Authored by Yangz, Techub News
Yesterday evening, Kraken's Chief Security Officer, Nick Percoco, disclosed in a post that the Kraken team had received a bug bounty report on June 9th describing a "highly critical" vulnerability that allowed attackers to artificially inflate their account balances without completing a deposit. Kraken's team fixed the bug within hours, but a deeper investigation revealed that three accounts had already exploited it. One of these accounts, which described itself as a "security researcher" in its KYC information, had used the bug to credit itself with about $4 worth of cryptocurrency and then submitted a bug bounty report. However, the "researcher" also disclosed the bug to two others they worked with, and together they withdrew nearly $3 million from Kraken's treasury.
Percoco said that because the initial report did not fully disclose the details of the bug, the team reached out to the accounts involved, intending to follow the standard bug bounty process: arrange for the funds to be returned and reward their "white-hat behavior." Unexpectedly, the "security researcher" demanded to speak with Kraken's business development team and stated that they would not return any funds unless they were rewarded based on the potential losses the bug could have caused.
In this way the "white-hat hacker" quickly turned into an extortionist. Percoco decided not to name "this research company" and instead to treat the matter as a criminal case, coordinating with law enforcement agencies.
One might have thought the matter would end there, but three hours after Percoco's post the security company CertiK stepped forward of its own accord, claiming to have discovered a security vulnerability in Kraken that could have resulted in losses of several hundred million dollars.
CertiK stated that through their testing, they identified three major issues with Kraken and during the testin