White hat hacking, also known as ethical hacking, plays a crucial role in the realm of cybersecurity. It involves authorized individuals, dubbed the “good guys,” dissecting applications, identifying security vulnerabilities, notifying vendors about these issues, and utilizing that information to enhance the overall security landscape.
This practice is not unique to the blockchain industry, as it is also prevalent in various other domains such as cloud computing, artificial intelligence, operating system security, and more. Across all these sectors, a delicate yet powerful relationship has been established between vendors and security researchers, built upon a foundation of trust.
Within the blockchain space, auditing firms like Trail of Bits, Halborn, and OpenZeppelin have been engaged in analyzing and rectifying diverse smart contracts for an extended period, operating with the utmost professionalism and cultivating a strong sense of trust.
A recent incident involving CertiK and Kraken exemplifies the importance of ethical hacking. On May 17, CertiK researchers identified a vulnerability in Kraken’s Digital Asset Exchange balance calculation and deposit mechanism. The Kraken Security Team promptly acknowledged the severity of the issue, swiftly addressing it within just 47 minutes.
Although initially appearing benign, this vulnerability could enable malicious actors to engage in “double spend” attacks, essentially fabricating a deposit into the exchange, manipulating their balance, and then withdrawing the same amount, thereby depleting the exchange’s primary treasury wallet.
CertiK subsequently disclosed a series of simulated deposit transactions, exploiting the vulnerability approximately 20 times over a span of five days, under the guise of testing Kraken’s detection capabilities. Upon successfully demonstrating the exploit, CertiK researchers should have promptly reported the issue to Kraken and ceased any further exploitation. Subsequently, the funds acquired during this testing phase were returned to Kraken, with only a minimal sum being lost in transaction fees.
Ethical hacking, commonly referred to as white hat hacking, is a nuanced endeavor. Its primary objective is to bolster application security while upholding trust and transparency without compromising the vendor’s business operations. However, it’s imperative to acknowledge that at times, white hat hackers may be driven by public relations motives, potentially sensationalizing their discoveries for attention.
In instances like the CertiK-Kraken episode, ethical researchers are expected to promptly disclose their findings with a concise proof-of-concept to minimize disruption to the vendor’s operations. Unless explicitly invited by the vendor for penetration testing, researchers should adhere to pre-established guidelines to ensure responsible and ethical conduct.
Unfortunately, in this scenario, the unsolicited testing persisted for four days after CertiK’s successful demonstration of the proof-of-concept. Ideally, the funds should have been returned before or at the time of the initial disclosure, preventing such a substantial sum from being withdrawn from Kraken’s treasury or any other exchange.
In an industry plagued by malicious actors, it is essential for industry stakeholders to foster collaboration and mutual support, prioritizing the collective good over individual gains or competitive advantages. Despite setbacks like the aforementioned incident, ongoing efforts to enhance security measures and foster innovation underscore the industry’s resilience and commitment to progress.
Industry-wide cooperation, characterized by the sharing of valuable insights and information among competitors, is paramount for safeguarding the ecosystem collectively. Trust and collaboration among ethical actors are essential pillars for advancing the industry and safeguarding its integrity.
Shahar Madar, the Vice President of Security and Trust Products at Fireblocks, specializes in developing security, identity, compliance, and governance solutions tailored for large enterprises and reputable brands. He also serves as the Vice Chairman of Crypto ISAC, a non-profit organization dedicated to promoting security initiatives within the crypto ecosystem.
This article serves as general information and should not be construed as legal or investment advice. The opinions expressed herein are solely those of the author, Shahar Madar, and do not necessarily reflect the views of Cointelegraph.