CertiK Hacks Kraken: Funds Returned, But Questions Remain
Although CertiK claims this was a white hat operation, how the incident was reported and the vulnerability tested raises many questions about its security auditing practices.
The incident began with Nick Percoco, the Chief Security Officer at Kraken cryptocurrency exchange, disclosing a security update on X (formerly Twitter). He reported that Kraken had detected an “extremely critical” vulnerability that could allow malicious attackers to inflate their cryptocurrency balances and withdraw funds far exceeding their actual holdings.
The vulnerability was quickly addressed and resolved within two hours after being reported by a ‘security researcher.’ However, it emerged that there was a delay of four days before the researcher reported the issue to Kraken. During this period, he and two colleagues exploited the vulnerability to withdraw nearly $3 million from their Kraken accounts.
This withdrawal far exceeded what would be needed to demonstrate the vulnerability, prompting Kraken to request a comprehensive report of the activities and the return of the withdrawn funds. Kraken also offered a bug bounty as compensation.
Instead of complying, the security research company, later identified as CertiK, demanded a discussion with Kraken’s business development team. They refused to return any funds until Kraken estimated the financial impact had the bug not been discovered. Kraken saw this as an act of extortion rather than a responsible disclosure.
In the aftermath, CertiK released a statement claiming they had identified the vulnerabilities themselves, suggesting that their exploitation could have led to losses amounting to hundreds of millions for Kraken. They accused Kraken’s security team of threatening their employees and making unreasonable demands.
However, several crypto community detectives raised issues with CertiK’s narrative. Discrepancies were spotted concerning the timing of the vulnerability’s discovery and subsequent exploitation, as evidenced by blockchain data showing potential early testing dates.
In addition, some of the withdrawn funds were traced to Tornado Cash and ChangeNOW, services known for their lack of KYC procedures and potential use in money laundering, further tarnishing CertiK’s claim of ethical conduct. Notably, interaction with OFAC-sanctioned entities such as Tornado Cash is legally dubious under U.S. law.
Adding to these concerns, CertiK is already facing scrutiny within the crypto community due to its past security practices. There have been numerous incidents where protocols that CertiK audited were later compromised.
This checkered history raises additional questions about the effectiveness and integrity of their security research. Whether these incidents were the result of oversights by CertiK or possibly even malicious actions by individuals within the firm remains a topic of speculation and concern.
This situation has not only exposed significant operational vulnerabilities within Kraken but has also potentially inflicted severe damage to CertiK’s reputation as a security auditor in the crypto space.
Although it appears that CertiK has returned the funds, the crypto community still seeks clear and transparent responses regarding their recent actions. We will continue to observe the situation.