The ongoing Kraken-CertiK saga has taken an unexpected turn. CertiK, a security firm, has claimed that it conducted a white hat operation on specific Kraken accounts that did not belong to customers, resulting in the draining of nearly $3 million, according to Kraken. However, Kraken insists that the total amount exploited has not been returned to them, while CertiK claims that all funds have been returned according to their records.
On June 20, CertiK provided an update on the situation, stating that they had returned 734 Ether (ETH), 29,001 Tether (USDT) tokens, and 1,021 Monero (XMR) coins. In response, Kraken requested 155,818 Polygon (MATIC) tokens, 907,400 USDT, 475.5 ETH, and 1,089.8 XMR.
The Kraken-CertiK saga began on June 9 when Kraken received a bug bounty program alert from an alleged security researcher. The alert revealed a bug in Kraken’s system that allowed users to inflate their account balances. When the exchange moved to fix the bug, it discovered that three accounts had exploited the flaw, stealing $3 million from Kraken’s accounts.
One of the three accounts was Know Your Customer (KYC) verified and used the bug to credit $4 to their account. Kraken’s chief security officer, Nick Percoco, stated that this would have been enough to prove the bug and claim the bounty. However, the account allegedly shared the flaw with two other accounts, resulting in all three pocketing $3 million from the exchange in the following days.
When Kraken asked the alleged security researcher to return the funds and receive the bounty after providing the necessary on-chain proofs, the white hat hacker allegedly refused and demanded the bounty be paid first. Although Kraken did not disclose the name of the security firm behind the white hat exploit, CertiK later revealed that it was responsible for the Kraken exploit.
CertiK claimed that its employee who discovered the vulnerability was threatened with demands to return the stolen funds but was never given a wallet address to send the funds to. Ronghui Gu, co-founder at CertiK, told Cointelegraph that CertiK sent the stolen funds to the crypto mixing service Tornado Cash to prevent them from being frozen by crypto exchanges. This decision was met with criticism from the crypto community, which questioned CertiK’s motives behind the white hat operation.
The crypto community raised concerns about why CertiK researchers moved millions of dollars worth of funds when a single transaction could have proven the vulnerability. Others pointed out that Tornado Cash is an Office of Foreign Assets Control (OFAC)-sanctioned tool, and using it could lead to legal trouble for the security firm. Many questioned CertiK’s intentions with the funds and why they were sent to Tornado Cash.
The majority of the crypto community sided with Kraken on the issue and criticized CertiK for its actions, accusing them of “stealing” and blackmailing Kraken for the bounty. Kraken informed Cointelegraph that they are in contact with law enforcement agencies regarding the situation.
Update: This article will be updated with comments from Kraken and CertiK.