A digital asset security research firm has returned $3 million in funds to crypto exchange Kraken after an unusual saga following a bug bounty program exploit.
Yesterday, Kraken chief security officer Nick Percoco said in a lengthy X thread that the exchange was alerted days ago that an “extremely critical” code exploit allowing hackers to artificially inflate their funds had been discovered.
“Within minutes we discovered an isolated bug. This allowed a malicious attacker, under the right circumstances, to initiate a deposit onto our platform and receive funds in their account without fully completing the deposit.
To be clear, no client’s assets were ever at risk. However, a malicious attacker could effectively print assets in their Kraken account for a period of time.”
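The bug class Percoco describes, a deposit that is credited on initiation rather than on final settlement, can be illustrated with a small ledger model. The following is an added example written for this page, not Kraken's code and not the actual root cause, which the thread does not disclose; the deposit ids, account name and amounts are constructed. It runs the same deposit sequence through a flawed ledger (credit when the deposit is announced) and a hardened one (credit only on a confirmed settlement event, once per deposit id), and includes the reconciliation check a monitoring job would use to detect balances that exceed confirmed inflows.

```python
"""Hypothetical deposit-ledger model (added illustration; not Kraken's code).

Models the bug class described above: a deposit that is credited when it is
*initiated* rather than when it is *finalized* lets an account balance grow
without real funds arriving. The hardened ledger credits only from a
confirmed settlement event and is idempotent per deposit id.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class DepositState(Enum):
    INITIATED = auto()   # user announced a deposit; nothing confirmed yet
    CONFIRMED = auto()   # settlement layer observed the funds actually arriving
    FAILED = auto()      # deposit never completed


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: int          # smallest unit, e.g. satoshis (constructed values)
    state: DepositState = DepositState.INITIATED


@dataclass
class Ledger:
    credit_on_initiate: bool                  # True models the flawed behaviour
    balances: dict = field(default_factory=dict)
    deposits: dict = field(default_factory=dict)
    credited: set = field(default_factory=set)

    def initiate(self, deposit_id, account, amount):
        d = Deposit(deposit_id, account, amount)
        self.deposits[deposit_id] = d
        if self.credit_on_initiate:
            # Flaw: balance increases before any funds have arrived, and a
            # later failure is never reversed.
            self._credit(d)
        return d

    def settle(self, deposit_id, confirmed):
        d = self.deposits[deposit_id]
        d.state = DepositState.CONFIRMED if confirmed else DepositState.FAILED
        if confirmed:
            self._credit(d)  # idempotent: a duplicate confirmation is a no-op

    def _credit(self, d):
        if d.deposit_id in self.credited:
            return
        self.credited.add(d.deposit_id)
        self.balances[d.account] = self.balances.get(d.account, 0) + d.amount

    def balance(self, account):
        return self.balances.get(account, 0)


def reconcile(ledger):
    """Return accounts whose balance exceeds the sum of their CONFIRMED deposits,
    with the excess. A non-empty result is the alert condition for a monitoring job."""
    confirmed = {}
    for d in ledger.deposits.values():
        if d.state is DepositState.CONFIRMED:
            confirmed[d.account] = confirmed.get(d.account, 0) + d.amount
    return {a: b - confirmed.get(a, 0)
            for a, b in ledger.balances.items() if b > confirmed.get(a, 0)}


def demo():
    """Run one deposit sequence through both ledgers; returns
    {name: (balance, reconciliation result)} for each."""
    results = {}
    for name, flawed in (("flawed", True), ("hardened", False)):
        ledger = Ledger(credit_on_initiate=flawed)
        ledger.initiate("dep-1", "acct-A", 100)   # announced, never completes
        ledger.initiate("dep-2", "acct-A", 50)
        ledger.settle("dep-2", confirmed=True)
        ledger.settle("dep-2", confirmed=True)    # duplicate confirmation event
        ledger.initiate("dep-3", "acct-A", 25)
        ledger.settle("dep-3", confirmed=False)   # failed deposit
        results[name] = (ledger.balance("acct-A"), reconcile(ledger))
    return results


if __name__ == "__main__":
    for name, (bal, excess) in demo().items():
        print(f"{name}: balance={bal} unbacked={excess}")
```

Only `dep-2` ever settles, so the hardened ledger reports a balance of 50 and nothing to reconcile, while the flawed ledger shows 175 with 125 unbacked. The reconciliation check is the practical point: even where the crediting path cannot be changed quickly, comparing ledger balances against confirmed settlement totals surfaces the discrepancy within the same run.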
According to Percoco, the unnamed “security researchers” who found the bug proceeded to act unprofessionally in returning the exploited funds.
“We have never had issues with legitimate researchers in this way and are always responsive.
In the essence of transparency, we are disclosing this bug to the industry today. We are being accused of being unreasonable and unprofessional for requesting that ‘white-hat hackers’ return what they stole from us. Unbelievable.
As a security researcher, your license to ‘hack’ a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your ‘license to hack’. It makes you, and your company, criminals.
We’ll not disclose this research company because they don’t deserve recognition for their actions. We are treating this as a criminal case and are coordinating with law enforcement agencies accordingly. We’re thankful this issue was reported, but that’s where that thought ends.”
However, today Percoco said the funds have since been returned to the US-based exchange, though the security officer still declined to name who returned them.
“Update: We can now confirm the funds have been returned (minus a small amount lost to fees).”
Crypto security firm CertiK has claimed responsibility for identifying the exploit, taking to social media platform X to tell its side of the story:
“After initial successful conversions on identifying and fixing the vulnerability, Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT…
Full original article: The Daily Hodl.