
CertiK Found Vulnerability in Kraken; Exchange Accuses it of Extortion

Published: Jun 20, 2024 | Last Updated: Jun 20, 2024
Howard Kane
Image: Kraken software vulnerability

Crypto exchange Kraken and CertiK clash over a critical vulnerability, highlighting the complexities of digital asset security and ethical hacking.

In the world of cryptocurrency, security is paramount. Recently, a significant incident involving Kraken, a US-based crypto exchange, and CertiK, a blockchain security firm, has highlighted the complexities and challenges of maintaining security in the digital asset space.

The Incident

Kraken reported that it was being extorted by a security researcher who exploited a bug in its system to withdraw about $3 million in digital assets (the figure is Kraken's). After withdrawing the funds, the researcher demanded a reward before returning them. Kraken's Chief Security Officer, Nick Percoco, stated that demanding a reward after exploiting a vulnerability constitutes extortion, not white-hat hacking. The funds were drawn from Kraken's own treasury, so no client assets were at risk.

CertiK's Involvement

CertiK, a blockchain security firm, disclosed that it had discovered a critical vulnerability in Kraken's deposit system. According to CertiK, the flaw allowed it to fabricate deposits and withdraw over $1 million in crypto during its testing (CertiK's own figure; Kraken put the amount withdrawn at about $3 million). CertiK says it initially cooperated with Kraken to fix the issue, but relations soured when Kraken allegedly threatened CertiK employees and demanded repayment without providing a wallet address. CertiK denied the extortion allegations and stated its intention to return the funds based on its own records.

Understanding the Vulnerability

The vulnerability discovered by CertiK was significant. It allowed fabricated deposits to be credited and then withdrawn, meaning that a malicious actor could withdraw funds that had never actually been deposited. CertiK said its tests were meant to probe Kraken's risk controls, and that the exchange's system failed to differentiate between internal transfer statuses; in effect, a transfer that had not settled was treated as if it had. For an exchange this is a classic failure mode: the spendable balance must be derived only from deposits that have reached finality, and withdrawals must be reconciled against that figure rather than against every deposit record on the books.
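To make the failure mode concrete, here is an added illustration (not Kraken's code, nor anything CertiK published) of a toy exchange ledger. The deposit states, account model and scenario are all assumed for the example: one balance function credits every deposit record regardless of its status, the other credits only confirmed deposits, and a small reconciliation routine flags accounts whose withdrawals exceed what has actually settled.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum


class DepositStatus(Enum):
    """Lifecycle of an incoming transfer (assumed model for this example)."""
    INITIATED = "initiated"   # user requested a deposit; nothing observed on-chain yet
    PENDING = "pending"       # seen on-chain but below the confirmation threshold
    CONFIRMED = "confirmed"   # final; safe to make spendable
    FAILED = "failed"         # abandoned, reorged out or rejected


@dataclass
class Deposit:
    amount: Decimal
    status: DepositStatus


@dataclass
class Account:
    deposits: list = field(default_factory=list)
    withdrawn: Decimal = Decimal(0)


def confirmed_total(acct: Account) -> Decimal:
    """Sum of deposits that have reached finality."""
    return sum(
        (d.amount for d in acct.deposits if d.status is DepositStatus.CONFIRMED),
        Decimal(0),
    )


def available_vulnerable(acct: Account) -> Decimal:
    """Flawed: every deposit record is credited, whatever its status.
    This is the class of bug the article describes: transfer statuses are not
    distinguished, so an unsettled deposit becomes spendable."""
    credited = sum((d.amount for d in acct.deposits), Decimal(0))
    return credited - acct.withdrawn


def available_hardened(acct: Account) -> Decimal:
    """Correct: only confirmed deposits count toward the spendable balance."""
    return confirmed_total(acct) - acct.withdrawn


def withdraw(acct: Account, amount: Decimal, balance_fn) -> bool:
    """Debit `amount` if `balance_fn` says it is covered; return whether it went through."""
    if amount <= 0 or balance_fn(acct) < amount:
        return False
    acct.withdrawn += amount
    return True


def overdrawn_accounts(accounts: dict) -> list:
    """Reconciliation check an ops team could run: accounts that have withdrawn
    more than they ever had confirmed, i.e. evidence the flaw was exercised."""
    return [name for name, acct in accounts.items()
            if acct.withdrawn > confirmed_total(acct)]


def run_scenario() -> dict:
    # Constructed scenario: an attacker initiates a 1000-unit deposit that never
    # settles, then immediately requests a withdrawal of the same amount.
    vuln = Account([Deposit(Decimal(1000), DepositStatus.INITIATED)])
    hard = Account([Deposit(Decimal(1000), DepositStatus.INITIATED)])
    honest = Account([Deposit(Decimal(500), DepositStatus.CONFIRMED)])

    vuln_ok = withdraw(vuln, Decimal(1000), available_vulnerable)    # paid out of treasury
    hard_ok = withdraw(hard, Decimal(1000), available_hardened)      # rejected
    honest_ok = withdraw(honest, Decimal(200), available_hardened)   # normal user unaffected

    flagged = overdrawn_accounts({"vuln": vuln, "hard": hard, "honest": honest})
    return {
        "vulnerable_paid_out": vuln_ok,
        "hardened_paid_out": hard_ok,
        "honest_paid_out": honest_ok,
        "flagged": flagged,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The hardened balance function is the fix; the reconciliation routine is the detection. Even with the fix in place, running the reconciliation over historical ledgers is how an exchange finds out whether the window was exploited before the patch, which is exactly the kind of audit that decides whether an incident is contained.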
