Certik/Kraken - Rekt

Kraken accuses security researchers of extortion after $3M bug bounty exploit.
A cybersecurity firm's disclosure of a critical vulnerability in Kraken's systems has escalated into accusations of extortion and threats between the parties.
Chief Security Officer Nick Percoco disclosed that Kraken received a bug bounty program alert from a security researcher in early June.
Security research firm Certik revealed that they discovered the bug.
However, CertiK claims that, rather than cooperating to address the issue, Kraken responded by threatening CertiK employees and making unreasonable demands.
The conflicting claims have devolved into a public he-said-she-said dispute, with each party accusing the other of questionable behavior.
In this strange and unsettling situation, can we truly trust the guardians of our digital fortresses?

While initially vague, the report claimed to have found an "extremely critical" bug that allowed inflating account balances on the cryptocurrency exchange.
Nick Percoco stated that Kraken's security team promptly investigated the matter and discovered an isolated bug that allowed a malicious attacker, under the right circumstances, "to initiate a deposit onto our platform and receive funds in their account without fully completing the deposit."
Within an hour and 47 minutes, Kraken had deployed a fix to resolve the issue.
CertiK alleges their investigation uncovered more alarming vulnerabilities in Kraken's systems beyond the initial bug report.
According to CertiK, their testing confirmed the ability to fabricate deposits into any Kraken account and withdraw large sums of fabricated crypto exceeding $1 million, all without triggering any alerts for multiple days.
CertiK claims that after responsibly reporting these critical findings, which Kraken itself classified at the highest severity level, the exchange then threatened CertiK employees with demands to repay a "mismatched amount" of crypto within an "unreasonable time" without even providing wallet addresses.
The security firm alleges Kraken's threats came after CertiK had already assisted in successfully identifying and remediating the vulnerabilities.
CertiK states they have gone public to protect users and urge Kraken to cease making threats against ethical security researchers acting in good faith.
This contradicts Kraken's portrayal of the initial $3 million incident as clear extortion by bad actors.
CertiK asserts they followed responsible vulnerability disclosure practices in coordination with Kraken initially.
Further analysis revealed that the bug had already been actively exploited in the preceding days across three accounts associated with the original researcher's colleagues.
One account controlled by the researcher had deposited a mere $4, seemingly to validate the vulnerability.
Ultimately, abuse of the same flaw in Kraken's systems enabled the withdrawal of over $3 million from Kraken's corporate wallets over a five-day period.
CertiK claims that the transactions were merely test deposits, with the millions withdrawn from the system for testing purposes.
CertiK asserted that "millions of dollars of crypto were minted out of air, and no real Kraken user's assets were directly involved in our research activities."
Notably, they underlined that despite numerous fabricated tokens being generated and exchanged for valid cryptocurrencies over several days, no risk control or prevention measures were enacted until CertiK brought the issue to light.
When Kraken requested that the illegally obtained funds be returned per its bug bounty policy, the researchers refused and instead demanded a speculative ransom payment based on hypothetical maximum losses.
This $3 million exploit formed the basis of Kraken's claim of extortion by bad actors.
However, CertiK alleges this demand was in response to Kraken's own threats after CertiK reported even more severe vulnerabilities.
It is worth noting that, according to Kraken's Bug Bounty page, the maximum payout for a Critical severity finding is capped at $1.5 million.
Strangely, the same address that conducted these "tests" made three deposits to Tornado Cash almost two weeks ago.
If it turns out that CertiK was routing funds through Tornado Cash, a sanctioned virtual currency mixer, the legal implications could be massive.
Time will tell who was in the wrong here; clearly someone really screwed up.
Are we venturing into a realm where the lines between ethical behavior and exploitation blur, akin to crossing over into the Twilight Zone?
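To make the deposit-completion flaw described above concrete from the defender's side, here is an added Python model. It is not Kraken's or CertiK's code; the event shape, the confirmation threshold, the account names and the amounts are constructed assumptions for illustration. It contrasts a ledger that credits an account as soon as a deposit is initiated with one that credits only on finality and at most once per transaction, and it adds the kind of reconciliation check that would have raised an alert when credited balances outrun confirmed deposits.

```python
from dataclasses import dataclass

REQUIRED_CONFIRMATIONS = 6  # assumed finality threshold for this illustration


@dataclass(frozen=True)
class DepositEvent:
    account: str
    tx_id: str
    amount: int        # smallest unit of the asset (e.g. wei, satoshi)
    state: str         # "initiated", "confirmed" or "failed"
    confirmations: int = 0


def is_final(ev: DepositEvent) -> bool:
    """A deposit counts only when the chain reports it confirmed past the threshold."""
    return ev.state == "confirmed" and ev.confirmations >= REQUIRED_CONFIRMATIONS


class VulnerableLedger:
    """Credits the account when a deposit is *initiated* and never revisits it."""

    def __init__(self):
        self.balances = {}

    def handle(self, ev: DepositEvent) -> None:
        if ev.state == "initiated":
            self.balances[ev.account] = self.balances.get(ev.account, 0) + ev.amount


class HardenedLedger:
    """Credits only on finality and at most once per tx_id (replay-safe)."""

    def __init__(self):
        self.balances = {}
        self.credited = set()

    def handle(self, ev: DepositEvent) -> bool:
        if ev.tx_id in self.credited or not is_final(ev):
            return False
        self.balances[ev.account] = self.balances.get(ev.account, 0) + ev.amount
        self.credited.add(ev.tx_id)
        return True


def reconcile(balances: dict, events: list) -> dict:
    """Detection control: compare each credited balance with the sum of that
    account's finalized deposits (deduplicated by tx_id) and report any excess."""
    finalized = {}
    seen = set()
    for ev in events:
        if is_final(ev) and ev.tx_id not in seen:
            seen.add(ev.tx_id)
            finalized[ev.account] = finalized.get(ev.account, 0) + ev.amount
    return {acct: bal - finalized.get(acct, 0)
            for acct, bal in balances.items() if bal > finalized.get(acct, 0)}


# Constructed sample stream (not real chain data): one tiny deposit that completes,
# one large deposit that fails after initiation, one that never completes,
# and a replayed confirmation for the first deposit.
SAMPLE_EVENTS = [
    DepositEvent("acct_A", "tx1", 400, "initiated"),
    DepositEvent("acct_A", "tx2", 1_000_000, "initiated"),
    DepositEvent("acct_B", "tx3", 2_000_000, "initiated"),
    DepositEvent("acct_A", "tx1", 400, "confirmed", confirmations=6),
    DepositEvent("acct_A", "tx2", 1_000_000, "failed"),
    DepositEvent("acct_A", "tx1", 400, "confirmed", confirmations=7),  # replay
]


def run_demo(events=SAMPLE_EVENTS) -> dict:
    """Feed the same event stream to both ledgers and reconcile each result."""
    vuln, hard = VulnerableLedger(), HardenedLedger()
    for ev in events:
        vuln.handle(ev)
        hard.handle(ev)
    return {
        "vulnerable": vuln.balances,
        "hardened": hard.balances,
        "vulnerable_discrepancies": reconcile(vuln.balances, events),
        "hardened_discrepancies": reconcile(hard.balances, events),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The vulnerable ledger ends up crediting $3 million-scale balances backed by only one tiny confirmed deposit, and the reconciliation step reports exactly that excess per account, which is the signal a risk-control job should alert on continuously rather than days later. The hardened ledger never credits the failed or unfinished deposits and ignores the replayed confirmation, so reconciliation against it reports nothing.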

With both parties trading accusations of extortion and threats, the matter has devolved into a heated he-said-she-said quagmire.
Kraken insists it took reasonable actions to protect itself after ethical boundaries were crossed.
CertiK maintains it followed industry best practices for vulnerability disclosures and responsible coordination.
Caught in the crossfire of this public spat are the users and broader crypto community.
As fingers get pointed in both directions, perhaps the truth about what actually transpired will eventually be established.
Whose narrative will prove credible?
What if there is another version of the story that has yet to be uncovered, such as a rogue actor?
As the outcome may significantly impact platform security and user safety in the crypto world, one wonders if ethics and collaboration will triumph over assertions of misconduct.
In light of this significant occurrence, it's important to consider the possible impact on security researchers who may be more cautious about sharing their discoveries, fearing potential involvement in similar disputes.
Additionally, can we fully dismiss the possibility that a rogue actor within CertiK might have played a role in the alleged exploitation, further complicating the narrative and raising questions about trust and accountability in the security research community?
