Kraken and CertiK White Hat Hacker Incident Tracking

Kraken and blockchain security company CertiK have publicly confronted each other over serious security vulnerabilities. Both sides hold their ground, and the debate is intense.

06-20

21:04 Kraken's Chief Security Officer: The funds extracted due to the previous vulnerability have been refunded

ChainCatcher news: Kraken Exchange's Chief Security Officer Nick Percoco posted an update on social media confirming that the funds withdrawn through the previously reported vulnerability have now been returned, minus a small loss in fees. CertiK had earlier stated that all funds had been returned, although the amount did not match Kraken's request, and that it had not asked for a bounty for the vulnerability.

12:48 CertiK: All held funds have been returned, but the total amount differs from Kraken's request

ChainCatcher news: CertiK published a series of Q&A on platform X regarding the CertiK-Kraken white hat incident. CertiK stated that no assets of actual Kraken users were directly involved in the research activities. In its communications with Kraken (via email and video conference), CertiK consistently assured them that the funds would be returned. All funds currently held have been returned, but the total amount differs from Kraken's request; CertiK made the refunds based on its own records. CertiK disclosed the details of the vulnerability to Kraken and a fix was in place within 47 minutes. After the testing concluded, CertiK promptly notified Kraken through various channels and sent a detailed report. CertiK did not participate in Kraken's bounty program and did not mention any bounty request, focusing instead on ensuring the issue was resolved. Additionally, CertiK stated that it conducted multiple large-scale tests to assess the limits of Kraken's protection and risk controls. After several days of repeated testing involving nearly three million in cryptocurrency, no alarms were triggered, and CertiK still could not determine where those limits lie.

11:52 Cyvers CTO questioned the timing of CertiK's discovery of the Kraken vulnerability, stating that CertiK allegedly conducted similar tests on OKX and Coinbase

ChainCatcher news: regarding the dispute over the security vulnerability report between Kraken and CertiK, Meir Dolev, Chief Technology Officer of the security company Cyvers, cited content previously shared on social media by security researcher @tayvano to question the vulnerability discovery date of June 5 stated by CertiK. The address 0x1d...7ac9 created the contract 0x45...CeA9 on the Base network on May 24 and engaged in related activity, and the CertiK testing address used the same signature hash as this unknown address. It is suspected that this contract deployed on Base (0x45...CeA9) was also used to run the same tests against OKX and Coinbase to determine whether those two exchanges have the same vulnerability as Kraken.

09:53 CertiK "Confronts" Kraken: What is the Right Measure for White Hat Hackers?

Kraken accuses CertiK of "extortion," while CertiK claims its employees are being threatened by Kraken.

08:43 Kraken regards the "theft" of millions of dollars in crypto assets by CertiK white hat hackers as a "criminal case."

ChainCatcher news: Kraken's Chief Security Officer Nick Percoco stated that the trading platform considers the recent loss of nearly $3 million a "criminal case" and is coordinating with law enforcement to recover the funds. Percoco said these unnamed researchers stole millions of dollars in cryptocurrency from Kraken by withdrawing funds that had been credited to their accounts before the deposits had actually completed; in his words, the attackers could effectively print assets. Earlier, the blockchain security firm CertiK had announced on social media that it discovered a series of serious vulnerabilities on the Kraken exchange that could lead to potential losses of hundreds of millions of dollars.

06-19

23:58 CertiK: After reporting a security vulnerability to Kraken, CertiK employees were threatened by its security operations team

ChainCatcher news: the blockchain security firm CertiK announced on social media that a series of serious vulnerabilities had been found on the Kraken exchange, which could lead to potential losses of hundreds of millions of dollars. CertiK's investigation revealed that Kraken's deposit system failed to effectively distinguish between different internal transfer states, creating a risk that malicious actors could fabricate deposit transactions and withdraw counterfeit funds. During testing, millions of dollars in fake funds could be deposited into Kraken accounts, and over $1 million in counterfeit cryptocurrency could be withdrawn and converted into valid assets, without the Kraken system triggering any alerts. After CertiK notified Kraken, Kraken classified the vulnerability as "Critical" and initially fixed the issue. However, CertiK pointed out that the Kraken security team subsequently threatened CertiK employees, demanding repayment of mismatched cryptocurrency within an unreasonable timeframe without providing a repayment address. To protect users, CertiK decided to make the matter public, calling on Kraken to cease any threats against white hat hackers and stressing that risks should be addressed through collaboration to jointly safeguard the future of Web3.
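As an added illustration (not code from CertiK, Kraken, or ChainCatcher), a toy ledger in which each deposit carries an explicit transfer state: the non-strict path reproduces the reported bug pattern of counting a deposit as spendable before it has finalized, the strict path only counts confirmed deposits, and a reconciliation check flags withdrawals that exceed confirmed deposits. The scenario amounts and deposit ids are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class DepositState(Enum):
    PENDING = "pending"      # transfer initiated, not yet finalized
    CONFIRMED = "confirmed"  # transfer finalized and irrevocable
    FAILED = "failed"        # transfer reverted or never completed


@dataclass
class Deposit:
    amount: int
    state: DepositState


@dataclass
class Account:
    strict: bool  # True: only CONFIRMED deposits are spendable
    deposits: dict = field(default_factory=dict)
    withdrawn: int = 0

    def credit(self, dep_id: str, amount: int, state: DepositState) -> None:
        self.deposits[dep_id] = Deposit(amount, state)

    def confirmed_total(self) -> int:
        return sum(d.amount for d in self.deposits.values()
                   if d.state is DepositState.CONFIRMED)

    def available(self) -> int:
        # Bug pattern from the report: a non-strict ledger counts every recorded
        # deposit, so a PENDING (or later FAILED) transfer is already spendable.
        if self.strict:
            return self.confirmed_total() - self.withdrawn
        return sum(d.amount for d in self.deposits.values()) - self.withdrawn

    def withdraw(self, amount: int) -> bool:
        if amount <= 0 or amount > self.available():
            return False
        self.withdrawn += amount
        return True


def reconcile_alert(acct: Account) -> bool:
    # Detection control: an honest ledger can never pay out more than it has
    # finalized, so this condition should raise an alert in risk monitoring.
    return acct.withdrawn > acct.confirmed_total()


def scenario(strict: bool) -> tuple:
    # Constructed scenario: a 1,000,000-unit deposit is recorded while pending,
    # a withdrawal is attempted, then the deposit fails to complete.
    acct = Account(strict=strict)
    acct.credit("dep-1", 1_000_000, DepositState.PENDING)
    ok = acct.withdraw(900_000)
    acct.deposits["dep-1"].state = DepositState.FAILED
    return ok, reconcile_alert(acct)
```

`scenario(False)` pays out against the unfinalized deposit and trips the reconciliation alert only after the fact; `scenario(True)` refuses the withdrawal outright.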
