BingX Insights

White-Hat Hack Turns Sour: CertiK and Kraken in Dispute Over Bug Bounty

BingX - Editor 2024-06-20 15:56

A disagreement has erupted between blockchain security firm CertiK and cryptocurrency exchange Kraken over a recent security vulnerability. On Wednesday, CertiK revealed itself as the entity behind a "white-hat hack" that uncovered a critical bug in Kraken's system. White-hat hacking is a practice where ethical researchers identify vulnerabilities to improve security. However, Kraken considers this incident a criminal case and is seeking to recover nearly $3 million in lost funds through law enforcement.

According to Kraken's CSO, Nick Percoco, the bug allowed unauthorized access to funds before deposits were complete, essentially enabling the "printing" of new assets. CertiK claims they exploited the bug during their investigation to assess the vulnerability's scope.

The dispute centers on several points. CertiK alleges that Kraken threatened its employees and demanded a different amount of cryptocurrency than was actually taken. CertiK further maintains that it was not given enough time to return the funds, and that Kraken had not provided a return address.

With the recent surge in the Ethereum price, the value of the disputed funds has become even more significant, adding another layer of tension to the situation. This incident highlights the evolving nature of blockchain security practices and the need for effective communication between firms involved in the cryptocurrency ecosystem.

Percoco raises concerns about CertiK's actions. He points out a discrepancy between the stolen amount and the value reported in a bug bounty submission, which typically incentivizes responsible disclosure of vulnerabilities. Additionally, he claims the researchers refused to return funds until a dollar estimate of the exploit's potential impact was provided.

CertiK counters by emphasizing that no actual user funds were involved and the losses were limited to Kraken's treasury. They also highlight their efforts to return the stolen funds despite communication issues with Kraken.

The situation has sparked wider discussions within the crypto community. Taylor Monahan, a prominent figure in the crypto space, cautioned CertiK about potential legal consequences, reputational damage, and internal cultural impacts. Monahan further raised concerns about previous exploits on projects audited by CertiK, leading to speculation about potential insider involvement.

In response, CertiK questions why Kraken's security system failed to detect their test transactions, reiterating their purpose of evaluating vulnerabilities.