In a recent security update, Kraken’s Chief Security Officer, Nick Percoco, made a serious accusation against CertiK, claiming that CertiK exploited a critical bug to take $3 million under the cover of a white-hat bug bounty operation. The allegation has sparked a heated dispute between the two companies.
The bug was discovered on June 9, 2024, when Kraken received a report about a vulnerability that allowed artificial balance inflation. Although Kraken had received numerous false reports in the past, it took this one seriously and quickly identified and addressed the issue. The bug allowed a malicious deposit to be credited to an account balance before the deposit had actually completed, so the credited funds could be withdrawn even though they were never really received. Kraken’s team fixed the problem in just under two hours.
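To make the failure mode concrete, here is an added illustration (not Kraken’s or CertiK’s code) of the flawed pattern the article describes, crediting a deposit before it has finalized, beside a hardened version that keeps unfinalized funds in a pending balance, plus a reconciliation check that flags any account whose credited and withdrawn funds exceed its settled deposits. The confirmation threshold, account names, transaction ids and amounts are all constructed for the example.

```python
from dataclasses import dataclass, field

CONFIRMATIONS_REQUIRED = 6  # assumed finality threshold; exchanges tune this per asset


@dataclass
class Deposit:
    txid: str
    amount: int          # smallest unit of the asset, e.g. satoshi
    confirmations: int   # how many blocks have built on the deposit transaction


@dataclass
class Account:
    available: int = 0   # spendable balance
    pending: int = 0     # seen on-chain but not yet final
    withdrawn: int = 0   # total paid out, kept for reconciliation
    deposits: dict = field(default_factory=dict)


def credit_vulnerable(acct: Account, dep: Deposit) -> None:
    """Flawed pattern: the balance is credited as soon as the deposit is seen,
    so a deposit that never completes still becomes withdrawable."""
    acct.deposits[dep.txid] = dep
    acct.available += dep.amount


def credit_hardened(acct: Account, dep: Deposit) -> None:
    """Only finalized deposits reach the spendable balance; the rest stay pending."""
    acct.deposits[dep.txid] = dep
    if dep.confirmations >= CONFIRMATIONS_REQUIRED:
        acct.available += dep.amount
    else:
        acct.pending += dep.amount


def withdraw(acct: Account, amount: int) -> bool:
    """Withdrawals draw on the spendable balance only; returns False if refused."""
    if amount <= 0 or amount > acct.available:
        return False
    acct.available -= amount
    acct.withdrawn += amount
    return True


def settled_total(acct: Account) -> int:
    return sum(d.amount for d in acct.deposits.values()
               if d.confirmations >= CONFIRMATIONS_REQUIRED)


def inflated_accounts(accounts: dict) -> list:
    """Reconciliation: money credited or already paid out must never exceed
    what actually settled on-chain. Any account violating this is inflated."""
    return [name for name, a in accounts.items()
            if a.available + a.withdrawn > settled_total(a)]
```

Run the reconciliation check on a schedule and on every withdrawal request; with the vulnerable crediting path an unconfirmed deposit lets the full amount be withdrawn, and the check flags the account immediately.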
Further investigation revealed that three accounts had exploited this vulnerability, one of them linked to a self-identified security researcher. Instead of following the disclosure protocol, the researcher shared the bug with others, resulting in the fraudulent withdrawal of almost $3 million from Kraken’s treasury. Kraken demanded the return of the funds and full disclosure of the activity, but the researchers refused and instead demanded a speculative reward. Notably, these researchers were affiliated with CertiK.
CertiK responded to Kraken’s accusations by publishing its own findings. It drew attention to critical vulnerabilities in Kraken’s deposit system that could lead to significant financial losses, and said its testing had shown that fabricated deposits and withdrawals were possible without triggering Kraken’s risk controls. CertiK also accused Kraken of pressuring its employees to repay mismatched amounts of cryptocurrency within an unreasonable timeframe, without providing repayment addresses.
In what it described as an effort to protect the Web3 community, CertiK decided to publicly disclose its findings and to transfer the funds to an account accessible by Kraken. It emphasized that no real user assets were involved in its testing.
The dispute has drawn attention from industry figures. Blockchain commentator Adam Cochran criticized CertiK’s actions, labeling them criminal. He speculated about a potential link between CertiK and North Korean entities, suggesting that the firm conducts cheap audits and then allows subsequent exploits. Cochran also questioned CertiK’s ethics as a US-based company, noting that it moved funds through the US-sanctioned mixer Tornado Cash.
CertiK has its defenders, however. One commenter pointed out that the firm conducted extensive testing, including of Kraken’s internal alerting, and promptly returned the funds, suggesting that Kraken should be grateful for a free penetration test.
It is important to note that the views expressed in this article are the author’s personal opinions and should not be considered financial advice. Readers are encouraged to conduct thorough research before making any investment decisions. The Crypto Basic, the source of this article, is not responsible for any financial losses that may occur.