Kraken Retrieves $3M Lost to CertiK in a High-Profile Bug Bounty Exploit
Summary:
The digital currency exchange Kraken has recovered nearly $3 million lost to a bug bounty exploit. The saga began when an unknown "security researcher", later identified as the security firm CertiK, dishonestly withdrew the funds by exploiting a bug. The firm claimed it was merely testing Kraken's risk controls. While CertiK denied asking for a bounty, Kraken claims that the firm only agreed to return the funds in exchange for a reward and a meeting with Kraken's executives. All reclaimed funds, excluding transaction fees, are now secured, according to Kraken.
The popular crypto exchange Kraken has successfully recovered nearly $3 million worth of digital assets that were illicitly withdrawn through a high-profile bug bounty exploit. The recovery follows a saga between Kraken and the cybersecurity company CertiK that began on June 9th. Nicholas Percoco, Kraken's Chief Security Officer, confirmed the recovery of the funds (excluding transaction fees) in a statement on June 20th.
Percoco first revealed the situation on June 19th, stating that a self-styled "security researcher" had dishonestly extracted funds from Kraken's treasury after finding and disclosing a bug previously unknown to the exchange. Kraken then alleged financial blackmail, saying the researcher refused to return the stolen assets unless given a reward and a discussion with its business development team.
The plot thickened when blockchain security firm CertiK revealed itself to be the "security researcher" that Kraken accused of taking $3 million in digital assets. In its own report on June 19th, CertiK said it had informed Kraken of a flaw that allowed it to withdraw substantial sums from Kraken's coffers. CertiK also hit back at Kraken, alleging that Kraken team members had made threats against its personnel.
CertiK laid out a chronology of events, starting with the discovery of the exploit on June 5 and ending with accusations that Kraken threatened one of CertiK's staff on June 18. In a statement to Cointelegraph, CertiK said it planned to transfer the funds to a secure account to which Kraken has access.
On the question of why CertiK siphoned almost $3 million, Kraken's CSO initially contended that a single malicious transfer of just $4 would have sufficed to demonstrate the bug and claim an ample reward under Kraken's bounty scheme. CertiK countered that it had withdrawn nearly $3 million to test Kraken's risk controls and protection ceilings.
CertiK emphasizes that it never asked for a bounty and that it was Kraken who brought up the bounty offer. It also noted that at no point were Kraken user funds at risk, because the compromised funds were "minted out of air".
Published At
6/20/2024 5:30:31 PM
Disclaimer: Algoine does not endorse any content or product on this page. Readers should conduct their own research before taking any actions related to the asset, company, or any information in this article and assume full responsibility for their decisions. This article should not be considered as investment advice. Our news is prepared with AI support.