One of these accounts claimed to be a “security researcher” and used the vulnerability to credit $4 worth of cryptocurrency to their account before submitting a bug bounty report. However, the “researcher” also disclosed the vulnerability to two other individuals they were working with, resulting in nearly $3 million being withdrawn from Kraken’s treasury.
Percoco stated that since the initial report did not fully disclose the details of the vulnerability, the team reached out to the aforementioned accounts to arrange for the funds to be returned and to reward them for their “white hat behavior” according to the standard bug bounty process. However, unexpectedly, the “security researcher” requested a phone call with the Kraken development team and stated that they would not return any funds unless they were rewarded according to the potential loss caused by the vulnerability.
Thus, the “white hat hacker” instantly turned into a “blackmailer,” and Percoco decided not to disclose the name of “this research company” and to treat the matter as a criminal case, planning to coordinate with law enforcement agencies.
It seemed like the end of the story, but unexpectedly, security company CertiK came forward of its own accord three hours after Percoco’s post, claiming that it had discovered security vulnerabilities in Kraken that could result in hundreds of millions of dollars in losses.
CertiK stated that through testing, it discovered three major issues with Kraken and that during several days of testing, no Kraken alerts were triggered. CertiK also mentioned that it took several days for Kraken to respond after the vulnerability was formally reported. Furthermore, after the vulnerability was fixed, Kraken’s security operations team threatened individual CertiK employees, demanding that they return mismatched amounts of cryptocurrency within unreasonable timeframes, without even providing a return address.
Both sides stood their ground, with Kraken considering CertiK’s actions as “criminal,” while CertiK demanded that Kraken “stop threatening white hat hackers.”
There has been much discussion on CT (Crypto Twitter) regarding this matter, but the majority of the criticism has been directed towards CertiK. Particularly puzzling is CertiK’s decision to conduct several days of testing before reporting the vulnerability. In response to this question, CertiK stated, “The real question should be why Kraken’s defense-in-depth system did not detect so many test transactions.”
As the events unfolded, more details were uncovered by netizens. @lilbagscientist tweeted that CertiK had actually conducted testing on May 27th. According to Meir Dolev, Chief Technology Officer of security company Cyvers, CertiK “has performed similar tests on OKX and Coinbase to determine if these two exchanges have the same vulnerabilities as Kraken.” Additionally, CertiK’s related addresses also sent assets to Tornado and ChangeNOW during this period, which raised suspicions. Coinbase Product Manager Conor Grogan commented in the CertiK comment section, “You do know that Tornado Cash is under OFAC sanctions, right? And your registered location is in the United States, correct?”
Furthermore, as a well-known top white hat hacker in the industry, Paradigm Research Partner Samczsun sarcastically retweeted CertiK’s previous financing news (in April 2022, CertiK completed an $88 million financing round led by Insight Partners, Tiger Global, and Advent International, with participation from Goldman Sachs, Sequoia, and Lightspeed Venture, among others), saying, “My condolences and prayers to the investment partners who have to explain why the company they invested in hacked into a US exchange, stole $3 million, and laundered it through OFAC-sanctioned agreements.”
Compared to the overwhelming accusations, there are indeed few voices speaking up for CertiK. However, some perspectives are worth considering. In the CertiK comment section, @trading_axe replied, “If you want to steal assets, why settle for $3 million? You should take everything and run… Only stealing $3 million and being forced to return it will make you look foolish.” Indeed, if CertiK only targeted this $3 million for “theft,” it would be too foolish.
@BoxMrChen, on the other hand, expressed understanding for CertiK’s security researchers based on his own experiences as a white hat hacker. @BoxMrChen stated that there is much more to bug bounties than meets the eye. Some project teams flatly refuse to pay bounties to white hat hackers, citing “duplicate vulnerability submissions,” or deliberately lower the risk level of vulnerabilities to reduce the bounty amount. Additionally, even if the project team generously offers tens of thousands of dollars in token bounties, white hat hackers have to wait for the approval process; often several months pass, the tokens have already dropped by 90%, and the bounty is still pending approval. @BoxMrChen speculated that CertiK’s security researchers only wanted to wait for Kraken’s risk control to discover the vulnerability and then negotiate with them. However, there seemed to be no response from Kraken within the five-day period, prompting the submission of the vulnerability report.
@BoxMrChen concluded, “CertiK’s actions are indeed controversial, but in this industry, how much value does righteousness and justice really hold? Instead of these, I would like to know how much white hat bounty CertiK is willing to pay, to see whether CertiK is greedy and cunning, or if Kraken is stingy.”
Currently, CertiK has announced that all funds have been returned and that this incident did not involve any real user fund losses. CertiK stated that the reason it conducted multiple large-scale tests was to probe the limits of Kraken’s protection and risk control. However, even after several days and multiple tests involving cryptocurrency worth nearly three million dollars, no alerts were triggered. Furthermore, CertiK claimed that it did not participate in Kraken’s bounty program, but only contacted Kraken’s official account and CSO Nick Percoco via Twitter and LinkedIn, and finally sent a detailed report via email. And, “the team never mentioned any bounty requests.”
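The two technical points in this story are the flaw itself (a balance credited before the deposit had actually completed) and the absence of any alert while large test transactions ran for days. The following Python example is added here to illustrate both from the defender's side; it is not Kraken's or CertiK's code, and the deposit states, account names and amounts are constructed for the illustration. It shows a credit path that trusts an unconfirmed deposit record next to a hardened path that credits only confirmed deposits exactly once, and an independent reconciliation check that flags any account whose ledger balance exceeds what its credited deposits and withdrawals can explain, which is the kind of control that would have raised an alert on the first test transaction.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Illustrative deposit lifecycle (assumed for this example; not an exchange's real data model).
PENDING = "pending"      # deposit seen, settlement not yet final
CONFIRMED = "confirmed"  # settlement layer reported finality
CREDITED = "credited"    # amount has been added to the account balance


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: int  # minor units (e.g. satoshi) so arithmetic is exact
    state: str = PENDING


@dataclass
class Ledger:
    balances: Dict[str, int] = field(default_factory=dict)
    deposits: Dict[str, Deposit] = field(default_factory=dict)
    withdrawals: List[Tuple[str, int]] = field(default_factory=list)  # (account, amount)

    def register_deposit(self, deposit_id: str, account: str, amount: int) -> Deposit:
        d = Deposit(deposit_id, account, amount)
        self.deposits[deposit_id] = d
        return d

    def confirm_deposit(self, deposit_id: str) -> None:
        # Called only when the settlement layer reports the deposit as final.
        d = self.deposits[deposit_id]
        if d.state == PENDING:
            d.state = CONFIRMED

    def credit_unsafe(self, deposit_id: str) -> int:
        # Flawed pattern: credits as soon as a deposit record exists, without
        # checking that it ever confirmed, and can be invoked repeatedly.
        d = self.deposits[deposit_id]
        self.balances[d.account] = self.balances.get(d.account, 0) + d.amount
        return self.balances[d.account]

    def credit(self, deposit_id: str) -> int:
        # Hardened pattern: credit a confirmed deposit exactly once.
        d = self.deposits[deposit_id]
        if d.state != CONFIRMED:
            raise ValueError(f"deposit {deposit_id} is {d.state}, not confirmed")
        d.state = CREDITED  # state transition doubles as the idempotency guard
        self.balances[d.account] = self.balances.get(d.account, 0) + d.amount
        return self.balances[d.account]

    def withdraw(self, account: str, amount: int) -> int:
        if self.balances.get(account, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[account] -= amount
        self.withdrawals.append((account, amount))
        return self.balances[account]

    def reconcile(self) -> Dict[str, int]:
        # Independent control: a balance may never exceed credited deposits minus
        # withdrawals. Returns {account: unexplained excess}; an empty dict means clean.
        expected: Dict[str, int] = {}
        for d in self.deposits.values():
            if d.state == CREDITED:
                expected[d.account] = expected.get(d.account, 0) + d.amount
        for account, amount in self.withdrawals:
            expected[account] = expected.get(account, 0) - amount
        alerts: Dict[str, int] = {}
        for account, balance in self.balances.items():
            excess = balance - expected.get(account, 0)
            if excess > 0:
                alerts[account] = excess
        return alerts


def demo() -> Dict[str, int]:
    # Constructed scenario: one legitimate confirmed deposit, one unconfirmed
    # deposit credited through the flawed path and then mostly withdrawn.
    ledger = Ledger()
    ledger.register_deposit("dep-1", "alice", 400)
    ledger.confirm_deposit("dep-1")
    ledger.credit("dep-1")

    ledger.register_deposit("dep-2", "mallory", 3_000_000)  # never confirms
    ledger.credit_unsafe("dep-2")
    ledger.withdraw("mallory", 2_900_000)

    # The withdrawal does not hide the problem: the whole credited amount
    # remains unexplained by any confirmed deposit.
    return ledger.reconcile()


if __name__ == "__main__":
    print(demo())
```

The reconciliation runs from the deposit records rather than from the balance table, so it catches the flaw regardless of which code path produced the balance; in practice such a job would run on a schedule and page the security operations team on any non-empty result.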
With this, the current incident has come to a temporary conclusion, except for the transfer of some assets to Tornado and ChangeNOW, which CertiK has not responded to. Kraken has also refrained from commenting on the assets that CertiK has returned.
Who is lying? Only CertiK and Kraken themselves know. Currently, all the information is just speculation, and it is unknown if there will be any solid evidence in the future, such as chat records. Considering the current situation of CertiK returning the funds, perhaps this matter will ultimately be resolved through a so-called “settlement.”