June 20, 2024 at 01:38PM
Kraken, a major cryptocurrency exchange, accuses security researchers of exploiting a critical bug to steal millions in digital cash and of attempting to extort more from the exchange. The bug allowed users to manipulate their account balance without completing deposits. Kraken labeled the researchers’ actions as extortion and is coordinating with law enforcement. CertiK, the firm whose researchers are alleged to be involved in the dispute, denies attempting to withhold funds and accuses Kraken’s security team of misconduct.
After reviewing the meeting notes, it is clear that there is a dispute between Kraken, a major cryptocurrency exchange, and a trio of security researchers from CertiK. The researchers are accused of exploiting a critical bug, stealing millions in digital cash, and then attempting to extort the exchange for more funds.
Kraken’s chief security officer, Nicholas Percoco, revealed that the issue stemmed from a recent user experience (UX) change that allowed some users to artificially increase the value of their Kraken account balance without completing a full deposit. According to Kraken, the researchers did not provide full details of the bug in their bug bounty report and instead exploited the vulnerability. Kraken alleges that the researchers withdrew nearly $3 million from the platform and then demanded further funds while refusing to provide a full account of their activity or to return the withdrawn funds.
However, CertiK has contested Kraken’s claims, stating that after it initially identified and Kraken fixed the vulnerability, Kraken’s security team threatened individual CertiK employees, demanding repayment of an amount of crypto within an unreasonable time frame without even providing repayment addresses. CertiK also claimed that it offered to return the funds and did not try to withhold them, although members of the crypto community have raised allegations about CertiK’s activities and pointed to inconsistencies between its public disclosures and blockchain records.
Furthermore, there are discrepancies between the figures given by Kraken and CertiK for the returned funds and the amount owed. Although Kraken has stated that all funds have been returned, there are assertions that the amount reported by CertiK was significantly less than what Kraken claimed was stolen.
It is important to note that the situation has escalated to the point where Kraken is treating it as a criminal case and coordinating with law enforcement agencies. The exchange has also not responded to inquiries from The Register for further details.
In summary, the meeting notes indicate a complex and contentious situation between Kraken and CertiK. This dispute involves accusations of exploitation, theft, extortion, and potential misconduct from both parties. It will be crucial for the executive team to monitor further developments and legal proceedings related to this case.