Full Report
Kraken is a cryptocurrency exchange similar to Coinbase. Recently, CertiK found and exploited a vulnerability on Kraken to create arbitrary funds within their account. This is the drama that unfolded from the perspective of Kraken, then CertiK, and then my personal thoughts on it.

While reviewing the Kraken application, CertiK noticed that Kraken failed to distinguish between the different transfer statuses. By abusing this, a partially made deposit was still able to receive funds. In effect, an attacker could print money. After discovering the vulnerability, they exploited the issue multiple times to print funds into the account. At this point, CertiK wanted to see if it was possible to withdraw the funds. The initial whitehat had withdrawn $4 (and was KYCed), but two other actors had stolen much more, including 3M! They sent some funds through Tornado Cash as well, for some reason. After knowing about the bug for 5 days, they finally reported it with very vague details. Even with the vague details, the Kraken team was able to find and triage the bug within some new code in about 47 minutes.

Why didn't the team give full details? CertiK wanted full impact information on the vulnerability to take to their business development team. I'm guessing they wanted this information to have grounds to arrange a juicy bounty. Initially, CertiK didn't come clean about the transactions and the funds that were stolen; this was discovered by the Kraken team, and the funds were not immediately returned. To me, this felt like straight blackhat hacking... they stole funds and then effectively extorted the company to try to get a bounty. CertiK tried to defend their actions... they claimed they took out a lot of money and let it sit to see if there was any detection on the Kraken side. To their credit, they were right that the defenses were bad. However, it's NOT their place to test that. 
Given that they hacked the company, disclosed secrets to other people and didn't tell Kraken about the funds, I am curious what sort of legal ramifications this will have. From CertiK's perspective, I disagree with how much money they stole but understand their reasoning. If you find a bug and steal $4, the company may claim that they had protections in place that would make bigger impacts impossible. Since you didn't test it, you can't prove or disprove otherwise, leading to a low bounty. Unfortunately, as bug bounty hunters, we are at the mercy of the company being upfront and truthful. If they are not, they will eventually pay the price for crossing too many people.

A day after this all happened, CertiK released a Q/A about it. There is no way the CertiK team actually thought that stealing these large sums of money was the right thing to do; I think they're just claiming it's okay in the hope that other people will go along with it, instead of admitting their mistake. What would have happened if alarm bells had gone off at Kraken about a hack before CertiK had a chance to report it? They would have looked like real hackers taking out 3M. They also claim that Kraken is asking for more back than what was stolen. However, CertiK put funds into Tornado and ChangeNow that are untraceable.

Overall, this was a failure all around. CertiK found an impactful bug but A) went too far exploiting it and B) did a bad job of exploiting it. Had they been more upfront with Kraken about the bug and the exploit transactions, this would have gone better. From the Kraken side, bugs happen and that's how life is. Monitoring is a crucial part of the security of a platform, as we can't always predict when stuff will go wrong. However, monitoring for everything isn't trivial, and it won't catch every bug. It makes me wonder what they had in place and what allowed this to skate by. There is never a dull day in crypto!
Analysis Summary
# Incident Report: The CertiK-Kraken "Whitehat" Exploitation Dispute
## Executive Summary
A security researcher from CertiK discovered a critical logic vulnerability in Kraken’s deposit processing system that allowed for the creation of arbitrary funds. Over a five-day period, the researchers escalated their testing into a full-scale exploitation, withdrawing nearly $3 million in assets to private wallets and mixing services. The incident resulted in a contentious public dispute over bug bounty ethics, fund recovery, and the line between security research and "blackhat" extortion.
## Incident Details
- **Discovery Date:** June 9, 2024 (Reported to Kraken)
- **Incident Date:** June 4 – June 9, 2024 (Active exploitation period)
- **Affected Organization:** Kraken (Payward Inc.)
- **Sector:** Cryptocurrency / Financial Services
- **Geography:** Global / Digital
## Timeline of Events
### Initial Access
- **Date/Time:** Early June 2024
- **Vector:** Web Application Logic Flaw
- **Details:** CertiK discovered that Kraken’s system failed to differentiate between various transfer statuses. By initiating a deposit and abusing the "partially made" status, a user could credit their account with funds they did not actually possess.
### Lateral Movement & Escalation
- **June 4-9:** CertiK moved beyond a Proof of Concept (PoC). After an initial $4 withdrawal by a KYC-verified researcher, two other associated accounts (individuals linked to CertiK) began printing large sums of money.
- **Action:** Researchers moved funds across multiple accounts and began withdrawing large amounts to external wallets.
### Data Exfiltration/Impact
- **Total Stolen:** Approximately $3.0 million USD in digital assets.
- **Obfuscation:** Some funds were sent through Tornado Cash and ChangeNow to obscure the transaction trail.
### Detection & Response
- **June 9:** CertiK submitted a vague bug report via Kraken’s Bug Bounty program without disclosing the full extent of the funds taken.
- **Analysis:** Within 47 minutes of receiving the vague report, Kraken’s internal team identified, triaged, and patched the bug.
- **Discovery of Theft:** Kraken identified that ~$3M had been taken; CertiK initially refused to return the funds or provide a full accounting, demanding a bounty meeting first.
## Attack Methodology
- **Initial Access:** Exploitation of a "Race Condition" or "Status Handling" logic error in the deposit UX/API.
- **Persistence:** Not applicable (direct exploitation of exchange credit logic).
- **Defense Evasion:** Use of Tornado Cash and ChangeNow to hide the destination of the stolen funds; staggered withdrawals over 5 days.
- **Discovery:** Researchers found a discrepancy in how "partially made" deposits were credited to user balances.
- **Exfiltration:** Direct withdrawal of artificially inflated balances to private, non-custodial wallets.
- **Impact:** Direct financial loss (temporary) and potential destabilization of the exchange’s liquidity.
## Impact Assessment
- **Financial:** ~$3 million USD initially removed from the platform. CertiK later claimed Kraken asked for more back than was "stolen" due to conversion fees and market fluctuations.
- **Data Breach:** None reported; limited to financial logic exploitation.
- **Operational:** Rapid emergency patching required; suspension of certain deposit features during triage.
- **Reputational:** High. CertiK’s reputation as a "whitehat" firm was severely questioned; Kraken’s automated monitoring was criticized for failing to detect multi-million dollar "money printing" for five days.
## Indicators of Compromise
- **Behavioral Indicators:**
  - Disposals of funds originating from "partial" or "failed" deposit transactions.
  - Massive imbalance between deposited fiat/crypto and credited account balance.
  - High-value withdrawals by recently active or test-related KYC accounts.
## Response Actions
- **Containment:** Kraken patched the deposit logic within an hour of the report.
- **Eradication:** Revocation of API keys and account access for the three involved CertiK accounts.
- **Recovery:** Legal threats and public pressure used to facilitate the return of funds.
- **Disclosure:** Public statements by Nick Percoco (Kraken CSO) and CertiK to address the community.
## Lessons Learned
- **Bounty Scope:** Testing "impact" does not require stealing millions of dollars. A successful PoC only requires demonstrating the flaw (e.g., the $4 withdrawal).
- **Monitoring Gaps:** The fact that $3M was printed and moved off-platform without triggering automatic freezes suggests a need for more robust real-time reconciliation engines.
- **Reporting Ethics:** Delayed reporting (5 days) while continuing to exploit a vulnerability moves an actor from "Whitehat" to "Greyhat" or "Blackhat" territory.
## Recommendations
- **Implement Real-Time Reconciliation:** Ensure that the total value of assets credited to users matches the verified assets held in deposit wallets at all times.
- **Strict Bounty Enforcement:** Update Bug Bounty Terms of Service to explicitly disqualify any researcher who moves funds to mixing services (e.g., Tornado Cash).
- **Grace Period Monitoring:** Apply heightened withdrawal delays/scrutiny for accounts that have recently interacted with new or obscure code paths.
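As an added illustration (not Kraken's or CertiK's code) of the deposit-status flaw described under Initial Access and of the real-time reconciliation recommended above: a toy ledger with an assumed status set, the crediting logic in its flawed and hardened forms, and a reconciliation check that flags any account whose credited balance exceeds its confirmed deposits. Status names, account names and amounts are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    PENDING = "pending"
    PARTIAL = "partial"      # transfer observed but not finalised
    CONFIRMED = "confirmed"  # terminal success: funds actually held
    FAILED = "failed"

@dataclass(frozen=True)
class Deposit:
    account: str
    amount: int  # minor units (cents/satoshi-style) to avoid float drift
    status: Status

def credit_vulnerable(deposits):
    """Credit every deposit that is not FAILED: the class of flaw the report
    describes, where a non-terminal status such as PARTIAL counts as money."""
    balances = defaultdict(int)
    for d in deposits:
        if d.status is not Status.FAILED:
            balances[d.account] += d.amount
    return dict(balances)

def credit_hardened(deposits):
    """Credit only deposits in the terminal CONFIRMED state."""
    balances = defaultdict(int)
    for d in deposits:
        if d.status is Status.CONFIRMED:
            balances[d.account] += d.amount
    return dict(balances)

def reconcile(balances, deposits):
    """Reconciliation check: return {account: excess} for every account whose
    credited balance exceeds its CONFIRMED deposits. Empty means books balance."""
    confirmed = credit_hardened(deposits)
    return {acct: bal - confirmed.get(acct, 0)
            for acct, bal in balances.items()
            if bal > confirmed.get(acct, 0)}

SAMPLE_LEDGER = [  # constructed sample, not real transactions
    Deposit("alice", 100_00, Status.CONFIRMED),
    Deposit("mallory", 4_00, Status.PARTIAL),
    Deposit("mallory", 3_000_000_00, Status.PARTIAL),
    Deposit("bob", 50_00, Status.FAILED),
]
```

Running `reconcile` against the flawed crediting output flags mallory's partial deposits as unbacked balance, while the hardened crediting reconciles cleanly; a freeze-on-discrepancy rule at that point is the automated control the report says was missing.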