Cryptocurrency exchange Kraken has recovered lost funds after a major bug bounty exploitation failure.
Kraken has confirmed the return of stolen digital assets worth approximately $3 million, ending the Kraken-Certik saga that began on June 9.
The refund, minus transaction fees, was confirmed by Nicholas Percoco, Kraken’s head of security, in a June 20 post:
“Update: We can now confirm the refund (minus a small amount missing due to fees).”
The Kraken CSO first made the missing $3 million public on June 19, when it claimed a “security researcher” maliciously removed it from the vault after discovering and sharing an existing bug .
Kraken claimed it was blackmailed by the security researcher who refused to return the funds, demanding a reward and a call with the exchange’s business development team.
about: Nomura crypto arm digital laser bags license abu dhabi
CertiK’s point of view
Shortly after Kraken’s post about the missing funds, blockchain security firm CertiK publicly identified itself as the “security researcher” who Kraken claimed had stolen $3 million in digital assets.
In an X post dated June 19, CertiK said it informed Kraken of a vulnerability that allowed it to delete millions of dollars from the exchange’s accounts. Certik also claimed to have been threatened by the stock exchange team:
“After successful initial transfers to identify and remediate the vulnerability, Kraken’s security operations team threatened individual CertiK employees with an unreasonable amount of cryptocurrency payments without even providing payment addresses.”
The security company published a timeline of events, starting with the identification of the exploit on June 5 and ending with allegations that Kraken threatened a CertiK employee on June 18. In a statement to Cointelegraph, CertiK said it plans to transfer the funds “to a Kraken account that it can access.”
about: Bitcoin ETFs brought legitimacy to the cryptocurrency sector for investors – Storm Partners
Why did CertiK withdraw almost $3 million?
Kraken CSO officials initially said the first malicious transfer, worth just $4, was enough to prove the bug and collect “significant rewards” from Karken’s bounty program.
However, the security researcher, later revealed as CertiK, withdrew almost $3 million from his Kraken accounts.
In a message after returning the $3 million, CertiK said the millions were needed to test the limits of the exchange:
“We want to test the limits of Kraken’s security and risk controls. After multiple tests over several days and nearly $3 million in cryptocurrencies, no alerts were triggered and we still have not detected the cap.
Additionally, CertiK claims that it did not initially request a bonus, but that it was something the exchange mentioned:
“We never talked about asking for a reward. Kraken was the first to mention their bounty to us, while we responded that bounty was not a priority topic and we wanted to make sure the issue was resolved.
CertiK added that no Kraken user funds were put at risk since the funds mined were “created out of thin air.”
review: Recent Ethereum Pullback Could Be a Gift: Dynamo DeFi, X Hall of Flame
