Sunday, June 30, 2024

Kraken revealed nearly $3 million in losses due to the exploit and the bug has now been fixed

Kraken revealed that nearly $3 million was stolen from its wallets through a vulnerability that has since been fixed.

Kraken Chief Security Officer Nick Percoco said the exchange received a report through its bug bounty program on June 9. The report pointed to an “extremely critical” bug that allowed attackers to artificially inflate balances on the platform.

Nick Percoco, Kraken Chief Security Officer

Percoco said that although the submission lacked specifics, Kraken looked into the issue and found a separate bug that allowed a malicious attacker to initiate a deposit to the platform and receive the funds in their account without fully completing the deposit. Percoco notes this only happened under specific conditions.

Percoco asserted that no customer assets were ever at risk; the error stemmed from a flaw in a recent UX change that credited customer accounts before the deposited assets had fully cleared, allowing a malicious attacker to effectively “print assets” in a Kraken account for a period of time.
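As an added illustration (not Kraken's code, whose internals are not public), here is a toy deposit ledger that can run in either mode: crediting the spendable balance as soon as a deposit is seen, as the flawed UX change did, or holding it as pending until the deposit clears. All class and method names are assumptions; the reconciliation check at the end is the kind of control that flags withdrawals not backed by settled deposits.

```python
from dataclasses import dataclass

@dataclass
class Account:
    available: int = 0   # spendable balance
    pending: int = 0     # credited on receipt, not yet spendable (hardened mode only)
    withdrawn: int = 0
    settled_in: int = 0  # total of deposits that fully cleared

class Ledger:
    def __init__(self, credit_before_settlement=False):
        self.weak = credit_before_settlement   # True models the flawed UX change
        self.accounts = {}
        self.deposits = {}   # dep_id -> (acct_id, amount, status)

    def deposit_seen(self, dep_id, acct_id, amount):
        a = self.accounts.setdefault(acct_id, Account())
        self.deposits[dep_id] = (acct_id, amount, "pending")
        if self.weak:
            a.available += amount   # flaw: spendable before the deposit is final
        else:
            a.pending += amount     # shown to the user, but not spendable

    def deposit_final(self, dep_id, cleared):
        acct_id, amount, status = self.deposits[dep_id]
        if status != "pending":
            return                  # idempotent: ignore duplicate callbacks
        self.deposits[dep_id] = (acct_id, amount, "settled" if cleared else "failed")
        a = self.accounts.setdefault(acct_id, Account())
        if cleared:
            a.settled_in += amount
        if self.weak:
            if not cleared:
                a.available -= amount   # too late if it was already withdrawn
        else:
            a.pending -= amount
            if cleared:
                a.available += amount   # only now does it become spendable

    def withdraw(self, acct_id, amount):
        a = self.accounts.setdefault(acct_id, Account())
        if amount <= 0 or amount > a.available:
            return False
        a.available -= amount
        a.withdrawn += amount
        return True

    def treasury_exposure(self):  # reconciliation: withdrawals not backed by settled deposits
        return {k: a.withdrawn - a.settled_in for k, a in self.accounts.items() if a.withdrawn > a.settled_in}
```

In the weak mode a deposit that is withdrawn and then fails leaves a negative balance that the exchange, not another customer, has to absorb; in the hardened mode the same withdrawal is refused until the deposit settles.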

Exploited before the bounty report was submitted

According to Percoco, the bug was fully fixed within a few hours. However, a subsequent investigation showed that three accounts had exploited it over a span of several days.

Percoco claims one of the accounts was KYC-verified to the individual who discovered the bug and who claims to be a “security researcher”. Percoco said this individual deliberately used the bug to credit their account with $4, enough to prove the vulnerability, submit a bug bounty report and receive a large reward.

However, Kraken’s CSO alleges that the researcher disclosed the bug to two other individuals they worked with, who then withdrew much larger amounts from Kraken accounts, totaling nearly $3 million. Percoco clarified: “This is from Kraken’s treasury, not other customers’ assets.”

Percoco said Kraken asked for a full accounting of their activity and for the funds to be returned. However, the researchers allegedly refused to return any funds until Kraken stated how large the potential loss could have been had they not disclosed the bug.

“This is not white-hat hacking, but extortion!” Percoco said.

Percoco said the researchers had accused the exchange of being “unreasonable” and “unprofessional” in its inquiries, adding that while Kraken would not name the research firm involved, it considers this a criminal case because the terms of the bug bounty program were violated.

“We will not disclose this research company because they do not deserve credit for their actions. We are treating this as a criminal case and coordinating with law enforcement agencies,” Percoco said.

According to The Block

Mark Tyson
Freelance News Writer. Always interested in the way in which technology can change people's lives, and that is why I also advise individuals and companies when it comes to adopting all the advances in Apple devices and services.

