
Kraken Accuses CertiK of Stealing $3 Million in Bug Bounty Program Clash


Kraken accuses CertiK of exploiting a critical bug to withdraw $3M, while CertiK denies wrongdoing, highlighting Kraken’s security vulnerabilities.

In a security update on June 19, Kraken’s Chief Security Officer, Nick Percoco, accused CertiK of stealing $3 million from a white-hat bug bounty operation. The dispute arose after a security researcher reported a critical vulnerability to Kraken, leading to a heated exchange between the two companies.


Bug Discovery and Exploitation

On June 9, 2024, Kraken received an alert about a critical bug allowing artificial balance inflation. Despite frequent fake reports, Kraken’s team took this seriously and quickly identified an isolated bug. 

The flaw permitted malicious deposits to be credited before they had fully completed; according to Kraken, no client assets were at risk. Kraken’s team triaged and mitigated the issue within 1 hour, 47 minutes.
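As an added illustration (constructed here, not Kraken’s code, whose internals the article does not describe), the pattern below contrasts a ledger that credits spendable balance as soon as a deposit is seen with one that credits only after completion is observed, so withdrawals can only draw on confirmed funds:

```python
from dataclasses import dataclass, field


@dataclass
class Deposit:
    deposit_id: str
    amount: int            # asset's smallest unit (constructed sample values)
    completed: bool = False  # True once the deposit has fully completed
    credited: bool = False   # guards against crediting the same deposit twice


@dataclass
class Account:
    spendable: int = 0
    deposits: dict = field(default_factory=dict)


def record_deposit_vulnerable(acct: Account, dep: Deposit) -> int:
    """Weak pattern: balance is credited when the deposit is announced,
    before it completes, so an incomplete deposit inflates spendable funds."""
    acct.deposits[dep.deposit_id] = dep
    acct.spendable += dep.amount
    return acct.spendable


def record_deposit_hardened(acct: Account, dep: Deposit) -> int:
    """Hardened pattern: the deposit is tracked, but spendable balance only
    changes in finalize_deposit() once completion has been observed."""
    acct.deposits[dep.deposit_id] = dep
    return acct.spendable


def finalize_deposit(acct: Account, deposit_id: str) -> bool:
    """Credit a tracked deposit exactly once, and only if it completed."""
    dep = acct.deposits.get(deposit_id)
    if dep is None or not dep.completed or dep.credited:
        return False
    dep.credited = True
    acct.spendable += dep.amount
    return True


def withdraw(acct: Account, amount: int) -> bool:
    """Withdrawals draw only on spendable balance; refusing here is the
    control that should stop an incomplete deposit from being cashed out."""
    if amount <= 0 or amount > acct.spendable:
        return False
    acct.spendable -= amount
    return True
```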

Further investigation revealed three accounts exploiting this vulnerability, with one linked to the self-identified security researcher. Instead of following protocol, the researcher disclosed the bug to others, resulting in nearly $3 million being fraudulently withdrawn from Kraken’s treasury. 

Kraken requested the return of the funds and full disclosure of the activities, but the researchers refused, demanding a speculative reward instead. Interestingly, these researchers were affiliated with CertiK.


CertiK’s Response and Accusations

CertiK responded to Kraken’s accusations by disclosing their findings. They highlighted critical vulnerabilities in Kraken’s deposit system that could lead to massive financial losses. CertiK’s testing revealed that fabricated deposits and withdrawals were possible without triggering Kraken’s risk controls.

CertiK accused Kraken of threatening its employees to repay mismatched amounts of crypto within an unreasonable time frame, without providing repayment addresses. 

In a move to protect the Web3 community, CertiK decided to publicly share their findings and announced the transfer of funds to an account Kraken could access. CertiK emphasized that no real user assets were involved in their testing.

Industry Reactions and Ongoing Dispute

Adam Cochran, a blockchain expert, weighed in on the situation, criticizing CertiK’s actions and labeling them as criminal. He speculated on a potential conspiracy involving CertiK and North Korean entities, alleging they conduct cheap audits and allow subsequent exploits. 

Cochran also noted that CertiK moved funds through the US-sanctioned Tornado Cash, questioning their ethics as a US-domiciled company.

Meanwhile, a commenter on X defended CertiK, noting that the firm had run extensive tests, including on Kraken’s internal alert system, and paid back the funds. The commenter suggested Kraken should be thankful for the free security penetration test they received. 


Author

Zabi
Zabi is a crypto enthusiast with more than 10 years of experience managing Google News-approved finance websites. Zabi has a strong background in finance, a thorough understanding of crypto, and a solid grip on the crypto and financial market industry. Alongside his passion for crypto writing, Zabi manages his personal stock and finance-related Google News-approved websites.