CertiK: After reporting a security vulnerability to Kraken, CertiK employees were threatened by its security operations team
ChainCatcher news: the blockchain security firm CertiK announced on social media that it had found a series of serious vulnerabilities in the Kraken exchange which, it said, could have led to potential losses of hundreds of millions of dollars.
CertiK's investigation revealed that Kraken's deposit system failed to properly distinguish between the different statuses an internal transfer can be in, creating the risk that a malicious actor could fabricate deposit transactions and withdraw the counterfeit funds. During testing, millions of dollars in fake funds could be deposited into Kraken accounts, and over $1 million in counterfeit cryptocurrency could be withdrawn and converted into valid assets, without the Kraken system triggering any alerts.
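The defensive principle behind the finding above is that a deposit should be credited to a spendable balance only once the underlying transfer has reached an irreversible state, and that pending, reverted or replayed transfers should never be counted. The following is an added illustration written for this article; it is not Kraken's code and does not reproduce CertiK's test. The status names, the confirmation threshold and the sample transfers are all constructed assumptions. It places a naive crediting routine, which credits whatever it sees, beside a hardened one that checks status, confirmation depth and replay, and raises an alert on anything anomalous.

```python
from dataclasses import dataclass, field
from enum import Enum


class TransferStatus(Enum):
    """Lifecycle states of an internal transfer (constructed for this example)."""
    PENDING = "pending"        # observed but not yet confirmed
    CONFIRMED = "confirmed"    # some confirmations, still reversible
    FINALIZED = "finalized"    # irreversible on the settlement layer
    REVERTED = "reverted"      # dropped or rolled back


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    account: str
    amount: int                # smallest unit (e.g. satoshi, wei)
    status: TransferStatus
    confirmations: int


@dataclass
class Ledger:
    required_confirmations: int = 12          # assumed policy threshold
    balances: dict = field(default_factory=dict)
    credited: set = field(default_factory=set)  # tx_ids already credited
    alerts: list = field(default_factory=list)

    def credit_naive(self, t: Transfer) -> bool:
        """Weak behaviour: credits any transfer it sees, ignoring status and replay."""
        self.balances[t.account] = self.balances.get(t.account, 0) + t.amount
        return True

    def credit_hardened(self, t: Transfer) -> bool:
        """Credits only finalized, sufficiently confirmed, never-before-seen transfers."""
        if t.tx_id in self.credited:
            self.alerts.append(f"replay of already-credited transfer {t.tx_id}")
            return False
        if t.status is TransferStatus.REVERTED:
            self.alerts.append(f"reverted transfer presented for credit: {t.tx_id}")
            return False
        if t.status is not TransferStatus.FINALIZED:
            return False       # not creditable yet; no alert, just wait
        if t.confirmations < self.required_confirmations:
            return False       # finalized flag alone is not enough; check depth too
        if t.amount <= 0:
            self.alerts.append(f"non-positive amount in {t.tx_id}")
            return False
        self.credited.add(t.tx_id)
        self.balances[t.account] = self.balances.get(t.account, 0) + t.amount
        return True

    def withdraw(self, account: str, amount: int) -> bool:
        """Withdrawals draw only on the credited (settled) balance."""
        available = self.balances.get(account, 0)
        if amount <= 0 or amount > available:
            self.alerts.append(f"withdrawal of {amount} exceeds settled balance for {account}")
            return False
        self.balances[account] = available - amount
        return True


# Constructed sample: one good deposit, one pending, one reverted, one replay.
SAMPLE_TRANSFERS = [
    Transfer("tx-1", "alice", 1_000, TransferStatus.FINALIZED, 20),
    Transfer("tx-2", "alice", 5_000, TransferStatus.PENDING, 0),
    Transfer("tx-3", "alice", 7_000, TransferStatus.REVERTED, 0),
    Transfer("tx-1", "alice", 1_000, TransferStatus.FINALIZED, 20),  # replay of tx-1
]


def run_ledger(hardened: bool) -> Ledger:
    """Feed the sample transfers through either crediting routine."""
    ledger = Ledger()
    credit = ledger.credit_hardened if hardened else ledger.credit_naive
    for t in SAMPLE_TRANSFERS:
        credit(t)
    return ledger


if __name__ == "__main__":
    for mode in (False, True):
        ledger = run_ledger(hardened=mode)
        print("hardened" if mode else "naive", ledger.balances, ledger.alerts)
```

With the naive routine every row is credited and the account ends with 14,000 units, all of it withdrawable; with the hardened routine only the single finalized transfer is credited, the reverted transfer and the replay each raise an alert, and an attempt to withdraw the inflated amount is refused and logged.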
After CertiK notified Kraken, Kraken classified the vulnerability as "Critical" and initially fixed the issue. However, CertiK says that the Kraken security team subsequently threatened CertiK employees, demanding that the unmatched cryptocurrency be repaid within an unreasonable timeframe while providing no repayment address. To protect users, CertiK decided to make the matter public, calling on Kraken to cease any threats against white hat hackers and emphasizing that such risks should be addressed through collaboration to jointly safeguard the future of Web3.