Kraken and CertiK Dispute Over $3M White Hat Operation Funds

Hassan Shittu

The recent conflict between CertiK and Kraken has brought critical issues to light. It centers on the exploitation of a security bug that resulted in the unauthorized withdrawal of approximately $3 million from Kraken’s treasury by a research team from CertiK.

Both parties have presented contrasting narratives, raising significant questions about the nature of ethical hacking, communication protocols, and the appropriate handling of discovered vulnerabilities.

The Origin of the Dispute

Kraken recently lost about $3 million to a bug exploited by the same security research team that had reported the bug. Kraken’s Chief Security Officer, Nicholas Percoco, accused the team of extortion, claiming it demanded a reward for the withdrawn funds and refused to return them unless Kraken agreed to pay a speculative amount for potential damages.

According to Percoco, the bug, first reported on June 9, allowed the research team to withdraw over $3 million from Kraken’s treasury. The team exploited the bug despite alerting Kraken to the critical security flaw.

Kraken confirmed that the stolen assets came from their treasury and assured users that their funds were safe. Furthermore, the exchange is collaborating with law enforcement to recover the stolen funds.

Percoco added that one of the accounts involved in the exploit had completed Know Your Customer (KYC) verification. The suspected research team initially demonstrated the bug with a $4 crypto transfer, which would have been sufficient to claim a bounty from Kraken. However, the subsequent withdrawal of nearly $3 million raised ethical concerns.

CertiK later identified itself as the involved team and claimed Kraken threatened its employees. Percoco expressed disappointment, noting that Kraken’s request to return the funds was met with accusations of unprofessionalism.

Dispute Over CertiK-Kraken White Hat Operations

Several critical questions have arisen about the nature of the controversy between CertiK and Kraken and the actions taken by both parties.

CertiK has therefore stepped forward to give its account. CertiK states that no real Kraken users’ assets were involved in its research activities, as the crypto was minted out of thin air. Despite the allegations, CertiK says it consistently assured Kraken that it would return the funds, which it has since done.

However, the amounts returned do not match what Kraken requested. CertiK returned 734.19215 ETH, 29,001 USDT, and 1,021.1 XMR, while Kraken had requested 155,818.4468 MATIC, 907,400.1803 USDT, 475.5557871 ETH, and 1,089.794737 XMR.

CertiK explained that it conducted multiple large-scale tests to assess the limits of Kraken’s protection and risk controls. CertiK further noted that, despite running tests involving nearly three million dollars’ worth of crypto over several days, no alerts were triggered.

The security team claims to have promptly disclosed all vulnerability details to Kraken, which, according to CertiK’s report, fixed the issue within 47 minutes. CertiK also stated that it did not participate in Kraken’s bounty program and had no intention of seeking a bounty; its priority was ensuring the issue was fixed.

Although CertiK did not submit a complete transaction list to Kraken, it says it provided the large deposit addresses from day one, enabling Kraken to identify all transactions and lock all related accounts. CertiK has also made all deposit transactions public.

Community Reaction

The controversy surrounding CertiK has elicited strong reactions within the crypto community. Prominent figures like Adam Cochran and Erik Voorhees have weighed in on the situation. Cochran pointed out that CertiK’s security auditors moved assets via sanctioned Tornado Cash and dumped assets via ChangeNOW, a pattern associated with hacking groups like Lazarus. He further alleged that “Lazarus has hacked more CertiK audited protocols than any others.”

Amid the discussion, some reminded the firm that Tornado Cash is sanctioned by the Office of Foreign Assets Control (OFAC), warning that using it could attract legal trouble. Since CertiK is an American firm, using a US-sanctioned tool could expose it to serious legal consequences.

Erik Voorhees questioned the relevance of sanctions if CertiK was not based in the U.S. Cochran responded by highlighting that CertiK’s cofounders are U.S. professors and the company’s headquarters are in the U.S.

Community members expressed concern about the severity of the situation. Twitter user @ToroTheDog emphasized the seriousness of violating OFAC regulations, suggesting that CertiK needs immediate legal counsel. Questions also arose about the firm’s intentions in returning the funds and its reasoning for sending them through Tornado Cash.

Meanwhile, Kraken reassured its users that their funds were never at risk and said it is committed to recovering the stolen assets. The exchange remains firm in its stance against CertiK, accusing the firm of unethical practices and urging the return of all exploited funds.