Kraken Recoups $3 Million Lost in Bug Bounty Exploit Involving Blockchain Firm CertiK
Summary:
The cryptocurrency exchange Kraken has successfully reclaimed nearly $3 million worth of digital assets initially lost in a bug bounty exploit. The saga began with Kraken's accusation against blockchain security firm CertiK of maliciously withdrawing the funds after discovering a bug. CertiK defended its actions, explaining the multi-million withdrawal was an attempt to test Kraken's risk controls. Upon return of the funds, CertiK emphasized no user funds were compromised during the exploit as the funds were created out of nothing.
After a high-profile mishap involving a bug bounty exploit, the cryptocurrency exchange Kraken has reclaimed lost funds. Kraken verified the retrieval of the pilfered digital assets, worth close to $3 million, effectively concluding the ordeal between Kraken and CertiK that commenced on June 9. Nicholas Percoco, Kraken's chief security officer, authenticated the return of the funds, less transaction charges, in a post dated June 20, stating that the funds had indeed been returned, with a small portion lost to fees.
Percoco had initially disclosed the absence of $3 million in funds on June 19, accusing a "security researcher" of maliciously drawing these funds from the exchange's treasury after identifying and disclosing an existing bug. The exchange contended that the security researcher was withholding the funds, demanding both a reward and a conversation with Kraken's business team.
Shortly after Kraken publicized the missing funds, the blockchain security company CertiK confirmed that it was the "security researcher" who Kraken accused of absconding with $3 million worth of digital assets. In a post on June 19, CertiK stated that it had brought an exploit to Kraken's attention that enabled the withdrawal of millions of dollars from the exchange's accounts. CertiK also claimed to have received threats from Kraken's team.
In responding to these allegations, CertiK shared the events' chronology, starting with the exploit's recognition on June 5 and ending with threats to a CertiK employee by Kraken on June 18. It announced plans to transfer the funds to an account that Kraken could access.
Kraken’s Percoco originally mentioned that the first malicious transaction of merely $4 would have been ample to demonstrate the bug and obtain considerable rewards from Kraken’s bounty scheme. Yet $3 million was minted by the security researcher, later identified as CertiK.
Certik explained in a subsequent post that the multimillion-dollar sum was necessary to evaluate the exchange's limits. Furthermore, CertiK argued that it had not initially requested a bounty - it had been brought up by Kraken first. CertiK also stressed that at no point during the exploit were Kraken user funds at risk since the funds manipulated were created from nothing.
Published At
6/20/2024 5:30:31 PM
Disclaimer: Algoine does not endorse any content or product on this page. Readers should conduct their own research before taking any actions related to the asset, company, or any information in this article and assume full responsibility for their decisions. This article should not be considered as investment advice. Our news is prepared with AI support.
Do you suspect this content may be misleading, incomplete, or inappropriate in any way, requiring modification or removal?
We appreciate your report.