The anonymous "security researcher" who discovered the exploit on the Kraken crypto exchange and used it turned out to be CertiK.
CertiK recently identified a series of critical vulnerabilities in @krakenfx exchange which could potentially lead to hundreds of millions of dollars in losses.
Starting from a finding in @krakenfx's deposit system where it may fail to differentiate between different internal… pic.twitter.com/JZkMXj2ZCD
"CertiK has recently identified a number of critical vulnerabilities in Kraken that could potentially lead to losses of hundreds of millions of dollars," the publication says.
Earlier, Nick Percoco, director of security at the trading platform, announced that on June 9 the exchange received a vulnerability report under its Bug Bounty program. The researchers, however, did not provide any details and instead used the bug to withdraw about $3 million from Kraken.
According to Percoco, the then-unidentified "white-hat" hackers demanded more money for disclosing the information than the reward program provides, citing the high severity of the threat. A Kraken representative accused them of "extortion."
According to CertiK's post, the exploit made it possible to fabricate a deposit transaction to an account on the exchange and then withdraw the credited funds.
"Worse, during several days of testing [the bug], not a single security alert on the exchange was triggered. Kraken reacted and blocked the test accounts only a few days after we officially reported the incident," the company said.
Analysts also attached a screenshot with all fake deposits and withdrawals.
Transparency is important to the community. We are disclosing all testing deposit transactions here: pic.twitter.com/8RpzRX42E9
— CertiK (@CertiK) June 19, 2024

The security service of the trading platform classified the exploit as "critical" (the highest level) and began working on its remediation.
However, according to CertiK's version of events, the Kraken security team "began threatening individual employees, demanding that they pay an inappropriate amount of cryptocurrency within an unreasonable time, even without providing addresses for repayment."
The firm has published a timeline of events, starting with the discovery of the exploit on June 5 and ending with the "threats" from Kraken on June 18. During this time, the parties held several video conferences.
CertiK has promised to return all assets withdrawn during vulnerability testing:
"Since Kraken did not provide a repayment address and calculated the amount incorrectly, we are transferring funds based on our records to an account that the exchange will be able to access."
Analysts confirmed that user funds were not affected. However, they expressed concern about the exchange's weak security monitoring, which responded neither to the fake deposit nor to the large withdrawal of funds.
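As an added illustration (not Kraken's or CertiK's code), the following reconciliation check shows the kind of control the account above describes as missing: a ledger credit that no on-chain confirmation backs must not be spendable, and any withdrawal exceeding an account's confirmed balance should raise an alert. The account ids, amounts and confirmation flags are constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Credit:
    account: str
    amount: Decimal
    chain_confirmed: bool  # True only if a node confirmed the deposit on-chain


@dataclass
class Withdrawal:
    account: str
    amount: Decimal


def unconfirmed_credits(credits):
    """Ledger credits with no on-chain confirmation: candidates for a fabricated or pending deposit."""
    return [c for c in credits if not c.chain_confirmed]


def confirmed_balances(credits):
    """Per-account balance backed exclusively by chain-confirmed deposits."""
    backed = {}
    for c in credits:
        if c.chain_confirmed:
            backed[c.account] = backed.get(c.account, Decimal(0)) + c.amount
    return backed


def find_unbacked_withdrawals(credits, withdrawals):
    """Return (account, requested, available) for withdrawals that exceed the
    chain-confirmed balance; withdrawals that fit are debited in order."""
    backed = confirmed_balances(credits)
    alerts = []
    for w in withdrawals:
        available = backed.get(w.account, Decimal(0))
        if w.amount > available:
            alerts.append((w.account, w.amount, available))
        else:
            backed[w.account] = available - w.amount
    return alerts


# Constructed sample ledger (hypothetical accounts and amounts).
SAMPLE_CREDITS = [
    Credit("acct-A", Decimal(100), True),
    Credit("acct-B", Decimal(500000), False),  # credited, never confirmed on-chain
    Credit("acct-B", Decimal(10), True),
]
SAMPLE_WITHDRAWALS = [
    Withdrawal("acct-A", Decimal(50)),
    Withdrawal("acct-B", Decimal(400000)),  # spends the unconfirmed credit
    Withdrawal("acct-A", Decimal(40)),
]

if __name__ == "__main__":
    for acct, requested, available in find_unbacked_withdrawals(SAMPLE_CREDITS, SAMPLE_WITHDRAWALS):
        print(f"ALERT {acct}: withdrawal {requested} exceeds confirmed balance {available}")
```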
Earlier, the OKX exchange disclosed details of a series of account hacks. According to the platform, the attacker forged documents and bypassed additional security mechanisms such as two-factor authentication (2FA).
Recall that on June 3 it became known that an attacker had gained control of a Chinese trader's Binance account without having the password or 2FA access. After a number of transactions, he withdrew assets worth $1 million.