CertiK Comes Forward as the Hacker Seeking Bounty from Kraken

posted 20 Jun 2024
According to CertiK's report, on June 5 the team identified several critical vulnerabilities in Kraken's security system which could have led to significant financial losses.

In their analysis, CertiK addressed three main concerns:

1. Can a malicious actor fabricate a deposit transaction to a Kraken account?
2. Can a malicious actor withdraw fabricated funds?
3. What risk controls and asset protection might be triggered by a large withdrawal request?

The researchers concluded that the exchange’s security measures failed on all three counts, making it possible to credit millions of dollars to any Kraken account. The system also permitted the withdrawal of large sums of fabricated crypto, which could then be converted into genuine coins.

During the testing period from June 5 to June 9, the researchers' activities did not trigger any response from Kraken's security system; the test accounts were blocked only after CertiK reported the vulnerabilities to the exchange team.

After Kraken remedied the vulnerabilities it deemed critical, a dispute arose between the exchange and the security firm over the bounty reward. CertiK expressed dissatisfaction with the reward amount and the terms offered.

Despite the dispute, CertiK transferred the funds acquired during testing to an address accessible to Kraken's team.

Kraken user accounts remain secure.