The ongoing saga between Kraken and CertiK has taken an unexpected twist. CertiK, a security firm, claims to have conducted a white hat operation on specific Kraken accounts that did not belong to customers, resulting in the draining of almost $3 million. However, Kraken disputes this, stating that the full amount exploited was not returned, while CertiK maintains that it has returned all funds according to its records.
On June 20, CertiK provided an update on the situation, revealing that it had returned 734 Ether (ETH), 29,001 Tether (USDT) tokens, and 1,021 Monero (XMR) coins. In contrast, Kraken requested the return of 155,818 Polygon (MATIC) tokens, 907,400 USDT, 475.5 ETH, and 1,089.8 XMR.
The Kraken-CertiK saga began on June 9 when Kraken announced that it had received an alert from an alleged security researcher through its bug bounty program. The alert brought attention to a bug in Kraken’s system that allowed users to inflate their account balances. As Kraken rushed to address the bug, it discovered that three accounts had exploited the flaw, resulting in the theft of $3 million from the exchange.
Kraken’s chief security officer, Nick Percoco, stated that one of the three accounts had passed Know Your Customer (KYC) verification and had used the bug to credit $4 to their account. This would have been sufficient evidence to prove the bug and claim the bounty. However, this account allegedly shared the flaw with two other accounts, leading to all three accounts pocketing $3 million from Kraken in the subsequent days.
When Kraken asked the alleged security researcher to return the funds and collect the bounty, the individual refused and requested payment of the bounty first. Although Kraken did not disclose the name of the security firm involved in the “white hat” exploit, CertiK later revealed that it was responsible for the Kraken exploit.
CertiK claimed that the employee who discovered the vulnerability had been threatened with demands to return the stolen funds but had not been given a wallet address to send them to. Ronghui Gu, co-founder of CertiK, confirmed this and stated that the stolen funds were sent to the crypto mixing service Tornado Cash to prevent them from being frozen by other crypto exchanges. However, this move drew criticism from the crypto community, which questioned CertiK’s intentions behind the “white hat” operation.
The crypto community raised concerns about why CertiK researchers moved millions of dollars’ worth of funds instead of conducting a single transaction to demonstrate the vulnerability. Some pointed out that Tornado Cash is an Office of Foreign Assets Control (OFAC)-sanctioned tool, potentially exposing CertiK to legal issues. Others questioned CertiK’s intentions in returning the funds and why they chose to send them to Tornado Cash.
The majority of the crypto community supported Kraken in this dispute and criticized CertiK for its actions, accusing them of “stealing” from and blackmailing Kraken for the bounty.
Kraken has stated that it is in contact with law enforcement agencies regarding the situation. Updates on this matter will be provided as they become available.