Kraken Exploited for Nearly $3 Million Due to Bug
Kraken, a well-known crypto exchange, recently disclosed that a bug allowed people to deposit money into their accounts without actually completing the deposit. This bug was exploited for nearly $3 million from Kraken’s treasuries before it was fixed. Kraken’s Chief Security Officer (CSO) shared details about this incident.
Discovery of the Bug
On June 9, Kraken’s bug bounty program received an alert about an “extremely critical” bug. This alert was sent by a security researcher who noticed a serious flaw. According to Kraken’s CSO, Nick Percoco, this bug allowed someone to inflate their account balance artificially. This meant they could initiate a deposit and receive funds without finishing the deposit process.
How the Bug Worked
The bug was due to a recent change in the User Experience (UX) design of Kraken’s platform. The flaw made it possible for accounts to be credited before the asset deposits fully cleared. This allowed attackers to “print assets” in their accounts temporarily. However, Percoco assured that no client assets were at risk; the issue was with Kraken’s own treasury funds.
Exploitation Before Fix
Kraken quickly fixed the bug within a few hours of the alert. However, an investigation revealed that three accounts had already exploited the bug within a few days. One of these accounts belonged to the security researcher who found the bug. This individual claimed to be testing the flaw by crediting their account with $4. They then filed a bug bounty report and claimed a reward.
Bigger Exploit by Associates
The situation became more serious when it was discovered that the researcher had shared the bug with two other individuals. These people used the bug to withdraw much larger sums, nearly $3 million in total, from Kraken’s treasuries. Percoco clarified that this money came from Kraken’s funds, not client assets.
Kraken’s Response
Kraken asked the researchers to return the funds and provide a full account of their activities. However, the researchers refused to return the money unless Kraken disclosed the potential size of the exploit. Percoco labeled this demand as extortion, stating that it was not an act of white-hat hacking.
Legal Action and Security Measures
Due to the breach of its bug bounty terms, Kraken decided to treat the case as criminal. They chose not to disclose the name of the research firm involved, believing that they did not deserve recognition. Instead, Kraken coordinated with law enforcement agencies to handle the situation.
Importance of Bug Bounty Programs
This incident highlights the importance of bug bounty programs in identifying and fixing vulnerabilities. Bug bounty programs are designed to reward researchers who find and report bugs. However, it also shows the potential risks when researchers do not follow ethical guidelines.
Protecting Crypto Exchanges
Crypto exchanges like Kraken must constantly improve their security measures to protect against such exploits. This includes thorough testing of new features and quick response to any reported issues. By doing so, they can safeguard their platforms and maintain the trust of their users.
Kraken’s recent bug exploit incident serves as a reminder of the challenges faced by crypto exchanges. With nearly $3 million taken from its treasuries, Kraken acted quickly to fix the bug and is now pursuing legal action against those responsible. This case underscores the importance of robust security measures and ethical practices in the crypto industry.
