Nick Percoco, head of security at the US cryptocurrency exchange Kraken, drew attention on X by publishing a major security alert concerning the platform. That alert, however, is only the starting point of a story worth examining in detail.
Kraken: Extortion by a “white hat” after a $3 million bug
Kraken, one of the oldest cryptocurrency exchanges, has built a strong reputation for security since its founding in 2011. The crypto world was therefore surprised when Nick Percoco, the exchange's head of security, published an important update following the discovery of a bug rated "extremely critical".
Nick Percoco explained in a thread on X that, although the initial report gave little detail, he took it up and processed it as quickly as possible, and found within minutes "an isolated bug". In short, the flaw would have allowed an attacker to be credited with funds without making a real deposit into his Kraken account.
To be clear, no client's assets were ever at risk. However, a malicious attacker could effectively print assets in their Kraken account for a period of time.
— Nick Percoco (@c7five) June 19, 2024
To reassure the community, Kraken's head of security stated that his team had handled this critical report and mitigated the main risk within 47 minutes.
Within a few hours the problem was fully fixed and the flaw could no longer be reproduced. The bug appears to have been introduced by a user-experience (UX) change that had not been tested against this particular type of attack.
Once the issue was resolved, Kraken investigated the origin of the report. The self-described security researcher had reportedly credited about $4 in cryptocurrency to his own KYC-verified account for the purposes of his investigation.
According to Nick Percoco, however, it did not stop there: the researcher also reportedly shared the vulnerability with two colleagues, who used the flaw to withdraw nearly $3 million from two other, separate Kraken accounts.
Because the initial Bug Bounty report was not detailed enough, Kraken's teams asked the individuals who had exploited the flaw for additional information. They reportedly refused and instead demanded a call with the exchange's sales team.
They also reportedly refused to return the funds until Kraken paid a reward equal to the amount of damage the bug could have caused.
CertiK gives its version of the facts
The story does not end there. Although Kraken chose not to disclose the identity of the Bug Bounty reporter, CertiK, a leading blockchain security firm, spoke out on X just a few hours after Nick Percoco's tweet.
In its statement, the company said it was the party that had discovered the flaw in Kraken's deposit system and that it had carried out an in-depth investigation into several points.
These points concerned the artificial fabrication of a deposit transaction into a Kraken account, the ability to withdraw such funds, and the risk and asset-protection controls that apply to a subsequent large withdrawal request.
According to CertiK, the exchange failed all of these tests: "an amount of more than 1 million dollars can be withdrawn and converted into valid cryptocurrencies without any alert being triggered," the firm declared.
CertiK recently identified a series of critical vulnerabilities in @krakenfx exchange which could potentially lead to hundreds of millions of dollars in losses.
Starting from a finding in @krakenfx's deposit system where it may fail to differentiate between different internal… pic.twitter.com/JZkMXj2ZCD
— CertiK (@CertiK) June 19, 2024
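To make the kind of control CertiK describes concrete (a withdrawal should only be honoured against funds backed by a confirmed on-chain deposit, and a very large withdrawal should raise an alert rather than go through silently), here is an added example in Python. It is not Kraken's or CertiK's code and does not model the actual flaw; the confirmation threshold, the review threshold, the account names and the sample deposits are all constructed assumptions for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from decimal import Decimal

# Assumed policy values for this illustration (not Kraken's real parameters).
REQUIRED_CONFIRMATIONS = 6                 # on-chain confirmations before a deposit is spendable
REVIEW_THRESHOLD = Decimal("1000000")      # withdrawals at or above this are held for manual review


@dataclass(frozen=True)
class Deposit:
    txid: str            # on-chain transaction id the credit is tied to
    amount: Decimal
    confirmations: int


@dataclass
class Account:
    name: str
    deposits: dict[str, Deposit] = field(default_factory=dict)
    withdrawn: Decimal = Decimal("0")

    def observe_deposit(self, dep: Deposit) -> None:
        # Keyed by txid, so re-observing the same transaction (e.g. as confirmations grow)
        # updates the record instead of crediting the account a second time.
        self.deposits[dep.txid] = dep

    def confirmed_balance(self) -> Decimal:
        credited = sum((d.amount for d in self.deposits.values()
                        if d.confirmations >= REQUIRED_CONFIRMATIONS), Decimal("0"))
        return credited - self.withdrawn

    def pending_balance(self) -> Decimal:
        return sum((d.amount for d in self.deposits.values()
                    if d.confirmations < REQUIRED_CONFIRMATIONS), Decimal("0"))


def evaluate_withdrawal(acct: Account, amount: Decimal) -> tuple[str, list[str]]:
    """Return (decision, alerts); decision is 'approve', 'hold' or 'reject'."""
    alerts: list[str] = []
    if amount <= 0:
        return "reject", ["non-positive amount"]
    if amount > acct.confirmed_balance():
        # The core control: only funds backed by confirmed on-chain deposits may leave.
        alerts.append(f"{acct.name}: withdrawal {amount} exceeds confirmed balance "
                      f"{acct.confirmed_balance()} (pending {acct.pending_balance()})")
        return "reject", alerts
    if amount >= REVIEW_THRESHOLD:
        alerts.append(f"{acct.name}: large withdrawal {amount} held for manual review")
        return "hold", alerts
    return "approve", alerts


def apply_withdrawal(acct: Account, amount: Decimal) -> tuple[str, list[str]]:
    """Evaluate and, only if approved, debit the account."""
    decision, alerts = evaluate_withdrawal(acct, amount)
    if decision == "approve":
        acct.withdrawn += amount
    return decision, alerts


def demo() -> dict[str, str]:
    """Run the constructed scenario and return each decision keyed by label."""
    acct = Account("test-account")
    # Constructed sample deposits: one fully confirmed, one still in its first block.
    acct.observe_deposit(Deposit("tx-confirmed", Decimal("100"), confirmations=12))
    acct.observe_deposit(Deposit("tx-unconfirmed", Decimal("500"), confirmations=1))
    results: dict[str, str] = {}
    results["spend_unconfirmed"] = apply_withdrawal(acct, Decimal("300"))[0]   # reject
    results["spend_confirmed"] = apply_withdrawal(acct, Decimal("60"))[0]      # approve
    results["overspend"] = apply_withdrawal(acct, Decimal("60"))[0]            # reject: only 40 left
    whale = Account("large-account")
    whale.observe_deposit(Deposit("tx-big", Decimal("2000000"), confirmations=50))
    results["large"] = apply_withdrawal(whale, Decimal("1500000"))[0]          # hold
    return results


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label}: {decision}")
```

The design point is that the spendable balance is derived from confirmed on-chain transactions keyed by txid, never from a deposit the user merely initiated, and that the withdrawal path re-derives that balance at decision time rather than trusting a cached figure. The manual-review hold is the alert that, per CertiK's claim above, did not fire for withdrawals of over $1 million.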
The security firm states that, after successful discussions on identifying and remediating the vulnerabilities, Kraken's security team "threatened CertiK employees into repaying an incorrect cryptocurrency amount, within an unreasonable time frame and without even providing a refund address."
CertiK then published the full details of its case file. According to its timeline of events, the first alert was raised on June 5. Several rounds of deposits followed between June 5 and June 9, by which point all deposits had been withdrawn.
The first contact with Kraken took place on June 10, but after a second meeting on June 18 the relationship deteriorated sharply following the threats CertiK reports.
The company explains that "large and continuous withdrawals from different test accounts were part of our trials". At the end of the thread, it also states that it has made all the funds involved in the case available to Kraken in an accessible account.