Key Points:
The investigation revealed that Kraken’s deposit system was unable to effectively distinguish between different internal transfer states. Kraken critical vulnerabilities allowed malicious actors to forge deposit transactions and withdraw these counterfeit funds without triggering any alarms.
During CertiK’s testing, millions of dollars in fake funds were successfully deposited into Kraken accounts, and over $1 million in fabricated cryptocurrencies were withdrawn and converted into valid assets. Despite initially acknowledging the issue and classifying it as “extremely critical,” Kraken’s response took a contentious turn.
CertiK reported that Kraken’s security team threatened its employees, demanding the return of unmatched cryptocurrencies within an unreasonably short timeframe without providing a repayment address. The timeline provided by CertiK detailed their use of Polygon’s MATIC token for testing deposit transactions.
“The real issue is why Kraken’s in-depth defense system failed to detect numerous test transactions,” CertiK stated. “Weak exchanges often boast about their strong risk controls and defense systems, but Kraken‘s failed miserably during our tests.”
CertiK decided to go public to protect user safety, urging Kraken to cease threats against white hat hackers and emphasizing the importance of collaboration to address security risks and safeguard the future of Web3.
Kraken Chief Security Officer Nick Percoco acknowledged that three accounts exploited the vulnerability, withdrawing nearly $3 million in total. He claimed that this behavior violated the vulnerability bounty program rules, crossing into extortion rather than white hat hacking.
Percoco alleged that three individuals linked to an unnamed research company were responsible for the withdrawals and refused to return any funds until Kraken disclosed the potential exploit’s size. Kraken is treating the matter as a criminal case and is cooperating with law enforcement agencies.
DISCLAIMER: The information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing. |
dYdX Trading will shut down the dYdX v3 platform on October 28, 2024, to make…
Bitget Wallet OmniConnect was launched to enable developers to integrate Telegram Mini-Apps with multichain ecosystems.
The recent approval for BlackRock’s Bitcoin ETF options raises concerns about a shift from physical…
MapleStory N Web3 game built on Avalanche, aims to leverage nostalgia and blockchain technology, adding…
Coinme overcame early challenges to become a leader in cash-to-crypto services, with over 40,000 locations…
Spot Bitcoin ETFs extend inflows for the 6th day, recording $365.57M, led by Ark Invest’s…
This website uses cookies.