Kraken Critical Vulnerabilities Could Lead To Hundreds Of Millions Of Dollars In Losses

Key Points:

• CertiK found Kraken critical vulnerabilities allowing counterfeit crypto withdrawals.
• Kraken allegedly threatened CertiK after initial fixes, demanding returns of funds.

Security agency CertiK recently announced the discovery of Kraken critical vulnerabilities, potentially leading to losses worth hundreds of millions of dollars.

CertiK Uncovers Kraken Critical Vulnerabilities in Security System

The investigation revealed that Kraken’s deposit system was unable to effectively distinguish between different internal transfer states. Kraken critical vulnerabilities allowed malicious actors to forge deposit transactions and withdraw these counterfeit funds without triggering any alarms.

During CertiK’s testing, millions of dollars in fake funds were successfully deposited into Kraken accounts, and over $1 million in fabricated cryptocurrencies were withdrawn and converted into valid assets. Despite initially acknowledging the issue and classifying it as “extremely critical,” Kraken’s response took a contentious turn.

CertiK reported that Kraken’s security team threatened its employees, demanding the return of unmatched cryptocurrencies within an unreasonably short timeframe without providing a repayment address. The timeline provided by CertiK detailed their use of Polygon’s MATIC token for testing deposit transactions.

“The real issue is why Kraken’s in-depth defense system failed to detect numerous test transactions,” CertiK stated. “Weak exchanges often boast about their strong risk controls and defense systems, but Kraken‘s failed miserably during our tests.”

CertiK decided to go public to protect user safety, urging Kraken to cease threats against white hat hackers and emphasizing the importance of collaboration to address security risks and safeguard the future of Web3.

Kraken Reports $3 Million Loss, Pursues Legal Action

Kraken Chief Security Officer Nick Percoco acknowledged that three accounts exploited the vulnerability, withdrawing nearly $3 million in total. He claimed that this behavior violated the vulnerability bounty program rules, crossing into extortion rather than white hat hacking.

Percoco alleged that three individuals linked to an unnamed research company were responsible for the withdrawals and refused to return any funds until Kraken disclosed the potential exploit’s size. Kraken is treating the matter as a criminal case and is cooperating with law enforcement agencies.