Cryptocurrency exchange Kraken has announced that it has fallen victim to a major security flaw that has resulted in the theft of $3 million worth of digital assets. However, in a surprising turn of events, the party responsible has been identified as CertiK. This blockchain security firm claims to have initially reported the bug through Kraken’s bug bounty program.
CertiK is now accused of exploiting additional vulnerabilities and extorting the exchange for more money, leading to calls for legal action and concerns among crypto investors.
Kraken Security Flaws Exposed
The incident unfolded when Kraken’s Chief Security Officer, Nick Percoco, revealed that the exchange had received a bug report on June 9 from a self-described security researcher. The researcher claimed to have discovered an “extremely critical” bug that allowed them to inflate their balance on the platform artificially.
Upon further investigation, CertiK, which admitted its involvement in the incident in its social media post, uncovered several critical vulnerabilities in Kraken’s systems that could potentially result in losses of hundreds of millions of dollars.
Related Reading
CertiK’s findings revealed shortcomings in Kraken’s deposit system, indicating a failure to differentiate between internal transfer statuses. Furthermore, CertiK’s testing revealed that Kraken failed all these tests, exposing the compromised state of Kraken’s defense-in-depth system.
According to CertiK, “millions of dollars” could be deposited into any Kraken account, and a substantial amount of fabricated cryptocurrency (worth over $1 million) could be withdrawn and converted into valid digital assets.
The security firm also claimed that no alerts were triggered during a “multi-day test period” and that Kraken only responded and blocked the test accounts days after the incident was officially reported.
Following the identification of the vulnerability, CertiK alleges that Kraken’s security operations team “threatened” individual CertiK employees, demanding the repayment of a “mismatched” amount of cryptocurrency within an “unreasonable time frame,” without providing repayment addresses.
However, Kraken’s Percoco countered that they had requested a full accounting of the then-unknown company’s activities and the return of the withdrawn funds. Percoco argued that CertiK’s refusal to comply with these requests violated the rules of ethical…
Click Here to Read the Full Original Article at NewsBTC…
