TLDR

  • Kraken discovered a bug that allowed users to artificially inflate their balances and withdraw funds without completing deposits.
  • CertiK, a blockchain security firm, identified itself as the “security researcher” that exploited the bug and withdrew nearly $3 million from Kraken’s treasuries.
  • Kraken claims CertiK refused to return the funds until the exchange provided an estimate of the potential losses, calling it “extortion.”
  • CertiK defended its actions, stating that it was testing the scope of the vulnerability and that Kraken had threatened its employees to return a mismatched amount of funds within an unreasonable timeframe.
  • The incident has sparked a debate on the ethics of white hat hacking and bug bounty programs in the cryptocurrency industry.

Cryptocurrency exchange Kraken recently revealed that it had fallen victim to a security vulnerability that allowed users to artificially inflate their account balances and withdraw funds without fully completing deposits. The exchange reported that nearly $3 million was stolen from its treasuries as a result of the exploit.

Blockchain security firm CertiK came forward, identifying itself as the “security researcher” responsible for exploiting the bug and withdrawing the funds.

Kraken’s Chief Security Officer, Nick Percoco, had earlier accused the then-unnamed security team of “extortion” for refusing to return the funds until the exchange provided an estimate of the potential losses if the bug had remained undisclosed.

CertiK, however, defended its actions, claiming that it had been testing the scope of the vulnerability and that Kraken had threatened its employees to return a mismatched amount of funds within an unreasonable timeframe, without even providing a repayment address.

The security firm provided a timeline of events, detailing its interactions with Kraken and the discovery of the exploit.

According to CertiK, the vulnerability allowed millions of dollars to be deposited into any Kraken account, with the ability to withdraw and convert the fabricated crypto into valid cryptocurrencies.

The firm also claimed that no alerts were triggered during its multi-day testing period, and Kraken only responded and locked the test accounts days after the initial disclosure.

The incident has sparked a debate about the ethics of white hat hacking and the effectiveness of bug bounty programs.

While some argue that CertiK’s actions were justified in the interest of thoroughly testing the vulnerability, others believe that the firm crossed a line by withdrawing such a large sum of money and refusing to return it promptly.

Kraken maintains that CertiK’s actions do not align with the principles of white hat hacking and that it is working with law enforcement agencies to retrieve the assets. The exchange also emphasized that no user funds were affected by the exploit, as the stolen money came from Kraken’s own treasuries.

The post Bug Bounty Gone Wrong: Kraken Accuses CertiK of Extortion, CertiK Defends Its Actions appeared first on Blockonomi.

from Blockonomi https://ift.tt/H6clIvk