tl;dr
Kraken has confirmed the return of funds taken by "security researchers," minus fees, who exploited a bug to steal $3 million. CertiK, the blockchain security experts behind the hack, returned the funds but justified their actions as testing Kraken's security. Kraken criticized CertiK for not following standard procedures and refusing to immediately return all stolen funds. CertiK, on the other hand, accused Kraken of unreasonable demands and confirmed the return of all funds in a different crypto amount.
Crypto exchange Kraken says it got its money back from the “security researchers” that took $3 million from the platform this year. “Update: We can now confirm the funds have been returned (minus a small amount lost to fees),” tweeted Nick Percoco, Chief Security Officer for Kraken, on Thursday.
Though Kraken first refused to identify the culprits, blockchain security experts at CertiK outed themselves on Wednesday as the ones behind the hack. Earlier that day, Percoco revealed that Kraken had recently patched a bug that let technically sophisticated individuals artificially inflate their balance on the platform, effectively letting them steal any amount of money from the exchange since January. CertiK experts notified them of the vulnerability in June, but not before draining $3 million from Kraken’s Treasury as a demonstration. “Within a few hours, the issue was completely fixed and could not reoccur again,” Percoco clarified, noting that “no client’s assets were ever at risk.”
While CertiK characterized its actions as a “whitehat” operation to help reinforce Kraken’s security, the way the company went about it did not sit well with Kraken or the wider crypto community. The objections include CertiK’s failure to follow Kraken’s standard whitehat bounty program procedures, such as immediately returning all funds once taken, and its arguably taking far more money than necessary to demonstrate the vulnerability. When asked to return the funds, CertiK explicitly refused until it was provided with an estimate of how much money would have been at risk had the company not identified the vulnerability, according to Kraken.
By contrast, CertiK said it had “consistently assured them that we would return the funds.” “Kraken’s security operation team has threatened individual CertiK employees to repay a mismatched amount of crypto in an unreasonable time even without providing repayment addresses,” CertiK contested over Twitter. The company confirmed on Thursday that all funds had been returned, though in a different crypto amount than Kraken had demanded. It also justified the size of its attack as necessary to test the limits of Kraken’s alerts and risk controls – which still never went off after losing millions.
“We never mentioned any bounty request,” CertiK added. “It was Kraken which first mentioned their bounty to us, while we responded that the bounty was not the priority topic and we wanted to make sure the issue was fixed.”