Navigating Trust and Accountability in White Hat Hacking: A Closer Look at the CertiK-Kraken Scenario
Summary:
The article explores the delicate balance of trust between cybersecurity firms and vendors in the context of white hat hacking, discussing an incident between security experts CertiK and digital asset exchange company Kraken. The incident involved a security vulnerability discovered by CertiK in Kraken's exchange balance and deposit functionality. The complicated situation underscored the role and responsibilities of ethical hackers, emphasizing the timely reporting of critical findings and initiating no further exploitation. The piece suggests that such collaborative work and trust are essential in improving industry-wide security practices.
The field of ethical hacking, often termed as white hat hacking, is a vital element in maintaining cybersecurity. Serving as a tool for cyber 'good guys', this form of hacking offers a way to break down applications, discover security flaws, and utilise these findings to fortify the system's overall security strength. Its application ranges across various sectors including blockchain, cloud storage, artificial intelligence and operating system security among others. In each scenario, an intricate yet robust bond has developed between vendors and security experts, founded on a nuanced balance of trust. Firms such as Trail of Bits, Halborn, and Open Zeppelin have been examining and fixing a range of smart contracts, maintaining an impeccable professional record that enhances trust.
Discussion arose between CertiK and Kraken on May 17th when CertiK researchers unearthed a security gap in Kraken's Digital Asset Exchange balance computation and deposit functionality. The Kraken Security Squad acknowledged it as a grave matter, and managed to rectify it within 47 minutes. Though it seems harmless on the surface, such a vulnerability could allow cybercriminals to carry out a 'double spend' action - duping an exchange into accepting a false deposit. Once the balance mistakenly updates, they could turn around and withdraw the equivalent amount. This would drain funds from the exchange's treasury wallet, much like a bank.
CertiK disclosed a list of fraudulent deposit transactions, demonstrating the exploitation of this vulnerability 20 times over five days as supposed 'tests' of Kraken's detection abilities. In the aftermath of this incident, all funds displaced during this purported 'testing' phase have been re-deposited into Kraken, save for a small segment that was depleted in fees.
Despite having clear evidence-of-function, the CertiK team should have alerted Kraken regarding the issue immediately while refraining from further manipulations of the security gap.
White hat hacking is a sensitive domain with the primary goal to escalate app security, ensuring trust and transparency without imposing a threat to the business operation of the vendor. However, white hat hackers do court a certain amount of publicity and with misguided ambitions can instead sensationalize their discoveries for attention, resulting in tension. Ethical hackers are required to disclose their findings promptly with a bare-minimum proof-of-concept, mitigating disturbances to vendor's businesses. Uninvited penetration testing over a period of four days after the successful proof-of-concept by CertiK is an example of what not to do. Evidently, funds should have been returned to Kraken either immediately or at the time of initial report - such a substantial sum should never have been withdrawn.
From an industry perspective, it's vital to show solidarity and protect each other against the potential harms of damaging headlines or rivalries. With a high volume of malicious hackers to fend off, we are improving our security products and procedures, moving consistently forward with pioneering solutions. Collaboration within the industry is key as it leads to the exchange of significant and invaluable information, and as they say, security is a team game. Trust among the 'good guys' is fundamental for progress and it should never be a case of 'us against them'. We're all aiming for a common good and must emphasize on this point always.
The author Shahar Madar is the vice president of security and trust at Fireblocks. The views shared in this article are solely those of the author and do not reflect the views and opinions of Cointelegraph. It is for informational purposes only and does not constitute legal or investment advice.
Published At
6/28/2024 11:48:06 PM
Disclaimer: Algoine does not endorse any content or product on this page. Readers should conduct their own research before taking any actions related to the asset, company, or any information in this article and assume full responsibility for their decisions. This article should not be considered as investment advice. Our news is prepared with AI support.
Do you suspect this content may be misleading, incomplete, or inappropriate in any way, requiring modification or removal?
We appreciate your report.