Kraken Recovers $3 Million in Missing Funds After Bug Bounty Exploit

4 days ago


Cryptocurrency exchange Kraken has successfully recovered nearly $3 million in digital assets following a high-profile bug bounty exploit by CertiK. Nicholas Percoco, Kraken's Chief Security Officer, confirmed the recovery in a June 20 post on X, stating: "Update: We can now confirm the funds have been returned (minus a small amount lost to fees)." This announcement came after Percoco initially revealed the disappearance of the funds on June 19, attributing the incident to a "security researcher" who had exploited a bug.


Kraken alleged that the security researcher had extorted the exchange, refusing to return the funds without a reward. Blockchain security firm CertiK soon identified itself as the "security researcher" involved in the incident. In a June 19 X post, CertiK detailed that it had informed Kraken about an exploit that allowed the withdrawal of millions from the exchange's accounts. CertiK further claimed that Kraken had threatened its employees, demanding repayment of a mismatched amount of crypto within an unreasonable time frame and without providing repayment addresses.

The saga raised questions about the necessity of the nearly $3 million withdrawal. Percoco initially noted that a mere $4 transfer would have sufficed to prove the bug and qualify for a sizable reward from Kraken's bounty program. However, CertiK defended its actions, explaining that the large sum was part of an effort to test the limits of Kraken's security and risk controls. "We want to test the limit of Kraken’s protection and risk controls. After multiple tests across multiple days and close to $3 million worth of crypto, no alerts were triggered and we still haven’t figured out the limit," CertiK stated.

CertiK also clarified that it did not initially request a bounty; instead, Kraken had mentioned the bounty first. "We never mentioned any bounty request. It was Kraken who first mentioned their bounty to us, while we responded that the bounty was not the priority topic and we wanted to make sure the issue was fixed," CertiK elaborated. They added that no Kraken user funds were at risk since the exploited funds were "minted out of air."
