Vulnerability Management, Audits (External, Internal), Bug Bounties

CertiK researchers accused of stealing $3M before reporting crypto bug

Share
(Credit: photo_gonzo – stock.adobe.com)

Blockchain security company CertiK is facing accusations that its employees stole nearly $3 million using a critical bug they discovered in the Kraken cryptocurrency exchange.

In a series of posts on X, Kraken Exchange Chief Security Officer Nick Percoco said Wednesday that a security researcher who reported the flaw through Kraken’s bug bounty program had shared the bug with two other individuals who used it to make large deposits to and withdrawals from their own accounts.

The bug, which was reported to Kraken on June 9 and first disclosed publicly at the time of Percoco’s posts, caused funds to appear in a user’s account after a deposit was initiated, regardless of whether the deposit was fully completed. The user could then withdraw those funds, taking the money from “Kraken’s treasuries,” according to Percoco, who added that no customers’ funds were ever at risk.

Kraken CSO accuses research company of extortion

Percoco claims the researcher who initially reported the flaw did not fully disclose the details of transactions made to confirm the bug, refused to provide a proof-of-concept to recreate the flaw and would not agree to return any withdrawn funds until Kraken provided an estimate of how much money the company could have lost if the bug was not fixed.

“This is not white-hat hacking, it is extortion!” Percoco wrote, adding that the company has “never had issues with legitimate researchers in this way.”

Percoco did not name the researchers or security company involved in the incident, stating, “they don’t deserve recognition for their actions,” and said Kraken was working with law enforcement agencies to treat the incident as a criminal case.

CertiK responds, claims Kraken threatened white hat hackers

Within three hours of Percoco’s initial post, CertiK disclosed that its researchers had discovered the critical Kraken bug. CertiK’s response on X claims Kraken threatened individual CertiK employees, asked them to repay a “mismatched” amount of funds and did not provide repayment addresses after requesting the funds be returned within six hours.  

“In the spirit of transparency and our commitment to the Web3 community, we are going public to protect all users’ security. We urge [Kraken Exchange] to cease any threats against whitehat hackers,” the company wrote.

CertiK provided a timeline of events from the initial discovery of the bug on June 5 to the time Kraken allegedly threatened an employee and requested the “mismatched” amount with a six-hour deadline, on June 18.

The timeline indicates an initial deposit test of 200 MATIC (about $116 USD) on June 5, a withdrawal test of more than 90,000 MATIC (about $52,400) on June 7, a deposit test of more than 500,000 MATIC (about $291,000) and “a few more large deposits/withdrawal” between June 8 and June 9. The final deposit and withdrawal were reportedly made on June 9.

In additional replies, CertiK disclosed all of the deposits made during its testing, including dates and times, amounts and transaction hashes, totaling more than 7.5 million MATIC (more than $4.3 million USD).

“The real question should be why Kraken’s in-depth defense system failed to detect so many test transactions. Continuous large withdrawals from different testing accounts was a part of our testing,” CertiK stated.

Funds returned, crypto community takes sides

On Thursday morning, Percoco posted an update, stating all funds were returned to Kraken, with a small amount lost to fees. Kraken subsequently distributed the recovered $2.9 million to its users’ via a USDT airdrop.  

While some users defended CertiK and questioned Kraken’s security practices in replies to Percoco’s post, much of the sentiment from cryptocurrency enthusiasts on the social media platform was against CertiK, with comments ranging from criticisms of its disclosure practices to accusations of criminal activity.

“CertiK exploited Kraken for $3M, waited 5 days to disclose the vulnerability, and has been extorting them for over a week […] Stay the f--k away from this horrific company,” one user commented.

Another user claimed to have observed CertiK moving the funds to cryptocurrency tumbler Tornado Cash on the blockchain.  

However, commentators remained skeptical that CertiK planned to make off with the money.

“Certik was asked to find vulnerabilities. They did. They say the amount Kraken is asking for is different than what they made out with. You are jumping the gun and making things up. Maybe focus on how busted Kraken’s own security was first,” one user replied.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.