Kraken Turns Its First Hack Into White Hat Firm’s PR Nightmare (2024)

The security team of Kraken knew that someday an attacker would penetrate their cyber defenses. On June 9, a white hat researcher from the security firm CertiK discovered a vulnerability allowing withdrawals on a user’s balance sheet without completing the deposit process.

A researcher notified Nick Percoco, Kraken’s chief security officer, of the discovery of an “extremely critical bug,” enabling users to withdraw nonexistent funds.

According to SendBlocks, a blockchain platform, the attacker sent a malicious contract to Kraken’s internal validator, exploiting a flaw between native tokens and their internal deposit addresses. The flaw caused transfers to be mistakenly recorded as successful by Kraken’s backend operations, allowing the attacker to “double spend” the native token.
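As an added illustration (constructed for this article; not Kraken's or CertiK's code, and not a description of the actual exploit path), the Python model below shows the class of failure the paragraph describes: a backend that records a deposit as successful as soon as it sees the transfer, beside a version that credits only a finalised, non-replayed transfer to a known internal deposit address. The class names, the `min_confirmations` threshold and the status strings are assumptions.

```python
"""Constructed model of deposit crediting; not Kraken's code."""
from dataclasses import dataclass, field


@dataclass
class Transfer:
    tx_id: str
    to_addr: str
    amount: int        # smallest unit of the native token
    status: str        # "pending", "success" or "failed", as reported by the chain
    confirmations: int


@dataclass
class Ledger:
    deposit_addrs: dict                 # internal deposit address -> user id
    balances: dict = field(default_factory=dict)
    credited: set = field(default_factory=set)
    min_confirmations: int = 6          # assumed finality threshold

    def credit_vulnerable(self, t: Transfer) -> bool:
        # Failure mode from the article: the backend records the transfer as
        # successful as soon as it is seen, before the deposit has completed,
        # so a withdrawal can draw on a balance that was never funded.
        user = self.deposit_addrs.get(t.to_addr)
        if user is None:
            return False
        self.balances[user] = self.balances.get(user, 0) + t.amount
        return True

    def credit_hardened(self, t: Transfer) -> bool:
        # Credit only a finalised, successful transfer to a known internal
        # address, and never credit the same tx_id twice.
        user = self.deposit_addrs.get(t.to_addr)
        if user is None or t.tx_id in self.credited:
            return False
        if t.status != "success" or t.confirmations < self.min_confirmations:
            return False
        self.credited.add(t.tx_id)
        self.balances[user] = self.balances.get(user, 0) + t.amount
        return True

    def withdraw(self, user: str, amount: int) -> bool:
        # A withdrawal can only draw on what the ledger has credited.
        if self.balances.get(user, 0) < amount:
            return False
        self.balances[user] -= amount
        return True
```

The detection angle CertiK later raised (why repeated test transactions went unnoticed) maps onto the `credited` set and the confirmation check: a transfer that is credited before it is final, or credited twice, is exactly the event a deposit-reconciliation alert should fire on.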

CoinPedia described the situation as “a bug bounty report turned into a daring heist,” because the researcher allegedly shared it with two associates, who both attempted to capitalize on the bug within a week. Although seemingly common on Wall Street, that’s not normal for white hat hackers.

The unknown researcher used only $4 worth of crypto to illustrate the vulnerability. Allegedly, it was the researcher’s accomplices who used the exploit to withdraw $3 million.

According to Percoco, CertiK would not agree to return the funds until Kraken provided “a speculated $ amount that this bug could have caused if they had not disclosed it,” which sounds a lot like what the mafia does in a protection racket.

They later returned the funds, expecting the bounty, but Kraken denied it, citing the ethical violations of the researcher and their accomplices. This led to the researcher and their associates asking for the funds back.

Hack and Heist

CertiK isn’t just any firm. It was founded by professors of Yale and Columbia University and counts the biggest names in venture capital, including Sequoia Capital and Goldman Sachs, as well as the biggest names in crypto, including Coinbase and Binance, among its investors. Online, it has been called the most prestigious auditor in the world.

Kraken fixed the breach within 47 minutes, and no client funds were lost, but Kraken is a firm that highly values its reputation, defending itself vociferously online and pursuing litigation against its critics. It has also never been hacked, so in an era of security lapses that were costly for investors, Kraken’s heretofore unblemished reputation is well-deserved, and Kraken staff never tire of reiterating this.

When a disgruntled Redditor claimed his account was hacked, a Krakenite responded, mentioning in the course of his comments, “So far, Kraken is known to be the safest exchange, hackers have never compromised us.”

White Hat or Black Hat?

Normally, white hat hackers operate with the explicit permission of the entity being tested. While Kraken may not be in the habit of hiring white hats, its bug bounty program has been going on for almost a decade. It isn’t just that CertiK didn’t notify Kraken of their activities.

Black hat hackers often pretend to be doing their victims a favor, asking for a bug bounty while holding onto a huge ransom. That’s extortion. By refusing to return the loot, CertiK crossed the line.

They also didn’t have a big enough bounty to hang over Kraken’s head. Think about it: If the bounty is big enough to damage the firm, it provides leverage to the hacker.

In the case of Wormhole, the blockchain bridge, which Disruption Banking analyzed, the victim of the hack pleaded with the hacker to return $325 million, offering a $10 million white hat bug bounty.

Because of sensational cases like that, hackers, white and black alike, dream of finding a zero-day exploit.

On its website, CertiK advertised its bug bounty program as “the only Web3 platform providing fully managed end-to-end support with 0% fee on bounty payouts.”

Unfortunately for CertiK, the researcher deviated from policy, blurring the lines between white and black, which provided Kraken a means of counterattack. It wasn’t smart, especially since Kraken had KYCed one of the researchers already.

Whatever leverage gained with the exploit, Kraken quickly turned the tables and CertiK’s staff revealed themselves as amateurs. What followed was a particularly savage public drubbing, and online sentiment was decidedly for Kraken and against CertiK.

The Kraken Strikes Back

The hack happened on or about June 9. On the 19th, after ten days of wrangling behind the scenes, the acrimony exploded publicly.

First, at 8:25 AM, Nick Percoco posted a thread recounting Kraken’s version of events.

We have had a Bug Bounty program in place at Kraken for nearly ten years. This program is run internally and is fully staffed by some of the brightest minds in the community. Our program, like many others, has clear rules of the road…

1. Do not exploit more than you need to in…

— Nick Percoco (@c7five) June 19, 2024

Two hours later, CertiK responded with a 266-word rejoinder accompanied by a timeline.

CertiK recently identified a series of critical vulnerabilities in @krakenfx exchange which could potentially lead to hundreds of millions of dollars in losses.

Starting from a finding in @krakenfx's deposit system where it may fail to differentiate between different internal… pic.twitter.com/JZkMXj2ZCD

— CertiK (@CertiK) June 19, 2024

CertiK defended itself, saying that the funds were minted out of air, and that no clients’ assets were directly involved in their research. The real question, CertiK insisted, “should be why Kraken’s in-depth defense system failed to detect so many test transactions.”

CertiK tweeted out a set of Q&As on June 20, the day after the row became public. CertiK characterized the actions of the researchers continuing to mint more crypto with the exploit as probing the limits of Kraken’s internal controls.

They also accused Kraken of asking for more funds than CertiK’s tests had minted, including a list to show the disparity.

CertiK tweeted, “Is the amount of funds returned consistent with what Kraken requires?

No, the amounts returned are inconsistent with Kraken’s command. We returned: 734.19215 ETH, 29,001 USDT, 1021.1 XMR, while Kraken requested 155818.4468 MATIC, 907400.1803 USDT, 475.5557871 ETH, 1089.794737 XMR.”

That is an odd wrinkle. It does seem as if there was a miscommunication at some point, but by then, the damage was done and Kraken had the upper hand in the PR battle.

Public Reactions

In a tweet, Taylor Monahan, former CEO and founder of MyCrypto, now known as MetaMask, offered CertiK a “stack ranked list” of things they should be scared of:

1. krakens lawyers

2. their own lawyers when they find out bout this

3. legit security researchers

4. their internal culture, ethics

5. their brand

The reversal was so devastating that other players in the space started taking potshots at CertiK.

An address previously tweeted by a Certik security researcher was probing and testing as early as May 27th. This already contradicts Certik's timeline of events.

One of the Certik tornado txs funded a wallet that has been interacting with the same contract as recently as TODAY -… https://t.co/rSbQLkyfZv pic.twitter.com/TBSfPtjp5l

— 0xBoboShanti (@0xBoboShanti) June 19, 2024

Although the dates are certainly curious, screenshotted records of wallet transactions cannot establish who the sender or the receiver was to any standard of journalistic rigor. But the attempt by private actors to gainsay CertiK’s version of events exemplifies the venom it brought on itself with this ham-fisted operation.

This is the nail in the coffin for #CertiK

If you can't trust your security audit company, you can't be sure if they won't be exploiting you later.

You are essentially less safe after the audit than before. https://t.co/tErC6wxpF3

— Kevin Schellinger (@k_schellinger) June 19, 2024

It is no exaggeration to say that by the end of last week, CertiK had become a laughingstock among its industry peers.

Just remember @CertiK are 100% felons and scammers

Personally got scammed by merlin 2 hours after certik audit (there was no audit). It’s a matter of time when they all go to jail.

Check this new case they scammed @krakenfx: https://t.co/uMaQ5dwutC #scam #certik #certikscam

— BigPump (@BigCryptoUAA) June 19, 2024

One industry analyst, Cryptopian News, wrote on Medium that the Kraken case shows “how thin the line between ethical hacking and cybercrime is.”

A Thin Line

This should have been a distinction that CertiK’s researchers well understood. Did they go rogue? It certainly seems unlikely that CertiK built this big, well-regarded business by extorting platforms.

However, the researchers tried to put Kraken in contact with their sales team to negotiate the bug bounty, so it does seem as if they were at least following some semblance of an internal protocol.

In the Q&A, CertiK claimed that its tests always last five days and that they never even mentioned a bug bounty in their initial communications with Kraken.

At the end of the day, law enforcement will have to sort it out, but Disruption Banking wouldn’t be surprised to discover that Kraken massaged the truth just a little to make sure CertiK came out looking criminal.

After all, they didn’t offer any evidence to substantiate their side of the story. It’s not unreasonable to wonder why.

Author: Laird Dilorenzo

#Crypto #Blockchain #DigitalAssets #DeFi

Laird Dilorenzo is a hatchet thrower and wordsmith.

The editorial team at #DisruptionBanking has taken all precautions to ensure that no persons or organizations have been adversely affected or offered any sort of financial advice in this article. This article is most definitely not financial advice.
