Crypto hack: CertiK discovers a bug on the Kraken exchange and exploits it to withdraw 3 million dollars without authorization


Even Vitalik Buterin shares his thoughts on the USA elections

A couple of days ago, even the most well-known...

Top-5 DEX Aggregators 2024

Decentralized exchange (DEX) aggregators have become vital tools in...


In this article we talk about an incredible story: a few days ago the auditing company Certik identified a flaw in the security systems of the crypto exchange Kraken that could lead to a serious hack.

After conducting some tests for 3 days and executing a “white hack” attack worth 3 million dollars, Certik contacted Kraken to inform it of the bug, but initially refused to immediately return the stolen amount.

The exchange in crypto immediately contacted law enforcement treating the situation as a criminal case, while the cryptographic security firm insists that it is a typical test of a “bounty program.” Now the funds seem to have been returned.

Let’s see everything in detail below.

The 3 million dollar hack against the crypto exchange Kraken: Certik is responsible, but refuses to return the money

This story begins on June 9, 2024, when the crypto exchange Kraken receives an informal communication from a “security researcher” who claims to have discovered a vulnerability on the platform that could have caused a large-scale hack.

As reported in a post-mortem tweet by Nick Percoco, Chief Security Officer of Kraken, the researcher had highlighted a flaw in the security systems of the deposits (unable to distinguish different states of internal transfer), which allows users to inflate their balance and withdraw more coins than they actually have available. The exchange immediately took action to resolve the issue, and in just 47 minutes a team of experts managed to fix the bug.

Here is what Percoco reported:

“the bug allowed a malicious attacker, under the right circumstances, to initiate a deposit on our platform and receive funds into their account without fully completing the deposit. To be clear, no customer assets were ever at risk”

So far everything is normal, except that the same security company web3 where the researcher who contacted Kraken works, before officially reporting the bug, would have carried out several hacks on the platform for a total of 3 million dollars.

Immediately after the publication of Percoco’s post, the well-known auditing firm Certik immediately took responsibility for the incident and revealed its crucial role in the matter.

Certik allegedly “tested” Kraken’s defense mechanisms by carrying out a large-scale attack, and withdrawing large quantities of MATIC tokens from 3 different accounts, then cleaning the traces of the funds through the Tornado Cash mixer.

 As explained by the security manager of the exchange, after fixing the problem, Kraken asked Certik to return the funds, but she initially refused.

Despite this, Certik insists that its activity is in line with the principles of “white hack”.

Apparently Certik did not mention the role of the 3 account exploiter in the incident, despite having performed the withdrawal tests in the 3 days prior to the communications with Kraken.

The security researcher who spotted the bug, would have asked for a substantial bounty for having identified a major flaw that could have imploded into a heavy hack, but Kraken insisted on getting their funds back.

Since the auditing company refused to return the loot, and indeed seemed to have moved to hide the evidence of the hack, the exchange decided to treat the situation as if it were a criminal case by notifying the competent authorities and law enforcement.

The web3 security company had asked the exchange for a bounty reward equal to the amount speculated that this bug could have caused if it had not been disclosed, infuriating the exchange platform team.

Percoco commented on his X profile about what happened, showing all his opposition towards Certik’s behavior:

“This is not white hacking, this is extortion”.

The denial by Certik: funds returned despite some employees having received threats from the Kraken team

Certik, after introducing itself as the company responsible for identifying the flaw in the deposit systems, immediately denied what Kraken reported, highlighting its “white hack” role and its positive intentions.

The company revealed that it had set up a large-scale hack, for an amount of 3 million dollars, solely for the purpose of testing the exchange’s defense, but it also emphasized that it never refused to return the loot but rather wanted to ensure that everything was executed correctly.

Certik said she was amazed by the potential negative impact that the bug could have caused, but especially by the fact that Kraken’s alarms were never triggered. This was stated in a post: 

“Millions of dollars can be deposited into ANY Kraken account. A huge amount of crypto (worth over 1M+ USD) can be withdrawn from the account and converted into valid cryptos. Worse still, during the multi-day testing period, no alerts were triggered”.

Furthermore, the auditing firm explained that a member of the exchange team had threatened their own researcher to return the amount within an unreasonable time frame (6 hours) without, however, providing a repayment address.

This took place after, days after the hack, the two companies had a call to try to find a solution and resolve the matter.

Apparently, what triggered the chaos was the amount of the bounty reward proposed by Kraken, which was not considered appropriate to the effort made and the potential exploit prevented. As reported by a spokesperson for Kraken to Coindesk:

“We involved these researchers in good faith and, in line with a decade of managing a bug bounty program, we had offered a considerable bounty for their efforts. We are disappointed by this experience and are now working with law enforcement to recover the assets from these security researchers”.

Today Certik published another post with some FAQs to further clarify their position and remove any doubt.

The security company reiterates that it has “consistently” confirmed that it would return the stolen amount, and states that now all the funds are back in Kraken’s hands.

These funds were sent back to the sender in 734.19215 ETH, 29,001 USDT, and 1021.1 XMR, while the exchange had expressly requested to send 155818.4468 MATIC, 907400.1803 USDT, 475.5557871 ETH, and 1089.794737 XMR, for a total equivalent value greater by about 100,000 dollars.

Kraken remains firm on its concept of ethics of “white hacking” and maintains that the bullying carried out by Certik can be identified as extortion.

The Bounty program of the exchange indeed requires third parties to find the problem, exploit the minimum amount necessary to test the bug (without executing a 3 million dollar hack), return the resources, and provide details on the vulnerability.