Scams, Hacks & Breaches | On June 20, 2024

Blockchain Security Firm Certik Returns $3,000,000 in Exploited Funds to Crypto Exchange Kraken

By Daniell Marlow

A digital asset security research firm has returned $3 million in funds to crypto exchange Kraken after an unusual saga following a bug bounty program exploit.

Yesterday, Kraken chief security officer Nick Percoco said in a lengthy X thread that the exchange was alerted days ago that an “extremely critical” code exploit allowing hackers to artificially inflate their funds had been discovered.


“Within minutes we discovered an isolated bug. This allowed a malicious attacker, under the right circumstances, to initiate a deposit onto our platform and receive funds in their account without fully completing the deposit.

To be clear, no client’s assets were ever at risk. However, a malicious attacker could effectively print assets in their Kraken account for a period of time.”
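The flaw Percoco describes is a deposit that is credited before it is complete. The following is an added illustration, not Kraken's code and not based on any knowledge of its systems: a toy ledger with a hypothetical `credit_on_confirm` switch. With the switch off, initiating a deposit credits the balance immediately and a deposit that later fails leaves an unbacked balance behind; with it on, the balance only moves once the deposit is confirmed. A reconciliation helper (`unbacked_credit`, also hypothetical) shows the control a defender would run to catch balances that exceed confirmed deposits.

```python
"""Toy model of exchange deposit crediting (constructed example, not Kraken's code).

Amounts are integers in minor units. The ledger is deliberately tiny so the
difference between crediting on *initiation* and crediting on *confirmation*
is the only thing going on.
"""
from dataclasses import dataclass, field
from enum import Enum


class DepositState(Enum):
    INITIATED = "initiated"
    CONFIRMED = "confirmed"
    FAILED = "failed"


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: int
    state: DepositState = DepositState.INITIATED


@dataclass
class Ledger:
    # credit_on_confirm=False reproduces the failure mode quoted above:
    # the account is credited as soon as the deposit is initiated.
    credit_on_confirm: bool
    balances: dict = field(default_factory=dict)
    deposits: dict = field(default_factory=dict)

    def initiate(self, deposit_id: str, account: str, amount: int) -> Deposit:
        if amount <= 0:
            raise ValueError("deposit amount must be positive")
        if deposit_id in self.deposits:
            raise ValueError("duplicate deposit id")
        dep = Deposit(deposit_id, account, amount)
        self.deposits[deposit_id] = dep
        if not self.credit_on_confirm:
            # Flaw: balance moves before the deposit is known to be real.
            self.balances[account] = self.balances.get(account, 0) + amount
        return dep

    def finalize(self, deposit_id: str, success: bool) -> Deposit:
        dep = self.deposits[deposit_id]
        if dep.state is not DepositState.INITIATED:
            raise ValueError("deposit already finalized")
        dep.state = DepositState.CONFIRMED if success else DepositState.FAILED
        if success and self.credit_on_confirm:
            # Hardened path: credit only once the deposit is confirmed.
            self.balances[dep.account] = self.balances.get(dep.account, 0) + dep.amount
        # Note: the flawed ledger does nothing on failure, so the early credit stays.
        return dep

    def available(self, account: str) -> int:
        return self.balances.get(account, 0)


def unbacked_credit(ledger: Ledger, account: str) -> int:
    """Reconciliation check: balance not explained by confirmed deposits.

    A positive result means the account holds credit that was never backed
    by a completed deposit; a defender would alert on any non-zero value.
    """
    confirmed = sum(
        d.amount for d in ledger.deposits.values()
        if d.account == account and d.state is DepositState.CONFIRMED
    )
    return ledger.available(account) - confirmed


def scenario(deposit_succeeds: bool) -> tuple[int, int, int, int]:
    """Run one deposit through both ledgers.

    Returns (flawed balance, flawed unbacked credit,
             hardened balance, hardened unbacked credit).
    """
    flawed = Ledger(credit_on_confirm=False)
    hardened = Ledger(credit_on_confirm=True)
    for ledger in (flawed, hardened):
        ledger.initiate("dep-1", "acct-a", 500)
        ledger.finalize("dep-1", success=deposit_succeeds)
    return (
        flawed.available("acct-a"), unbacked_credit(flawed, "acct-a"),
        hardened.available("acct-a"), unbacked_credit(hardened, "acct-a"),
    )


if __name__ == "__main__":
    print("failed deposit   ->", scenario(False))   # flawed ledger keeps 500 unbacked
    print("confirmed deposit->", scenario(True))    # both ledgers hold 500, all backed
```

The reconciliation check is the point worth keeping: even if crediting logic is wrong, an independent comparison of balances against confirmed deposits turns an "inflated balance" bug into an alert rather than a silent gain.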

According to Percoco, the unnamed “security researchers” who found the bug then behaved unprofessionally when it came to returning the exploited funds.

“We have never had issues with legitimate researchers in this way and are always responsive.


In the essence of transparency, we are disclosing this bug to the industry today. We are being accused of being unreasonable and unprofessional for requesting that ‘white-hat hackers’ return what they stole from us. Unbelievable.

As a security researcher, your license to ‘hack’ a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your ‘license to hack’. It makes you, and your company, criminals.

We’ll not disclose this research company because they don’t deserve recognition for their actions. We are treating this as a criminal case and are coordinating with law enforcement agencies accordingly. We’re thankful this issue was reported, but that’s where that thought ends.”

However, today Percoco said the funds have since been returned to the US-based exchange, though the security officer still declined to name who returned them.

“Update: We can now confirm the funds have been returned (minus a small amount lost to fees).”


Crypto security firm Certik has claimed responsibility for identifying the exploit, taking to social media platform X to tell its side of the story:

“After initial successful conversations on identifying and fixing the vulnerability, Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses.”

Source: Certik/X

According to Certik, Kraken is avoiding the deeper issues revealed by the firm’s audit.

“Fact of the Whitehat Operation: Millions of dollars of crypto were minted out of air, and no real Kraken user’s assets were directly involved in our research activities.

More Severe Security Issue: For several days, with many fabricated tokens generated and withdrawn to valid cryptos, no risk control or prevention mechanisms were triggered until reported by CertiK.

The real question should be why Kraken’s in-depth defense system failed to detect so many test transactions. Continuous large withdrawals from different testing accounts were a part of our testing.”


Generated Image: Midjourney