TL;DR
- Crypto exchange Kraken has lost roughly $3 million in an exploit.
- The exchange said a bug was exploited that allowed anyone to initiate a deposit to the platform and receive the funds without completing it.
Kraken Suffers an Exploit, Fixes the Bug
Kraken, one of the leading cryptocurrency exchanges in the world, disclosed that it has lost nearly $3 million following a bug-related exploit that's since been fixed.
While revealing this in an X post, Kraken’s Chief Security Officer Nick Percoco said the exchange received a bug bounty program alert on June 9. The alert warned the crypto exchange that it was an extremely critical bug, allowing hackers to artificially inflate their balance on its platform.
Upon further examination, Kraken discovered an isolated bug that allowed a malicious attacker to initiate a deposit onto its platform and receive funds in their account without fully completing the deposit. However, this only happened under a specific set of circumstances.
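The failure mode Percoco describes is a ledger that makes funds spendable when a deposit is initiated rather than when it settles. The following is an added illustration, not Kraken's code: a toy ledger in the vulnerable shape next to a hardened one that credits only on confirmation, plus a reconciliation check that surfaces the drift such a bug leaves behind. The class names, deposit states, user names and amounts are all constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class DepositState(Enum):
    INITIATED = "initiated"   # user announced a deposit; nothing has settled yet
    CONFIRMED = "confirmed"   # the settlement layer confirmed the funds arrived
    ABANDONED = "abandoned"   # the deposit was never completed


@dataclass
class Deposit:
    amount: int                                  # minor units; never floats for money
    state: DepositState = DepositState.INITIATED


@dataclass
class Account:
    available: int = 0                           # withdrawable balance
    withdrawn: int = 0                           # lifetime withdrawals
    deposits: dict = field(default_factory=dict)

    def reconcile(self) -> int:
        """Drift between the cached balance and what confirmed deposits justify.
        Zero is healthy; a positive value means money was credited without settling."""
        settled = sum(d.amount for d in self.deposits.values()
                      if d.state is DepositState.CONFIRMED)
        return self.available - (settled - self.withdrawn)


class Ledger:
    """Shared withdrawal logic; subclasses decide *when* a deposit becomes spendable."""
    def __init__(self):
        self.accounts = {}

    def _acct(self, user) -> Account:
        return self.accounts.setdefault(user, Account())

    def withdraw(self, user, amount) -> int:
        acct = self._acct(user)
        if amount <= 0 or amount > acct.available:
            raise ValueError("insufficient available balance")
        acct.available -= amount
        acct.withdrawn += amount
        return acct.available


class VulnerableLedger(Ledger):
    """The bug pattern: spendable balance is credited at initiation."""
    def initiate_deposit(self, user, deposit_id, amount) -> int:
        acct = self._acct(user)
        acct.deposits[deposit_id] = Deposit(amount)
        acct.available += amount            # BUG: credited before settlement
        return acct.available

    def confirm_deposit(self, user, deposit_id) -> int:
        acct = self._acct(user)
        acct.deposits[deposit_id].state = DepositState.CONFIRMED  # nothing else to do
        return acct.available


class HardenedLedger(Ledger):
    """Initiation only records intent; funds become spendable on confirmation."""
    def initiate_deposit(self, user, deposit_id, amount) -> int:
        acct = self._acct(user)
        if amount <= 0:
            raise ValueError("deposit amount must be positive")
        if deposit_id in acct.deposits:
            raise ValueError("duplicate deposit id")   # replaying initiation is not a credit
        acct.deposits[deposit_id] = Deposit(amount)
        return acct.available                           # unchanged until confirmed

    def confirm_deposit(self, user, deposit_id) -> int:
        acct = self._acct(user)
        dep = acct.deposits[deposit_id]
        if dep.state is not DepositState.INITIATED:
            raise ValueError("deposit is not awaiting confirmation")  # blocks double credit
        dep.state = DepositState.CONFIRMED
        acct.available += dep.amount
        return acct.available


def incomplete_deposit_then_withdraw(ledger_cls):
    """Initiate a 100_000-unit deposit that never settles, then try to withdraw it.
    Returns (amount actually withdrawn, reconciliation drift)."""
    ledger = ledger_cls()
    ledger.initiate_deposit("alice", "dep-1", 100_000)
    try:
        ledger.withdraw("alice", 100_000)
        withdrawn = 100_000
    except ValueError:
        withdrawn = 0
    return withdrawn, ledger.accounts["alice"].reconcile()


def settled_deposit_flow():
    """Happy path on the hardened ledger: confirm, then withdraw part of it.
    Returns (remaining balance, reconciliation drift)."""
    ledger = HardenedLedger()
    ledger.initiate_deposit("bob", "dep-7", 100_000)
    ledger.confirm_deposit("bob", "dep-7")
    remaining = ledger.withdraw("bob", 60_000)
    return remaining, ledger.accounts["bob"].reconcile()


if __name__ == "__main__":
    print("vulnerable:", incomplete_deposit_then_withdraw(VulnerableLedger))
    print("hardened:  ", incomplete_deposit_then_withdraw(HardenedLedger))
    print("settled:   ", settled_deposit_flow())
```

The reconcile() check is the detection angle: an independent recomputation of balances from settled deposits minus withdrawals, run periodically, flags inflated accounts even when the crediting code path itself looks plausible, which is how an exploit spread across only a few accounts can be caught before withdrawals clear.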
Kraken Security Update:
"On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform."
— Nick Percoco (@c7five) June 19, 2024
Percoco added that no client assets were at risk and that the bug has already been fixed. The bug stemmed from a flaw in a recent UX change, he pointed out.
While the bug has been completely fixed, deeper investigation revealed that it had already been exploited by three accounts within a few days of each other, he said.
Percoco added that one of the accounts had completed its KYC and belonged to the individual who discovered the bug. The security researcher exploited the bug to credit their account with $4, which was enough to prove the flaw and file a bug bounty report that would have earned a sizable reward.
However, Percoco added that the security researcher had disclosed the bug to two other individuals they work with, who went ahead to withdraw much larger sums from their Kraken accounts totaling nearly $3 million.
Kraken has already requested a full account of their activities and asked for the funds to be returned to the exchange's treasury. However, the researchers refused to return the funds until the crypto exchange put a figure on how large the exploit could have been had they not disclosed the bug. Percoco claimed that the event was not white-hat hacking but extortion.
The researchers accused Kraken of being “unreasonable” and “unprofessional” in its requests. Kraken will not disclose the research firm involved but will treat the incident as a criminal case given the breach of its bug bounty terms.
Percoco concluded:
“We’ll not disclose this research company because they don’t deserve recognition for their actions. We are treating this as a criminal case and are coordinating with law enforcement agencies accordingly.”
Kraken is currently the sixth-largest cryptocurrency exchange by trading volume, processing over $600 million daily.