CertiK "Confronts" Kraken: What is the Right Measure for White Hat Hackers?

Author: jk, Odaily Planet Daily

On June 19, local time in the United States, cryptocurrency exchange Kraken and blockchain security company CertiK publicly confronted each other on social media over a series of serious security vulnerabilities.

The incident originated from a vulnerability discovered by CertiK on Kraken: Kraken's Chief Security Officer Nick Percoco disclosed on Twitter that they received an "extremely severe" vulnerability report in their bug bounty program, claiming to have found a vulnerability that could artificially increase account balances. CertiK referred to it as a security test on the Kraken exchange, while Kraken believed CertiK was profiting from exploiting the vulnerability. Both parties held their ground, leading to a large public spectacle.

Kraken's Incident Disclosure

Here is the account of the incident published by Kraken's Chief Security Officer on the X platform:

"On June 9, 2024, we received an alert from a security researcher through our bug bounty program. Initially, there was no specific information, but they claimed to have found an "extremely severe" vulnerability that could allow them to artificially increase balances on our platform.

We receive some false vulnerability reports daily from individuals claiming to be "security researchers." This is not new for anyone running a bug bounty program. However, we took this matter very seriously and quickly assembled a cross-functional team to investigate the issue. Here are our findings.

Within minutes, we discovered an isolated vulnerability. Under specific circumstances, this vulnerability allowed malicious attackers to initiate deposit operations and receive funds in their accounts without fully completing the deposit.

It is important to clarify that customer assets were never at risk. However, malicious attackers could effectively generate assets in their Kraken accounts for a period of time.

We assessed this vulnerability as "Critical" and mitigated the issue within an hour (to be precise, in 47 minutes) by our expert team. Within a few hours, the issue was completely resolved and will not happen again.

Our team found that this vulnerability stemmed from a recent user experience (UX) change that credited customer accounts immediately before customer assets were settled------allowing customers to trade in the cryptocurrency market in real-time. This UX change was not adequately tested against this specific attack vector.

After patching the risk, we conducted a thorough investigation and quickly discovered that three accounts had exploited this vulnerability within a few days. Upon further investigation, we noticed that one of the accounts was linked to an individual claiming to be a security researcher through identity verification (KYC).

This individual discovered the vulnerability in our funding system and used it to increase their account balance by $4. This was enough to prove the existence of the vulnerability, submit a bug bounty report to our team, and receive a considerable reward according to our program's terms.

However, this "security researcher" disclosed the vulnerability to two other individuals they were collaborating with, who fraudulently generated larger amounts of funds using this vulnerability. They ultimately withdrew nearly $3 million from their Kraken accounts. These funds came from Kraken's treasury, not from other customers' assets.

The initial bug bounty report did not fully disclose these transaction details, so we contacted the security researcher to confirm some details in order to reward them for successfully identifying a security vulnerability on our platform.

Subsequently, we requested them to provide a detailed account of the activities, create a proof of concept for the on-chain activities, and arrange to return the funds they had withdrawn. This is a common practice in any bug bounty program. These security researchers refused.

Instead, they demanded a call with their BD team (i.e., their sales representatives) and refused to agree to return any funds until we provided a hypothetical amount of potential losses. This is not white hat hacker behavior; it is extortion!

We have had a bug bounty program at Kraken for nearly a decade. The program is run internally and is overseen full-time by some of the smartest talents in the community. Our program, like many others, has clear rules:

• Do not withdraw more than what is necessary to prove the vulnerability.

• Show your work (i.e., provide proof of concept).

• Any withdrawals must be returned immediately.

We have never encountered any issues in collaboration with legitimate researchers, and we always respond positively.

For the sake of transparency, we are disclosing this vulnerability to the industry today. We are being accused of being unreasonable and unprofessional for asking "white hat hackers" to return what they stole from us. This is unbelievable.

As a security researcher, your "hacker" license is enabled by following the simple rules of the bug bounty program you participate in. Ignoring these rules and extorting companies will revoke your "hacker" license. This will make you and your company criminals.

We will not disclose the name of this research company as their actions are not worthy of recognition. We consider this a criminal case and are coordinating with law enforcement to address it. We appreciate the report of this issue, but that is all.

Our bug bounty program continues to play a vital role in Kraken's mission and is a key part of our efforts to enhance the overall security of the cryptocurrency ecosystem. We look forward to collaborating with future honest actors and view this as an isolated incident."

CertiK's Response

Although Kraken did not disclose the specific name of the company to which the security researcher belonged, a few hours later, CertiK released a response to the incident on the X platform. Here is the official response from CertiK on the X platform:

"CertiK recently discovered a series of serious vulnerabilities in the Kraken exchange that could lead to hundreds of millions of dollars in losses.

Starting from the issues found in Kraken's deposit system, which may not be able to distinguish between different internal transfer statuses, we conducted a thorough investigation focusing on the following three questions:

1. Can malicious actors forge deposit transactions to Kraken accounts?

2. Can malicious actors withdraw forged funds?

3. What risk controls and asset protections might large withdrawal requests trigger?

Based on our test results: **The Kraken exchange did not pass all of these tests, indicating that Kraken's deep defense system was compromised in multiple ways. Hundreds of millions of dollars could be deposited into any Kraken account. Over $1 million in forged cryptocurrency could be withdrawn from accounts and converted into valid cryptocurrency. Worse, *no alarms were triggered during several days of testing.* Kraken only responded and locked the test accounts after we formally reported the incident.

After the discovery, we notified Kraken, whose security team classified it as "Critical," which is the most severe classification level for security incidents at Kraken.

After initially successfully identifying and fixing the vulnerability, Kraken's security operations team threatened individual CertiK employees to return unmatched amounts of cryptocurrency within an unreasonable timeframe, even without providing a return address.

In the spirit of transparency and our commitment to the Web3 community, we are disclosing this information to protect the safety of all users. We urge Kraken to cease any threats against white hat hackers.

We face risks together and protect the future of Web3."

Subsequently, CertiK disclosed the entire timeline and deposit addresses.

Timeline published by CertiK. Source: CertiK Official X

At the same time, CertiK also stated that since Kraken did not provide a return address and the requested return amount was completely mismatched, we transferred the existing funds to an account accessible by Kraken according to the records.

Other News and Follow-up Comments

From the background information, the rewards for Kraken's bug bounty program are indeed considerable, with the highest bounty for security incidents similar to this one ranging between $1 million and $1.5 million. This is quite a difference from the $3 million amount claimed by Kraken, leading some people in the comments to say, "I think hackers shouldn't have to return anything," while others replied, "Do you want to take a million in bounty or take three million in illegal gains and go to jail?"

Rewards for Kraken's bug bounty program. Source: Kraken

On-chain detective ZachXBT said: "This story only gets more wild as it goes on."

Another Twitter user @trading_axe took a different approach, saying: "I think (CertiK) messed up… They didn't say this was theft, but a thief would take everything they could and then escape. I think where they messed up was only taking three million dollars; if they had stolen over a hundred million with this bug and then returned it, it would have made them look like white hats (implying that would make them seem like saviors/having the upper hand). But now, having only taken three million and being forced to return it, it looks very weak."