Kraken Recovers Stolen Funds from CertiK

Bug Bounty Dispute Ends: Kraken Recovers $3 Million from CertiK

A high-profile disagreement between cryptocurrency exchange Kraken and blockchain security firm CertiK has finally reached a resolution. The saga, which began with a reported bug bounty exploit, has concluded with the return of nearly $3 million in digital assets to Kraken.

On June 19th, Kraken announced the disappearance of $3 million worth of digital assets. The exchange’s Chief Security Officer, Nicholas Percoco, claimed a “security researcher” had exploited a discovered bug to steal the funds from Kraken’s treasury. Percoco further accused the researcher of extortion, refusing to return the funds and demanding a reward and a meeting with the exchange’s business development team.

Shortly after Kraken’s statement, CertiK identified itself as the “security researcher” in question. They acknowledged informing Kraken of an exploit allowing the removal of millions from the exchange’s accounts. However, CertiK disputed Kraken’s version of events, claiming threats from the exchange’s security team regarding the return of the funds.

CertiK provided a timeline detailing their actions, beginning with the exploit discovery on June 5th and culminating with alleged threats towards a CertiK employee on June 18th. They added that they planned to return the funds to an accessible account for Kraken.

Percoco initially stated that a small initial transfer of only $4 would have been enough to demonstrate the bug and qualify for a reward from Kraken’s bug bounty program. However, CertiK, the identified researcher, minted nearly $3 million into their Kraken accounts.

In a follow-up post after returning the funds, CertiK clarified their actions. They stated that the larger sum was necessary to test the limits of Kraken’s security measures. Despite transferring millions across multiple days, they claim no alerts were triggered, highlighting their concerns about the exchange’s defenses.

Furthermore, CertiK denies any initial request for a bounty. They claim the bounty program was first mentioned by Kraken, with CertiK prioritizing the bug’s resolution over a reward. They also emphasize that no user funds were compromised, as the exploited funds were “minted out of thin air.”

While the recovered funds mark the official end of the saga, questions remain. Both parties offer contrasting narratives about the interaction, leaving room for interpretation. The incident highlights the complexities of bug bounty programs and the importance of clear communication between security researchers and companies.