CertiK Researchers Linked to Kraken’s $3 Million Attack

Written by
Lockridge Okoth

23 June 2024 11:40 UTC
  • CertiK researchers have been linked to the $3 million bug attack against Kraken on June 9.
  • Kraken characterized the incident as extortion after it failed to recover the funds immediately.
  • According to a CertiK post, the funds have since been moved to an account accessible to Kraken.

After the reported $3 million loss from Kraken exchange’s treasury, smart contract auditor CertiK has revealed an association with the incident.

The trading platform tried to recover the funds immediately and, when that failed, turned to law enforcement, describing the situation as extortion.

CertiK Shares Perspective on Kraken’s Loss

Kraken exchange’s recent $3 million bug attack has been linked to smart contract auditing firm CertiK, which confirmed the association. Its researchers say they discovered a series of critical vulnerabilities that could potentially have led to hundreds of millions of dollars in losses.

Following the discovery, the researchers took the initiative to explore the vulnerability, with three questions driving their research.

  • Can a malicious actor fabricate a deposit transaction to a Kraken account?
  • Can a malicious actor withdraw fabricated funds?
  • What risk controls and asset protection might trigger from a large withdrawal request?

According to CertiK, the trading platform failed all three tests, which led the firm to conclude that Kraken’s “defense in-depth system is compromised on multiple fronts.”

“According to our testing result: The Kraken exchange failed all these tests, indicating that Kraken’s defense in-depth-system is compromised on multiple fronts. Millions of dollars can be deposited to ANY Kraken account. A huge amount of fabricated crypto (worth more than 1M+ USD) can be withdrawn from the account and converted into valid cryptos. Worse yet, no alerts were triggered during the multi-day testing period. Kraken only responded and locked the test accounts days after we officially reported the incident,” read the report as highlighted in a post.

CertiK presented these findings to Kraken Exchange, whose security team classified them as “critical,” the most serious classification level at the trading platform. Unfortunately, it all culminated in a case that required the involvement of law enforcement.

“Kraken’s security operation team threatened individual CertiK employees to repay a mismatched amount of crypto in an unreasonable time even without providing repayment addresses. The verbal consensus reached during our meeting was not confirmed afterward. Ultimately, they publicly accused us of theft and even directly threatened our employees, which is completely unacceptable,” CertiK told BeInCrypto.

CertiK has urged Kraken to stop threatening its staff, whom it describes as “Whitehat hackers.” The smart contract auditor says it has shared all of the test deposit transactions and has moved all funds to an account accessible to Kraken.

Charles Guillemet, CTO at hardware wallet manufacturer Ledger, acknowledged that security standards across centralized exchanges remain inconsistent. He also noted that the incident should remind users that exchanges are built for trading, not for storing crypto.

“Major crypto exchanges, including Kraken, have done a great job at improving their security posture. However, the bar for security remains uneven in the landscape of centralized exchanges. The very nature of cryptocurrencies and blockchain immutability makes the security problem very challenging. Exchanges should segregate wallets, and have different wallets for different uses. They should also implement organizational security measures, detection, alerting and so on,” Guillemet shared with BeInCrypto.

Auditor Being Judged for $3 Million Bug Attack

Despite CertiK’s efforts to shed light on the matter, the crypto community has criticized the researchers, accusing them of malpractice. One user observes that “the sentiment around this story would have been more positive if resolved friendly with Kraken and posted about it after.”

Developer Uttam Singh’s summary of the event picked apart several aspects of the case that weigh further against CertiK. He highlights that the researchers performed multiple transactions and that they waited five days before disclosing the issue.

According to Cyvers CTO Meir Dolev, a CertiK-associated address created a contract on Base, Coinbase’s Layer-2 network, on May 24. This casts doubt on CertiK’s claim that the vulnerability was discovered on June 5. The same address is reportedly also probing OKX and Coinbase to see whether they share the vulnerability found at Kraken.

Judging by the community reaction, the general sentiment is that the activity was not whitehat security research, with social media posts citing on-chain evidence. Nevertheless, this did not derail CertiK’s Series B3 financing round, which raised $88 million.

The round was led by Insight Partners, Tiger Global, and Advent International, with Goldman Sachs, Sequoia, and Lightspeed Venture Partners also participating. Notably, it marked CertiK’s fourth round of capital raised in nine months, bringing the total to $230 million.
