Yesterday, the popular crypto exchange Kraken published information on a critical vulnerability that is said to have enabled attackers to fake deposits to an account and then withdraw these - actually unbacked - amounts in cryptocurrencies. Almost three million US dollars are said to have been lost this way within a short time.

Security researchers, who have since turned out to be the company CertiK, had already reported the vulnerability in the form of a responsible disclosure via Kraken's bug bounty program on 9 June. The exchange responded swiftly and, according to Kraken CSO Nick Percoco, was able to isolate and fix the vulnerability "within 47 minutes".

White hat or black hat?

The term "white hat" is generally used to describe hackers who act responsibly and with a "good moral compass". It is therefore mainly about discovering vulnerabilities so that they can be fixed - instead of exploiting them for criminal purposes, as a so-called "black hat" would do.

In this incident, it does not seem entirely clear what color the CertiK security researcher's hat actually was, at least if you believe the statements of Percoco, who described the incident in detail on the 𝕏 platform. A total of three accounts are said to have exploited the vulnerability: one for just four US dollars, while two others then took it to the extreme with almost three million US dollars.

Instead, the ‘security researcher’ disclosed this bug to two other individuals who they work with who fraudulently generated much larger sums. They ultimately withdrew nearly $3 million from their Kraken accounts. This was from Kraken’s treasuries, not other client assets.
Nick Percoco, CSO Kraken

A slightly different picture is painted by CertiK, the company behind the disclosure of the vulnerability, which also spoke out on 𝕏 after Kraken's accusations.

After initial successful conversations on identifying and fixing the vulnerability, Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses.

In the spirit of transparency and our commitment to the Web3 community, we are going public to protect all users' security. We urge @krakenfx to cease any threats against whitehat hackers.
CertiK

When asked why it was even necessary to test the vulnerability with such high amounts, CertiK responded that this was precisely the point of the test: whether Kraken would automatically detect the vulnerability based on the suspicious payouts. Kraken, on the other hand, sees a criminal motive in this step and announced that it would take appropriate measures.

In the meantime, the more or less stolen funds have been returned to Kraken. As the security vulnerability has also been fixed, both Kraken itself and its customers have escaped unscathed.

Call for self-custody

Completely independent of the two accounts given by CertiK and Kraken, one thing can be stated: a vulnerability at one of the largest and most respected crypto exchanges could potentially have resulted in a much larger loss for Kraken, and therefore indirectly for its customers. It is not unlikely that the vulnerability would have been discovered at some point even without the disclosure by CertiK, and Kraken would certainly have reimbursed potential losses to a certain extent.

Nevertheless, this incident adds to the many reasons why you should always store Bitcoin and other cryptocurrencies in your own wallet - outside the direct control of trusted parties such as a crypto exchange. Even if such parties have no bad intentions, you still have to place your trust in their complex and non-transparent systems - which, unlike in the current incident, has had far more serious consequences in the past.

About the author: Sebastian

Sebastian is a computer science student and has been fascinated by the workings and technical details of the Bitcoin network since 2020. With a focus on cryptography and IT security, he is particularly interested in hardware wallets and the secure self-custody of Bitcoin.
