The Kraken CertiK saga, which the security company CertiK claims to have implemented, took place
The Kraken CertiK saga, in which security firm CertiK claimed to have executed a white hat operation on certain Kraken accounts (not customers) and drained nearly $3 million (as Kraken claims), has taken on another twist. The exchange claimed that the full amount mined was not returned to it, while CertiK claims to have returned all funds as per its filing.
On June 20, CertiK reached 5557871 ETH. And 1089.794737XMR.
Kraken claims to exploit it and Certic says it’s a white hat operation
The Kraken-CertiK saga began on June 9, when Kraken claimed to have received a bug bounty program alert from a purported security researcher. The alert highlighted a bug in Kraken’s system that allowed users to inflate their account balance. The cryptocurrency exchange was quick to correct the error and discovered three accounts that took advantage of the flaw and withdrew $3 million from the Kraken account.
In its research, Kraken discovered that one of the three accounts had been KYC verified and used the wrong account to add $4 to its account.
Nick Percoco, Kraken’s head of security, said that would have been enough to prove the bug and claim the reward, but the account would have shared the flaw with two other accounts within a few days, and in total the three accounts earned 3 million dollars thanks to the exchange. .
When the cryptocurrency exchange asked the so-called “security researcher” to return the funds and collect his reward after providing the required on-chain proof, the hacker in question allegedly refused to respond to the requests and allegedly first demanded the reward. Although Kraken did not reveal the name of the security company behind the white hat vulnerability, CertiK revealed that it was the security company behind the Kraken vulnerability.
CertiK claimed that the employee who discovered the vulnerability was threatened to return the stolen funds without providing a wallet address. Rong Hui Ju, co-founder of CertiK, told Cointelegraph:
“The verbal consensus reached during our meeting was not subsequently confirmed. Ultimately, they publicly accused us of theft and even directly threatened our employees, which is completely unacceptable.
CertIK allegedly sent the stolen amount to cryptocurrency mixing service Tornado Cash to avoid freezing cryptocurrency exchanges. The move sparked widespread criticism from the cryptocurrency community, questioning CertiK’s motives behind its “white hat” operations.
Related: Cryptocurrency Phishing Attacks Have Reached “Worrying Levels” – CertiK Co-Founder
The cryptocurrency community calls on CertiK
The cryptocurrency community has questioned why CertiK researchers transferred millions of dollars of funds when a single transaction could have proven the existence of the vulnerability. Others reminded them that Tornado Cash is an OFAC-approved tool and that using it could land the security company in legal trouble. Others questioned whether they planned to return the funds and why they sent them to an OFAC-approved cryptocurrency mixer.
The majority of the cryptocurrency community sided with Kraken on the issue and criticized CertiK for its harsh behavior. Many accused them of “stealing” and then blackmailed Kraken to get the reward.
Kraken told Cointelegraph that it is in contact with law enforcement regarding this situation.
Update: This article will be updated with comments from Kraken and CertiK.
review: Cryptocurrency audits and bug bounties are broken: here’s how to fix it
