Kraken v CertiK: Who’s in the right after $3m exploit saga?

The Kraken-CertiK incident is both intriguing and concerning. CertiK appears to have found critical vulnerabilities in Kraken's systems, but the way it went about testing them has sparked heated debate.


Kraken's position is that CertiK went too far. CertiK maintains that its large-scale withdrawals were necessary to gauge the true scale of the problem.

Last week, Kraken revealed that a serious flaw had allowed security researchers to artificially inflate their account balances and withdraw approximately $3 million they were not entitled to.

On June 9, 2024, we received a notification from a security researcher in our Bug Bounty program. At first, they didn’t reveal any details, but they claimed to have discovered a “highly critical” flaw that enabled them to unfairly boost their account balance on our platform.

— Nick Percoco (@c7five) June 19, 2024

The exchange between the crypto exchange and the cybersecurity firm was extraordinary, and it quickly escalated into a heated war of words between the two.

Nick Percoco, Kraken's chief security officer, began by disclosing a vulnerability that allowed a malicious user to artificially credit funds to an account.

According to Percoco, it took 47 minutes to mitigate the initial symptoms and several more hours to fully resolve the issue, a process he described as routine.

Percoco added that the security researcher had shared the problem with two colleagues, who then used it to withdraw millions of dollars from the exchange's funds.

Kraken asked for details of how the exploit had been carried out and for the funds to be returned in full, but says the researchers refused.

“Instead of refunding the money, they insisted on speaking with their business development team and haven’t agreed to do so until we give an estimated figure for the damage this bug might have caused if left undisclosed. This isn’t ethical hacking; it’s extortion.”

Nick Percoco

Percoco argued that the researchers went beyond the bounds of the bug bounty program by taking far more than they needed, failed to provide a working proof of concept, and dragged their feet on returning the money.

That raised some uncomfortable questions. Had a once ethical hacker gone rogue and turned against Kraken? Was someone trying to extort the exchange by threatening to disrupt its operations? Or was this simply a criminal matter? Whatever the motive, Kraken needed more information to assess the potential impact on the exchange and its users.

CertiK steps forward

The tale takes an unexpected twist. You may have thought the scheme was masterminded by a clever teen hidden away in their bedroom. In reality, it was executed by CertiK – a prominent figure in the Web3 auditing community.

Three hours after Percoco's post on X, the company published its own account of events.

Recently, CertiK uncovered several major vulnerabilities in KrakenFX exchange, which, if exploited, could result in financial losses totalling hundreds of millions of dollars. The issues were initially discovered in KrakenFX’s deposit system, where it might not effectively distinguish between various internal transactions.

— CertiK (@CertiK) June 19, 2024

For several days in a row, Kraken's internal checks flagged nothing, and its security team acted only once it had been told about the vulnerability.

“Following the initial success in addressing and resolving the identified vulnerability, Kraken’s security team has reportedly demanded that specific CertiK employees refund an inconsistent quantity of cryptocurrency within an unjustifiably short timeline without disclosing any repayment addresses.”

CertiK

CertiK went on to urge Kraken “to cease any threats against white hat hackers.”

A day later, it followed up with a thread answering questions about its research.

1. Were any genuine users’ funds affected in our recent CertiK-Kraken investigations?

— CertiK (@CertiK) June 20, 2024

CertiK said that no Kraken customers lost money in the incident and that it had kept its word and returned the funds. The only point of contention was the exact amount to be returned.

In explaining why it chose to exploit the flaw on such a large scale, the company added:

“Our goal is to push Kraken’s protective measures and risk controls to their maximum capacity. Over several days and nearly three million dollars in cryptocurrency transactions, we have yet to elicit a response from the system, leaving us uncertain as to where that limit lies.”

CertiK
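CertiK's account above describes two distinct controls: a deposit path that must tell internal transfers apart from genuine external deposits, and risk controls that should trip when withdrawals run to millions of dollars over several days. The following is an added example, not code from Kraken or CertiK, of what those two controls look like in a toy exchange ledger. Everything in it is constructed: the account names, deposit IDs, amounts and the hypothetical per-window withdrawal cap. The ledger only creates new balance from confirmed, never-before-seen external deposits, treats internal transfers as pure moves, and refuses to pay out when total balances are no longer backed by external deposits or when an account exceeds its withdrawal cap.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """Constructed toy exchange ledger. Balance is created only by confirmed,
    unique external deposits; every other operation just moves it around."""
    balances: dict = field(default_factory=lambda: defaultdict(int))
    seen_deposit_ids: set = field(default_factory=set)
    external_in: int = 0        # sum of confirmed external deposits credited
    external_out: int = 0       # sum of completed withdrawals
    withdrawn_in_window: dict = field(default_factory=lambda: defaultdict(int))
    alerts: list = field(default_factory=list)
    window_limit: int = 50_000  # hypothetical per-account cap per risk window

    def credit_deposit(self, account, deposit_id, amount, confirmed):
        # Only a confirmed external deposit creates balance, and only once:
        # a replayed deposit notification is rejected and raises an alert.
        if not confirmed:
            return False
        if deposit_id in self.seen_deposit_ids:
            self.alerts.append(f"replayed deposit {deposit_id} for {account}")
            return False
        self.seen_deposit_ids.add(deposit_id)
        self.balances[account] += amount
        self.external_in += amount
        return True

    def internal_transfer(self, src, dst, amount):
        # An internal move never changes the total held; it is not a deposit.
        if self.balances[src] < amount:
            return False
        self.balances[src] -= amount
        self.balances[dst] += amount
        return True

    def withdraw(self, account, amount):
        # Three gates: sufficient balance, per-window cap, and a ledger that
        # still reconciles against external deposits.
        if self.balances[account] < amount:
            return False
        if self.withdrawn_in_window[account] + amount > self.window_limit:
            self.alerts.append(f"withdrawal cap hit for {account}")
            return False
        if not self.reconciles():
            self.alerts.append("ledger unbacked; withdrawals halted")
            return False
        self.balances[account] -= amount
        self.withdrawn_in_window[account] += amount
        self.external_out += amount
        return True

    def reconciles(self):
        # Invariant: customer balances are fully backed by what came in
        # from outside minus what has already gone back out.
        return sum(self.balances.values()) == self.external_in - self.external_out


def naive_credit_on_any_transfer(ledger, dst, amount):
    """Constructed illustration of the failure class, not Kraken's code: an
    ingest path that treats every transfer notification as a new deposit
    credits the destination without debiting any source, creating balance
    that no external deposit backs."""
    ledger.balances[dst] += amount


def demo():
    good = Ledger()
    good.credit_deposit("alice", "tx-001", 10_000, confirmed=True)
    good.credit_deposit("alice", "tx-001", 10_000, confirmed=True)  # replay, rejected
    good.internal_transfer("alice", "bob", 4_000)
    still_backed = good.reconciles()

    bad = Ledger()
    bad.credit_deposit("alice", "tx-002", 10_000, confirmed=True)
    naive_credit_on_any_transfer(bad, "bob", 10_000)  # phantom balance appears
    halted = not bad.withdraw("bob", 5_000)           # reconciliation gate trips
    return still_backed, good.balances["bob"], halted, bad.alerts[-1]


if __name__ == "__main__":
    print(demo())
```

The reconciliation check is deliberately run on the withdrawal path rather than only as a nightly batch: a phantom credit is harmless until someone tries to turn it into an outbound transfer, so that is where the invariant earns its keep. The per-window cap stands in for the kind of risk control CertiK says it was trying to trigger.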

In effect, CertiK was asking Kraken to put a figure on how much a malicious actor could have drained had the activity continued unchecked.

The cybersecurity firm insisted that a bug bounty had never been high on its agenda and that all of its dealings relating to the testing were now public.

An almighty war of words

On X, there’s been a fair bit of disagreement over who’s in the right and who’s in the wrong.

“The important issue is to understand why such a large sum was used during testing in a position where trust is paramount. It would be prudent to consult with a lawyer before continuing to post any further.”

— Seeb $LSS BULL (@crypto_seeb) June 19, 2024

Three million dollars is insignificant next to the immense consequences of a bankruptcy hack. The fact that Kraken’s double L vulnerability became public instead of being quietly addressed by anonymous users significantly escalated the situation.

— everhusk (@everhusk) June 19, 2024

CertiK's justification, in short: it had to make very large withdrawals to find out whether Kraken's internal flags would trigger at all.

The dispute, which appears to have since been settled, exposes underlying friction in the cryptocurrency industry, not only between businesses but between those businesses and the security specialists who work to protect them.

The episode also raises the question of whether a clearer consensus is needed on the rules of white hat hacking. In some scenarios, is it justifiable for white hats to run large-scale exploits in order to head off a potential future catastrophe?

Had such testing allowed the Ronin Network to thwart its $625 million hack, one of the largest crypto heists ever, the temporary loss of a few million dollars might well have looked like a price worth paying.

Whichever side one takes, the incident is an unwelcome reminder that major exchanges may harbour undiscovered flaws, putting at risk the savings of ordinary investors who rely on these venues to hold their assets.


2024-06-26 13:46